Malware Monthly Update August - 2021 Release Notes

Malware Monthly Update August - 2021

Malware Strikes

Strike ID	Malware	Platform	Info	MD5	External References
M21-jlzp1	BlackMatter_e6b0276b	Windows	This strike sends a malware sample known as BlackMatter. BlackMatter is a Ransomware-as-a-Service or RaaS. It has followed in the footsteps of its predecessors DarkSide and REvil with a lot of the same functionality. It can elevate privileges, kill processes, and even steals the victim's details.	e6b0276bc3f541d8ff1ebb1b59c8bd29	https://news.sophos.com/en-us/2021/08/09/blackmatter-ransomware-emerges-from-the-shadow-of-darkside/ SHA256: daed41395ba663bef2c52e3d1723ac46253a9008b582bb8d9da9cb0044991720 SHA1: 295de44a0adbef57c51458978ccd71437aff0bf1 MD5: e6b0276bc3f541d8ff1ebb1b59c8bd29
M21-rby71	DarkComet_eb1de375	Windows	This strike sends a malware sample known as DarkComet. DarkComet and related variants are a family of remote access trojans designed to provide an attacker with control over an infected system.	eb1de375f155cf314cd6f41f754ce930	https://blog.talosintelligence.com/2021/08/threat-roundup-0806-0813.html SHA256: 302085c4d19e84b33f64b7f177dcb5bdf31a919917e27c54691e599b65ec550f SHA1: d561ebb09ec070733d63b8313554687451a4e55a MD5: eb1de375f155cf314cd6f41f754ce930
M21-ngxa1	Trickbot_654b1a59	Windows	This strike sends a malware sample known as Trickbot. Trickbot is a banking trojan targeting sensitive information for select financial institutions. This malware is frequently distributed through malicious spam campaigns. Many of these campaigns rely on downloaders for distribution, such as VB Scripts.	654b1a591b182b0665352dde68720652	https://blog.talosintelligence.com/2021/08/threat-roundup-0730-0806.html SHA256: 2224cc59bb76c875cfcf04df8ad82f6c3c4c5418ab0a281bd0cd1ba73d685a1f SHA1: 77a416f2f7898d7c5c542d8dff00aecc23b6be62 MD5: 654b1a591b182b0665352dde68720652
M21-6oee1	Qakbot_a3d6462c	Windows	This strike sends a malware sample known as Qakbot. Qakbot, aka Qbot, has been around for since at least 2008. Qbot primarily targets sensitive information like banking credentials but can also steal FTP credentials and spread across a network using SMB.	a3d6462cdc162149e22502c694a7427c	https://blog.talosintelligence.com/2021/08/threat-roundup-0806-0813.html SHA256: 07f0e31106f56a2af7eb4e283625b4b3408f0eeb74c09b1ade3840daa4d1b8bb SHA1: f99af91f1fd4cc539eb1d552f9160245a071a4b2 MD5: a3d6462cdc162149e22502c694a7427c
M21-sbf81	Qakbot_4f2e59b6	Windows	This strike sends a malware sample known as Qakbot. Qakbot, aka Qbot, has been around for since at least 2008. Qbot primarily targets sensitive information like banking credentials but can also steal FTP credentials and spread across a network using SMB.	4f2e59b6050e873fd41a0b369b354243	https://blog.talosintelligence.com/2021/08/threat-roundup-0806-0813.html SHA256: 240e331b52966de8e05cea16155fb5cbf97ccc934af991f7d794107302665b4c SHA1: a603a8d095d6e0e95c1323b77e9fc748b05320c4 MD5: 4f2e59b6050e873fd41a0b369b354243
M21-qp9u1	Haron_731797d3	Windows	This strike sends a malware sample known as Haron. Haron is a ransomware that is being considered a copy or derivative of the Avaddon and Thanos ransomware. It uses the Thanos framework to infect vicitims, which was made open source, and the Avaddon UI which was also leaked.	731797d30d8ff6eaf901e788bd4e6048	https://medium.com/s2wlab/quick-analysis-of-haron-ransomware-feat-avaddon-and-thanos-1ebb70f64dc4 SHA256: 66ed5384220ff3091903e14a54849f824fdd13ac70dc4e0127eb59c1de801fc2 SHA1: 9d38ce8e4c3ca5fbdfdfbed3ec452151041189c0 MD5: 731797d30d8ff6eaf901e788bd4e6048
M21-ksoe1	Qakbot_4989af5b	Windows	This strike sends a malware sample known as Qakbot. Qakbot, aka Qbot, has been around for since at least 2008. Qbot primarily targets sensitive information like banking credentials but can also steal FTP credentials and spread across a network using SMB.	4989af5b16f7fdb9de808337dbdc0b3a	https://blog.talosintelligence.com/2021/08/threat-roundup-0806-0813.html SHA256: 3383b0672661207be263722ba4cd2341bb90f680819359cb07c26c6b7dfcaa9b SHA1: 4357873c9c578632bc76a180a10d60002570b542 MD5: 4989af5b16f7fdb9de808337dbdc0b3a
M21-s16t1	Ramnit_52efe8c8	Windows	This strike sends a malware sample known as Ramnit. Ramnit is a banking trojan that has been around since 2010 and has recently been resuming activity. After infection, it scans files that have interesting keywords, such as "wallet", "passwords", or the names of the targeted banks. Ramnit uses malvertising and malware-laden spam for distribution, though it also employed popular exploit kits, such as Angler.	52efe8c8b4205a6c099ade4e32aeea32	https://blog.talosintelligence.com/2021/08/threat-roundup-0813-0820.html SHA256: 72d4e7805d94785b9c95147f8a42e3700f2bfa56a79a46dfcf0791bd3a0f090d SHA1: c8d7c5629cf6775d7e6361c5756a0b3561f35429 MD5: 52efe8c8b4205a6c099ade4e32aeea32
M21-ijkd1	BlackMatter_98a3bee4	Windows	This strike sends a polymorphic malware sample known as BlackMatter. BlackMatter is a Ransomware-as-a-Service or RaaS. It has followed in the footsteps of its predecessors DarkSide and REvil with a lot of the same functionality. It can elevate privileges, kill processes, and even steals the victim's details.The binary has been packed using upx packer, with the default options.	98a3bee4399116289036d0224aac78d7	https://news.sophos.com/en-us/2021/08/09/blackmatter-ransomware-emerges-from-the-shadow-of-darkside/ SHA256: 5475378077eb6a5841515dd35c5b8e0ca9181000e3a06da4cb30f02c66fb1408 https://attack.mitre.org/techniques/T1045/ PARENTID: M21-mfzl1 SSDEEP: 768:PNETtdX7D3UKhRmr6GRfIC7uSj9UBiXUO8vR3V8YZaAQ0hMTndaN/:qp1arxxum94eU1pnVQ0qdaN SHA1: 4bffcde1b205b8aba0b648006b89958891175a7c MD5: 98a3bee4399116289036d0224aac78d7
M21-obcm1	BlackMatter_ac50d0bc	Windows	This strike sends a polymorphic malware sample known as BlackMatter. BlackMatter is a Ransomware-as-a-Service or RaaS. It has followed in the footsteps of its predecessors DarkSide and REvil with a lot of the same functionality. It can elevate privileges, kill processes, and even steals the victim's details.The binary has the checksum removed in the PE file format.	ac50d0bc460a702822ebae99a86761b5	https://news.sophos.com/en-us/2021/08/09/blackmatter-ransomware-emerges-from-the-shadow-of-darkside/ SHA256: 473e2f87064a676a943f2c62d25deb42032cdb1a31c0b765683da0c75f221d91 https://arxiv.org/abs/1801.08917 PARENTID: M21-73ke1 SSDEEP: 1536:aICS4AgxwhjEO3r825exqkHYnKeGsXqsMt:Z2SN3mxYnKr SHA1: 4fcada52709b935f0bf968eaf52a806acfb006ce MD5: ac50d0bc460a702822ebae99a86761b5
M21-s1371	Ramnit_4a7a546c	Windows	This strike sends a malware sample known as Ramnit. Ramnit is a banking trojan that has been around since 2010 and has recently been resuming activity. After infection, it scans files that have interesting keywords, such as "wallet", "passwords", or the names of the targeted banks. Ramnit uses malvertising and malware-laden spam for distribution, though it also employed popular exploit kits, such as Angler.	4a7a546c94e0918c95ae5a4cc9575042	https://blog.talosintelligence.com/2021/08/threat-roundup-0813-0820.html SHA256: 38953969ed21113318984529205154f47908974d18e791e04955386aaf4dadaf SHA1: f5ead2a3a942288e4f1f80870eb64e97b6ca00d3 MD5: 4a7a546c94e0918c95ae5a4cc9575042
M21-85jk1	Qakbot_8f46946b	Windows	This strike sends a malware sample known as Qakbot. Qakbot, aka Qbot, has been around for since at least 2008. Qbot primarily targets sensitive information like banking credentials but can also steal FTP credentials and spread across a network using SMB.	8f46946bc6fe6cd5843ca93c5b7d3045	https://blog.talosintelligence.com/2021/08/threat-roundup-0806-0813.html SHA256: 03cb6dc235578dd1562851d4d06555af1cf9382353ba3f54306a27e37a5305a1 SHA1: aeea21e79394c7cea389e818f55731563c589d28 MD5: 8f46946bc6fe6cd5843ca93c5b7d3045
M21-ah8i1	Trickbot_64a8dfe6	Windows	This strike sends a malware sample known as Trickbot. Trickbot is a banking trojan targeting sensitive information for select financial institutions. This malware is frequently distributed through malicious spam campaigns. Many of these campaigns rely on downloaders for distribution, such as VB Scripts.	64a8dfe64ee1298325a8af441ae6abef	https://blog.talosintelligence.com/2021/08/threat-roundup-0730-0806.html SHA256: 3359b593b46b2c55971ab4f5a10228ffd462a8f5fd8b9357a71955b6a1e1e477 SHA1: cbf88ed990eebeb0f4179b70f126309b8b2b6aae MD5: 64a8dfe64ee1298325a8af441ae6abef
M21-45971	BlackMatter_b73ff289	Windows	This strike sends a polymorphic malware sample known as BlackMatter. BlackMatter is a Ransomware-as-a-Service or RaaS. It has followed in the footsteps of its predecessors DarkSide and REvil with a lot of the same functionality. It can elevate privileges, kill processes, and even steals the victim's details.The binary file has one more imports added in the import table.	b73ff289f910386f378a9b0a86b82fe9	https://news.sophos.com/en-us/2021/08/09/blackmatter-ransomware-emerges-from-the-shadow-of-darkside/ SHA256: 2137b44db4676a8a9ccf838bb415cff759bfde9a116f894c99b72b9c7ad99779 https://arxiv.org/abs/1702.05983 PARENTID: M21-do2n1 SSDEEP: 1536:RzICS4AT6GxdEe+TOdincJXvKvwZg3klyDV:qR7auJXSYZg3CO SHA1: e42e493ca6e748ef4ea9f3548575a4be779ddcef MD5: b73ff289f910386f378a9b0a86b82fe9
M21-zsjp1	BlackMatter_9d047a42	Windows	This strike sends a polymorphic malware sample known as BlackMatter. BlackMatter is a Ransomware-as-a-Service or RaaS. It has followed in the footsteps of its predecessors DarkSide and REvil with a lot of the same functionality. It can elevate privileges, kill processes, and even steals the victim's details.The binary has random bytes appended at the end of the file.	9d047a4230a677be7daf5268a075d7e2	https://news.sophos.com/en-us/2021/08/09/blackmatter-ransomware-emerges-from-the-shadow-of-darkside/ SHA256: 9e2f23be87942756483bec3d374f6405dc77cb2f458e3f4d9439ac5e603dd15d https://attack.mitre.org/techniques/T1009/ PARENTID: M21-73ke1 SSDEEP: 1536:yICS4AgxwhjEO3r825exqkHYnKeGsXqsMtn:R2SN3mxYnKr5 SHA1: f9ebc7f793d5ae05f058274ca1d993d03e968e5f MD5: 9d047a4230a677be7daf5268a075d7e2
M21-52731	Qakbot_3f7f4d66	Windows	This strike sends a malware sample known as Qakbot. Qakbot, aka Qbot, has been around for since at least 2008. Qbot primarily targets sensitive information like banking credentials but can also steal FTP credentials and spread across a network using SMB.	3f7f4d669ff9f912a8bceafc89f2b924	https://blog.talosintelligence.com/2021/08/threat-roundup-0806-0813.html SHA256: 03fe14caddbd6902e265a566efcbeacda1a413065a98b66b4e74fa59cea083e4 SHA1: 0ffd77b60f25c3324e79c1772615370c773c8b55 MD5: 3f7f4d669ff9f912a8bceafc89f2b924
M21-mvvm1	Qakbot_a896b96a	Windows	This strike sends a malware sample known as Qakbot. Qakbot, aka Qbot, has been around for since at least 2008. Qbot primarily targets sensitive information like banking credentials but can also steal FTP credentials and spread across a network using SMB.	a896b96a31d0ece9e401e1d77b7d6567	https://blog.talosintelligence.com/2021/08/threat-roundup-0806-0813.html SHA256: 1502723beda5c3fc95c3532d89ee16bdd3ad5ead9f323ee48be4d653474110bc SHA1: ca8bf9a73c90dbbbb8a202d7361327245b1554df MD5: a896b96a31d0ece9e401e1d77b7d6567
M21-ienp1	Ramnit_68464084	Windows	This strike sends a malware sample known as Ramnit. Ramnit is a banking trojan that has been around since 2010 and has recently been resuming activity. After infection, it scans files that have interesting keywords, such as "wallet", "passwords", or the names of the targeted banks. Ramnit uses malvertising and malware-laden spam for distribution, though it also employed popular exploit kits, such as Angler.	68464084c82fbd09faebcbf040dfc7c4	https://blog.talosintelligence.com/2021/08/threat-roundup-0813-0820.html SHA256: 01b7940f00b1fe720244be50cb1eaa65cf41d91d387b0009d7c3c02332c6d90a SHA1: 6d8c13cd8c7f1e0626e9e574204bc6f8495685c3 MD5: 68464084c82fbd09faebcbf040dfc7c4
M21-taw21	Qakbot_e5a95f5f	Windows	This strike sends a malware sample known as Qakbot. Qakbot, aka Qbot, has been around for since at least 2008. Qbot primarily targets sensitive information like banking credentials but can also steal FTP credentials and spread across a network using SMB.	e5a95f5f45d3afd5f9f3d0f27692def5	https://blog.talosintelligence.com/2021/08/threat-roundup-0806-0813.html SHA256: 3337b985888559a139cd62e925156264e64b8a1a8943bbb08ccb7a8c2684b570 SHA1: e2011d84269cfa7ad06f4808ff5f5988259ff938 MD5: e5a95f5f45d3afd5f9f3d0f27692def5
M21-78tz1	Qakbot_86c75973	Windows	This strike sends a malware sample known as Qakbot. Qakbot, aka Qbot, has been around for since at least 2008. Qbot primarily targets sensitive information like banking credentials but can also steal FTP credentials and spread across a network using SMB.	86c7597356d5b2a7e1c664b83d703efd	https://blog.talosintelligence.com/2021/08/threat-roundup-0806-0813.html SHA256: 0d2aad6da1068580e457b85c1df14497b1f66870c73d9c7b60d387a8ecc587ba SHA1: 187a83576f0e430af77e6e3243c498138d05687e MD5: 86c7597356d5b2a7e1c664b83d703efd
M21-auio1	Haron_af79a121	Windows	This strike sends a malware sample known as Haron. Haron is a ransomware that is being considered a copy or derivative of the Avaddon and Thanos ransomware. It uses the Thanos framework to infect vicitims, which was made open source, and the Avaddon UI which was also leaked.	af79a121a5c315f5a7b8a2180ccbea0f	https://medium.com/s2wlab/quick-analysis-of-haron-ransomware-feat-avaddon-and-thanos-1ebb70f64dc4 SHA256: caf815381680cfa6afedcd7c7af5a5c838788b1c7ec593ce817114a25ab63441 SHA1: 5a1ffabbcb8709c5c29911a4bd09b48a79731968 MD5: af79a121a5c315f5a7b8a2180ccbea0f
M21-cvnq1	Ramnit_bbb2d2c7	Windows	This strike sends a malware sample known as Ramnit. Ramnit is a banking trojan that has been around since 2010 and has recently been resuming activity. After infection, it scans files that have interesting keywords, such as "wallet", "passwords", or the names of the targeted banks. Ramnit uses malvertising and malware-laden spam for distribution, though it also employed popular exploit kits, such as Angler.	bbb2d2c7a02bb20e476ef9ea2483d575	https://blog.talosintelligence.com/2021/08/threat-roundup-0813-0820.html SHA256: 191a8a81de6aee304ac908fccad0c138abccf5baf851714d8e28a3879300500f SHA1: 32921fe5277fd747d68567dc98fcef7b77863c0e MD5: bbb2d2c7a02bb20e476ef9ea2483d575
M21-oouo1	Ramnit_ccbf0c65	Windows	This strike sends a malware sample known as Ramnit. Ramnit is a banking trojan that has been around since 2010 and has recently been resuming activity. After infection, it scans files that have interesting keywords, such as "wallet", "passwords", or the names of the targeted banks. Ramnit uses malvertising and malware-laden spam for distribution, though it also employed popular exploit kits, such as Angler.	ccbf0c6561f9f4cbd092bbcab0455734	https://blog.talosintelligence.com/2021/08/threat-roundup-0813-0820.html SHA256: 03edf7d9493484932879614edd7f0649c8bbcf2a19cef53f602c3f28d92905ab SHA1: 1dcced722886a65bb349c9208d05bdc9fb3de44f MD5: ccbf0c6561f9f4cbd092bbcab0455734
M21-exv21	Ramnit_520c2909	Windows	This strike sends a malware sample known as Ramnit. Ramnit is a banking trojan that has been around since 2010 and has recently been resuming activity. After infection, it scans files that have interesting keywords, such as "wallet", "passwords", or the names of the targeted banks. Ramnit uses malvertising and malware-laden spam for distribution, though it also employed popular exploit kits, such as Angler.	520c2909c35be0ed73fa17fc56f43aa4	https://blog.talosintelligence.com/2021/08/threat-roundup-0813-0820.html SHA256: 5d5d522c80d90a077cedc1701b69bba4a0ec3b5c607de6802143f334a448d3c8 SHA1: b1609b7be37aee877cc110073a0278eec6bcb3f8 MD5: 520c2909c35be0ed73fa17fc56f43aa4
M21-lmo31	Qakbot_b6f8b13c	Windows	This strike sends a malware sample known as Qakbot. Qakbot, aka Qbot, has been around for since at least 2008. Qbot primarily targets sensitive information like banking credentials but can also steal FTP credentials and spread across a network using SMB.	b6f8b13c020450d5218ed523754b1b56	https://blog.talosintelligence.com/2021/08/threat-roundup-0806-0813.html SHA256: 2c4541a8d520b195f8dda3f731584e6391f714e2c4b01f4f97523728511dfb5c SHA1: 4d0345630121c30d7536fcb1ae8ffebb3d8f1e1e MD5: b6f8b13c020450d5218ed523754b1b56
M21-3qpg1	BlackMatter_50c49700	Windows	This strike sends a malware sample known as BlackMatter. BlackMatter is a Ransomware-as-a-Service or RaaS. It has followed in the footsteps of its predecessors DarkSide and REvil with a lot of the same functionality. It can elevate privileges, kill processes, and even steals the victim's details.	50c4970003a84cab1bf2634631fe39d7	https://news.sophos.com/en-us/2021/08/09/blackmatter-ransomware-emerges-from-the-shadow-of-darkside/ SHA256: 520bd9ed608c668810971dbd51184c6a29819674280b018dc4027bc38fc42e57 SHA1: 721a749cbd6afcd765e07902c17d5ab949b04e4a MD5: 50c4970003a84cab1bf2634631fe39d7
M21-2x1j1	BlackMatter_48f3e009	Windows	This strike sends a polymorphic malware sample known as BlackMatter. BlackMatter is a Ransomware-as-a-Service or RaaS. It has followed in the footsteps of its predecessors DarkSide and REvil with a lot of the same functionality. It can elevate privileges, kill processes, and even steals the victim's details.The binary has random contents appended in one of the existing sections in the PE file format.	48f3e0096689e5b981a7494f9373c466	https://news.sophos.com/en-us/2021/08/09/blackmatter-ransomware-emerges-from-the-shadow-of-darkside/ SHA256: a5ba6d746e383918f8e9177e0de823e843295fc52612679ed7aa31ef624dabfa https://arxiv.org/abs/1801.08917 PARENTID: M21-do2n1 SSDEEP: 1536:RzICS4AT6GxdEe+TOdincJXvKv8ZgXkl/:qR7auJXSkZgXC/ SHA1: 6cebe28f484bbc42da23e0051cf0cd1c5cfbdaff MD5: 48f3e0096689e5b981a7494f9373c466
M21-03o11	BlackMatter_687e5999	Windows	This strike sends a polymorphic malware sample known as BlackMatter. BlackMatter is a Ransomware-as-a-Service or RaaS. It has followed in the footsteps of its predecessors DarkSide and REvil with a lot of the same functionality. It can elevate privileges, kill processes, and even steals the victim's details.The binary has a random section name renamed according to the PE format specification.	687e599972236164dbcbd1c229d27087	https://news.sophos.com/en-us/2021/08/09/blackmatter-ransomware-emerges-from-the-shadow-of-darkside/ SHA256: b91a54d32e5f4625c25d1e0c2f24a9bab29140cad871a44a04ebb9f50c11b4a0 https://arxiv.org/abs/1801.08917 PARENTID: M21-73ke1 SSDEEP: 1536:2ICS4AgxwhjEO3r825exqkHYnKeGsXqsMt:92SN3mxYnKr SHA1: 1dbace88ee6dc7d55657e3ce2dd0149a8263697e MD5: 687e599972236164dbcbd1c229d27087
M21-agjt1	BlackMatter_4c146e1f	Windows	This strike sends a polymorphic malware sample known as BlackMatter. BlackMatter is a Ransomware-as-a-Service or RaaS. It has followed in the footsteps of its predecessors DarkSide and REvil with a lot of the same functionality. It can elevate privileges, kill processes, and even steals the victim's details.The binary has the debug flag removed in the PE file format.	4c146e1f99bbdc09ef5fcc8780b5b844	https://news.sophos.com/en-us/2021/08/09/blackmatter-ransomware-emerges-from-the-shadow-of-darkside/ SHA256: 984192ecd4ddbbf484f7d26c4b63db9c79b1d0c2e08d969133ebea61f9a58491 https://arxiv.org/abs/1801.08917 PARENTID: M21-mfzl1 SSDEEP: 1536:1zICS4AT6GxdEe+TOdincJXvKv8Zg3kl:WR7auJXSkZg3C SHA1: c31affeb0609eba44ef0af3983fd29293959a3da MD5: 4c146e1f99bbdc09ef5fcc8780b5b844
M21-ga7a1	DarkComet_71be9b56	Windows	This strike sends a malware sample known as DarkComet. DarkComet and related variants are a family of remote access trojans designed to provide an attacker with control over an infected system.	71be9b56b5d518b855fefbd3514bbc09	https://blog.talosintelligence.com/2021/08/threat-roundup-0806-0813.html SHA256: 001276dd30093a56534c93cf39335eb23943ab0b532c9ab4bfac250485355b8e SHA1: 470a908d399dae1af0768726b3091e931b2f2470 MD5: 71be9b56b5d518b855fefbd3514bbc09
M21-60ge1	Ramnit_cf99487a	Windows	This strike sends a malware sample known as Ramnit. Ramnit is a banking trojan that has been around since 2010 and has recently been resuming activity. After infection, it scans files that have interesting keywords, such as "wallet", "passwords", or the names of the targeted banks. Ramnit uses malvertising and malware-laden spam for distribution, though it also employed popular exploit kits, such as Angler.	cf99487abb258b230c1ff2b484a6161a	https://blog.talosintelligence.com/2021/08/threat-roundup-0813-0820.html SHA256: 604724f5db4975c1aa1eb88eaf1931e674a506b7da0e29f10344b8bb7ce7c15c SHA1: 8ed68926fd12bd3f4e4efd1ffeb156109b26dbb2 MD5: cf99487abb258b230c1ff2b484a6161a
M21-2oar1	Ramnit_5e135573	Windows	This strike sends a malware sample known as Ramnit. Ramnit is a banking trojan that has been around since 2010 and has recently been resuming activity. After infection, it scans files that have interesting keywords, such as "wallet", "passwords", or the names of the targeted banks. Ramnit uses malvertising and malware-laden spam for distribution, though it also employed popular exploit kits, such as Angler.	5e13557300fce99cd3f4176946f55461	https://blog.talosintelligence.com/2021/08/threat-roundup-0813-0820.html SHA256: ff7ca617a730a8d1f245142054b09a76341dc6b543a239ff7e1d3be28287d902 SHA1: dac07404d30a5736072c5fa76e7e1777f3de95b5 MD5: 5e13557300fce99cd3f4176946f55461
M21-gskn1	DarkComet_eab4cfa5	Windows	This strike sends a malware sample known as DarkComet. DarkComet and related variants are a family of remote access trojans designed to provide an attacker with control over an infected system.	eab4cfa5c8a4af29ee1727f9814dc806	https://blog.talosintelligence.com/2021/08/threat-roundup-0806-0813.html SHA256: 4bff08590e863279e04681f752fac6770a3863b7000e8a49c0e9c9e1fd3c1863 SHA1: bd5dfec9e308d9bb5345cfcea54850e3d46a6da3 MD5: eab4cfa5c8a4af29ee1727f9814dc806
M21-m3q21	Ramnit_04cbcba0	Windows	This strike sends a malware sample known as Ramnit. Ramnit is a banking trojan that has been around since 2010 and has recently been resuming activity. After infection, it scans files that have interesting keywords, such as "wallet", "passwords", or the names of the targeted banks. Ramnit uses malvertising and malware-laden spam for distribution, though it also employed popular exploit kits, such as Angler.	04cbcba0a0651a66cdcca68366862617	https://blog.talosintelligence.com/2021/08/threat-roundup-0813-0820.html SHA256: 5b2ca117e7bfddd8863b6a61520433488e50155db71f9c681f174819ff975034 SHA1: bcbb4198cb7eb1f453b88acde49b3d50f86cc98d MD5: 04cbcba0a0651a66cdcca68366862617
M21-2pw31	BlackMatter_ba375d06	Windows	This strike sends a malware sample known as BlackMatter. BlackMatter is a Ransomware-as-a-Service or RaaS. It has followed in the footsteps of its predecessors DarkSide and REvil with a lot of the same functionality. It can elevate privileges, kill processes, and even steals the victim's details.	ba375d0625001102fc1f2ccb6f582d91	https://news.sophos.com/en-us/2021/08/09/blackmatter-ransomware-emerges-from-the-shadow-of-darkside/ SHA256: c6e2ef30a86baa670590bd21acf5b91822117e0cbe6060060bc5fe0182dace99 SHA1: 379ebd1eff6f8685f4ff72657626bf6df5383d87 MD5: ba375d0625001102fc1f2ccb6f582d91
M21-tnzs1	Trickbot_22409c5a	Windows	This strike sends a malware sample known as Trickbot. Trickbot is a banking trojan targeting sensitive information for select financial institutions. This malware is frequently distributed through malicious spam campaigns. Many of these campaigns rely on downloaders for distribution, such as VB Scripts.	22409c5a370a8bb00faace48c76f67fb	https://blog.talosintelligence.com/2021/08/threat-roundup-0730-0806.html SHA256: 27acdc8a6518e083365a5cebd518a98f5755fb2a4b588257b3f052ed3aca2b47 SHA1: ff65f20a80b425ed1e773629a9738dd277c778e4 MD5: 22409c5a370a8bb00faace48c76f67fb
M21-0bby1	DarkComet_eda137e5	Windows	This strike sends a malware sample known as DarkComet. DarkComet and related variants are a family of remote access trojans designed to provide an attacker with control over an infected system.	eda137e5ecbae3a6e14adc9266ccf038	https://blog.talosintelligence.com/2021/08/threat-roundup-0806-0813.html SHA256: 1845ebdef56daeb7edebc6677864436a036d3b043b7e1923b75c65594d4345a9 SHA1: 7922c27a57c22667d03eb0aa1c62075b1c1d64b6 MD5: eda137e5ecbae3a6e14adc9266ccf038
M21-xntt1	Thanos_e01e11dc	Windows	This strike sends a malware sample known as Thanos. Thanos ransomware offers the user the option to customize and include a variety of functions and capabilities. The Thanos builder code was recently made available and many variants have started to surface with its framework at the core. This version of Thanos includes the ability to overwrite the MBR and display the same ransom message, as well as the ability to detect and evade analysis tools.	e01e11dca5e8b08fc8231b1cb6e2048c	https://unit42.paloaltonetworks.com/thanos-ransomware/ SHA256: 58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f SHA1: 4983d07f004436caa3f10b38adacbba6a4ede01a MD5: e01e11dca5e8b08fc8231b1cb6e2048c
M21-b4tj1	Trickbot_12b50245	Windows	This strike sends a malware sample known as Trickbot. Trickbot is a banking trojan targeting sensitive information for select financial institutions. This malware is frequently distributed through malicious spam campaigns. Many of these campaigns rely on downloaders for distribution, such as VB Scripts.	12b5024549eb5412d5211cf9848b1bfb	https://blog.talosintelligence.com/2021/08/threat-roundup-0730-0806.html SHA256: 14c0fd429ed69daddb8b66b41cc4d1630f7dbf5951b52ab1ced2289449fa1b55 SHA1: 2957f592cebf00ce6fc41cddaa2edad4f6314e3a MD5: 12b5024549eb5412d5211cf9848b1bfb
M21-3ft71	Trickbot_68037c38	Windows	This strike sends a malware sample known as Trickbot. Trickbot is a banking trojan targeting sensitive information for select financial institutions. This malware is frequently distributed through malicious spam campaigns. Many of these campaigns rely on downloaders for distribution, such as VB Scripts.	68037c38f6b16cdf60c8c2b0d29bfeab	https://blog.talosintelligence.com/2021/08/threat-roundup-0730-0806.html SHA256: 284b939dbd6258063b3a4d43911635e28926667947435a9697b93661417884e8 SHA1: 2814f8f46f27626301f34204d57df0c0d528a843 MD5: 68037c38f6b16cdf60c8c2b0d29bfeab
M21-hhwg1	Ramnit_f457f41a	Windows	This strike sends a malware sample known as Ramnit. Ramnit is a banking trojan that has been around since 2010 and has recently been resuming activity. After infection, it scans files that have interesting keywords, such as "wallet", "passwords", or the names of the targeted banks. Ramnit uses malvertising and malware-laden spam for distribution, though it also employed popular exploit kits, such as Angler.	f457f41a6bd5a0a1e4608c8a097d6a43	https://blog.talosintelligence.com/2021/08/threat-roundup-0813-0820.html SHA256: 731fc49dabea5962c6a00ef142a75a507415e2aae14d426e063f9e53a60355ca SHA1: 35c5df0b662cf6093c5a2891f9e27e31728a09a6 MD5: f457f41a6bd5a0a1e4608c8a097d6a43
M21-73ke1	BlackMatter_1dd464cb	Windows	This strike sends a malware sample known as BlackMatter. BlackMatter is a Ransomware-as-a-Service or RaaS. It has followed in the footsteps of its predecessors DarkSide and REvil with a lot of the same functionality. It can elevate privileges, kill processes, and even steals the victim's details.	1dd464cbb3fbd6881eef3f05b8b1fbd5	https://news.sophos.com/en-us/2021/08/09/blackmatter-ransomware-emerges-from-the-shadow-of-darkside/ SHA256: b824bbc645f15e213b4cb2628f7d383e9e37282059b03f6fe60f7c84ea1fed1f SHA1: cafd8d20f2abaebbbfc367b4b4512107362f3758 MD5: 1dd464cbb3fbd6881eef3f05b8b1fbd5
M21-6n8o1	BlackMatter_c5ef4711	Windows	This strike sends a polymorphic malware sample known as BlackMatter. BlackMatter is a Ransomware-as-a-Service or RaaS. It has followed in the footsteps of its predecessors DarkSide and REvil with a lot of the same functionality. It can elevate privileges, kill processes, and even steals the victim's details.The binary has been packed using upx packer, with the default options.	c5ef4711b1b6303b622a8c73f4704430	https://news.sophos.com/en-us/2021/08/09/blackmatter-ransomware-emerges-from-the-shadow-of-darkside/ SHA256: 5864517605fcaa6416bd2a4241b9f3a2b96c12a35f320859a95dabd9caaefbc6 https://attack.mitre.org/techniques/T1045/ PARENTID: M21-73ke1 SSDEEP: 768:9Esd1Xkoqgm1lGG9MsmWpIowIx0Uko82MrKdzW5F8hMoZQUJkwjbP+9:BB8JlGUMlBho82RE38/ZQdub SHA1: 1be04991c3d57c641fd1e40e7ae37f12f744d744 MD5: c5ef4711b1b6303b622a8c73f4704430
M21-rp6e1	Thanos_d6d95626	Windows	This strike sends a malware sample known as Thanos. Thanos ransomware offers the user the option to customize and include a variety of functions and capabilities. The Thanos builder code was recently made available and many variants have started to surface with its framework at the core. This version of Thanos includes the ability to overwrite the MBR and display the same ransom message, as well as the ability to detect and evade analysis tools.	d6d956267a268c9dcf48445629d2803e	https://unit42.paloaltonetworks.com/thanos-ransomware/ SHA256: c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850 SHA1: cc0feae505dad9c140dd21d1b40b518d8e61b3a4 MD5: d6d956267a268c9dcf48445629d2803e
M21-gscf1	Ramnit_3eb1a18b	Windows	This strike sends a malware sample known as Ramnit. Ramnit is a banking trojan that has been around since 2010 and has recently been resuming activity. After infection, it scans files that have interesting keywords, such as "wallet", "passwords", or the names of the targeted banks. Ramnit uses malvertising and malware-laden spam for distribution, though it also employed popular exploit kits, such as Angler.	3eb1a18b4c1516e434c54d6ef8a151cc	https://blog.talosintelligence.com/2021/08/threat-roundup-0813-0820.html SHA256: 021dc00f29097bae2e878dadd5aef152f6deb540b0cc7220cc61e9f782990f23 SHA1: 581ffa02cee0ed85800d7437b4c23a97c7bd087a MD5: 3eb1a18b4c1516e434c54d6ef8a151cc
M21-2hr11	Trickbot_ea8ace01	Windows	This strike sends a malware sample known as Trickbot. Trickbot is a banking trojan targeting sensitive information for select financial institutions. This malware is frequently distributed through malicious spam campaigns. Many of these campaigns rely on downloaders for distribution, such as VB Scripts.	ea8ace0142ab9a30a140134d558a43df	https://blog.talosintelligence.com/2021/08/threat-roundup-0730-0806.html SHA256: 14c64c9047b71fce74225216653b3491861d8f9274afa3519ae1976f2b8d76a0 SHA1: 952e147614595fc84fdf68a3a65eaf1c1698b013 MD5: ea8ace0142ab9a30a140134d558a43df
M21-w90c1	Trickbot_b638dabc	Windows	This strike sends a malware sample known as Trickbot. Trickbot is a banking trojan targeting sensitive information for select financial institutions. This malware is frequently distributed through malicious spam campaigns. Many of these campaigns rely on downloaders for distribution, such as VB Scripts.	b638dabcf64b3233ea43318c981c536b	https://blog.talosintelligence.com/2021/08/threat-roundup-0730-0806.html SHA256: 1afc3ee244bda23d65c3495c30a3ebad2b7a716f6eb62bc02b6ac036082af227 SHA1: 5e3ec28c9c57af4defc98db4384d3c9517d340ae MD5: b638dabcf64b3233ea43318c981c536b
M21-he5b1	BlackMatter_1019e015	Windows	This strike sends a polymorphic malware sample known as BlackMatter. BlackMatter is a Ransomware-as-a-Service or RaaS. It has followed in the footsteps of its predecessors DarkSide and REvil with a lot of the same functionality. It can elevate privileges, kill processes, and even steals the victim's details.The binary has the checksum removed in the PE file format.	1019e0151d6c55eeecf06443fa6197c7	https://news.sophos.com/en-us/2021/08/09/blackmatter-ransomware-emerges-from-the-shadow-of-darkside/ SHA256: 84af3f15701d259f3729d83beb15ca738028432c261353d1f9242469d791714f https://arxiv.org/abs/1801.08917 PARENTID: M21-mfzl1 SSDEEP: 1536:jzICS4AT6GxdEe+TOdincJXvKv8Zg3kl:8R7auJXSkZg3C SHA1: 369445caaca7ba44bc684f9d9fd7651467ed5167 MD5: 1019e0151d6c55eeecf06443fa6197c7
M21-y6d41	DarkComet_096522f8	Windows	This strike sends a malware sample known as DarkComet. DarkComet and related variants are a family of remote access trojans designed to provide an attacker with control over an infected system.	096522f8c09e14d2e70723bd8d0ecd21	https://blog.talosintelligence.com/2021/08/threat-roundup-0806-0813.html SHA256: 4efae949b98bf76d42f3613a7864e3d70ada3d1b2824149b3a40a07a3654160d SHA1: d746956c2ef6a1756829efdaab0ce3defd519416 MD5: 096522f8c09e14d2e70723bd8d0ecd21
M21-0iu61	Qakbot_40155b0f	Windows	This strike sends a malware sample known as Qakbot. Qakbot, aka Qbot, has been around for since at least 2008. Qbot primarily targets sensitive information like banking credentials but can also steal FTP credentials and spread across a network using SMB.	40155b0fba5d52eb6c3dc9b1164e6404	https://blog.talosintelligence.com/2021/08/threat-roundup-0806-0813.html SHA256: 20d724fc562fa14b107c292020f6d03cb3c958d90a79ce3476e3f877f46ea0e8 SHA1: 5b11840b071e4e69a021d10a8349b9c60768094f MD5: 40155b0fba5d52eb6c3dc9b1164e6404
M21-2vcp1	BlackMatter_b492d118	Windows	This strike sends a polymorphic malware sample known as BlackMatter. BlackMatter is a Ransomware-as-a-Service or RaaS. It has followed in the footsteps of its predecessors DarkSide and REvil with a lot of the same functionality. It can elevate privileges, kill processes, and even steals the victim's details.The binary has random bytes appended at the end of the file.	b492d118edc1f091d3371012c2463e57	https://news.sophos.com/en-us/2021/08/09/blackmatter-ransomware-emerges-from-the-shadow-of-darkside/ SHA256: bd2b55ffb7c8a10662e0946d3f0124294b421b2eafb82fd4f13dab95de6ae385 https://attack.mitre.org/techniques/T1009/ PARENTID: M21-mfzl1 SSDEEP: 1536:RzICS4AT6GxdEe+TOdincJXvKv8Zg3kl1:qR7auJXSkZg3C1 SHA1: 52a17b1a3525365b6c84b6f28b42d9df20c68d41 MD5: b492d118edc1f091d3371012c2463e57
M21-51dw1	Thanos_1d45efc7	Windows	This strike sends a polymorphic malware sample known as Thanos. Thanos ransomware offers the user the option to customize and include a variety of functions and capabilities. The Thanos builder code was recently made available and many variants have started to surface with its framework at the core. This version of Thanos includes the ability to overwrite the MBR and display the same ransom message, as well as the ability to detect and evade analysis tools.The binary has random strings (lorem ipsum) appended at the end of the file.	1d45efc7078b10c28a1d606053d066af	https://unit42.paloaltonetworks.com/thanos-ransomware/ SHA256: 36f584b8d76e4ddb40b3af735b9fc275783d7e0f27e1f238b9642cc23081eb77 https://attack.mitre.org/techniques/T1009/ PARENTID: M21-rp6e1 SSDEEP: 1536:OXMLuZQG3KJ3QaIH9shR4fZcvr4C9u3MTIdD9mtthd9JovrgmqhtvM4CoLT6QPb4:gMLuZraJ3a0ehcvv9sM+9mtthd0gmWkH SHA1: 846fcbbbbcf1152b1c93dfa6583533b001e5b556 MD5: 1d45efc7078b10c28a1d606053d066af
M21-kwps1	Qakbot_925bb382	Windows	This strike sends a malware sample known as Qakbot. Qakbot, aka Qbot, has been around for since at least 2008. Qbot primarily targets sensitive information like banking credentials but can also steal FTP credentials and spread across a network using SMB.	925bb382d450c773a5585ccdf6f13884	https://blog.talosintelligence.com/2021/08/threat-roundup-0806-0813.html SHA256: 16ad7701d366ef3dab53c0979741279b684f2f94fb52398a788071438921b31d SHA1: 6717f38fc8d211e7c2afa917030f2f1eff91a6d8 MD5: 925bb382d450c773a5585ccdf6f13884
M21-bkdk1	Thanos_18cec1f1	Windows	This strike sends a polymorphic malware sample known as Thanos. Thanos ransomware offers the user the option to customize and include a variety of functions and capabilities. The Thanos builder code was recently made available and many variants have started to surface with its framework at the core. This version of Thanos includes the ability to overwrite the MBR and display the same ransom message, as well as the ability to detect and evade analysis tools.The binary has a random section name renamed according to the PE format specification.	18cec1f15061129aff9fa49bc639dbbe	https://unit42.paloaltonetworks.com/thanos-ransomware/ SHA256: 5fc581f02abb01a666d8fb9200ad2d3fa11e9d0f4aaf11e5e26ba0fe463892b4 https://arxiv.org/abs/1801.08917 PARENTID: M21-ogcu1 SSDEEP: 1536:TguHLgeS6umiCp31W4qYXgsLlOqrgB9GpF7LXdarTkCAKL5dsluhtvM4CoLT6QPg:86seqCp31Hgsp9a9GTrda8CAKLTsWkyI SHA1: 497d83dff7465190d640b10e015024d4aeb45c20 MD5: 18cec1f15061129aff9fa49bc639dbbe
M21-vom11	Qakbot_55abb44e	Windows	This strike sends a malware sample known as Qakbot. Qakbot, aka Qbot, has been around for since at least 2008. Qbot primarily targets sensitive information like banking credentials but can also steal FTP credentials and spread across a network using SMB.	55abb44e737b2a7a27b0f424bb5d2ba5	https://blog.talosintelligence.com/2021/08/threat-roundup-0806-0813.html SHA256: 3c4e2eb21f26dee76e957a5c46b0492a43bf4dd53651615b2a84940011257929 SHA1: f403de4fc77e457f3a695dba08dc1376b7cd769c MD5: 55abb44e737b2a7a27b0f424bb5d2ba5
M21-r04g1	Haron_e8f8e4eb	Windows	This strike sends a malware sample known as Haron. Haron is a ransomware that is being considered a copy or derivative of the Avaddon and Thanos ransomware. It uses the Thanos framework to infect vicitims, which was made open source, and the Avaddon UI which was also leaked.	e8f8e4eb0d2c03f0b12fb1cf09932bbd	https://medium.com/s2wlab/quick-analysis-of-haron-ransomware-feat-avaddon-and-thanos-1ebb70f64dc4 SHA256: 81411c9010f2adcb4758bac5ed6128d5a76b24689d477f6ed2c3003fd57e4f3b SHA1: 8ae409a74a209c304233ce6c6f778915fc59264f MD5: e8f8e4eb0d2c03f0b12fb1cf09932bbd
M21-4w111	BlackMatter_cfacfde5	Windows	This strike sends a polymorphic malware sample known as BlackMatter. BlackMatter is a Ransomware-as-a-Service or RaaS. It has followed in the footsteps of its predecessors DarkSide and REvil with a lot of the same functionality. It can elevate privileges, kill processes, and even steals the victim's details.The binary has the debug flag removed in the PE file format.	cfacfde557d2762c0b7932b03c683b8a	https://news.sophos.com/en-us/2021/08/09/blackmatter-ransomware-emerges-from-the-shadow-of-darkside/ SHA256: e05c2049e12dda3a36a21f6fa2acd3cb532743e61d5d11a2503f3069b38de3be https://arxiv.org/abs/1801.08917 PARENTID: M21-do2n1 SSDEEP: 1536:1zICS4AT6GxdEe+TOdincJXvKv8Zg3kl/:WR7auJXSkZg3C/ SHA1: ca9147e7086940b8520b6c8565d20e7452445bf3 MD5: cfacfde557d2762c0b7932b03c683b8a
M21-oig31	Trickbot_c0f61798	Windows	This strike sends a malware sample known as Trickbot. Trickbot is a banking trojan targeting sensitive information for select financial institutions. This malware is frequently distributed through malicious spam campaigns. Many of these campaigns rely on downloaders for distribution, such as VB Scripts.	c0f6179824cdd74331aa36aea17315a3	https://blog.talosintelligence.com/2021/08/threat-roundup-0730-0806.html SHA256: 19e74a92942859c1f9d23cf1a924d5232663226e44a64f90712f6d7653d03f25 SHA1: 413cf8a13c6ca782a827dbf51d655e236ed1827e MD5: c0f6179824cdd74331aa36aea17315a3
M21-67v01	BlackMatter_3317daac	Windows	This strike sends a malware sample known as BlackMatter. BlackMatter is a Ransomware-as-a-Service or RaaS. It has followed in the footsteps of its predecessors DarkSide and REvil with a lot of the same functionality. It can elevate privileges, kill processes, and even steals the victim's details.	3317daace715dc332622d883091cf68b	https://news.sophos.com/en-us/2021/08/09/blackmatter-ransomware-emerges-from-the-shadow-of-darkside/ SHA256: e4fd947a781611c85ea2e5afa51b186de7f351026c28eb067ad70028acd72cda SHA1: 02fa74523198ebc1db490bdc6f10a78a44c4e28b MD5: 3317daace715dc332622d883091cf68b
M21-wlko1	Haron_dedad693	Windows	This strike sends a malware sample known as Haron. Haron is a ransomware that is being considered a copy or derivative of the Avaddon and Thanos ransomware. It uses the Thanos framework to infect vicitims, which was made open source, and the Avaddon UI which was also leaked.	dedad693898bba0e4964e6c9a749d380	https://medium.com/s2wlab/quick-analysis-of-haron-ransomware-feat-avaddon-and-thanos-1ebb70f64dc4 SHA256: 6e6b78a1df17d6718daa857827a2a364b7627d9bfd6672406ad72b276014209c SHA1: 0475d9d3485583090f00b1c37450771ccd0df00e MD5: dedad693898bba0e4964e6c9a749d380
M21-4x901	Qakbot_70011104	Windows	This strike sends a malware sample known as Qakbot. Qakbot, aka Qbot, has been around for since at least 2008. Qbot primarily targets sensitive information like banking credentials but can also steal FTP credentials and spread across a network using SMB.	70011104f678ba095188b3975d29aa6b	https://blog.talosintelligence.com/2021/08/threat-roundup-0806-0813.html SHA256: 3136bf60107ecc6bcf659edd6e60cf01b3228fc7098a4bf2acf7d5a250ac3f29 SHA1: 591a90474b8bfae7ddd33cf9620b827f7f13a876 MD5: 70011104f678ba095188b3975d29aa6b
M21-xeda1	Qakbot_5b656068	Windows	This strike sends a malware sample known as Qakbot. Qakbot, aka Qbot, has been around for since at least 2008. Qbot primarily targets sensitive information like banking credentials but can also steal FTP credentials and spread across a network using SMB.	5b6560682dbd9b107b0b8d3acb1f6267	https://blog.talosintelligence.com/2021/08/threat-roundup-0806-0813.html SHA256: 40934bae7c322b0d6ae26a5a90dc17ad28f5d964a9c2032de0243043781c586d SHA1: faee87cf8b22bc93f93f8ce5ec9edd19fea9b8ea MD5: 5b6560682dbd9b107b0b8d3acb1f6267
M21-3ary1	Ramnit_b4a403f5	Windows	This strike sends a malware sample known as Ramnit. Ramnit is a banking trojan that has been around since 2010 and has recently been resuming activity. After infection, it scans files that have interesting keywords, such as "wallet", "passwords", or the names of the targeted banks. Ramnit uses malvertising and malware-laden spam for distribution, though it also employed popular exploit kits, such as Angler.	b4a403f53da0d72524dd7600b7d68dca	https://blog.talosintelligence.com/2021/08/threat-roundup-0813-0820.html SHA256: 70c417fcdd20459484733bc71379e11b17dbea93b4848e1a990dc68e928c04ce SHA1: 8b2906600c9c5e692ee1fbab39c7d816c008a4f6 MD5: b4a403f53da0d72524dd7600b7d68dca
M21-3h6h1	BlackMatter_bff66be9	Windows	This strike sends a polymorphic malware sample known as BlackMatter. BlackMatter is a Ransomware-as-a-Service or RaaS. It has followed in the footsteps of its predecessors DarkSide and REvil with a lot of the same functionality. It can elevate privileges, kill processes, and even steals the victim's details.The binary has a random section name renamed according to the PE format specification.	bff66be9812f514e2ba8bd00746ef5cf	https://news.sophos.com/en-us/2021/08/09/blackmatter-ransomware-emerges-from-the-shadow-of-darkside/ SHA256: 9bb22043e0551eaaa84efc99d21c0da1732d12f153104c72ccdbe0975d344d91 https://arxiv.org/abs/1801.08917 PARENTID: M21-do2n1 SSDEEP: 1536:MzICS4AT6GxdEe+TOdincJXvKv8Zg3kl/:jR7auJXSkZg3C/ SHA1: a69a48bd9004440b3bd9103424687da259b4e361 MD5: bff66be9812f514e2ba8bd00746ef5cf
M21-59y61	DarkComet_0024d4df	Windows	This strike sends a malware sample known as DarkComet. DarkComet and related variants are a family of remote access trojans designed to provide an attacker with control over an infected system.	0024d4df650a7d03dae83d24097cfa10	https://blog.talosintelligence.com/2021/08/threat-roundup-0806-0813.html SHA256: 445d9223cdc386994df6089ab69340c195b06125cf30b9424d44c0eb24b0d502 SHA1: b3cce32d5fcdcbc1d1b8413877a8d6a1a986ec86 MD5: 0024d4df650a7d03dae83d24097cfa10
M21-np1r1	Trickbot_b1313c41	Windows	This strike sends a malware sample known as Trickbot. Trickbot is a banking trojan targeting sensitive information for select financial institutions. This malware is frequently distributed through malicious spam campaigns. Many of these campaigns rely on downloaders for distribution, such as VB Scripts.	b1313c41c879457c5c15bfefcce64f66	https://blog.talosintelligence.com/2021/08/threat-roundup-0730-0806.html SHA256: 057ffc3a33d129bbb509f49bbff396c750f0a5186b30633fee9b05ac544a1a52 SHA1: b5e428ca952f590db676494799584e81be8b0a63 MD5: b1313c41c879457c5c15bfefcce64f66
M21-xdp41	Trickbot_11975ca9	Windows	This strike sends a malware sample known as Trickbot. Trickbot is a banking trojan targeting sensitive information for select financial institutions. This malware is frequently distributed through malicious spam campaigns. Many of these campaigns rely on downloaders for distribution, such as VB Scripts.	11975ca9e9ebb3f66129e59d490fc257	https://blog.talosintelligence.com/2021/08/threat-roundup-0730-0806.html SHA256: 02dd2fe1cd74b60e822ae700a1c4be45139a6aa88a5f81ce5e9a6644d6b2d2d8 SHA1: ff090427e7118382924b765e0ef1605b5b2ea8ee MD5: 11975ca9e9ebb3f66129e59d490fc257
M21-s87e1	Haron_04ef9ed3	Windows	This strike sends a malware sample known as Haron. Haron is a ransomware that is being considered a copy or derivative of the Avaddon and Thanos ransomware. It uses the Thanos framework to infect vicitims, which was made open source, and the Avaddon UI which was also leaked.	04ef9ed3902dadccabb678c9dad53f19	https://medium.com/s2wlab/quick-analysis-of-haron-ransomware-feat-avaddon-and-thanos-1ebb70f64dc4 SHA256: cbdb04d23e395b270e16d7ca81cc6b734039fa069932989d4e4f4d4d266df28b SHA1: 39e30adae70f605e09db5c5a359a53e4e6f3a14a MD5: 04ef9ed3902dadccabb678c9dad53f19
M21-j7tl1	Thanos_03b76a51	Windows	This strike sends a malware sample known as Thanos. Thanos ransomware offers the user the option to customize and include a variety of functions and capabilities. The Thanos builder code was recently made available and many variants have started to surface with its framework at the core. This version of Thanos includes the ability to overwrite the MBR and display the same ransom message, as well as the ability to detect and evade analysis tools.	03b76a5130d0df8134a6bdea7fe97bcd	https://unit42.paloaltonetworks.com/thanos-ransomware/ SHA256: ae66e009e16f0fad3b70ad20801f48f2edb904fa5341a89e126a26fd3fc80f75 SHA1: 60053d661ed03cd2a07f6750532e6ef11abcc4e5 MD5: 03b76a5130d0df8134a6bdea7fe97bcd
M21-5e5r1	Ramnit_b3632d95	Windows	This strike sends a malware sample known as Ramnit. Ramnit is a banking trojan that has been around since 2010 and has recently been resuming activity. After infection, it scans files that have interesting keywords, such as "wallet", "passwords", or the names of the targeted banks. Ramnit uses malvertising and malware-laden spam for distribution, though it also employed popular exploit kits, such as Angler.	b3632d958616bac3b775d19f3347f6cd	https://blog.talosintelligence.com/2021/08/threat-roundup-0813-0820.html SHA256: 888368daa079dad1ba47d59f2ef8d7a5f9352f09004e59aea1e3c1118b72c524 SHA1: fdd23efa8685d25ace96387d793a1822681f4c3b MD5: b3632d958616bac3b775d19f3347f6cd
M21-vpb91	BlackMatter_b5c9d7c1	Windows	This strike sends a polymorphic malware sample known as BlackMatter. BlackMatter is a Ransomware-as-a-Service or RaaS. It has followed in the footsteps of its predecessors DarkSide and REvil with a lot of the same functionality. It can elevate privileges, kill processes, and even steals the victim's details.The binary has a random section name renamed according to the PE format specification.	b5c9d7c157a3fffd0cab340313f1c5ec	https://news.sophos.com/en-us/2021/08/09/blackmatter-ransomware-emerges-from-the-shadow-of-darkside/ SHA256: da9d5213bc40b956f306b161eaa859b09bd9fe88101ee5d27503d9656337a4d7 https://arxiv.org/abs/1801.08917 PARENTID: M21-mfzl1 SSDEEP: 1536:tzICS4AT6GxdEe+TOdincJXvKv8Zg3kl:+R7auJXSkZg3C SHA1: e7e1080eaaafc88cdc21f11e2e32283875b3aa01 MD5: b5c9d7c157a3fffd0cab340313f1c5ec
M21-jcvm1	DarkComet_6d0ab127	Windows	This strike sends a malware sample known as DarkComet. DarkComet and related variants are a family of remote access trojans designed to provide an attacker with control over an infected system.	6d0ab12741204e06e5b8ddcf1ebd4e76	https://blog.talosintelligence.com/2021/08/threat-roundup-0806-0813.html SHA256: 0063112e85dfaf4331c73ad5a73856cfa5a29911ef8d80c12250a874f60c48ba SHA1: 3288c15f4dafb1732150eb28e976d76dc7a5d122 MD5: 6d0ab12741204e06e5b8ddcf1ebd4e76
M21-ds931	BlackMatter_61d0a6a7	Windows	This strike sends a polymorphic malware sample known as BlackMatter. BlackMatter is a Ransomware-as-a-Service or RaaS. It has followed in the footsteps of its predecessors DarkSide and REvil with a lot of the same functionality. It can elevate privileges, kill processes, and even steals the victim's details.The binary has been packed using upx packer, with the default options.	61d0a6a753435fdae8993473c083b872	https://news.sophos.com/en-us/2021/08/09/blackmatter-ransomware-emerges-from-the-shadow-of-darkside/ SHA256: 83c0a6a905be917cac1c56b0a3688763543acade02ab73882e0f62782a661ebf https://attack.mitre.org/techniques/T1045/ PARENTID: M21-do2n1 SSDEEP: 768:BgwSZTs5PurwdYuWMni9LO7Tl76j/4T+m5CrfR:mPTs5Pur35Mn6S+8Cr5 SHA1: 316d6a6f18272839eacb8a346be986cb8858a3dd MD5: 61d0a6a753435fdae8993473c083b872
M21-do2n1	BlackMatter_d0512f20	Windows	This strike sends a malware sample known as BlackMatter. BlackMatter is a Ransomware-as-a-Service or RaaS. It has followed in the footsteps of its predecessors DarkSide and REvil with a lot of the same functionality. It can elevate privileges, kill processes, and even steals the victim's details.	d0512f2063cbd79fb0f770817cc81ab3	https://news.sophos.com/en-us/2021/08/09/blackmatter-ransomware-emerges-from-the-shadow-of-darkside/ SHA256: 7f6dd0ca03f04b64024e86a72a6d7cfab6abccc2173b85896fc4b431990a5984 SHA1: e324a2c8fae0d26b12f00ac859340f8d9945a9c1 MD5: d0512f2063cbd79fb0f770817cc81ab3
M21-fp7f1	DarkComet_e9398ac5	Windows	This strike sends a malware sample known as DarkComet. DarkComet and related variants are a family of remote access trojans designed to provide an attacker with control over an infected system.	e9398ac53c135781e952477e91fbb02c	https://blog.talosintelligence.com/2021/08/threat-roundup-0806-0813.html SHA256: 06cc9a66099e3a7b1cfb87a005501ec3410a280521e02fe39674bf31d4bc4c17 SHA1: 7fbf8fbf093958a5d55a79e03465bffcb0263131 MD5: e9398ac53c135781e952477e91fbb02c
M21-3ba01	Ramnit_c6d47278	Windows	This strike sends a malware sample known as Ramnit. Ramnit is a banking trojan that has been around since 2010 and has recently been resuming activity. After infection, it scans files that have interesting keywords, such as "wallet", "passwords", or the names of the targeted banks. Ramnit uses malvertising and malware-laden spam for distribution, though it also employed popular exploit kits, such as Angler.	c6d472784b73e47ea8af9f50ce45fb58	https://blog.talosintelligence.com/2021/08/threat-roundup-0813-0820.html SHA256: 6788c4a2c0bc6d5f80dc8b5ecb7b37100f6c37d231a389ec906aae784cff529e SHA1: f9ce1342a8b5762c5b2125025a231eac28bbb536 MD5: c6d472784b73e47ea8af9f50ce45fb58
M21-rws11	Trickbot_11364049	Windows	This strike sends a malware sample known as Trickbot. Trickbot is a banking trojan targeting sensitive information for select financial institutions. This malware is frequently distributed through malicious spam campaigns. Many of these campaigns rely on downloaders for distribution, such as VB Scripts.	11364049a6159e255dc03eae0dec6daf	https://blog.talosintelligence.com/2021/08/threat-roundup-0730-0806.html SHA256: 0909cc85312268a10d2705100ea2ed5b95eb7ab5f765e41a3a6eb7e4dc5eeaf0 SHA1: 150c97ce4733f82c4dfa7683c889a6ee50ff4c1e MD5: 11364049a6159e255dc03eae0dec6daf
M21-fio31	Trickbot_69f7682d	Windows	This strike sends a malware sample known as Trickbot. Trickbot is a banking trojan targeting sensitive information for select financial institutions. This malware is frequently distributed through malicious spam campaigns. Many of these campaigns rely on downloaders for distribution, such as VB Scripts.	69f7682d754f01aecd9658f57f8670d0	https://blog.talosintelligence.com/2021/08/threat-roundup-0730-0806.html SHA256: 0abccd961e1dd93ab520cd88c2e07a7a2ec4e8a6138f7bcd714cd1cd2743be6f SHA1: f4f66df1861350bcbfdbadc2ea3afe9b46c4f259 MD5: 69f7682d754f01aecd9658f57f8670d0
M21-yef71	BlackMatter_3f9a28e8	Linux	This strike sends a malware sample known as BlackMatter. BlackMatter is a Ransomware-as-a-Service or RaaS. It has followed in the footsteps of its predecessors DarkSide and REvil with a lot of the same functionality. It can elevate privileges, kill processes, and even steals the victim's details.	3f9a28e8c057e7ea7ccf15a4db81f362	https://news.sophos.com/en-us/2021/08/09/blackmatter-ransomware-emerges-from-the-shadow-of-darkside/ SHA256: 6a7b7147fea63d77368c73cef205eb75d16ef209a246b05698358a28fd16e502 SHA1: 10d6d3c957facf06098771bf409b9593eea58c75 MD5: 3f9a28e8c057e7ea7ccf15a4db81f362
M21-hg7r1	Haron_6da3c779	Windows	This strike sends a malware sample known as Haron. Haron is a ransomware that is being considered a copy or derivative of the Avaddon and Thanos ransomware. It uses the Thanos framework to infect vicitims, which was made open source, and the Avaddon UI which was also leaked.	6da3c7796bca2f47f11e8711a945cf1d	https://medium.com/s2wlab/quick-analysis-of-haron-ransomware-feat-avaddon-and-thanos-1ebb70f64dc4 SHA256: d29abe6ed086a5508c54df31010c36cc19fea3bdc5d521ee7c0d7063a51bb131 SHA1: e65df27b70ba3206d216a49b43f6beb2095cfe1b MD5: 6da3c7796bca2f47f11e8711a945cf1d
M21-0et61	Qakbot_140712ed	Windows	This strike sends a malware sample known as Qakbot. Qakbot, aka Qbot, has been around for since at least 2008. Qbot primarily targets sensitive information like banking credentials but can also steal FTP credentials and spread across a network using SMB.	140712ed211d973de5a3274608cf28c0	https://blog.talosintelligence.com/2021/08/threat-roundup-0806-0813.html SHA256: 35150a082f7fc90418facbde01f262cee672ae4dfd34b0aae06da95ec064b580 SHA1: 112bb65dbedbe728082bdd8988ca4c9e21a3a38e MD5: 140712ed211d973de5a3274608cf28c0
M21-ogcu1	Thanos_be60e389	Windows	This strike sends a malware sample known as Thanos. Thanos ransomware offers the user the option to customize and include a variety of functions and capabilities. The Thanos builder code was recently made available and many variants have started to surface with its framework at the core. This version of Thanos includes the ability to overwrite the MBR and display the same ransom message, as well as the ability to detect and evade analysis tools.	be60e389a0108b2871dff12dfbb542ac	https://unit42.paloaltonetworks.com/thanos-ransomware/ SHA256: 5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d SHA1: 14b4e0bfac64ec0f837f84ab1780ca7ced8d670d MD5: be60e389a0108b2871dff12dfbb542ac
M21-ef1j1	BlackMatter_9fa3cafb	Windows	This strike sends a polymorphic malware sample known as BlackMatter. BlackMatter is a Ransomware-as-a-Service or RaaS. It has followed in the footsteps of its predecessors DarkSide and REvil with a lot of the same functionality. It can elevate privileges, kill processes, and even steals the victim's details.The binary file has one more imports added in the import table.	9fa3cafbc2f1ded8fe92007408e7625d	https://news.sophos.com/en-us/2021/08/09/blackmatter-ransomware-emerges-from-the-shadow-of-darkside/ SHA256: 6d4406e0636511dcff4e24aac5075e09c576e9198d53f0d1d7aa86b08d033f76 https://arxiv.org/abs/1702.05983 PARENTID: M21-mfzl1 SSDEEP: 1536:xzICS4AT6GxdEe+TOdincJXvKvYZg3kl:KR7auJXSgZg3C SHA1: fcacc83dcf30b91634690ecc1d73d2df591760d7 MD5: 9fa3cafbc2f1ded8fe92007408e7625d
M21-2gx61	Ramnit_0a48bae2	Windows	This strike sends a malware sample known as Ramnit. Ramnit is a banking trojan that has been around since 2010 and has recently been resuming activity. After infection, it scans files that have interesting keywords, such as "wallet", "passwords", or the names of the targeted banks. Ramnit uses malvertising and malware-laden spam for distribution, though it also employed popular exploit kits, such as Angler.	0a48bae2ff4780521936d8b94d3b0ce0	https://blog.talosintelligence.com/2021/08/threat-roundup-0813-0820.html SHA256: 8836d87dec16f04560a0ba2f9ab1423bbedcc69031a7b5d7a11cf4fed024a984 SHA1: 851052f212450b674c34ad78a3f8dcfd490730a6 MD5: 0a48bae2ff4780521936d8b94d3b0ce0
M21-b4y11	Qakbot_e0c23898	Windows	This strike sends a malware sample known as Qakbot. Qakbot, aka Qbot, has been around for since at least 2008. Qbot primarily targets sensitive information like banking credentials but can also steal FTP credentials and spread across a network using SMB.	e0c23898f4acf8a0fae7b430a3891b62	https://blog.talosintelligence.com/2021/08/threat-roundup-0806-0813.html SHA256: 357be50930bd829907a4068b1017b945263a56bc12cc9728977d3c866c9a68a6 SHA1: 08b63275867ae22788bafc5a0ed34b95b1efceb3 MD5: e0c23898f4acf8a0fae7b430a3891b62
M21-ccj91	Qakbot_5c00db17	Windows	This strike sends a malware sample known as Qakbot. Qakbot, aka Qbot, has been around for since at least 2008. Qbot primarily targets sensitive information like banking credentials but can also steal FTP credentials and spread across a network using SMB.	5c00db1760ffd163c86597a1ac93a20b	https://blog.talosintelligence.com/2021/08/threat-roundup-0806-0813.html SHA256: 209b3eeabd048f7cb2c634bf1e7414262ded407ae41b25d00db5db86008aa84f SHA1: 10b05f3ef3ca5703e397584d0df52e0b9fa8c165 MD5: 5c00db1760ffd163c86597a1ac93a20b
M21-wdry1	Ramnit_d475fd84	Windows	This strike sends a malware sample known as Ramnit. Ramnit is a banking trojan that has been around since 2010 and has recently been resuming activity. After infection, it scans files that have interesting keywords, such as "wallet", "passwords", or the names of the targeted banks. Ramnit uses malvertising and malware-laden spam for distribution, though it also employed popular exploit kits, such as Angler.	d475fd848f01340ad4219ff55b6bc52e	https://blog.talosintelligence.com/2021/08/threat-roundup-0813-0820.html SHA256: 42f1e9f830ef80f92e5abd3e2463e01c4bbce62342247c76c0ee4f1d87ec28b5 SHA1: 331767d919e206de45a46fde3c2a6bbb70ff06bd MD5: d475fd848f01340ad4219ff55b6bc52e
M21-cexl1	Trickbot_4813b76a	Windows	This strike sends a malware sample known as Trickbot. Trickbot is a banking trojan targeting sensitive information for select financial institutions. This malware is frequently distributed through malicious spam campaigns. Many of these campaigns rely on downloaders for distribution, such as VB Scripts.	4813b76a9400b62a0acaab0cb5c09bfe	https://blog.talosintelligence.com/2021/08/threat-roundup-0730-0806.html SHA256: 27e3ba58cbb7ab7628e97dab88836edf3525a0137360056fc05e869dac57711a SHA1: f153407ef869810bd869a58b0d2b175d867d545d MD5: 4813b76a9400b62a0acaab0cb5c09bfe
M21-vykk1	Ramnit_3123ff95	Windows	This strike sends a malware sample known as Ramnit. Ramnit is a banking trojan that has been around since 2010 and has recently been resuming activity. After infection, it scans files that have interesting keywords, such as "wallet", "passwords", or the names of the targeted banks. Ramnit uses malvertising and malware-laden spam for distribution, though it also employed popular exploit kits, such as Angler.	3123ff955e554c6ddfaaae2619fbf997	https://blog.talosintelligence.com/2021/08/threat-roundup-0813-0820.html SHA256: 3ca3e6ac1fad0e004643a5512be7282935d6dbe98e088e256846ee6de2c390ce SHA1: 21f2a926592de040280c4557345e1238f033d32e MD5: 3123ff955e554c6ddfaaae2619fbf997
M21-mfzl1	BlackMatter_598c53bf	Windows	This strike sends a malware sample known as BlackMatter. BlackMatter is a Ransomware-as-a-Service or RaaS. It has followed in the footsteps of its predecessors DarkSide and REvil with a lot of the same functionality. It can elevate privileges, kill processes, and even steals the victim's details.	598c53bfef81e489375f09792e487f1a	https://news.sophos.com/en-us/2021/08/09/blackmatter-ransomware-emerges-from-the-shadow-of-darkside/ SHA256: 22d7d67c3af10b1a37f277ebabe2d1eb4fd25afbd6437d4377400e148bcc08d6 SHA1: 80a29bd2c349a8588edf42653ed739054f9a10f5 MD5: 598c53bfef81e489375f09792e487f1a
M21-pf5o1	BlackMatter_da66726c	Windows	This strike sends a polymorphic malware sample known as BlackMatter. BlackMatter is a Ransomware-as-a-Service or RaaS. It has followed in the footsteps of its predecessors DarkSide and REvil with a lot of the same functionality. It can elevate privileges, kill processes, and even steals the victim's details.The binary has random strings (lorem ipsum) appended at the end of the file.	da66726c18cecc87d776623fb1a26344	https://news.sophos.com/en-us/2021/08/09/blackmatter-ransomware-emerges-from-the-shadow-of-darkside/ SHA256: 978b92cde2fae00e5c49f0bd1ffca9f8d35b505bbf1436692979d6e07e243ab6 https://attack.mitre.org/techniques/T1009/ PARENTID: M21-do2n1 SSDEEP: 1536:RzICS4AT6GxdEe+TOdincJXvKv8Zg3kl2:qR7auJXSkZg3C2 SHA1: 9dc8c171793421e9973d8dce9bc63670ca655c6f MD5: da66726c18cecc87d776623fb1a26344
M21-klix1	Qakbot_672e642a	Windows	This strike sends a malware sample known as Qakbot. Qakbot, aka Qbot, has been around for since at least 2008. Qbot primarily targets sensitive information like banking credentials but can also steal FTP credentials and spread across a network using SMB.	672e642af35cac2735e19f1e488be72f	https://blog.talosintelligence.com/2021/08/threat-roundup-0806-0813.html SHA256: 2edf0dabcb16bde79ecddafaaa52644de1229db74ba8e1abf6fe868e8e1c4447 SHA1: aa4bc6c41c710217bfceb2adad5b49482e54a65e MD5: 672e642af35cac2735e19f1e488be72f
M21-go3s1	DarkComet_5de32a2e	Windows	This strike sends a malware sample known as DarkComet. DarkComet and related variants are a family of remote access trojans designed to provide an attacker with control over an infected system.	5de32a2ef97290585b28f4409384251a	https://blog.talosintelligence.com/2021/08/threat-roundup-0806-0813.html SHA256: 0a4acb875e2052335654082e77210a8a30001d2847532ae2a58066efafb37c5e SHA1: b30660ce3aec157199736c9f47d127eef891e976 MD5: 5de32a2ef97290585b28f4409384251a
M21-kusc1	DarkComet_7a7a2615	Windows	This strike sends a malware sample known as DarkComet. DarkComet and related variants are a family of remote access trojans designed to provide an attacker with control over an infected system.	7a7a261530db35879c9c080cc46084de	https://blog.talosintelligence.com/2021/08/threat-roundup-0806-0813.html SHA256: 615453b9561c9c612ae38166917e9a34f67d5012ce0ed946a0eff07dbb9a7ae1 SHA1: 23c16f29432cf04c87a587f8ae8a31633b753308 MD5: 7a7a261530db35879c9c080cc46084de
M21-ehog1	Trickbot_d9ce38bc	Windows	This strike sends a malware sample known as Trickbot. Trickbot is a banking trojan targeting sensitive information for select financial institutions. This malware is frequently distributed through malicious spam campaigns. Many of these campaigns rely on downloaders for distribution, such as VB Scripts.	d9ce38bc0aeac55de3ee8b579a68e177	https://blog.talosintelligence.com/2021/08/threat-roundup-0730-0806.html SHA256: 287a910ea787f13609d4c8002a0ac86b8068a6fca8bfadb0c1d2b1fb63436b96 SHA1: 9ff572bcb26693f810c6763403e3feb8f8e12672 MD5: d9ce38bc0aeac55de3ee8b579a68e177
M21-ji551	Qakbot_a2f1f09d	Windows	This strike sends a malware sample known as Qakbot. Qakbot, aka Qbot, has been around for since at least 2008. Qbot primarily targets sensitive information like banking credentials but can also steal FTP credentials and spread across a network using SMB.	a2f1f09d1bbe5bfc8630fab2187811ee	https://blog.talosintelligence.com/2021/08/threat-roundup-0806-0813.html SHA256: 3b06eecb334b5f57bde24eeb0a7c4147fc01713c8c3e8f0a660a4e8a9a5df3e1 SHA1: b6b1892d0180b9f2b255a1f9a15d2e370d66393b MD5: a2f1f09d1bbe5bfc8630fab2187811ee
M21-vvac1	Qakbot_9e4bb7c2	Windows	This strike sends a malware sample known as Qakbot. Qakbot, aka Qbot, has been around for since at least 2008. Qbot primarily targets sensitive information like banking credentials but can also steal FTP credentials and spread across a network using SMB.	9e4bb7c2bff8cc4245bf1327e84f125b	https://blog.talosintelligence.com/2021/08/threat-roundup-0806-0813.html SHA256: 23c3b45782c70bccb1ca807e59486247c5b9074228e14ce9b3994003b354919f SHA1: 4a261263c86c5c1182312f6264260071003ce940 MD5: 9e4bb7c2bff8cc4245bf1327e84f125b
M21-o9xj1	Haron_92c2e2f6	Windows	This strike sends a polymorphic malware sample known as Haron. Haron is a ransomware that is being considered a copy or derivative of the Avaddon and Thanos ransomware. It uses the Thanos framework to infect vicitims, which was made open source, and the Avaddon UI which was also leaked.The binary has the timestamp field updated in the PE file header.	92c2e2f66b9717304aa67c9114b959c2	https://medium.com/s2wlab/quick-analysis-of-haron-ransomware-feat-avaddon-and-thanos-1ebb70f64dc4 SHA256: da105ee43fb48770f296a5b325dc29c57a992f5ac36ee815ac88663571bef3b4 https://attack.mitre.org/techniques/T1099/ PARENTID: M21-wlko1 SSDEEP: 1536:E3wWdw/3oHK8pEzgfIdmedUqPkYRzHKS396Fn2Y+aYxc13TpNw:EgWM32MOuPkc96Fnr+eQ SHA1: 08834c273c66cfec1ed7b5433eaba575f2a2e6f3 MD5: 92c2e2f66b9717304aa67c9114b959c2
M21-tl2b1	Haron_27757047	Windows	This strike sends a malware sample known as Haron. Haron is a ransomware that is being considered a copy or derivative of the Avaddon and Thanos ransomware. It uses the Thanos framework to infect vicitims, which was made open source, and the Avaddon UI which was also leaked.	277570474740f06232e009b5ff15d47a	https://medium.com/s2wlab/quick-analysis-of-haron-ransomware-feat-avaddon-and-thanos-1ebb70f64dc4 SHA256: 4852f22df095db43f2a92e99384ff7667020413e74f67fcbd42fca16f8f96f4c SHA1: 9cd9dee39f132cb398a3408cd16a53b98dafea7e MD5: 277570474740f06232e009b5ff15d47a
M21-kg3n1	Trickbot_fc0c2d9d	Windows	This strike sends a malware sample known as Trickbot. Trickbot is a banking trojan targeting sensitive information for select financial institutions. This malware is frequently distributed through malicious spam campaigns. Many of these campaigns rely on downloaders for distribution, such as VB Scripts.	fc0c2d9dcb18806606d6e2673db4380a	https://blog.talosintelligence.com/2021/08/threat-roundup-0730-0806.html SHA256: 32ed191361a69cf8d93f2431fe449a822e812a5f08c9c7e8bb04acc543443a92 SHA1: e1bd9054f400bf10cf7d2baffe9643cd481feca9 MD5: fc0c2d9dcb18806606d6e2673db4380a
M21-g8w11	Trickbot_713bb022	Windows	This strike sends a malware sample known as Trickbot. Trickbot is a banking trojan targeting sensitive information for select financial institutions. This malware is frequently distributed through malicious spam campaigns. Many of these campaigns rely on downloaders for distribution, such as VB Scripts.	713bb022f264a713db52286227714a58	https://blog.talosintelligence.com/2021/08/threat-roundup-0730-0806.html SHA256: 2d465c82cfcd0f6121a68ff352d9f97aaa74c7c74527b6d8a9df2514a9ae0797 SHA1: b7f5ad8b97687f791e8c04bab5423302543361df MD5: 713bb022f264a713db52286227714a58
M21-zvav1	Qakbot_d867d6d9	Windows	This strike sends a malware sample known as Qakbot. Qakbot, aka Qbot, has been around for since at least 2008. Qbot primarily targets sensitive information like banking credentials but can also steal FTP credentials and spread across a network using SMB.	d867d6d9a9b8a1fdf2467f27088f5230	https://blog.talosintelligence.com/2021/08/threat-roundup-0806-0813.html SHA256: 0ea2f761e10efb2a635185671de8ca90837745f5da186d84e6a3c564bd020903 SHA1: 7dfa6639d37a754e7097fec864568847fb658551 MD5: d867d6d9a9b8a1fdf2467f27088f5230
M21-e17h1	Ramnit_2bef963c	Windows	This strike sends a malware sample known as Ramnit. Ramnit is a banking trojan that has been around since 2010 and has recently been resuming activity. After infection, it scans files that have interesting keywords, such as "wallet", "passwords", or the names of the targeted banks. Ramnit uses malvertising and malware-laden spam for distribution, though it also employed popular exploit kits, such as Angler.	2bef963c0d8b3c5d796dac3541489c08	https://blog.talosintelligence.com/2021/08/threat-roundup-0813-0820.html SHA256: 0da2d59d76684e3912a82d88c978e16b65e3a9f8aea0c43d269953cff6956a7e SHA1: 861a7e9a9dcc20911775b8c9e33f221826dfe9ee MD5: 2bef963c0d8b3c5d796dac3541489c08
M21-ujrx1	Qakbot_76f0cfb3	Windows	This strike sends a malware sample known as Qakbot. Qakbot, aka Qbot, has been around for since at least 2008. Qbot primarily targets sensitive information like banking credentials but can also steal FTP credentials and spread across a network using SMB.	76f0cfb3c8143fe677dae170a9804c66	https://blog.talosintelligence.com/2021/08/threat-roundup-0806-0813.html SHA256: 0b77fdf610d7444d1fe1a7f5098d45152936fc48ca601b929281c587bb5133b8 SHA1: 2f230e16fe8e3ac4726e627add2439a92a9ae8a9 MD5: 76f0cfb3c8143fe677dae170a9804c66
M21-cjnm1	DarkComet_d619583b	Windows	This strike sends a malware sample known as DarkComet. DarkComet and related variants are a family of remote access trojans designed to provide an attacker with control over an infected system.	d619583b03bae980edca49feede8579c	https://blog.talosintelligence.com/2021/08/threat-roundup-0806-0813.html SHA256: 42c2c565e5844ee30f45e046984956949aa7b4268fa79fa3bca325079a0199b5 SHA1: c305d614c71d66208bf5bc3a378af9df5448b3e4 MD5: d619583b03bae980edca49feede8579c
M21-z2da1	Trickbot_d9547c4f	Windows	This strike sends a malware sample known as Trickbot. Trickbot is a banking trojan targeting sensitive information for select financial institutions. This malware is frequently distributed through malicious spam campaigns. Many of these campaigns rely on downloaders for distribution, such as VB Scripts.	d9547c4f1c13fac1a1c7e8f8f67df45b	https://blog.talosintelligence.com/2021/08/threat-roundup-0730-0806.html SHA256: 307e3804d8a677f1c176534c8eb85e63f89421e6a1bf4477485c0a4e3eb9e9d1 SHA1: df765949f9714454985b29c770e92a2b06ce014a MD5: d9547c4f1c13fac1a1c7e8f8f67df45b
M21-lmxx1	Qakbot_9d0ed878	Windows	This strike sends a malware sample known as Qakbot. Qakbot, aka Qbot, has been around for since at least 2008. Qbot primarily targets sensitive information like banking credentials but can also steal FTP credentials and spread across a network using SMB.	9d0ed8785c88f732ebfc7d11637a57c7	https://blog.talosintelligence.com/2021/08/threat-roundup-0806-0813.html SHA256: 3a1e5884cf079fdca3cb5b8385c53f780dd4c17a3165ccb4148f9916c3740614 SHA1: 4f046eb7ce469d0e97c98b54759b1cef56a3a365 MD5: 9d0ed8785c88f732ebfc7d11637a57c7
M21-5wpg1	Qakbot_988e391a	Windows	This strike sends a malware sample known as Qakbot. Qakbot, aka Qbot, has been around for since at least 2008. Qbot primarily targets sensitive information like banking credentials but can also steal FTP credentials and spread across a network using SMB.	988e391a7bd88b2d362e44d57e97a778	https://blog.talosintelligence.com/2021/08/threat-roundup-0806-0813.html SHA256: 06d5ca9ab245e57ad65d2afa9633a2b7e11eca16555f5c5bf9f7a92d8f78e87d SHA1: e39f6a5faa08af6176494604a3a3d6f4ccab9876 MD5: 988e391a7bd88b2d362e44d57e97a778
M21-rxic1	BlackMatter_6fd84253	Windows	This strike sends a polymorphic malware sample known as BlackMatter. BlackMatter is a Ransomware-as-a-Service or RaaS. It has followed in the footsteps of its predecessors DarkSide and REvil with a lot of the same functionality. It can elevate privileges, kill processes, and even steals the victim's details.The binary has random strings (lorem ipsum) appended at the end of the file.	6fd842539aa3f5fd2e0474f3b48f877a	https://news.sophos.com/en-us/2021/08/09/blackmatter-ransomware-emerges-from-the-shadow-of-darkside/ SHA256: 234fb77f708ef2e34bff04de92e9b6e1995b54ebb083d1b8805a494d25617c94 https://attack.mitre.org/techniques/T1009/ PARENTID: M21-mfzl1 SSDEEP: 1536:RzICS4AT6GxdEe+TOdincJXvKv8Zg3kla:qR7auJXSkZg3Ca SHA1: 790e12fea4dd5c10bda6b51eabd8f2a24eff3b6d MD5: 6fd842539aa3f5fd2e0474f3b48f877a
M21-df611	DarkComet_eceac426	Windows	This strike sends a malware sample known as DarkComet. DarkComet and related variants are a family of remote access trojans designed to provide an attacker with control over an infected system.	eceac426ece31db82c011c3925d1561a	https://blog.talosintelligence.com/2021/08/threat-roundup-0806-0813.html SHA256: 5174169e7a1ef4ba358189dafac7eb4c514e4c12ecdc9525e2fe6cb5b35265ad SHA1: b0580608e253b296b588823f0ee9704a2c9a53dd MD5: eceac426ece31db82c011c3925d1561a
M21-kt8f1	Ramnit_156ff7ed	Windows	This strike sends a malware sample known as Ramnit. Ramnit is a banking trojan that has been around since 2010 and has recently been resuming activity. After infection, it scans files that have interesting keywords, such as "wallet", "passwords", or the names of the targeted banks. Ramnit uses malvertising and malware-laden spam for distribution, though it also employed popular exploit kits, such as Angler.	156ff7ed174247ad7a7132fa51664949	https://blog.talosintelligence.com/2021/08/threat-roundup-0813-0820.html SHA256: d1f95a5223c6f4dc954e4ccbab6d58fa9e54ff9037c88f06c9814ab4a7877058 SHA1: 5347f3766750fe3e4968fdee3230f8e364cb5951 MD5: 156ff7ed174247ad7a7132fa51664949
M21-o1sv1	BlackMatter_720f6799	Windows	This strike sends a polymorphic malware sample known as BlackMatter. BlackMatter is a Ransomware-as-a-Service or RaaS. It has followed in the footsteps of its predecessors DarkSide and REvil with a lot of the same functionality. It can elevate privileges, kill processes, and even steals the victim's details.The binary has the checksum removed in the PE file format.	720f6799e6befa45cb4233b9631f4c82	https://news.sophos.com/en-us/2021/08/09/blackmatter-ransomware-emerges-from-the-shadow-of-darkside/ SHA256: 9e18f6ebb169f6bc7ae18526f71e132f96b678809e7873df7c3bbb35d4d694ee https://arxiv.org/abs/1801.08917 PARENTID: M21-do2n1 SSDEEP: 1536:jzICS4AT6GxdEe+TOdincJXvKv8Zg3kl/:8R7auJXSkZg3C/ SHA1: 514b2d4a0747143989ec5458216723b78a93c919 MD5: 720f6799e6befa45cb4233b9631f4c82
M21-8qhl1	Ramnit_bf70c723	Windows	This strike sends a malware sample known as Ramnit. Ramnit is a banking trojan that has been around since 2010 and has recently been resuming activity. After infection, it scans files that have interesting keywords, such as "wallet", "passwords", or the names of the targeted banks. Ramnit uses malvertising and malware-laden spam for distribution, though it also employed popular exploit kits, such as Angler.	bf70c7230fb57e3732a87cc5b09defa3	https://blog.talosintelligence.com/2021/08/threat-roundup-0813-0820.html SHA256: 011597cdbf40d1f08a644d42c20e19175574a433a735eef887283c719ef8e63e SHA1: 9aae7d0c871579f122eb55b16aac785ef4c4e665 MD5: bf70c7230fb57e3732a87cc5b09defa3
M21-2ddo1	DarkComet_b84ab2c0	Windows	This strike sends a malware sample known as DarkComet. DarkComet and related variants are a family of remote access trojans designed to provide an attacker with control over an infected system.	b84ab2c079ef2e9dad478abc81e3dee0	https://blog.talosintelligence.com/2021/08/threat-roundup-0806-0813.html SHA256: 0d08e3c0b2f6668387b90dc0d21ebd8fec5de6393580cff145cdff8a32c10ea6 SHA1: b82b92d9f80fcf6e0196adac066ed123de3f2fc4 MD5: b84ab2c079ef2e9dad478abc81e3dee0
M21-ew801	Qakbot_ba811d0b	Windows	This strike sends a malware sample known as Qakbot. Qakbot, aka Qbot, has been around for since at least 2008. Qbot primarily targets sensitive information like banking credentials but can also steal FTP credentials and spread across a network using SMB.	ba811d0b025160b8c7766be010784dca	https://blog.talosintelligence.com/2021/08/threat-roundup-0806-0813.html SHA256: 172b6ada107441489b8abc961f2548486487a15d5e3375417b9c6981e5d676e9 SHA1: 410146de3cd295234c2a6b5a13a322ebf4be0ab0 MD5: ba811d0b025160b8c7766be010784dca
M21-wd911	Haron_7806efea	Windows	This strike sends a polymorphic malware sample known as Haron. Haron is a ransomware that is being considered a copy or derivative of the Avaddon and Thanos ransomware. It uses the Thanos framework to infect vicitims, which was made open source, and the Avaddon UI which was also leaked.The binary has a random section name renamed according to the PE format specification.	7806efea649a3b312be91e609541359b	https://medium.com/s2wlab/quick-analysis-of-haron-ransomware-feat-avaddon-and-thanos-1ebb70f64dc4 SHA256: ae2168018a6b48e4e6bc61a042e40facc4260b138594cc22b0810e1b57e30803 https://arxiv.org/abs/1801.08917 PARENTID: M21-wlko1 SSDEEP: 1536:13wWdw/3oHK8pEzgfIdmedUqPkYRzHKS396Fn2Y+aYxc13TpNw:1gWM32MOuPkc96Fnr+eQ SHA1: 1c02c91cc5d63bf06e4c38965f6ec043d5fe221f MD5: 7806efea649a3b312be91e609541359b