Malware Monthly Update February - 2021

Malware Strikes

Each strike lists its Strike ID, Malware, Platform, Info and External References, followed by its hashes (SHA256, SHA1, MD5 and, for polymorphic samples, PARENTID and SSDEEP).

Strike ID: M21-2x9i1
Malware: Trickbot_a9392a4d
Platform: Windows
Info: This strike sends a malware sample known as Trickbot. Trickbot is a banking trojan that targets sensitive information for select financial institutions. It is frequently distributed through malicious spam campaigns, many of which rely on downloaders such as VB scripts.
External References: https://blog.talosintelligence.com/2021/02/threat-roundup-0212-0219.html
SHA256: 9b7ca2a5d739eadeeb2290e26ca8a11dffc85331fa539d080777083af9123b45
SHA1: 4e587b19ae95a13d36dbac636ef0ce73f8699494
MD5: a9392a4d881a556ddf5b4bc812b5e079

Strike ID: M21-0u6b1
Malware: Trickbot_fae34a61
Platform: Windows
Info: This strike sends a malware sample known as Trickbot. Trickbot is a banking trojan that targets sensitive information for select financial institutions. It is frequently distributed through malicious spam campaigns, many of which rely on downloaders such as VB scripts.
External References: https://blog.talosintelligence.com/2021/02/threat-roundup-0212-0219.html
SHA256: 28324d38845e953911330e985a51bda6431c40d63a7fc40a6d05a9f86b702ce8
SHA1: 0281b57b3554841a850c8afa7da1d454a7b39f5a
MD5: fae34a61be4d7b2f15de7e8aaad8358b

Strike ID: M21-ao1y1
Malware: DarkComet_b06f43f7
Platform: Windows
Info: This strike sends a malware sample known as DarkComet. DarkComet and related variants are a family of remote access trojans designed to provide an attacker with control over an infected system.
External References: https://blog.talosintelligence.com/2021/02/threat-roundup-0205-0212.html
SHA256: c72000deaafee8b3a26c31808316ecae94e429ff5d5b4334379adb1f91365c5f
SHA1: c9ed3a8395a5eb4a3cae0977f6671c1cb79c7062
MD5: b06f43f7f11d71d39ee45e745767928f

Strike ID: M21-317m1
Malware: DarkComet_1ccf967b
Platform: Windows
Info: This strike sends a malware sample known as DarkComet. DarkComet and related variants are a family of remote access trojans designed to provide an attacker with control over an infected system.
External References: https://blog.talosintelligence.com/2021/02/threat-roundup-0205-0212.html
SHA256: d48cd3dc1e4203c1af41580fa1575f4e478a6947b75ac92271c9cb24481dcb40
SHA1: af0beb59d1c59265ac43943f2812d685a538530b
MD5: 1ccf967b97a04e428c427aa7e2443e4e

Strike ID: M21-c0fq1
Malware: Buer_89d8c5bd
Platform: Windows
Info: This strike sends a malware sample known as Buer. Buer is a first-stage downloader used to deploy various other forms of malware, such as ransomware, to its intended victim. It is sold as a ready-to-go solution in underground marketplaces to parties looking for malware with modular delivery options.
External References: https://www.proofpoint.com/us/threat-insight/post/buer-new-loader-emerges-underground-marketplace
                     https://twitter.com/VK_Intel/status/1359688058069790722
SHA256: 753276c5887ba5cb818360e797b94d1306069c6871b61f60ecc0d31c78c6d31e
SHA1: 47ca59c0056894200475e25f86e2ab0972d34b2c
MD5: 89d8c5bdcc1dbb18e7ba59e4450fd001

Strike ID: M21-0kzv1
Malware: DarkComet_dacded52
Platform: Windows
Info: This strike sends a malware sample known as DarkComet. DarkComet and related variants are a family of remote access trojans designed to provide an attacker with control over an infected system.
External References: https://blog.talosintelligence.com/2021/02/threat-roundup-0205-0212.html
SHA256: 47f31e2c01e3608564d18be81c165583fec2e775ffbb913ca0bc31e5265fd850
SHA1: 594cfe2c9982f6ebefedf70f046a0c48666f4a43
MD5: dacded526944ecb98ddd58f543141c84

Strike ID: M21-hg921
Malware: BazaLoader_50a737ac
Platform: Windows
Info: This strike sends a malware sample known as BazaLoader. BazaLoader is a modular malware loader whose purpose is to deliver additional malware. Most recently, BazaLoader campaigns have been detected delivering email and document lures related to Valentine's Day.
External References: https://www.proofpoint.com/us/blog/threat-insight/baza-valentines-day
SHA256: 447b4c867b7147afe178d73adf8113fc33f6399f03707e4308efa36e0859bf86
SHA1: fcdb1a81a27f9ac7a8efcfa591fb723bd001c66f
MD5: 50a737acebc342a7d5bdca05419c1564

Strike ID: M21-zu9u1
Malware: Buer_1ab2fc91
Platform: Windows
Info: This strike sends a polymorphic malware sample known as Buer. Buer is a first-stage downloader used to deploy various other forms of malware, such as ransomware, to its intended victim. It is sold as a ready-to-go solution in underground marketplaces to parties looking for malware with modular delivery options. In this variant, one section of the binary has been given a random name that still conforms to the PE format specification.
External References: https://arxiv.org/abs/1801.08917
SHA256: e633ad8fa3ed54c42a0fa617eab5f440aed6cf66a0634a357a2ed4a0b980a43d
PARENTID: M21-nkhl1
SSDEEP: 3072:taLJO81NCCCoyq+IuvD/9QrCBrOg8T8O81NCCCoyq+IuvD/9QrCBrOg8TOg/PDgy:2GqEDuqEDtgzgMFjMVAKy7X7SuiapJ
SHA1: a98860ec4ce0b0405006638d186f5d4cce7bfb4b
MD5: 1ab2fc91ddfc486d3ec76c36a7ec5b43

Strike ID: M21-yfhd1
Malware: Redline_945955bb
Platform: Windows
Info: This strike sends a malware sample known as Redline. Redline is an information-stealer malware written in .
External References: https://blog.talosintelligence.com/2021/02/threat-roundup-0212-0219.html
SHA256: f89e6f2527aa365968333a01f97ba93b6d21e55375e6be255841fed0ecf67054
SHA1: cb2dd721650e7999c0d4f17cfb4b28f0b45d281f
MD5: 945955bb867fb99aa6b2b2eed03840b5

Strike ID: M21-lmdl1
Malware: Buer_cac3879e
Platform: Windows
Info: This strike sends a malware sample known as Buer. Buer is a first-stage downloader used to deploy various other forms of malware, such as ransomware, to its intended victim. It is sold as a ready-to-go solution in underground marketplaces to parties looking for malware with modular delivery options.
External References: https://www.proofpoint.com/us/threat-insight/post/buer-new-loader-emerges-underground-marketplace
                     https://twitter.com/VK_Intel/status/1359688058069790722
SHA256: fa699eab565f613df563ce47de5b82bde16d69c5d0c05ec9fc7f8d86ad7682ce
SHA1: 059a1c87b0d2cb1f41588f7b81b7b569be204b57
MD5: cac3879ed9dba1145f99376c2f32ebb7

Strike ID: M21-v4ah1
Malware: Buer_1fa27c5e
Platform: Windows
Info: This strike sends a malware sample known as Buer. Buer is a first-stage downloader used to deploy various other forms of malware, such as ransomware, to its intended victim. It is sold as a ready-to-go solution in underground marketplaces to parties looking for malware with modular delivery options.
External References: https://www.proofpoint.com/us/threat-insight/post/buer-new-loader-emerges-underground-marketplace
                     https://twitter.com/VK_Intel/status/1359688058069790722
SHA256: 41a4ee153b3c61cc8ed50de571e5b8f884de1c8c07332b7b31f238360832988c
SHA1: a7c98a694753ed745e8618369d16e39c46cca1e7
MD5: 1fa27c5e084887e9e3a2e232d27e10e3

Strike ID: M21-5r1n1
Malware: Redline_208b1854
Platform: Windows
Info: This strike sends a malware sample known as Redline. Redline is an information-stealer malware written in .
External References: https://blog.talosintelligence.com/2021/02/threat-roundup-0212-0219.html
SHA256: 9f53624e3d08ef50e14c5761553d0f90d1203f69ba5674c35b309e285980c811
SHA1: 015ff088425ac06c1a2dc0d1795dbd35a9d27ff5
MD5: 208b18547a5e4eca91494fd6ba71efd7

Strike ID: M21-5sbm1
Malware: Ruskill_8b761275
Platform: Windows
Info: This strike sends a malware sample known as Ruskill. Ruskill is a botnet that spreads via removable media and through messaging applications. It steals credentials and carries out distributed denial-of-service attacks.
External References: https://blog.talosintelligence.com/2021/02/threat-roundup-0129-0205.html
SHA256: 1c4503406deebc20d8575edf1bad548fc627052365af2cdc4d2c2d78f8c91fb6
SHA1: 2d9aa3f9bc1fa98b217891bb2c34d9136ed54a6f
MD5: 8b761275be3448835ca45f2c089721b9

Strike ID: M21-y7mu1
Malware: Trickbot_d1d23a53
Platform: Windows
Info: This strike sends a malware sample known as Trickbot. Trickbot is a banking trojan that targets sensitive information for select financial institutions. It is frequently distributed through malicious spam campaigns, many of which rely on downloaders such as VB scripts.
External References: https://blog.talosintelligence.com/2021/02/threat-roundup-0212-0219.html
SHA256: 239789e83dc0a80e8bbd0665a30c2219cbe4cc3d2677bdc818177b260c7fe982
SHA1: 133facb3c6bd369b2ea030c458bad556c0fc102b
MD5: d1d23a53b5bf6b060b5714fee99460f2

Strike ID: M21-i1301
Malware: Redline_ef29de5f
Platform: Windows
Info: This strike sends a malware sample known as Redline. Redline is an information-stealer malware written in .
External References: https://blog.talosintelligence.com/2021/02/threat-roundup-0212-0219.html
SHA256: 8bc9c34c4795259ec849342ef090ff6afe98386cf8f3e178090462ea2e9222a3
SHA1: ded9d460552ce29a569beaa049e683921c38cf20
MD5: ef29de5f57bf968677023aacb1faaf15

Strike ID: M21-x1nd1
Malware: Ruskill_8935551d
Platform: Windows
Info: This strike sends a malware sample known as Ruskill. Ruskill is a botnet that spreads via removable media and through messaging applications. It steals credentials and carries out distributed denial-of-service attacks.
External References: https://blog.talosintelligence.com/2021/02/threat-roundup-0129-0205.html
SHA256: 3963634f532439291b94c949ac2b702a4f0216aaae6c38abff24871d96918530
SHA1: 1170d616b974907e31231f088393b0f826a39ab3
MD5: 8935551d375c42018bcef423006fced5

Strike ID: M21-6qic1
Malware: DarkComet_e5df0db4
Platform: Windows
Info: This strike sends a malware sample known as DarkComet. DarkComet and related variants are a family of remote access trojans designed to provide an attacker with control over an infected system.
External References: https://blog.talosintelligence.com/2021/02/threat-roundup-0205-0212.html
SHA256: 853fe6dcbc1947060a26cfee85e433f0af72157f0e56672671f6f0bb9edb22c0
SHA1: 8ec2628392a16ba5fe7ee65036cbc74dfcae1c2f
MD5: e5df0db41a655829f3564fb6d45f527a

Strike ID: M21-h6ze1
Malware: Redline_c7c0a75d
Platform: Windows
Info: This strike sends a malware sample known as Redline. Redline is an information-stealer malware written in .
External References: https://blog.talosintelligence.com/2021/02/threat-roundup-0212-0219.html
SHA256: 69fca12354a4e0577c699dfbf58b665f5358693660ce2cf8144b75ea08249d50
SHA1: b7824189764703cc253ea16235fa8f273bf5cc4e
MD5: c7c0a75da9042c5b0a9d82e09fec7aa7

Strike ID: M21-2jmd1
Malware: Ruskill_de840601
Platform: Windows
Info: This strike sends a malware sample known as Ruskill. Ruskill is a botnet that spreads via removable media and through messaging applications. It steals credentials and carries out distributed denial-of-service attacks.
External References: https://blog.talosintelligence.com/2021/02/threat-roundup-0129-0205.html
SHA256: 2eaf24384812f6b8df0b345ee7f11aef2f8a2339e11b3752eb2d3daabf3ba588
SHA1: 3138d12d1270ef6028397588621117788eb590d9
MD5: de840601a818c3b2bfce3828ad10ab78

Strike ID: M21-tuej1
Malware: DarkComet_97eebf03
Platform: Windows
Info: This strike sends a malware sample known as DarkComet. DarkComet and related variants are a family of remote access trojans designed to provide an attacker with control over an infected system.
External References: https://blog.talosintelligence.com/2021/02/threat-roundup-0205-0212.html
SHA256: 720c7086ec84b14499b6b0803c841c59e56f4b17f566afa633b68c155871f05a
SHA1: 3b414d2c91d1bd6411b22c90307723d97c367c5c
MD5: 97eebf03ca937627e7a35c84503ceb2d

Strike ID: M21-ctde1
Malware: Redline_fd0e02dc
Platform: Windows
Info: This strike sends a malware sample known as Redline. Redline is an information-stealer malware written in .
External References: https://blog.talosintelligence.com/2021/02/threat-roundup-0212-0219.html
SHA256: 181deb00fe0cef63aa1110722c263e33e010bef99b2239f7f3e010e4ef896ee8
SHA1: 60962cca79bf8754ce04a2f09d13533d36cc2afa
MD5: fd0e02dc2e477d0229807f2486fff6b8

Strike ID: M21-8ohh1
Malware: Ruskill_f12998e1
Platform: Windows
Info: This strike sends a malware sample known as Ruskill. Ruskill is a botnet that spreads via removable media and through messaging applications. It steals credentials and carries out distributed denial-of-service attacks.
External References: https://blog.talosintelligence.com/2021/02/threat-roundup-0129-0205.html
SHA256: 0e45a2aebdc4a6212f2bb7cb9f84d5597a4c249077c7f6d4152f55931a622be2
SHA1: 4e07cdf5ec2ba71ce6eb489c04c2b6dcd16e05f3
MD5: f12998e1874bfbad5103305a910e6a45

Strike ID: M21-8cru1
Malware: Redline_a4358594
Platform: Windows
Info: This strike sends a malware sample known as Redline. Redline is an information-stealer malware written in .
External References: https://blog.talosintelligence.com/2021/02/threat-roundup-0212-0219.html
SHA256: be92ed06586b1d63cd82f3ae730ca8c99abd2a2de403b5f14094fd01ce47a1c2
SHA1: 518ea1514680996304ee65e53dd3e252302cab50
MD5: a43585940b7a2bb9f0af4587dc4fa1d4

Strike ID: M21-whtj1
Malware: DarkComet_f5491800
Platform: Windows
Info: This strike sends a malware sample known as DarkComet. DarkComet and related variants are a family of remote access trojans designed to provide an attacker with control over an infected system.
External References: https://blog.talosintelligence.com/2021/02/threat-roundup-0205-0212.html
SHA256: 783031a8d7e9d3b9c32b9827c2121d1da92e63a5fc99a089a6743c829be54855
SHA1: c0a2c8f45a8583b91afc128eea794efa0fa78775
MD5: f5491800859ca7512dc4839225543a2d

Strike ID: M21-2owv1
Malware: Ruskill_2d3f70b0
Platform: Windows
Info: This strike sends a malware sample known as Ruskill. Ruskill is a botnet that spreads via removable media and through messaging applications. It steals credentials and carries out distributed denial-of-service attacks.
External References: https://blog.talosintelligence.com/2021/02/threat-roundup-0129-0205.html
SHA256: 4968881ce2cd887f5677d49cf260d43440f37d822f3294b6a49afed736c038af
SHA1: 3f6c5544e56717ea228625b125320e1420b9e59d
MD5: 2d3f70b08c4d9a3c4ac2d2065dbb1130

Strike ID: M21-loza1
Malware: DarkComet_21c6f354
Platform: Windows
Info: This strike sends a malware sample known as DarkComet. DarkComet and related variants are a family of remote access trojans designed to provide an attacker with control over an infected system.
External References: https://blog.talosintelligence.com/2021/02/threat-roundup-0205-0212.html
SHA256: c76017b1ec2b90bdc6d3a6fd8e34b8c948dc2c103fe40c5ef690a3ebf14c2cea
SHA1: 9bbba8865f13a6370d1fe4d1ec39d5e7720c8c6b
MD5: 21c6f354ae5716237ce20d781a9fe1b6

Strike ID: M21-qg081
Malware: Redline_fe13bef0
Platform: Windows
Info: This strike sends a malware sample known as Redline. Redline is an information-stealer malware written in .
External References: https://blog.talosintelligence.com/2021/02/threat-roundup-0212-0219.html
SHA256: 9cef12bd078776ed63eeac73915174764c331244fc79609a0b8d8a7589c09c83
SHA1: a7dd6d25a2a8b84e94e8eacfa8b850679730d0b0
MD5: fe13bef02933d061609d3f614bc0f303

Strike ID: M21-4bk91
Malware: DarkComet_e34111d9
Platform: Windows
Info: This strike sends a malware sample known as DarkComet. DarkComet and related variants are a family of remote access trojans designed to provide an attacker with control over an infected system.
External References: https://blog.talosintelligence.com/2021/02/threat-roundup-0205-0212.html
SHA256: 83d6c112004f89884e05919f941ca3a5f3a918f4bde181bed477f659a275e630
SHA1: 6512750e732b640891b06e661e0b169556519ca3
MD5: e34111d9e2ddbea03a6cd91236f4dc27

Strike ID: M21-p8k91
Malware: Redline_b0ab5154
Platform: Windows
Info: This strike sends a malware sample known as Redline. Redline is an information-stealer malware written in .
External References: https://blog.talosintelligence.com/2021/02/threat-roundup-0212-0219.html
SHA256: 99e8f71c4b1defd1fdad56f2b9e70578633cb2cd1901698bbadf97c1538c7384
SHA1: 80b69b488bb821593a5f3ff77a8444373af65bc7
MD5: b0ab5154bb8b4ff883500f410342d580

Strike ID: M21-mnd61
Malware: Ruskill_2824fdeb
Platform: Windows
Info: This strike sends a malware sample known as Ruskill. Ruskill is a botnet that spreads via removable media and through messaging applications. It steals credentials and carries out distributed denial-of-service attacks.
External References: https://blog.talosintelligence.com/2021/02/threat-roundup-0129-0205.html
SHA256: 24447cf4a7cae8a7602d6ab18cbf57a50cd6d7f05413742149806489823e97e0
SHA1: 88a9ae60ab897ac21467a8042e77882e4aaf394b
MD5: 2824fdebf4c8188c6128cd06a403da6a

Strike ID: M21-oatb1
Malware: Redline_ea49bd1b
Platform: Windows
Info: This strike sends a malware sample known as Redline. Redline is an information-stealer malware written in .
External References: https://blog.talosintelligence.com/2021/02/threat-roundup-0212-0219.html
SHA256: 5ed7321d0e4d7e0dbec935824a15bd6706d26e1798c8d86ac820e7632fa12af5
SHA1: 4a7cd5222a303d961482c83461e43ea1e741631d
MD5: ea49bd1b6b5a19618dff479ee0d2aa24

Strike ID: M21-mqyu1
Malware: Trickbot_e2ff2674
Platform: Windows
Info: This strike sends a malware sample known as Trickbot. Trickbot is a banking trojan that targets sensitive information for select financial institutions. It is frequently distributed through malicious spam campaigns, many of which rely on downloaders such as VB scripts.
External References: https://blog.talosintelligence.com/2021/02/threat-roundup-0212-0219.html
SHA256: 31d1fa0cb2a8af462c681c38d5fde174f69735009bede1f6e20e27f561b783d4
SHA1: f3136e2b74b869f8f70402ebdec0cd7c7e0ca054
MD5: e2ff26741a46499b6e5eb4b0b9786b2a

Strike ID: M21-ge6e1
Malware: DarkComet_38353d77
Platform: Windows
Info: This strike sends a malware sample known as DarkComet. DarkComet and related variants are a family of remote access trojans designed to provide an attacker with control over an infected system.
External References: https://blog.talosintelligence.com/2021/02/threat-roundup-0205-0212.html
SHA256: 52e6ad0b9fa496b52e9e1365d2208e7c60614ee0b4b231b4159d9218c3607ce6
SHA1: 8710ea5f78b53fcc01273227ae063d5fc0e72454
MD5: 38353d77489a0a4c074fa0754481b847

Strike ID: M21-9c3n1
Malware: Redline_b619847a
Platform: Windows
Info: This strike sends a malware sample known as Redline. Redline is an information-stealer malware written in .
External References: https://blog.talosintelligence.com/2021/02/threat-roundup-0212-0219.html
SHA256: f043c533c3d2a09cbff857a3351a7c7f3938342494d73cb5c582b1a999c11260
SHA1: c93657c472b47d425a3e105e8c20c182df1b2483
MD5: b619847a7c65a0947cf7a132e510030d

Strike ID: M21-kkjc1
Malware: Razy_0c56c0cf
Platform: Windows
Info: This strike sends a malware sample known as Razy. Razy is often used as a generic detection name for a Windows trojan. This cluster of samples contains encrypted code in the resources section that could be injected into a legitimate process.
External References: https://blog.talosintelligence.com/2021/02/threat-roundup-0205-0212.html
SHA256: b04c5b176df3486b09bb504e79427ec7c24b2ae74647867e6dbc0635875bcfda
SHA1: 2f0f134815a4abe27b236706b540d31982fc0f0d
MD5: 0c56c0cf7ddb488dce5757499b0a5504

Strike ID: M21-7zso1
Malware: Buer_41f095e2
Platform: Windows
Info: This strike sends a polymorphic malware sample known as Buer. Buer is a first-stage downloader used to deploy various other forms of malware, such as ransomware, to its intended victim. It is sold as a ready-to-go solution in underground marketplaces to parties looking for malware with modular delivery options. In this variant, the binary has been packed with the UPX packer using its default options.
External References: https://attack.mitre.org/techniques/T1045/
SHA256: 805dd8e2d5b079dcaa1729aaaf0bb860c5ef7025a116886c215e6d88c4555267
PARENTID: M21-nkhl1
SSDEEP: 3072:lsnGEkevye88PJFPTWRxhEMrA5EKLiO7zw2eCNGVfAj5PTU+VukFSuJYCCrqjpA2:ZfeAxhEMrpKLiOXVkCn7Suiap
SHA1: d118684f1b5a79d01290262dacc94568092d0cc8
MD5: 41f095e2a4b692820a8d70b27ed74590

Strike ID: M21-h11c1
Malware: Buer_884fa51e
Platform: Windows
Info: This strike sends a polymorphic malware sample known as Buer. Buer is a first-stage downloader used to deploy various other forms of malware, such as ransomware, to its intended victim. It is sold as a ready-to-go solution in underground marketplaces to parties looking for malware with modular delivery options. In this variant, the timestamp field in the PE file header has been updated.
External References: https://attack.mitre.org/techniques/T1099/
SHA256: db3a2bea74abdc89fa9b21af3a52f9f9c1248aeec6609b49d5abad26c28dc647
PARENTID: M21-ffky1
SSDEEP: 3072:0JAbotnxd8Rt+Q+i17+H3UQ+CYZ4H/dWgG+9Q:3boNIn+I+51/g
SHA1: 20c6684627cc939097346a61dcb634e466bebb56
MD5: 884fa51e7110c68b831899626e81345a

Strike ID: M21-lb9t1
Malware: DarkComet_99ddecdd
Platform: Windows
Info: This strike sends a malware sample known as DarkComet. DarkComet and related variants are a family of remote access trojans designed to provide an attacker with control over an infected system.
External References: https://blog.talosintelligence.com/2021/02/threat-roundup-0205-0212.html
SHA256: 5e371cd3f7fab8a9e095cfca5d22b01330109d22244cbadd2a4c800963769512
SHA1: a7b16a3ea119a925e61dea98d3158daab02dd4e1
MD5: 99ddecdd7bf0b3c8ee071b8876c77b0e

Strike ID: M21-umi81
Malware: Ruskill_4674372d
Platform: Windows
Info: This strike sends a malware sample known as Ruskill. Ruskill is a botnet that spreads via removable media and through messaging applications. It steals credentials and carries out distributed denial-of-service attacks.
External References: https://blog.talosintelligence.com/2021/02/threat-roundup-0129-0205.html
SHA256: 4dec4954a5c2aa7954c91ee4e715d7dc03c11c09d08ba8933f0946d1971cf167
SHA1: 066fb3b1c89a022d807b4117d9de303cbe921c6f
MD5: 4674372dfcdbeef581d50685083ec0f4

Strike ID: M21-3hlz1
Malware: Buer_3dcd5f44
Platform: Windows
Info: This strike sends a polymorphic malware sample known as Buer. Buer is a first-stage downloader used to deploy various other forms of malware, such as ransomware, to its intended victim. It is sold as a ready-to-go solution in underground marketplaces to parties looking for malware with modular delivery options. In this variant, random bytes have been appended to the end of the file.
External References: https://attack.mitre.org/techniques/T1009/
SHA256: bb2bc9c9c8b9d799757750ec439aaca9e0255babb50e2a1ff533196db7dd2570
PARENTID: M21-nkhl1
SSDEEP: 3072:taLJO81NCCCoyq+IuvD/9QrCBrOg8T8O81NCCCoyq+IuvD/9QrCBrOg8TOg/PDgX:2GqEDuqEDtgzgMFjMVAKy7X7Suiap4
SHA1: 3c3b807ceb91c6d6a7d423c87573312d89111ab1
MD5: 3dcd5f4471a4f9dd34ac0b61d2f295dc

Strike ID: M21-g9481
Malware: Ruskill_d8c2cb4d
Platform: Windows
Info: This strike sends a malware sample known as Ruskill. Ruskill is a botnet that spreads via removable media and through messaging applications. It steals credentials and carries out distributed denial-of-service attacks.
External References: https://blog.talosintelligence.com/2021/02/threat-roundup-0129-0205.html
SHA256: 053967bd98d93eb711b67210ba469b94f262172ae10f92fc5d45c1bece28ee48
SHA1: 273526cc4ae0212f61711260216b8b1f335cd2ce
MD5: d8c2cb4d206da999ba787f961e46db89

Strike ID: M21-1k1h1
Malware: DarkComet_12ceea8a
Platform: Windows
Info: This strike sends a malware sample known as DarkComet. DarkComet and related variants are a family of remote access trojans designed to provide an attacker with control over an infected system.
External References: https://blog.talosintelligence.com/2021/02/threat-roundup-0205-0212.html
SHA256: c4b6a21f07d4f5bafaea1238efcdd6da1783631407e612b2f598727cf69c5980
SHA1: fdd51f786fe095cf6063d368877b09d15ba755f7
MD5: 12ceea8ab41fbbee00fe350ea1948eee

Strike ID: M21-iomi1
Malware: Ruskill_d873e514
Platform: Windows
Info: This strike sends a malware sample known as Ruskill. Ruskill is a botnet that spreads via removable media and through messaging applications. It steals credentials and carries out distributed denial-of-service attacks.
External References: https://blog.talosintelligence.com/2021/02/threat-roundup-0129-0205.html
SHA256: 193ee557ac28a56eb39b7e305c8f82af5b44d5dcbcd63a5bc68764ae64c5b679
SHA1: 896ad20a95040e1a426f5e26a64362da5f55b30a
MD5: d873e514a8b483b31a49d6063b4d3522

Strike ID: M21-i1c31
Malware: xCry_7475713d
Platform: Windows
Info: This strike sends a malware sample known as xCry. xCry is ransomware written in Nim that can easily be adapted to run across multiple platforms.
External References: https://twitter.com/VK_Intel/status/1085974213838688257
SHA256: e32c8b2da15e294e2ad8e1df5c0b655805d9c820e85a33e6a724b65c07d1a043
SHA1: 21579bc21798f831337799da7ce01e0c1d8fe947
MD5: 7475713df82b2a81b2d32715a94c2b63

Strike ID: M21-khhe1
Malware: DarkComet_123164e8
Platform: Windows
Info: This strike sends a malware sample known as DarkComet. DarkComet and related variants are a family of remote access trojans designed to provide an attacker with control over an infected system.
External References: https://blog.talosintelligence.com/2021/02/threat-roundup-0205-0212.html
SHA256: f4202295bc667e7b2d086747892bcefc5c5dc65692d769d1b1aa7cf6a112ef41
SHA1: 8a08749f980d2210ecf2af99f7f335fba78e4322
MD5: 123164e86411d412d6d7815f5da7a3f7

Strike ID: M21-hr4x1
Malware: Redline_c46105a3
Platform: Windows
Info: This strike sends a malware sample known as Redline. Redline is an information-stealer malware written in .
External References: https://blog.talosintelligence.com/2021/02/threat-roundup-0212-0219.html
SHA256: 8c0e0c1eb5b238d795ee9403e342c9b174bb3d1adefbaeec4897002bd02b5c5d
SHA1: 326cadd885b0ff0cd30508ad905683aae16a6625
MD5: c46105a343ef37ca940d93a01f465933

Strike ID: M21-bwee1
Malware: BazaLoader_034e2d69
Platform: Windows
Info: This strike sends a polymorphic malware sample known as BazaLoader. BazaLoader is a modular malware loader whose purpose is to deliver additional malware. Most recently, BazaLoader campaigns have been detected delivering email and document lures related to Valentine's Day. In this variant, one additional import has been added to the binary's import table.
External References: https://arxiv.org/abs/1702.05983
SHA256: 615fafc5c7e094eb002b2dd886f437d5c6d070a169868e85d3fd46ce67a95d98
SHA1: d556d2b835c8bc336733e2d196cf387ad23f0c14
PARENTID: M21-hg921
SSDEEP: 1536:Y00PmIpeN4kwTkFtUOKGBTk/W0fzW9t07ij+2v5OMUtvz4ag0I3mz03ANBxLs0J:YXPeJ/UwyRfzuDj+2k1B60I3mzLDs0J
MD5: 034e2d6983dfcd827b99f8592aba6acf

Strike ID: M21-fj341
Malware: BazarLoader_1d528a2e
Platform: Windows
Info: This strike sends a malware sample known as BazarLoader. BazarLoader is a malware loader whose function is to download and install additional malware. This sample of BazarLoader is Nim-compiled to make detection more difficult.
External References: https://twitter.com/i/web/status/1357376719225765892
SHA256: 397e4dc12d48fb0c4d80980643581c9416a4bed022d4676f30218fb1f1e1811c
SHA1: bbe63233d1a918902e2e506d8cddf102a20f4fe8
MD5: 1d528a2e1d0a097421e57f86ba04e79f

Strike ID: M21-c76x1
Malware: Redline_6097a5db
Platform: Windows
Info: This strike sends a malware sample known as Redline. Redline is an information-stealer malware written in .
External References: https://blog.talosintelligence.com/2021/02/threat-roundup-0212-0219.html
SHA256: 8d41ef2fb5dc6d40326edbc5c030442c9b405adb1dec5340a43c5a63fda16ee2
SHA1: 4e91e26a4a983f103e172f037082775bfb3149c7
MD5: 6097a5db8c5cab3c031969fabeea6244

Strike ID: M21-bk621
Malware: Buer_093ddecf
Platform: Windows
Info: This strike sends a polymorphic malware sample known as Buer. Buer is a first-stage downloader used to deploy various other forms of malware, such as ransomware, to its intended victim. It is sold as a ready-to-go solution in underground marketplaces to parties looking for malware with modular delivery options. In this variant, random content has been appended to one of the existing sections of the PE file.
External References: https://arxiv.org/abs/1801.08917
SHA256: 0f8a8ddb588be8fefd396a2759711b9edf992a721b730ea8974961a699eecd5e
PARENTID: M21-ffky1
SSDEEP: 3072:3JAbotnxd8Rt+Q+i17+H3UQ+CYZ4H/dWgG+9Q:iboNIn+I+51/g
SHA1: 74dca7f68212c3abe50f71b9fbb2e4dfb8d89818
MD5: 093ddecf0e75f245cb2b3a8e431cbb06

Strike ID: M21-3i6y1
Malware: Redline_d8e51ae2
Platform: Windows
Info: This strike sends a malware sample known as Redline. Redline is an information-stealer malware written in .
External References: https://blog.talosintelligence.com/2021/02/threat-roundup-0212-0219.html
SHA256: c2a7cf7be6e395d3212033cde522a314c8ab117dc279ff19b15066d14e2f7829
SHA1: 206c92b1734d46eb17655050b4a1a75c9e817a0d
MD5: d8e51ae2875cb0328b492c8238d4d1e0

Strike ID: M21-4nki1
Malware: Ursnif_91debc88
Platform: Windows
Info: This strike sends a malware sample known as Ursnif. Ursnif is used to steal sensitive information from an infected host and can also act as a malware downloader. It is commonly spread through malicious emails or exploit kits.
External References: https://twitter.com/JAMESWT_MHT/status/1358673279981154304
SHA256: bad7c7a4553a600deef25fe5e29b22fcba05d32f9155352d12f8438080b07fa9
SHA1: ab4899ffc60699b28a76f2e0cd3676b4677b9a4c
MD5: 91debc889c24d97edeab1c65810b239c

Strike ID: M21-57bj1
Malware: Ruskill_b9b6030c
Platform: Windows
Info: This strike sends a malware sample known as Ruskill. Ruskill is a botnet that spreads via removable media and through messaging applications. It steals credentials and carries out distributed denial-of-service attacks.
External References: https://blog.talosintelligence.com/2021/02/threat-roundup-0129-0205.html
SHA256: 1824f91ccbc4431b22f5599747db639a096b1d4f446b3c7cead96f3b4066d6fa
SHA1: 41611179ef4bb6039b2bedd716cc5c93acde23c1
MD5: b9b6030c56aff5136cd86f88cef141eb

Strike ID: M21-3gcu1
Malware: Ruskill_b804afd1
Platform: Windows
Info: This strike sends a malware sample known as Ruskill. Ruskill is a botnet that spreads via removable media and through messaging applications. It steals credentials and carries out distributed denial-of-service attacks.
External References: https://blog.talosintelligence.com/2021/02/threat-roundup-0129-0205.html
SHA256: 18b1dca10253a42417655885b76dfdbafa9f6f9f5c322b2c809227233c7f0dc9
SHA1: afb92fdfa547488dad35656255b7e8184769a4fa
MD5: b804afd1fc915ef1e78e2343d2024800

Strike ID: M21-16mv1
Malware: Trickbot_a8d9d1a9
Platform: Windows
Info: This strike sends a malware sample known as Trickbot. Trickbot is a banking trojan that targets sensitive information for select financial institutions. It is frequently distributed through malicious spam campaigns, many of which rely on downloaders such as VB scripts.
External References: https://blog.talosintelligence.com/2021/02/threat-roundup-0212-0219.html
SHA256: 187fb2770b614909ce81559f70db3af470c551ce403778219a22c1d3083a4edc
SHA1: f33c057d652aa70c5f1332e14c0b8d9c77a5aa1c
MD5: a8d9d1a932b2afad5a31816cb8b506ca

Strike ID: M21-t8aw1
Malware: Ruskill_9c91abff
Platform: Windows
Info: This strike sends a malware sample known as Ruskill. Ruskill is a botnet that spreads via removable media and through messaging applications. It steals credentials and carries out distributed denial-of-service attacks.
External References: https://blog.talosintelligence.com/2021/02/threat-roundup-0129-0205.html
SHA256: 373ae055a2f7646f60913248957447d01aa19ca9f7c48d1be5434efdee7ecadf
SHA1: 53c92687df866d8579af6635f53711db44045e6b
MD5: 9c91abff2ec28b11d6a188a865d37ff9

Strike ID: M21-yi0y1
Malware: Redline_c1828a78
Platform: Windows
Info: This strike sends a malware sample known as Redline. Redline is an information-stealer malware written in .
External References: https://blog.talosintelligence.com/2021/02/threat-roundup-0212-0219.html
SHA256: 6c8e9ea9c67e2807cdf62f2b682bbb59038d00435c55e18a69de6ad3331e5455
SHA1: da7fa5cb1ac760fbf43522715782a23f50cf9186
MD5: c1828a782fe78675119058eea22fdbc2

Strike ID: M21-ncn61
Malware: Trickbot_a1bfc1c4
Platform: Windows
Info: This strike sends a malware sample known as Trickbot. Trickbot is a banking trojan that targets sensitive information for select financial institutions. It is frequently distributed through malicious spam campaigns, many of which rely on downloaders such as VB scripts.
External References: https://blog.talosintelligence.com/2021/02/threat-roundup-0212-0219.html
SHA256: aa9daa79af830a093fa2b0e6ebdbfb67f4ea2f66e2adca60acc0beef3f1a895e
SHA1: 82b82a374beff25379eb9f99f1601c422967b7e0
MD5: a1bfc1c4c491e866f28d78b88c22e1f2

Strike ID: M21-i8481
Malware: Redline_9c07bc1e
Platform: Windows
Info: This strike sends a malware sample known as Redline. Redline is an information-stealer malware written in .
External References: https://blog.talosintelligence.com/2021/02/threat-roundup-0212-0219.html
SHA256: 8c89c9a094a0f0d39f2b58ba29bad8a5d2373a98cf7adf0ae8d535853005dee9
SHA1: 1c7106879f1f19475d996e81c7eac1cef67a7592
MD5: 9c07bc1e99a6083c29dc32c8c84dff4a

Strike ID: M21-ka101
Malware: Ursnif_9201b26c
Platform: Mixed
Info: This strike sends a malware sample known as Ursnif. Ursnif is used to steal sensitive information from an infected host and can also act as a malware downloader. It is commonly spread through malicious emails or exploit kits.
External References: https://twitter.com/JAMESWT_MHT/status/1358673279981154304
SHA256: 586023f50536b66296e214a14a8c7d7cd11f5b8c93b1c69367e93996f9a8339f
SHA1: b59130480a4faefd9a9cc552953602407c6bbd20
MD5: 9201b26ca98c8cf301348e64dab51c13

Strike ID: M21-36mf1
Malware: Trickbot_2b8de879
Platform: Windows
Info: This strike sends a malware sample known as Trickbot. Trickbot is a banking trojan that targets sensitive information for select financial institutions. It is frequently distributed through malicious spam campaigns, many of which rely on downloaders such as VB scripts.
External References: https://blog.talosintelligence.com/2021/02/threat-roundup-0212-0219.html
SHA256: ea8c36f9ce78e94cde716fd4eae708324cfa430fa93ae230292b2c68343d7fa4
SHA1: 864d3e3f7ad0f144f8d838ea9638d4c264c5c063
MD5: 2b8de879e137896bf7887a6f26510b01
Strike ID: M21-bd081
Malware: Buer_8c5bd634
Platform: Windows
Info: This strike sends a polymorphic malware sample known as Buer. Buer is a first-stage downloader used to deploy various other forms of malware, such as ransomware, to its intended victim. It is sold as a ready-to-go solution in underground marketplaces to parties looking for malware that provides modular delivery options. The binary has the checksum removed in the PE file format.
External References: https://arxiv.org/abs/1801.08917
SHA256: 8f7a119a298b18940db8770ce079deeca2b15052af84b49f8008201c25dca383
PARENTID: M21-ffky1
SSDEEP: 3072:QJAbotnxd8Rt+Q+i17+H3UQ+CYZ4H/dWgG+9Q:7boNIn+I+51/g
SHA1: 57464251c7e178666a849c60c1d5c292474520cb
MD5: 8c5bd6343ee9630d246af49ca85951b0
Strike ID: M21-snqd1
Malware: DarkComet_b88fa8ad
Platform: Windows
Info: This strike sends a malware sample known as DarkComet. DarkComet and related variants are a family of remote access trojans designed to provide an attacker with control over an infected system.
External References: https://blog.talosintelligence.com/2021/02/threat-roundup-0205-0212.html
SHA256: 1daf2746645dcab7ea4ec4e75a9ac52c0722522b80c701691a12d2882d739a51
SHA1: a3c2834fdbc1cb35a45168bf4d6d33c9eef7fdda
MD5: b88fa8add9ac38d0507751f35edfc183
Strike ID: M21-z5zz1
Malware: Ruskill_1df989f0
Platform: Windows
Info: This strike sends a malware sample known as Ruskill. Ruskill is a botnet that spreads via removable media and through messaging applications. It steals credentials and launches denial-of-service attacks.
External References: https://blog.talosintelligence.com/2021/02/threat-roundup-0129-0205.html
SHA256: 48d6fcee65464b7b5dd0df802407bf3fd050d291d7d61cba92cb8cd2e206661c
SHA1: d8246738f5e38f939b666e16f99b9018194f7679
MD5: 1df989f01c373dcdaa768e1d616c4ee1
Strike ID: M21-due11
Malware: Ruskill_c5c85a5d
Platform: Windows
Info: This strike sends a malware sample known as Ruskill. Ruskill is a botnet that spreads via removable media and through messaging applications. It steals credentials and launches denial-of-service attacks.
External References: https://blog.talosintelligence.com/2021/02/threat-roundup-0129-0205.html
SHA256: 061612a0b63136df5b725ba0be77646d3581962daee5de1af7cdbdee781d105d
SHA1: 69837117a3603a729ccab6e85eb263f6ebed1ade
MD5: c5c85a5dec6e85e0987dc77534cd2245
Strike ID: M21-qif91
Malware: DarkComet_fdb454b6
Platform: Windows
Info: This strike sends a malware sample known as DarkComet. DarkComet and related variants are a family of remote access trojans designed to provide an attacker with control over an infected system.
External References: https://blog.talosintelligence.com/2021/02/threat-roundup-0205-0212.html
SHA256: 771d51caabb75872ef9af76b2ba90693404f217a86885c82365b4b0f054db71a
SHA1: 8e3de08726196376fab8c3c44cd45bfb4deb2917
MD5: fdb454b644e210f2b986295d8d25d383
Strike ID: M21-wcl31
Malware: Buer_c397c806
Platform: Windows
Info: This strike sends a malware sample known as Buer. Buer is a first-stage downloader used to deploy various other forms of malware, such as ransomware, to its intended victim. It is sold as a ready-to-go solution in underground marketplaces to parties looking for malware that provides modular delivery options.
External References: https://www.proofpoint.com/us/threat-insight/post/buer-new-loader-emerges-underground-marketplace
https://twitter.com/VK_Intel/status/1359688058069790722
SHA256: 9e8db7a722cc2fa13101a306343039e8783df66f4d1ba83ed6e1fe13eebaec73
SHA1: 73821da0404624fe7efc4116f4141859377335ef
MD5: c397c806d3c6196f368566319880df3c
Strike ID: M21-gybp1
Malware: Ruskill_62b6204d
Platform: Windows
Info: This strike sends a malware sample known as Ruskill. Ruskill is a botnet that spreads via removable media and through messaging applications. It steals credentials and launches denial-of-service attacks.
External References: https://blog.talosintelligence.com/2021/02/threat-roundup-0129-0205.html
SHA256: 01df4ae369661dccfade59d2e3498c8d88dded4bda6b42ba310c38c30a037314
SHA1: c4733429b6e966ed543f72a078337f5af76c1861
MD5: 62b6204d3fa543db17027c918b300e83
Strike ID: M21-nkhl1
Malware: Buer_693df2e2
Platform: Windows
Info: This strike sends a malware sample known as Buer. Buer is a first-stage downloader used to deploy various other forms of malware, such as ransomware, to its intended victim. It is sold as a ready-to-go solution in underground marketplaces to parties looking for malware that provides modular delivery options.
External References: https://www.proofpoint.com/us/threat-insight/post/buer-new-loader-emerges-underground-marketplace
https://twitter.com/VK_Intel/status/1359688058069790722
SHA256: 6c694df8bde06ffebb8a259bebbae8d123effd58c9dd86564f7f70307443ccd0
SHA1: 1d9644cbeaaea47550bd0b6c2fc722f425aaeeab
MD5: 693df2e2029ed05eb3e7ccd214fb414f
Strike ID: M21-81k81
Malware: Razy_0dd8ba9e
Platform: Windows
Info: This strike sends a malware sample known as Razy. Razy is often used as a generic detection name for a Windows Trojan. This cluster of samples contains encrypted code in the resources section that could be injected into a legitimate process.
External References: https://blog.talosintelligence.com/2021/02/threat-roundup-0205-0212.html
SHA256: 6ad7a1a2107a7529c9106ece35296f4d8384ecac3041311ce5a7206d74e38d74
SHA1: 4d5f49fc442214af10b383056a3f58946b740968
MD5: 0dd8ba9e4af52d8cfd1f12b856f44060
Strike ID: M21-7ltu1
Malware: Gh0stRAT_d1c7d9b6
Platform: Windows
Info: This strike sends a malware sample known as Gh0stRAT. Gh0stRAT is a remote access Trojan that provides control over an infected system. Some of its known functions include the ability to record keystrokes, capture screenshots and download additional malicious payloads.
External References: https://blog.talosintelligence.com/2021/02/threat-roundup-0205-0212.html
SHA256: 33ad59a2f4938f21cb29a303f6fb296763912a141644a76d858ea47c14b53a24
SHA1: 309e6f4565fbd224a0306b49bfea1656cee3ea4f
MD5: d1c7d9b619ac682d4d3c4635b2b4ed5a
Strike ID: M21-6v6t1
Malware: Trickbot_3f2bda5f
Platform: Windows
Info: This strike sends a malware sample known as Trickbot. Trickbot is a banking trojan targeting sensitive information for select financial institutions. This malware is frequently distributed through malicious spam campaigns. Many of these campaigns rely on downloaders for distribution, such as VB Scripts.
External References: https://blog.talosintelligence.com/2021/02/threat-roundup-0212-0219.html
SHA256: c874dd4a471fb101f8d019efbcf5b849d4575c36b479aea3d0ab54ad8ad6d164
SHA1: bdf565f76e51f0f4cfd7827d1f91243c4648a0d5
MD5: 3f2bda5f7852cea174cccc8a7e4e1280
Strike ID: M21-69j21
Malware: Ruskill_2671866d
Platform: Windows
Info: This strike sends a malware sample known as Ruskill. Ruskill is a botnet that spreads via removable media and through messaging applications. It steals credentials and launches denial-of-service attacks.
External References: https://blog.talosintelligence.com/2021/02/threat-roundup-0129-0205.html
SHA256: 19d85f1d25e6808f47798d09a3c612e1f68db90ad33a41b5c0bc4488747418e4
SHA1: e94a26f4edbcc2484616d7eed76f4816183bc66c
MD5: 2671866d29ef60cef7d2543a72d4fa05
Strike ID: M21-inty1
Malware: BazaLoader_8ef02674
Platform: Windows
Info: This strike sends a polymorphic malware sample known as BazaLoader. BazaLoader is a modular malware loader whose purpose is to deliver additional malware. Most recently, BazaLoader campaigns have been detected delivering email and document lures related to Valentine's Day. The binary has a random section name renamed according to the PE format specification.
External References: https://arxiv.org/abs/1801.08917
SHA256: ad5bc5eaf5cbe8a702c482a2b4f203c6a35f2b4351b6a5ef7b79923b07d6cf55
SHA1: 5983e511ce3068aef005b97c7195dc8d8fd1e510
PARENTID: M21-hg921
SSDEEP: 1536:/00PmIpeN4kwTkFtUOKGBTk/W0fzW9t07ij+2v5OMUtvz4ag0I3mz03ANBxLR0J:/XPeJ/UwyRfzuDj+2k1B60I3mzLDR0J
MD5: 8ef02674c322336d04f054f470eea0ce
Strike ID: M21-60uz1
Malware: Buer_2c5569c4
Platform: Windows
Info: This strike sends a polymorphic malware sample known as Buer. Buer is a first-stage downloader used to deploy various other forms of malware, such as ransomware, to its intended victim. It is sold as a ready-to-go solution in underground marketplaces to parties looking for malware that provides modular delivery options. The binary has the debug flag removed in the PE file format.
External References: https://arxiv.org/abs/1801.08917
SHA256: b7ec90d0cd03647e342dc861e23e94023a4492769c0fff3cc7e93985f91468c9
PARENTID: M21-ffky1
SSDEEP: 3072:VJAbotnxd8Rt+Q+i17+H3UQ+CYZ4H/dWgG+9Q:kboNIn+I+51/g
SHA1: 0fd4fa418515e0f800fc955453b45c2ad281b819
MD5: 2c5569c4873195b82b2e3a602309c338
Strike ID: M21-8vpt1
Malware: Buer_ef9cb824
Platform: Windows
Info: This strike sends a polymorphic malware sample known as Buer. Buer is a first-stage downloader used to deploy various other forms of malware, such as ransomware, to its intended victim. It is sold as a ready-to-go solution in underground marketplaces to parties looking for malware that provides modular delivery options. The binary has random strings (lorem ipsum) appended at the end of the file.
External References: https://attack.mitre.org/techniques/T1009/
SHA256: bc7d0297d76aaca6fb68896ae6e7d5ae7608349d040224ef7aad5cbdd7faf5e1
PARENTID: M21-ffky1
SSDEEP: 3072:3JAbotnxd8Rt+Q+i17+H3UQ+CYZ4H/dWgG+9QH:iboNIn+I+51/gb
SHA1: 0e0de5cf9139c10a2a8b93a7a448edf790db417d
MD5: ef9cb8244219f4110d208229eff412d2
Strike ID: M21-249o1
Malware: Trickbot_c771651d
Platform: Windows
Info: This strike sends a malware sample known as Trickbot. Trickbot is a banking trojan targeting sensitive information for select financial institutions. This malware is frequently distributed through malicious spam campaigns. Many of these campaigns rely on downloaders for distribution, such as VB Scripts.
External References: https://blog.talosintelligence.com/2021/02/threat-roundup-0212-0219.html
SHA256: 03a68c65701896f79a23b22d2844146f91a237ddd4e840a5e78494b238f2aff1
SHA1: 09cd06080924888cc46cd4d0695ef65e876252d4
MD5: c771651d916c8e942c8ebfd7bb0fafc3
Strike ID: M21-we4c1
Malware: Redline_e910b20c
Platform: Windows
Info: This strike sends a malware sample known as Redline. Redline is information-stealing malware written in .
External References: https://blog.talosintelligence.com/2021/02/threat-roundup-0212-0219.html
SHA256: 81d268ae82f4444e0635482a5cdeb183b03a9f514815d1b37e3db42845d26391
SHA1: 6e1b3af82dc804e247762697ed98d77c32d45308
MD5: e910b20cdae914ecd558f493e4df6a4f
Strike ID: M21-t65e1
Malware: Buer_9e8ca433
Platform: Windows
Info: This strike sends a polymorphic malware sample known as Buer. Buer is a first-stage downloader used to deploy various other forms of malware, such as ransomware, to its intended victim. It is sold as a ready-to-go solution in underground marketplaces to parties looking for malware that provides modular delivery options. The binary has the timestamp field updated in the PE file header.
External References: https://attack.mitre.org/techniques/T1099/
SHA256: 47493535ccb82f8207450aee2e722d9337f0d2d086ec5f9cef98a208b4b70699
PARENTID: M21-nkhl1
SSDEEP: 3072:eaLJO81NCCCoyq+IuvD/9QrCBrOg8T8O81NCCCoyq+IuvD/9QrCBrOg8TOg/PDgy:JGqEDuqEDtgzgMFjMVAKy7X7SuiapJ
SHA1: fda13754185f3c080adb56e76c84dccbeee10d58
MD5: 9e8ca4331d3d087f6ce750c2ba8ad455
Strike ID: M21-zs2p1
Malware: DoppelPaymer_c9b7413e
Platform: Windows
Info: This strike sends a malware sample known as DoppelPaymer. DoppelPaymer ransomware is a variant of the BitPaymer ransomware. It contains source code that can be found in both Dridex and BitPaymer. It has been delivered primarily by Dridex; however, it has also been distributed through numerous other methods, such as malspam, botnets and exploits. Most recently, Kia Motor Company has suffered an attack from DoppelPaymer, with the attackers requesting a $27 million ransom.
External References: https://siliconangle.com/2021/02/17/kia-motors-america-allegedly-struck-doppelpaymer-ransomware-attack/
SHA256: 624255fef7e958cc3de9e454d2de4ae1a914a41fedc98b2042756042f68c2b69
SHA1: 2a51b4f20ff4fc283ad2f9d19d5aab210fe7c2d1
MD5: c9b7413e50bfb22074734d615857a6f5
Strike ID: M21-11kn1
Malware: Ruskill_f8169d67
Platform: Windows
Info: This strike sends a malware sample known as Ruskill. Ruskill is a botnet that spreads via removable media and through messaging applications. It steals credentials and launches denial-of-service attacks.
External References: https://blog.talosintelligence.com/2021/02/threat-roundup-0129-0205.html
SHA256: 3cdb2401ac9bf018e5077a4e8d52c0a7c7f6a4a1b80018d535483a051870e31c
SHA1: b83d9f5005d2adc7c43d9a1f34438044d52c40e7
MD5: f8169d674fa96973c0b37a0e4524d497
Strike ID: M21-9zok1
Malware: Ruskill_cbeaa60d
Platform: Windows
Info: This strike sends a malware sample known as Ruskill. Ruskill is a botnet that spreads via removable media and through messaging applications. It steals credentials and launches denial-of-service attacks.
External References: https://blog.talosintelligence.com/2021/02/threat-roundup-0129-0205.html
SHA256: 40267e2489ce22b75d0dec5d26420a71531577e87276f0217410490f61a4aaee
SHA1: 7644788b39d13e59b5177db5a9e8063fdac5e8f8
MD5: cbeaa60d3ca9e95aa97ced332046597f
Strike ID: M21-cvnx1
Malware: Trickbot_e5d84074
Platform: Windows
Info: This strike sends a malware sample known as Trickbot. Trickbot is a banking trojan targeting sensitive information for select financial institutions. This malware is frequently distributed through malicious spam campaigns. Many of these campaigns rely on downloaders for distribution, such as VB Scripts.
External References: https://blog.talosintelligence.com/2021/02/threat-roundup-0212-0219.html
SHA256: 7de1b9afef4135f13888a521142bb247284306184276326ef745a294ecb3cc31
SHA1: 578d87df59c30b08e18ed84760bbd4bc5d9578e9
MD5: e5d84074f043e53fcb6f74e3bc2b4017
Strike ID: M21-ihtd1
Malware: Trickbot_81cfada2
Platform: Windows
Info: This strike sends a malware sample known as Trickbot. Trickbot is a banking trojan targeting sensitive information for select financial institutions. This malware is frequently distributed through malicious spam campaigns. Many of these campaigns rely on downloaders for distribution, such as VB Scripts.
External References: https://blog.talosintelligence.com/2021/02/threat-roundup-0212-0219.html
SHA256: d69e6e3b30a7e193eafebdb19ae91643faab437855523d994b1d1684a4c0ac0e
SHA1: 24263d91575bb825c33e3fd27f35bc7bd611cee3
MD5: 81cfada27d2a3c2f4e7afd0d24803eba
Strike ID: M21-lcw11
Malware: Ruskill_06186a2f
Platform: Windows
Info: This strike sends a malware sample known as Ruskill. Ruskill is a botnet that spreads via removable media and through messaging applications. It steals credentials and launches denial-of-service attacks.
External References: https://blog.talosintelligence.com/2021/02/threat-roundup-0129-0205.html
SHA256: 3077d499cf1701fe9cda3b797962b96cc604a7edbbd6ce93f6ccfe18ea512933
SHA1: 33cafe5b35c3ea56c6e2b35934783ae49bbb6b97
MD5: 06186a2f936fee608094cf074e49072b
Strike ID: M21-nd1o1
Malware: Ruskill_c217a53d
Platform: Windows
Info: This strike sends a malware sample known as Ruskill. Ruskill is a botnet that spreads via removable media and through messaging applications. It steals credentials and launches denial-of-service attacks.
External References: https://blog.talosintelligence.com/2021/02/threat-roundup-0129-0205.html
SHA256: 258c0ea198a5248e11dba69eeee9dbe7904e7065139bcaac747d4209c2b589e2
SHA1: 2aaf2abb16f2390ddddc18eeb2626b1a862a0f92
MD5: c217a53dcba7dd40209b16909d2dabe9
Strike ID: M21-xmc81
Malware: Redline_55fcdb39
Platform: Windows
Info: This strike sends a malware sample known as Redline. Redline is information-stealing malware written in .
External References: https://blog.talosintelligence.com/2021/02/threat-roundup-0212-0219.html
SHA256: 1f6a851e6ec58527597fa34f45bf3fb57fb792dc510dd2924223fe06767ac5db
SHA1: caf3bce6abb7110ab38c6b06af8846c9dcbc4360
MD5: 55fcdb39dca31049eb2fe68fb4daad64
Strike ID: M21-lw5a1
Malware: DarkComet_ac34dce8
Platform: Windows
Info: This strike sends a malware sample known as DarkComet. DarkComet and related variants are a family of remote access trojans designed to provide an attacker with control over an infected system.
External References: https://blog.talosintelligence.com/2021/02/threat-roundup-0205-0212.html
SHA256: 8f6cdb7c77903c36b0710a606cc71af7bf28b7bbc6f45e0d9467925c25e41afe
SHA1: 40fca39c271126b2cf6de49ceabd500988e1c598
MD5: ac34dce8050f844dd3927018a2e365f1
Strike ID: M21-5h591
Malware: Ruskill_3ed76c13
Platform: Windows
Info: This strike sends a malware sample known as Ruskill. Ruskill is a botnet that spreads via removable media and through messaging applications. It steals credentials and launches denial-of-service attacks.
External References: https://blog.talosintelligence.com/2021/02/threat-roundup-0129-0205.html
SHA256: 3ad12cacad094bcdb0307246a14bd2d4a8e74109a4bc8a28ffdf04765fd12524
SHA1: 98d364053adbefd5c15e0a34a157d5393d254e53
MD5: 3ed76c13d2dee62a1b707530a744354c
Strike ID: M21-9rru1
Malware: Buer_a3987c9c
Platform: Windows
Info: This strike sends a malware sample known as Buer. Buer is a first-stage downloader used to deploy various other forms of malware, such as ransomware, to its intended victim. It is sold as a ready-to-go solution in underground marketplaces to parties looking for malware that provides modular delivery options.
External References: https://www.proofpoint.com/us/threat-insight/post/buer-new-loader-emerges-underground-marketplace
https://twitter.com/VK_Intel/status/1359688058069790722
SHA256: ab21d61b35a8d1dc4ffb3cc4b75094c31b8c00de3ffaaa17ce1ad15e876dbd1f
SHA1: 217a2bdd6b7b90571990f6fd8f9b50efb57114ad
MD5: a3987c9c0ca7b09971a34fad7684cbc1
Strike ID: M21-q8f21
Malware: BazaLoader_66a795a6
Platform: Windows
Info: This strike sends a polymorphic malware sample known as BazaLoader. BazaLoader is a modular malware loader whose purpose is to deliver additional malware. Most recently, BazaLoader campaigns have been detected delivering email and document lures related to Valentine's Day. The binary has random contents appended in one of the existing sections in the PE file format.
External References: https://arxiv.org/abs/1801.08917
SHA256: 47479579dc590ac05d1121a792c640a4389be600d849e964502b4a88e3750ad7
SHA1: f7aaf7a69f7d5184f031ebba8854053161aa758c
PARENTID: M21-hg921
SSDEEP: 1536:U00PmIpeN4kwTkFtUOKGBTk/W0fzW9t07ij+2v5OMUtvz4ag0I3mz03ANBxLR0J:UXPeJ/UwyRfzuDj+2k1B60I3mzLDR0J
MD5: 66a795a6c30b329d358293a47ad02de5
Strike ID: M21-2u6y1
Malware: Ruskill_8c9b501a
Platform: Windows
Info: This strike sends a malware sample known as Ruskill. Ruskill is a botnet that spreads via removable media and through messaging applications. It steals credentials and launches denial-of-service attacks.
External References: https://blog.talosintelligence.com/2021/02/threat-roundup-0129-0205.html
SHA256: 296d563b7e5041750b6c1f8a4ed8f6711a41d9dbc24bc84d11f7d017691999e1
SHA1: fe471cb7271084782fd4331a813cac162aa4282e
MD5: 8c9b501a908efe3ba7d828d7b51a6c9c
Strike ID: M21-13f91
Malware: DarkComet_117dba14
Platform: Windows
Info: This strike sends a malware sample known as DarkComet. DarkComet and related variants are a family of remote access trojans designed to provide an attacker with control over an infected system.
External References: https://blog.talosintelligence.com/2021/02/threat-roundup-0205-0212.html
SHA256: 934936ac5b2cf33bb1cfcf6a750094beb7015119608a454d99ca8324669e9ec7
SHA1: 56286771fe4ad96eb54e9811d6f4ecaf364b4b37
MD5: 117dba14282c9be237e14438af11f35c
Strike ID: M21-kikt1
Malware: Buer_25f10854
Platform: Windows
Info: This strike sends a polymorphic malware sample known as Buer. Buer is a first-stage downloader used to deploy various other forms of malware, such as ransomware, to its intended victim. It is sold as a ready-to-go solution in underground marketplaces to parties looking for malware that provides modular delivery options. The binary has random bytes appended at the end of the file.
External References: https://attack.mitre.org/techniques/T1009/
SHA256: f747b4e7c0af4c90d309c0cb266d539e92ccd789c007ab8029f9a75bda797759
PARENTID: M21-ffky1
SSDEEP: 3072:3JAbotnxd8Rt+Q+i17+H3UQ+CYZ4H/dWgG+9Qk:iboNIn+I+51/gY
SHA1: de1619121f95522c98dd6085ad7836505d8c69fc
MD5: 25f108547ce1d51064bfd9fd083c8da5
Strike ID: M21-btn81
Malware: Trickbot_d91f878b
Platform: Windows
Info: This strike sends a malware sample known as Trickbot. Trickbot is a banking trojan targeting sensitive information for select financial institutions. This malware is frequently distributed through malicious spam campaigns. Many of these campaigns rely on downloaders for distribution, such as VB Scripts.
External References: https://blog.talosintelligence.com/2021/02/threat-roundup-0212-0219.html
SHA256: 8e2afd9599508f6a4652826e6ff133d6a29d7d3bf6a05de3332826b7c80688de
SHA1: 6de843fb12f456b0ea42876d82f39fe35b5cf6ca
MD5: d91f878bc1707aecdb28e895cf5a7fd9
Strike ID: M21-7it31
Malware: BazaLoader_3c9d6dd0
Platform: Windows
Info: This strike sends a polymorphic malware sample known as BazaLoader. BazaLoader is a modular malware loader whose purpose is to deliver additional malware. Most recently, BazaLoader campaigns have been detected delivering email and document lures related to Valentine's Day. The binary has the timestamp field updated in the PE file header.
External References: https://attack.mitre.org/techniques/T1099/
SHA256: c9b8cebfd4a89ba2f1f100825153f172717adc35f12a9d3ca98d1b25a1d7f6f0
SHA1: fa144f94e417bf59c5506929067ea0c3a718f391
PARENTID: M21-hg921
SSDEEP: 1536:800PmIpeN4kwTkFtUOKGBTk/W0fzW9t07ij+2v5OMUtvz4ag0I3mz03ANBxLR0J:8XPeJ/UwyRfzuDj+2k1B60I3mzLDR0J
MD5: 3c9d6dd012f71a9d021227ef35c593d4
Strike ID: M21-gu2w1
Malware: DarkComet_aaf9800c
Platform: Windows
Info: This strike sends a malware sample known as DarkComet. DarkComet and related variants are a family of remote access trojans designed to provide an attacker with control over an infected system.
External References: https://blog.talosintelligence.com/2021/02/threat-roundup-0205-0212.html
SHA256: d4f8550b614995e44044bd2b83f4955bd60b9ec5ff4d7bfc3e0af4e04bbee535
SHA1: c8e0bfb453a7ae4230b8ea3c350011f59f240ece
MD5: aaf9800c6ebda965c676c580dee47186
Strike ID: M21-xkm81
Malware: DoppelPaymer_2d49243c
Platform: Windows
Info: This strike sends a malware sample known as DoppelPaymer. DoppelPaymer ransomware is a variant of the BitPaymer ransomware. It contains source code that can be found in both Dridex and BitPaymer. It has been delivered primarily by Dridex; however, it has also been distributed through numerous other methods, such as malspam, botnets and exploits. Most recently, Kia Motor Company has suffered an attack from DoppelPaymer, with the attackers requesting a $27 million ransom.
External References: https://siliconangle.com/2021/02/17/kia-motors-america-allegedly-struck-doppelpaymer-ransomware-attack/
SHA256: c66157a916c7f874bd381a775b8eede422eb59819872fdffafc5649eefa76373
SHA1: c863a8baad7dcb7337b42aabcbe12ce7b2147f52
MD5: 2d49243c9ee70e4998362082c98e1819
Strike ID: M21-egl51
Malware: Trickbot_78896e48
Platform: Windows
Info: This strike sends a malware sample known as Trickbot. Trickbot is a banking trojan targeting sensitive information for select financial institutions. This malware is frequently distributed through malicious spam campaigns. Many of these campaigns rely on downloaders for distribution, such as VB Scripts.
External References: https://blog.talosintelligence.com/2021/02/threat-roundup-0212-0219.html
SHA256: e270893e964120a11f48c888cd127959d3e60961fc7c8d7e58e4a13d58aff8f4
SHA1: b1f7f71b5f7fee1cf38e2591e50cb181f7bd5353
MD5: 78896e48b0e9033f04096ec7eb2a9eee
Strike ID: M21-6fip1
Malware: Redline_4a7186b7
Platform: Windows
Info: This strike sends a malware sample known as Redline. Redline is information-stealing malware written in .
External References: https://blog.talosintelligence.com/2021/02/threat-roundup-0212-0219.html
SHA256: d1db7d5b29bdde7c9e1e7899d1867eba946e961c95e0d9867dbbdfc63d7b81da
SHA1: c251e1f329c5701a93aadd7943651c758976ac17
MD5: 4a7186b73bb3dfa1ee69a25d2a6ad958
Strike ID: M21-9kn51
Malware: Buer_845c6f85
Platform: Windows
Info: This strike sends a polymorphic malware sample known as Buer. Buer is a first-stage downloader used to deploy various other forms of malware, such as ransomware, to its intended victim. It is sold as a ready-to-go solution in underground marketplaces to parties looking for malware that provides modular delivery options. The binary has a random section name renamed according to the PE format specification.
External References: https://arxiv.org/abs/1801.08917
SHA256: 3d9eb8a9420591153b2560f7f6c999935448f3e33c4d4c4fbc31b9a78cbe6776
PARENTID: M21-ffky1
SSDEEP: 3072:sJAbotnxd8Rt+Q+i17+H3UQ+CYZ4H/dWgG+9Q:fboNIn+I+51/g
SHA1: 56ed430ea70c6f03d771c5ece6fdaa21d7bfdfc7
MD5: 845c6f85f2a58dee6c49ed47ab052662
Strike ID: M21-p6gb1
Malware: Ruskill_1d1bccd2
Platform: Windows
Info: This strike sends a malware sample known as Ruskill. Ruskill is a botnet that spreads via removable media and through messaging applications. It steals credentials and launches denial-of-service attacks.
External References: https://blog.talosintelligence.com/2021/02/threat-roundup-0129-0205.html
SHA256: 065d25b7577fe097ba6c789428b370eec7967256db2c43cf1cc95ec197805dd1
SHA1: 655cdc1bb1c74b95dc5220ac895dbcc399530475
MD5: 1d1bccd23b7cf435334f34766ffb6858
Strike ID: M21-voul1
Malware: Buer_d1b2c5f7
Platform: Windows
Info: This strike sends a polymorphic malware sample known as Buer. Buer is a first-stage downloader used to deploy various other forms of malware, such as ransomware, to its intended victim. It is sold as a ready-to-go solution in underground marketplaces to parties looking for malware that provides modular delivery options. The binary has random strings (lorem ipsum) appended at the end of the file.
External References: https://attack.mitre.org/techniques/T1009/
SHA256: f334b1a002b0204533f671729c33752d813e1a0d7816c8588c075a73aa52bb97
PARENTID: M21-nkhl1
SSDEEP: 3072:taLJO81NCCCoyq+IuvD/9QrCBrOg8T8O81NCCCoyq+IuvD/9QrCBrOg8TOg/PDg7:2GqEDuqEDtgzgMFjMVAKy7X7SuiapQ
SHA1: a8482072ce3a953f9764b620d25db8a45ae492a5
MD5: d1b2c5f79f39a646bbd29f9aebbc57e9
Strike ID: M21-ffky1
Malware: Buer_285e5729
Platform: Windows
Info: This strike sends a malware sample known as Buer. Buer is a first-stage downloader used to deploy various other forms of malware, such as ransomware, to its intended victim. It is sold as a ready-to-go solution in underground marketplaces to parties looking for malware that provides modular delivery options.
External References: https://www.proofpoint.com/us/threat-insight/post/buer-new-loader-emerges-underground-marketplace
https://twitter.com/VK_Intel/status/1359688058069790722
SHA256: 197163b6eb2114f3b565391f43b44fb8d61531a23758e35b11ef0dc44d349e90
SHA1: 1b7a5c582d56646a0e51b3296e69e9f61b3ffa0d
MD5: 285e57297f578e565dc814301149edbf
Strike ID: M21-00es1
Malware: Buer_1292fd2e
Platform: Windows
Info: This strike sends a polymorphic malware sample known as Buer. Buer is a first-stage downloader used to deploy various other forms of malware, such as ransomware, to its intended victim. It is sold as a ready-to-go solution in underground marketplaces to parties looking for malware that provides modular delivery options. The binary has a new section with random contents added in the PE file format.
External References: https://arxiv.org/abs/1801.08917
SHA256: d44f0005202bf35c13fbc4d397a5422bc04af75c1bed2708f446591f43341899
PARENTID: M21-ffky1
SSDEEP: 3072:2JAbotnxd8Rt+Q+i17+H3UQ+CYZ4H/dWgG+9Q:NboNIn+I+51/g
SHA1: 17951cdd0f2b19d2e54ab0e0a8ad65ea807d3a80
MD5: 1292fd2e94145944fc89568de433ea78
Strike ID: M21-q6yp1
Malware: Buer_733098ca
Platform: Windows
Info: This strike sends a polymorphic malware sample known as Buer. Buer is a first-stage downloader used to deploy various other forms of malware, such as ransomware, to its intended victim. It is sold as a ready-to-go solution in underground marketplaces to parties looking for malware that provides modular delivery options. The binary has been packed using the UPX packer with the default options.
External References: https://attack.mitre.org/techniques/T1045/
SHA256: 96c7d4846b05d45d474e3e10df3691f19b6365a607e384b3cc3d14133700f162
PARENTID: M21-ffky1
SSDEEP: 3072:eGoAKhyKshZlQwPevcQlxeub1wn/LVv/txcCxQy:ZZtQxcuL1KlxcC
SHA1: bda10f0c4aad411401ae5fe5fa8234730bff8d9d
MD5: 733098cad6d135345bc00f37cdca52c5
Strike ID: M21-0bfd1
Malware: Ruskill_52479cdd
Platform: Windows
Info: This strike sends a malware sample known as Ruskill. Ruskill is a botnet that spreads via removable media and through messaging applications. It steals credentials and launches denial-of-service attacks.
External References: https://blog.talosintelligence.com/2021/02/threat-roundup-0129-0205.html
SHA256: 3d241bc13f8b401bfc9cd9e76a61e306c63be399bee6fb251b91e7d4b472cf1f
SHA1: dc1932bf26a004dea909b1bfb159f3613a785cdf
MD5: 52479cdd528eaeb80b34602492607c8f