| Strike ID | Name | Platform | Description | MD5 | References | SHA256 | SHA1 | Parent ID | SSDEEP |
|---|---|---|---|---|---|---|---|---|---|
| M21-2x9i1 | Trickbot_a9392a4d | Windows | This strike sends a malware sample known as Trickbot. Trickbot is a banking trojan targeting sensitive information for select financial institutions. This malware is frequently distributed through malicious spam campaigns. Many of these campaigns rely on downloaders for distribution, such as VB Scripts. | a9392a4d881a556ddf5b4bc812b5e079 | https://blog.talosintelligence.com/2021/02/threat-roundup-0212-0219.html | 9b7ca2a5d739eadeeb2290e26ca8a11dffc85331fa539d080777083af9123b45 | 4e587b19ae95a13d36dbac636ef0ce73f8699494 | | |
| M21-0u6b1 | Trickbot_fae34a61 | Windows | This strike sends a malware sample known as Trickbot. Trickbot is a banking trojan targeting sensitive information for select financial institutions. This malware is frequently distributed through malicious spam campaigns. Many of these campaigns rely on downloaders for distribution, such as VB Scripts. | fae34a61be4d7b2f15de7e8aaad8358b | https://blog.talosintelligence.com/2021/02/threat-roundup-0212-0219.html | 28324d38845e953911330e985a51bda6431c40d63a7fc40a6d05a9f86b702ce8 | 0281b57b3554841a850c8afa7da1d454a7b39f5a | | |
| M21-ao1y1 | DarkComet_b06f43f7 | Windows | This strike sends a malware sample known as DarkComet. DarkComet and related variants are a family of remote access trojans designed to provide an attacker with control over an infected system. | b06f43f7f11d71d39ee45e745767928f | https://blog.talosintelligence.com/2021/02/threat-roundup-0205-0212.html | c72000deaafee8b3a26c31808316ecae94e429ff5d5b4334379adb1f91365c5f | c9ed3a8395a5eb4a3cae0977f6671c1cb79c7062 | | |
| M21-317m1 | DarkComet_1ccf967b | Windows | This strike sends a malware sample known as DarkComet. DarkComet and related variants are a family of remote access trojans designed to provide an attacker with control over an infected system. | 1ccf967b97a04e428c427aa7e2443e4e | https://blog.talosintelligence.com/2021/02/threat-roundup-0205-0212.html | d48cd3dc1e4203c1af41580fa1575f4e478a6947b75ac92271c9cb24481dcb40 | af0beb59d1c59265ac43943f2812d685a538530b | | |
| M21-c0fq1 | Buer_89d8c5bd | Windows | This strike sends a malware sample known as Buer. Buer is a first-stage downloader used to deploy various other forms of malware, such as ransomware, to its intended victim. It is sold as a ready-to-go solution in underground marketplaces to parties looking for malware with modular delivery options. | 89d8c5bdcc1dbb18e7ba59e4450fd001 | https://www.proofpoint.com/us/threat-insight/post/buer-new-loader-emerges-underground-marketplace; https://twitter.com/VK_Intel/status/1359688058069790722 | 753276c5887ba5cb818360e797b94d1306069c6871b61f60ecc0d31c78c6d31e | 47ca59c0056894200475e25f86e2ab0972d34b2c | | |
| M21-0kzv1 | DarkComet_dacded52 | Windows | This strike sends a malware sample known as DarkComet. DarkComet and related variants are a family of remote access trojans designed to provide an attacker with control over an infected system. | dacded526944ecb98ddd58f543141c84 | https://blog.talosintelligence.com/2021/02/threat-roundup-0205-0212.html | 47f31e2c01e3608564d18be81c165583fec2e775ffbb913ca0bc31e5265fd850 | 594cfe2c9982f6ebefedf70f046a0c48666f4a43 | | |
| M21-hg921 | BazaLoader_50a737ac | Windows | This strike sends a malware sample known as BazaLoader. BazaLoader is a modular malware loader whose purpose is to deliver additional malware. Most recently, BazaLoader campaigns have been detected delivering email and document lures related to Valentine's Day. | 50a737acebc342a7d5bdca05419c1564 | https://www.proofpoint.com/us/blog/threat-insight/baza-valentines-day | 447b4c867b7147afe178d73adf8113fc33f6399f03707e4308efa36e0859bf86 | fcdb1a81a27f9ac7a8efcfa591fb723bd001c66f | | |
| M21-zu9u1 | Buer_1ab2fc91 | Windows | This strike sends a polymorphic malware sample known as Buer. Buer is a first-stage downloader used to deploy various other forms of malware, such as ransomware, to its intended victim. It is sold as a ready-to-go solution in underground marketplaces to parties looking for malware with modular delivery options. The binary has a section renamed to a random name, in accordance with the PE format specification. | 1ab2fc91ddfc486d3ec76c36a7ec5b43 | https://arxiv.org/abs/1801.08917 | e633ad8fa3ed54c42a0fa617eab5f440aed6cf66a0634a357a2ed4a0b980a43d | a98860ec4ce0b0405006638d186f5d4cce7bfb4b | M21-nkhl1 | 3072:taLJO81NCCCoyq+IuvD/9QrCBrOg8T8O81NCCCoyq+IuvD/9QrCBrOg8TOg/PDgy:2GqEDuqEDtgzgMFjMVAKy7X7SuiapJ |
| M21-yfhd1 | Redline_945955bb | Windows | This strike sends a malware sample known as Redline. Redline is an information-stealer malware written in . | 945955bb867fb99aa6b2b2eed03840b5 | https://blog.talosintelligence.com/2021/02/threat-roundup-0212-0219.html | f89e6f2527aa365968333a01f97ba93b6d21e55375e6be255841fed0ecf67054 | cb2dd721650e7999c0d4f17cfb4b28f0b45d281f | | |
| M21-lmdl1 | Buer_cac3879e | Windows | This strike sends a malware sample known as Buer. Buer is a first-stage downloader used to deploy various other forms of malware, such as ransomware, to its intended victim. It is sold as a ready-to-go solution in underground marketplaces to parties looking for malware with modular delivery options. | cac3879ed9dba1145f99376c2f32ebb7 | https://www.proofpoint.com/us/threat-insight/post/buer-new-loader-emerges-underground-marketplace; https://twitter.com/VK_Intel/status/1359688058069790722 | fa699eab565f613df563ce47de5b82bde16d69c5d0c05ec9fc7f8d86ad7682ce | 059a1c87b0d2cb1f41588f7b81b7b569be204b57 | | |
| M21-v4ah1 | Buer_1fa27c5e | Windows | This strike sends a malware sample known as Buer. Buer is a first-stage downloader used to deploy various other forms of malware, such as ransomware, to its intended victim. It is sold as a ready-to-go solution in underground marketplaces to parties looking for malware with modular delivery options. | 1fa27c5e084887e9e3a2e232d27e10e3 | https://www.proofpoint.com/us/threat-insight/post/buer-new-loader-emerges-underground-marketplace; https://twitter.com/VK_Intel/status/1359688058069790722 | 41a4ee153b3c61cc8ed50de571e5b8f884de1c8c07332b7b31f238360832988c | a7c98a694753ed745e8618369d16e39c46cca1e7 | | |
| M21-5r1n1 | Redline_208b1854 | Windows | This strike sends a malware sample known as Redline. Redline is an information-stealer malware written in . | 208b18547a5e4eca91494fd6ba71efd7 | https://blog.talosintelligence.com/2021/02/threat-roundup-0212-0219.html | 9f53624e3d08ef50e14c5761553d0f90d1203f69ba5674c35b309e285980c811 | 015ff088425ac06c1a2dc0d1795dbd35a9d27ff5 | | |
| M21-5sbm1 | Ruskill_8b761275 | Windows | This strike sends a malware sample known as Ruskill. Ruskill is a botnet that spreads via removable media and through messaging applications. It steals credentials and launches denial-of-service attacks. | 8b761275be3448835ca45f2c089721b9 | https://blog.talosintelligence.com/2021/02/threat-roundup-0129-0205.html | 1c4503406deebc20d8575edf1bad548fc627052365af2cdc4d2c2d78f8c91fb6 | 2d9aa3f9bc1fa98b217891bb2c34d9136ed54a6f | | |
| M21-y7mu1 | Trickbot_d1d23a53 | Windows | This strike sends a malware sample known as Trickbot. Trickbot is a banking trojan targeting sensitive information for select financial institutions. This malware is frequently distributed through malicious spam campaigns. Many of these campaigns rely on downloaders for distribution, such as VB Scripts. | d1d23a53b5bf6b060b5714fee99460f2 | https://blog.talosintelligence.com/2021/02/threat-roundup-0212-0219.html | 239789e83dc0a80e8bbd0665a30c2219cbe4cc3d2677bdc818177b260c7fe982 | 133facb3c6bd369b2ea030c458bad556c0fc102b | | |
| M21-i1301 | Redline_ef29de5f | Windows | This strike sends a malware sample known as Redline. Redline is an information-stealer malware written in . | ef29de5f57bf968677023aacb1faaf15 | https://blog.talosintelligence.com/2021/02/threat-roundup-0212-0219.html | 8bc9c34c4795259ec849342ef090ff6afe98386cf8f3e178090462ea2e9222a3 | ded9d460552ce29a569beaa049e683921c38cf20 | | |
| M21-x1nd1 | Ruskill_8935551d | Windows | This strike sends a malware sample known as Ruskill. Ruskill is a botnet that spreads via removable media and through messaging applications. It steals credentials and launches denial-of-service attacks. | 8935551d375c42018bcef423006fced5 | https://blog.talosintelligence.com/2021/02/threat-roundup-0129-0205.html | 3963634f532439291b94c949ac2b702a4f0216aaae6c38abff24871d96918530 | 1170d616b974907e31231f088393b0f826a39ab3 | | |
| M21-6qic1 | DarkComet_e5df0db4 | Windows | This strike sends a malware sample known as DarkComet. DarkComet and related variants are a family of remote access trojans designed to provide an attacker with control over an infected system. | e5df0db41a655829f3564fb6d45f527a | https://blog.talosintelligence.com/2021/02/threat-roundup-0205-0212.html | 853fe6dcbc1947060a26cfee85e433f0af72157f0e56672671f6f0bb9edb22c0 | 8ec2628392a16ba5fe7ee65036cbc74dfcae1c2f | | |
| M21-h6ze1 | Redline_c7c0a75d | Windows | This strike sends a malware sample known as Redline. Redline is an information-stealer malware written in . | c7c0a75da9042c5b0a9d82e09fec7aa7 | https://blog.talosintelligence.com/2021/02/threat-roundup-0212-0219.html | 69fca12354a4e0577c699dfbf58b665f5358693660ce2cf8144b75ea08249d50 | b7824189764703cc253ea16235fa8f273bf5cc4e | | |
| M21-2jmd1 | Ruskill_de840601 | Windows | This strike sends a malware sample known as Ruskill. Ruskill is a botnet that spreads via removable media and through messaging applications. It steals credentials and launches denial-of-service attacks. | de840601a818c3b2bfce3828ad10ab78 | https://blog.talosintelligence.com/2021/02/threat-roundup-0129-0205.html | 2eaf24384812f6b8df0b345ee7f11aef2f8a2339e11b3752eb2d3daabf3ba588 | 3138d12d1270ef6028397588621117788eb590d9 | | |
| M21-tuej1 | DarkComet_97eebf03 | Windows | This strike sends a malware sample known as DarkComet. DarkComet and related variants are a family of remote access trojans designed to provide an attacker with control over an infected system. | 97eebf03ca937627e7a35c84503ceb2d | https://blog.talosintelligence.com/2021/02/threat-roundup-0205-0212.html | 720c7086ec84b14499b6b0803c841c59e56f4b17f566afa633b68c155871f05a | 3b414d2c91d1bd6411b22c90307723d97c367c5c | | |
| M21-ctde1 | Redline_fd0e02dc | Windows | This strike sends a malware sample known as Redline. Redline is an information-stealer malware written in . | fd0e02dc2e477d0229807f2486fff6b8 | https://blog.talosintelligence.com/2021/02/threat-roundup-0212-0219.html | 181deb00fe0cef63aa1110722c263e33e010bef99b2239f7f3e010e4ef896ee8 | 60962cca79bf8754ce04a2f09d13533d36cc2afa | | |
| M21-8ohh1 | Ruskill_f12998e1 | Windows | This strike sends a malware sample known as Ruskill. Ruskill is a botnet that spreads via removable media and through messaging applications. It steals credentials and launches denial-of-service attacks. | f12998e1874bfbad5103305a910e6a45 | https://blog.talosintelligence.com/2021/02/threat-roundup-0129-0205.html | 0e45a2aebdc4a6212f2bb7cb9f84d5597a4c249077c7f6d4152f55931a622be2 | 4e07cdf5ec2ba71ce6eb489c04c2b6dcd16e05f3 | | |
| M21-8cru1 | Redline_a4358594 | Windows | This strike sends a malware sample known as Redline. Redline is an information-stealer malware written in . | a43585940b7a2bb9f0af4587dc4fa1d4 | https://blog.talosintelligence.com/2021/02/threat-roundup-0212-0219.html | be92ed06586b1d63cd82f3ae730ca8c99abd2a2de403b5f14094fd01ce47a1c2 | 518ea1514680996304ee65e53dd3e252302cab50 | | |
| M21-whtj1 | DarkComet_f5491800 | Windows | This strike sends a malware sample known as DarkComet. DarkComet and related variants are a family of remote access trojans designed to provide an attacker with control over an infected system. | f5491800859ca7512dc4839225543a2d | https://blog.talosintelligence.com/2021/02/threat-roundup-0205-0212.html | 783031a8d7e9d3b9c32b9827c2121d1da92e63a5fc99a089a6743c829be54855 | c0a2c8f45a8583b91afc128eea794efa0fa78775 | | |
| M21-2owv1 | Ruskill_2d3f70b0 | Windows | This strike sends a malware sample known as Ruskill. Ruskill is a botnet that spreads via removable media and through messaging applications. It steals credentials and launches denial-of-service attacks. | 2d3f70b08c4d9a3c4ac2d2065dbb1130 | https://blog.talosintelligence.com/2021/02/threat-roundup-0129-0205.html | 4968881ce2cd887f5677d49cf260d43440f37d822f3294b6a49afed736c038af | 3f6c5544e56717ea228625b125320e1420b9e59d | | |
| M21-loza1 | DarkComet_21c6f354 | Windows | This strike sends a malware sample known as DarkComet. DarkComet and related variants are a family of remote access trojans designed to provide an attacker with control over an infected system. | 21c6f354ae5716237ce20d781a9fe1b6 | https://blog.talosintelligence.com/2021/02/threat-roundup-0205-0212.html | c76017b1ec2b90bdc6d3a6fd8e34b8c948dc2c103fe40c5ef690a3ebf14c2cea | 9bbba8865f13a6370d1fe4d1ec39d5e7720c8c6b | | |
| M21-qg081 | Redline_fe13bef0 | Windows | This strike sends a malware sample known as Redline. Redline is an information-stealer malware written in . | fe13bef02933d061609d3f614bc0f303 | https://blog.talosintelligence.com/2021/02/threat-roundup-0212-0219.html | 9cef12bd078776ed63eeac73915174764c331244fc79609a0b8d8a7589c09c83 | a7dd6d25a2a8b84e94e8eacfa8b850679730d0b0 | | |
| M21-4bk91 | DarkComet_e34111d9 | Windows | This strike sends a malware sample known as DarkComet. DarkComet and related variants are a family of remote access trojans designed to provide an attacker with control over an infected system. | e34111d9e2ddbea03a6cd91236f4dc27 | https://blog.talosintelligence.com/2021/02/threat-roundup-0205-0212.html | 83d6c112004f89884e05919f941ca3a5f3a918f4bde181bed477f659a275e630 | 6512750e732b640891b06e661e0b169556519ca3 | | |
| M21-p8k91 | Redline_b0ab5154 | Windows | This strike sends a malware sample known as Redline. Redline is an information-stealer malware written in . | b0ab5154bb8b4ff883500f410342d580 | https://blog.talosintelligence.com/2021/02/threat-roundup-0212-0219.html | 99e8f71c4b1defd1fdad56f2b9e70578633cb2cd1901698bbadf97c1538c7384 | 80b69b488bb821593a5f3ff77a8444373af65bc7 | | |
| M21-mnd61 | Ruskill_2824fdeb | Windows | This strike sends a malware sample known as Ruskill. Ruskill is a botnet that spreads via removable media and through messaging applications. It steals credentials and launches denial-of-service attacks. | 2824fdebf4c8188c6128cd06a403da6a | https://blog.talosintelligence.com/2021/02/threat-roundup-0129-0205.html | 24447cf4a7cae8a7602d6ab18cbf57a50cd6d7f05413742149806489823e97e0 | 88a9ae60ab897ac21467a8042e77882e4aaf394b | | |
| M21-oatb1 | Redline_ea49bd1b | Windows | This strike sends a malware sample known as Redline. Redline is an information-stealer malware written in . | ea49bd1b6b5a19618dff479ee0d2aa24 | https://blog.talosintelligence.com/2021/02/threat-roundup-0212-0219.html | 5ed7321d0e4d7e0dbec935824a15bd6706d26e1798c8d86ac820e7632fa12af5 | 4a7cd5222a303d961482c83461e43ea1e741631d | | |
| M21-mqyu1 | Trickbot_e2ff2674 | Windows | This strike sends a malware sample known as Trickbot. Trickbot is a banking trojan targeting sensitive information for select financial institutions. This malware is frequently distributed through malicious spam campaigns. Many of these campaigns rely on downloaders for distribution, such as VB Scripts. | e2ff26741a46499b6e5eb4b0b9786b2a | https://blog.talosintelligence.com/2021/02/threat-roundup-0212-0219.html | 31d1fa0cb2a8af462c681c38d5fde174f69735009bede1f6e20e27f561b783d4 | f3136e2b74b869f8f70402ebdec0cd7c7e0ca054 | | |
| M21-ge6e1 | DarkComet_38353d77 | Windows | This strike sends a malware sample known as DarkComet. DarkComet and related variants are a family of remote access trojans designed to provide an attacker with control over an infected system. | 38353d77489a0a4c074fa0754481b847 | https://blog.talosintelligence.com/2021/02/threat-roundup-0205-0212.html | 52e6ad0b9fa496b52e9e1365d2208e7c60614ee0b4b231b4159d9218c3607ce6 | 8710ea5f78b53fcc01273227ae063d5fc0e72454 | | |
| M21-9c3n1 | Redline_b619847a | Windows | This strike sends a malware sample known as Redline. Redline is an information-stealer malware written in . | b619847a7c65a0947cf7a132e510030d | https://blog.talosintelligence.com/2021/02/threat-roundup-0212-0219.html | f043c533c3d2a09cbff857a3351a7c7f3938342494d73cb5c582b1a999c11260 | c93657c472b47d425a3e105e8c20c182df1b2483 | | |
| M21-kkjc1 | Razy_0c56c0cf | Windows | This strike sends a malware sample known as Razy. Razy is often used as a generic detection name for a Windows trojan. This cluster of samples contains encrypted code in the resources section that could be injected into a legitimate process. | 0c56c0cf7ddb488dce5757499b0a5504 | https://blog.talosintelligence.com/2021/02/threat-roundup-0205-0212.html | b04c5b176df3486b09bb504e79427ec7c24b2ae74647867e6dbc0635875bcfda | 2f0f134815a4abe27b236706b540d31982fc0f0d | | |
| M21-7zso1 | Buer_41f095e2 | Windows | This strike sends a polymorphic malware sample known as Buer. Buer is a first-stage downloader used to deploy various other forms of malware, such as ransomware, to its intended victim. It is sold as a ready-to-go solution in underground marketplaces to parties looking for malware with modular delivery options. The binary has been packed with the UPX packer using the default options. | 41f095e2a4b692820a8d70b27ed74590 | https://attack.mitre.org/techniques/T1045/ | 805dd8e2d5b079dcaa1729aaaf0bb860c5ef7025a116886c215e6d88c4555267 | d118684f1b5a79d01290262dacc94568092d0cc8 | M21-nkhl1 | 3072:lsnGEkevye88PJFPTWRxhEMrA5EKLiO7zw2eCNGVfAj5PTU+VukFSuJYCCrqjpA2:ZfeAxhEMrpKLiOXVkCn7Suiap |
| M21-h11c1 | Buer_884fa51e | Windows | This strike sends a polymorphic malware sample known as Buer. Buer is a first-stage downloader used to deploy various other forms of malware, such as ransomware, to its intended victim. It is sold as a ready-to-go solution in underground marketplaces to parties looking for malware with modular delivery options. The binary has the timestamp field updated in the PE file header. | 884fa51e7110c68b831899626e81345a | https://attack.mitre.org/techniques/T1099/ | db3a2bea74abdc89fa9b21af3a52f9f9c1248aeec6609b49d5abad26c28dc647 | 20c6684627cc939097346a61dcb634e466bebb56 | M21-ffky1 | 3072:0JAbotnxd8Rt+Q+i17+H3UQ+CYZ4H/dWgG+9Q:3boNIn+I+51/g |
| M21-lb9t1 | DarkComet_99ddecdd | Windows | This strike sends a malware sample known as DarkComet. DarkComet and related variants are a family of remote access trojans designed to provide an attacker with control over an infected system. | 99ddecdd7bf0b3c8ee071b8876c77b0e | https://blog.talosintelligence.com/2021/02/threat-roundup-0205-0212.html | 5e371cd3f7fab8a9e095cfca5d22b01330109d22244cbadd2a4c800963769512 | a7b16a3ea119a925e61dea98d3158daab02dd4e1 | | |
| M21-umi81 | Ruskill_4674372d | Windows | This strike sends a malware sample known as Ruskill. Ruskill is a botnet that spreads via removable media and through messaging applications. It steals credentials and launches denial-of-service attacks. | 4674372dfcdbeef581d50685083ec0f4 | https://blog.talosintelligence.com/2021/02/threat-roundup-0129-0205.html | 4dec4954a5c2aa7954c91ee4e715d7dc03c11c09d08ba8933f0946d1971cf167 | 066fb3b1c89a022d807b4117d9de303cbe921c6f | | |
| M21-3hlz1 | Buer_3dcd5f44 | Windows | This strike sends a polymorphic malware sample known as Buer. Buer is a first-stage downloader used to deploy various other forms of malware, such as ransomware, to its intended victim. It is sold as a ready-to-go solution in underground marketplaces to parties looking for malware with modular delivery options. The binary has random bytes appended at the end of the file. | 3dcd5f4471a4f9dd34ac0b61d2f295dc | https://attack.mitre.org/techniques/T1009/ | bb2bc9c9c8b9d799757750ec439aaca9e0255babb50e2a1ff533196db7dd2570 | 3c3b807ceb91c6d6a7d423c87573312d89111ab1 | M21-nkhl1 | 3072:taLJO81NCCCoyq+IuvD/9QrCBrOg8T8O81NCCCoyq+IuvD/9QrCBrOg8TOg/PDgX:2GqEDuqEDtgzgMFjMVAKy7X7Suiap4 |
| M21-g9481 | Ruskill_d8c2cb4d | Windows | This strike sends a malware sample known as Ruskill. Ruskill is a botnet that spreads via removable media and through messaging applications. It steals credentials and launches denial-of-service attacks. | d8c2cb4d206da999ba787f961e46db89 | https://blog.talosintelligence.com/2021/02/threat-roundup-0129-0205.html | 053967bd98d93eb711b67210ba469b94f262172ae10f92fc5d45c1bece28ee48 | 273526cc4ae0212f61711260216b8b1f335cd2ce | | |
| M21-1k1h1 | DarkComet_12ceea8a | Windows | This strike sends a malware sample known as DarkComet. DarkComet and related variants are a family of remote access trojans designed to provide an attacker with control over an infected system. | 12ceea8ab41fbbee00fe350ea1948eee | https://blog.talosintelligence.com/2021/02/threat-roundup-0205-0212.html | c4b6a21f07d4f5bafaea1238efcdd6da1783631407e612b2f598727cf69c5980 | fdd51f786fe095cf6063d368877b09d15ba755f7 | | |
| M21-iomi1 | Ruskill_d873e514 | Windows | This strike sends a malware sample known as Ruskill. Ruskill is a botnet that spreads via removable media and through messaging applications. It steals credentials and launches denial-of-service attacks. | d873e514a8b483b31a49d6063b4d3522 | https://blog.talosintelligence.com/2021/02/threat-roundup-0129-0205.html | 193ee557ac28a56eb39b7e305c8f82af5b44d5dcbcd63a5bc68764ae64c5b679 | 896ad20a95040e1a426f5e26a64362da5f55b30a | | |
| M21-i1c31 | xCry_7475713d | Windows | This strike sends a malware sample known as xCry. xCry is a ransomware that is written in Nim and can easily be adapted to work across multiple platforms. | 7475713df82b2a81b2d32715a94c2b63 | https://twitter.com/VK_Intel/status/1085974213838688257 | e32c8b2da15e294e2ad8e1df5c0b655805d9c820e85a33e6a724b65c07d1a043 | 21579bc21798f831337799da7ce01e0c1d8fe947 | | |
| M21-khhe1 | DarkComet_123164e8 | Windows | This strike sends a malware sample known as DarkComet. DarkComet and related variants are a family of remote access trojans designed to provide an attacker with control over an infected system. | 123164e86411d412d6d7815f5da7a3f7 | https://blog.talosintelligence.com/2021/02/threat-roundup-0205-0212.html | f4202295bc667e7b2d086747892bcefc5c5dc65692d769d1b1aa7cf6a112ef41 | 8a08749f980d2210ecf2af99f7f335fba78e4322 | | |
| M21-hr4x1 | Redline_c46105a3 | Windows | This strike sends a malware sample known as Redline. Redline is an information-stealer malware written in . | c46105a343ef37ca940d93a01f465933 | https://blog.talosintelligence.com/2021/02/threat-roundup-0212-0219.html | 8c0e0c1eb5b238d795ee9403e342c9b174bb3d1adefbaeec4897002bd02b5c5d | 326cadd885b0ff0cd30508ad905683aae16a6625 | | |
| M21-bwee1 | BazaLoader_034e2d69 | Windows | This strike sends a polymorphic malware sample known as BazaLoader. BazaLoader is a modular malware loader whose purpose is to deliver additional malware. Most recently, BazaLoader campaigns have been detected delivering email and document lures related to Valentine's Day. The binary has one additional import added to its import table. | 034e2d6983dfcd827b99f8592aba6acf | https://arxiv.org/abs/1702.05983 | 615fafc5c7e094eb002b2dd886f437d5c6d070a169868e85d3fd46ce67a95d98 | d556d2b835c8bc336733e2d196cf387ad23f0c14 | M21-hg921 | 1536:Y00PmIpeN4kwTkFtUOKGBTk/W0fzW9t07ij+2v5OMUtvz4ag0I3mz03ANBxLs0J:YXPeJ/UwyRfzuDj+2k1B60I3mzLDs0J |
| M21-fj341 | BazarLoader_1d528a2e | Windows | This strike sends a malware sample known as BazarLoader. BazarLoader is a malware loader used to download and install additional malware. This sample of BazarLoader is Nim-compiled to make detection more difficult. | 1d528a2e1d0a097421e57f86ba04e79f | https://twitter.com/i/web/status/1357376719225765892 | 397e4dc12d48fb0c4d80980643581c9416a4bed022d4676f30218fb1f1e1811c | bbe63233d1a918902e2e506d8cddf102a20f4fe8 | | |
| M21-c76x1 | Redline_6097a5db | Windows | This strike sends a malware sample known as Redline. Redline is an information-stealer malware written in . | 6097a5db8c5cab3c031969fabeea6244 | https://blog.talosintelligence.com/2021/02/threat-roundup-0212-0219.html | 8d41ef2fb5dc6d40326edbc5c030442c9b405adb1dec5340a43c5a63fda16ee2 | 4e91e26a4a983f103e172f037082775bfb3149c7 | | |
| M21-bk621 | Buer_093ddecf | Windows | This strike sends a polymorphic malware sample known as Buer. Buer is a first-stage downloader used to deploy various other forms of malware, such as ransomware, to its intended victim. It is sold as a ready-to-go solution in underground marketplaces to parties looking for malware with modular delivery options. The binary has random content appended to one of its existing PE sections. | 093ddecf0e75f245cb2b3a8e431cbb06 | https://arxiv.org/abs/1801.08917 | 0f8a8ddb588be8fefd396a2759711b9edf992a721b730ea8974961a699eecd5e | 74dca7f68212c3abe50f71b9fbb2e4dfb8d89818 | M21-ffky1 | 3072:3JAbotnxd8Rt+Q+i17+H3UQ+CYZ4H/dWgG+9Q:iboNIn+I+51/g |
| M21-3i6y1 | Redline_d8e51ae2 | Windows | This strike sends a malware sample known as Redline. Redline is an information-stealer malware written in . | d8e51ae2875cb0328b492c8238d4d1e0 | https://blog.talosintelligence.com/2021/02/threat-roundup-0212-0219.html | c2a7cf7be6e395d3212033cde522a314c8ab117dc279ff19b15066d14e2f7829 | 206c92b1734d46eb17655050b4a1a75c9e817a0d | | |
| M21-4nki1 | Ursnif_91debc88 | Windows | This strike sends a malware sample known as Ursnif. Ursnif is used to steal sensitive information from an infected host and can also act as a malware downloader. It is commonly spread through malicious emails or exploit kits. | 91debc889c24d97edeab1c65810b239c | https://twitter.com/JAMESWT_MHT/status/1358673279981154304 | bad7c7a4553a600deef25fe5e29b22fcba05d32f9155352d12f8438080b07fa9 | ab4899ffc60699b28a76f2e0cd3676b4677b9a4c | | |
| M21-57bj1 | Ruskill_b9b6030c | Windows | This strike sends a malware sample known as Ruskill. Ruskill is a botnet that spreads via removable media and through messaging applications. It steals credentials and launches denial-of-service attacks. | b9b6030c56aff5136cd86f88cef141eb | https://blog.talosintelligence.com/2021/02/threat-roundup-0129-0205.html | 1824f91ccbc4431b22f5599747db639a096b1d4f446b3c7cead96f3b4066d6fa | 41611179ef4bb6039b2bedd716cc5c93acde23c1 | | |
| M21-3gcu1 | Ruskill_b804afd1 | Windows | This strike sends a malware sample known as Ruskill. Ruskill is a botnet that spreads via removable media and through messaging applications. It steals credentials and launches denial-of-service attacks. | b804afd1fc915ef1e78e2343d2024800 | https://blog.talosintelligence.com/2021/02/threat-roundup-0129-0205.html | 18b1dca10253a42417655885b76dfdbafa9f6f9f5c322b2c809227233c7f0dc9 | afb92fdfa547488dad35656255b7e8184769a4fa | | |
| M21-16mv1 | Trickbot_a8d9d1a9 | Windows | This strike sends a malware sample known as Trickbot. Trickbot is a banking trojan targeting sensitive information for select financial institutions. This malware is frequently distributed through malicious spam campaigns. Many of these campaigns rely on downloaders for distribution, such as VB Scripts. | a8d9d1a932b2afad5a31816cb8b506ca | https://blog.talosintelligence.com/2021/02/threat-roundup-0212-0219.html | 187fb2770b614909ce81559f70db3af470c551ce403778219a22c1d3083a4edc | f33c057d652aa70c5f1332e14c0b8d9c77a5aa1c | | |
| M21-t8aw1 | Ruskill_9c91abff | Windows | This strike sends a malware sample known as Ruskill. Ruskill is a botnet that spreads via removable media and through messaging applications. It steals credentials and launches denial-of-service attacks. | 9c91abff2ec28b11d6a188a865d37ff9 | https://blog.talosintelligence.com/2021/02/threat-roundup-0129-0205.html | 373ae055a2f7646f60913248957447d01aa19ca9f7c48d1be5434efdee7ecadf | 53c92687df866d8579af6635f53711db44045e6b | | |
| M21-yi0y1 | Redline_c1828a78 | Windows | This strike sends a malware sample known as Redline. Redline is an information-stealer malware written in . | c1828a782fe78675119058eea22fdbc2 | https://blog.talosintelligence.com/2021/02/threat-roundup-0212-0219.html | 6c8e9ea9c67e2807cdf62f2b682bbb59038d00435c55e18a69de6ad3331e5455 | da7fa5cb1ac760fbf43522715782a23f50cf9186 | | |
| M21-ncn61 | Trickbot_a1bfc1c4 | Windows | This strike sends a malware sample known as Trickbot. Trickbot is a banking trojan targeting sensitive information for select financial institutions. This malware is frequently distributed through malicious spam campaigns. Many of these campaigns rely on downloaders for distribution, such as VB Scripts. | a1bfc1c4c491e866f28d78b88c22e1f2 | https://blog.talosintelligence.com/2021/02/threat-roundup-0212-0219.html | aa9daa79af830a093fa2b0e6ebdbfb67f4ea2f66e2adca60acc0beef3f1a895e | 82b82a374beff25379eb9f99f1601c422967b7e0 | | |
| M21-i8481 | Redline_9c07bc1e | Windows | This strike sends a malware sample known as Redline. Redline is an information-stealer malware written in . | 9c07bc1e99a6083c29dc32c8c84dff4a | https://blog.talosintelligence.com/2021/02/threat-roundup-0212-0219.html | 8c89c9a094a0f0d39f2b58ba29bad8a5d2373a98cf7adf0ae8d535853005dee9 | 1c7106879f1f19475d996e81c7eac1cef67a7592 | | |
| M21-ka101 | Ursnif_9201b26c | Mixed | This strike sends a malware sample known as Ursnif. Ursnif is used to steal sensitive information from an infected host and can also act as a malware downloader. It is commonly spread through malicious emails or exploit kits. | 9201b26ca98c8cf301348e64dab51c13 | https://twitter.com/JAMESWT_MHT/status/1358673279981154304 | 586023f50536b66296e214a14a8c7d7cd11f5b8c93b1c69367e93996f9a8339f | b59130480a4faefd9a9cc552953602407c6bbd20 | | |
M21-36mf1 | Trickbot_2b8de879 | Windows |
This strike sends a malware sample known as Trickbot. Trickbot is a banking trojan targeting sensitive information for select financial institutions. This malware is frequently distributed through malicious spam campaigns. Many of these campaigns rely on downloaders for distribution, such as VB Scripts. | 2b8de879e137896bf7887a6f26510b01 | https://blog.talosintelligence.com/2021/02/threat-roundup-0212-0219.html SHA256: ea8c36f9ce78e94cde716fd4eae708324cfa430fa93ae230292b2c68343d7fa4 SHA1: 864d3e3f7ad0f144f8d838ea9638d4c264c5c063 MD5: 2b8de879e137896bf7887a6f26510b01 |
M21-bd081 | Buer_8c5bd634 | Windows |
This strike sends a polymorphic malware sample known as Buer. Buer is a first-stage downloader used to deploy various other forms of malware, such as ransomware, to its intended victim. It is sold as a ready-to-go solution in underground marketplaces to parties looking for malware that offers modular delivery options. The binary has the checksum removed in the PE file format. | 8c5bd6343ee9630d246af49ca85951b0 | https://arxiv.org/abs/1801.08917 SHA256: 8f7a119a298b18940db8770ce079deeca2b15052af84b49f8008201c25dca383 PARENTID: M21-ffky1 SSDEEP: 3072:QJAbotnxd8Rt+Q+i17+H3UQ+CYZ4H/dWgG+9Q:7boNIn+I+51/g SHA1: 57464251c7e178666a849c60c1d5c292474520cb MD5: 8c5bd6343ee9630d246af49ca85951b0 |
M21-snqd1 | DarkComet_b88fa8ad | Windows |
This strike sends a malware sample known as DarkComet. DarkComet and related variants are a family of remote access trojans designed to provide an attacker with control over an infected system. | b88fa8add9ac38d0507751f35edfc183 | https://blog.talosintelligence.com/2021/02/threat-roundup-0205-0212.html SHA256: 1daf2746645dcab7ea4ec4e75a9ac52c0722522b80c701691a12d2882d739a51 SHA1: a3c2834fdbc1cb35a45168bf4d6d33c9eef7fdda MD5: b88fa8add9ac38d0507751f35edfc183 |
M21-z5zz1 | Ruskill_1df989f0 | Windows |
This strike sends a malware sample known as Ruskill. Ruskill is a botnet that spreads via removable media and through messaging applications. It steals credentials and is used to launch denial-of-service attacks. | 1df989f01c373dcdaa768e1d616c4ee1 | https://blog.talosintelligence.com/2021/02/threat-roundup-0129-0205.html SHA256: 48d6fcee65464b7b5dd0df802407bf3fd050d291d7d61cba92cb8cd2e206661c SHA1: d8246738f5e38f939b666e16f99b9018194f7679 MD5: 1df989f01c373dcdaa768e1d616c4ee1 |
M21-due11 | Ruskill_c5c85a5d | Windows |
This strike sends a malware sample known as Ruskill. Ruskill is a botnet that spreads via removable media and through messaging applications. It steals credentials and is used to launch denial-of-service attacks. | c5c85a5dec6e85e0987dc77534cd2245 | https://blog.talosintelligence.com/2021/02/threat-roundup-0129-0205.html SHA256: 061612a0b63136df5b725ba0be77646d3581962daee5de1af7cdbdee781d105d SHA1: 69837117a3603a729ccab6e85eb263f6ebed1ade MD5: c5c85a5dec6e85e0987dc77534cd2245 |
M21-qif91 | DarkComet_fdb454b6 | Windows |
This strike sends a malware sample known as DarkComet. DarkComet and related variants are a family of remote access trojans designed to provide an attacker with control over an infected system. | fdb454b644e210f2b986295d8d25d383 | https://blog.talosintelligence.com/2021/02/threat-roundup-0205-0212.html SHA256: 771d51caabb75872ef9af76b2ba90693404f217a86885c82365b4b0f054db71a SHA1: 8e3de08726196376fab8c3c44cd45bfb4deb2917 MD5: fdb454b644e210f2b986295d8d25d383 |
M21-wcl31 | Buer_c397c806 | Windows |
This strike sends a malware sample known as Buer. Buer is a first-stage downloader used to deploy various other forms of malware, such as ransomware, to its intended victim. It is sold as a ready-to-go solution in underground marketplaces to parties looking for malware that offers modular delivery options. | c397c806d3c6196f368566319880df3c | https://www.proofpoint.com/us/threat-insight/post/buer-new-loader-emerges-underground-marketplace https://twitter.com/VK_Intel/status/1359688058069790722 SHA256: 9e8db7a722cc2fa13101a306343039e8783df66f4d1ba83ed6e1fe13eebaec73 SHA1: 73821da0404624fe7efc4116f4141859377335ef MD5: c397c806d3c6196f368566319880df3c |
M21-gybp1 | Ruskill_62b6204d | Windows |
This strike sends a malware sample known as Ruskill. Ruskill is a botnet that spreads via removable media and through messaging applications. It steals credentials and is used to launch denial-of-service attacks. | 62b6204d3fa543db17027c918b300e83 | https://blog.talosintelligence.com/2021/02/threat-roundup-0129-0205.html SHA256: 01df4ae369661dccfade59d2e3498c8d88dded4bda6b42ba310c38c30a037314 SHA1: c4733429b6e966ed543f72a078337f5af76c1861 MD5: 62b6204d3fa543db17027c918b300e83 |
M21-nkhl1 | Buer_693df2e2 | Windows |
This strike sends a malware sample known as Buer. Buer is a first-stage downloader used to deploy various other forms of malware, such as ransomware, to its intended victim. It is sold as a ready-to-go solution in underground marketplaces to parties looking for malware that offers modular delivery options. | 693df2e2029ed05eb3e7ccd214fb414f | https://www.proofpoint.com/us/threat-insight/post/buer-new-loader-emerges-underground-marketplace https://twitter.com/VK_Intel/status/1359688058069790722 SHA256: 6c694df8bde06ffebb8a259bebbae8d123effd58c9dd86564f7f70307443ccd0 SHA1: 1d9644cbeaaea47550bd0b6c2fc722f425aaeeab MD5: 693df2e2029ed05eb3e7ccd214fb414f |
M21-81k81 | Razy_0dd8ba9e | Windows |
This strike sends a malware sample known as Razy. Razy is often used as a generic detection name for a Windows trojan. This cluster of samples contains encrypted code in the resources section that could be injected into a legitimate process. | 0dd8ba9e4af52d8cfd1f12b856f44060 | https://blog.talosintelligence.com/2021/02/threat-roundup-0205-0212.html SHA256: 6ad7a1a2107a7529c9106ece35296f4d8384ecac3041311ce5a7206d74e38d74 SHA1: 4d5f49fc442214af10b383056a3f58946b740968 MD5: 0dd8ba9e4af52d8cfd1f12b856f44060 |
M21-7ltu1 | Gh0stRAT_d1c7d9b6 | Windows |
This strike sends a malware sample known as Gh0stRAT. Gh0stRAT is a remote access trojan that provides control over an infected system. Some of its known functions include the ability to record keystrokes, capture screenshots and download additional malicious payloads. | d1c7d9b619ac682d4d3c4635b2b4ed5a | https://blog.talosintelligence.com/2021/02/threat-roundup-0205-0212.html SHA256: 33ad59a2f4938f21cb29a303f6fb296763912a141644a76d858ea47c14b53a24 SHA1: 309e6f4565fbd224a0306b49bfea1656cee3ea4f MD5: d1c7d9b619ac682d4d3c4635b2b4ed5a |
M21-6v6t1 | Trickbot_3f2bda5f | Windows |
This strike sends a malware sample known as Trickbot. Trickbot is a banking trojan targeting sensitive information for select financial institutions. This malware is frequently distributed through malicious spam campaigns. Many of these campaigns rely on downloaders for distribution, such as VB Scripts. | 3f2bda5f7852cea174cccc8a7e4e1280 | https://blog.talosintelligence.com/2021/02/threat-roundup-0212-0219.html SHA256: c874dd4a471fb101f8d019efbcf5b849d4575c36b479aea3d0ab54ad8ad6d164 SHA1: bdf565f76e51f0f4cfd7827d1f91243c4648a0d5 MD5: 3f2bda5f7852cea174cccc8a7e4e1280 |
M21-69j21 | Ruskill_2671866d | Windows |
This strike sends a malware sample known as Ruskill. Ruskill is a botnet that spreads via removable media and through messaging applications. It steals credentials and is used to launch denial-of-service attacks. | 2671866d29ef60cef7d2543a72d4fa05 | https://blog.talosintelligence.com/2021/02/threat-roundup-0129-0205.html SHA256: 19d85f1d25e6808f47798d09a3c612e1f68db90ad33a41b5c0bc4488747418e4 SHA1: e94a26f4edbcc2484616d7eed76f4816183bc66c MD5: 2671866d29ef60cef7d2543a72d4fa05 |
M21-inty1 | BazaLoader_8ef02674 | Windows |
This strike sends a polymorphic malware sample known as BazaLoader. BazaLoader is a modular malware loader whose purpose is to deliver additional malware. Most recently, BazaLoader campaigns have been detected delivering email and document lures related to Valentine's Day. The binary has a section renamed to a random name, in accordance with the PE format specification. | 8ef02674c322336d04f054f470eea0ce | https://arxiv.org/abs/1801.08917 SHA256: ad5bc5eaf5cbe8a702c482a2b4f203c6a35f2b4351b6a5ef7b79923b07d6cf55 SHA1: 5983e511ce3068aef005b97c7195dc8d8fd1e510 PARENTID: M21-hg921 SSDEEP: 1536:/00PmIpeN4kwTkFtUOKGBTk/W0fzW9t07ij+2v5OMUtvz4ag0I3mz03ANBxLR0J:/XPeJ/UwyRfzuDj+2k1B60I3mzLDR0J MD5: 8ef02674c322336d04f054f470eea0ce |
M21-60uz1 | Buer_2c5569c4 | Windows |
This strike sends a polymorphic malware sample known as Buer. Buer is a first-stage downloader used to deploy various other forms of malware, such as ransomware, to its intended victim. It is sold as a ready-to-go solution in underground marketplaces to parties looking for malware that offers modular delivery options. The binary has the debug flag removed in the PE file format. | 2c5569c4873195b82b2e3a602309c338 | https://arxiv.org/abs/1801.08917 SHA256: b7ec90d0cd03647e342dc861e23e94023a4492769c0fff3cc7e93985f91468c9 PARENTID: M21-ffky1 SSDEEP: 3072:VJAbotnxd8Rt+Q+i17+H3UQ+CYZ4H/dWgG+9Q:kboNIn+I+51/g SHA1: 0fd4fa418515e0f800fc955453b45c2ad281b819 MD5: 2c5569c4873195b82b2e3a602309c338 |
M21-8vpt1 | Buer_ef9cb824 | Windows |
This strike sends a polymorphic malware sample known as Buer. Buer is a first-stage downloader used to deploy various other forms of malware, such as ransomware, to its intended victim. It is sold as a ready-to-go solution in underground marketplaces to parties looking for malware that offers modular delivery options. The binary has random strings (lorem ipsum) appended at the end of the file. | ef9cb8244219f4110d208229eff412d2 | https://attack.mitre.org/techniques/T1009/ SHA256: bc7d0297d76aaca6fb68896ae6e7d5ae7608349d040224ef7aad5cbdd7faf5e1 PARENTID: M21-ffky1 SSDEEP: 3072:3JAbotnxd8Rt+Q+i17+H3UQ+CYZ4H/dWgG+9QH:iboNIn+I+51/gb SHA1: 0e0de5cf9139c10a2a8b93a7a448edf790db417d MD5: ef9cb8244219f4110d208229eff412d2 |
M21-249o1 | Trickbot_c771651d | Windows |
This strike sends a malware sample known as Trickbot. Trickbot is a banking trojan targeting sensitive information for select financial institutions. This malware is frequently distributed through malicious spam campaigns. Many of these campaigns rely on downloaders for distribution, such as VB Scripts. | c771651d916c8e942c8ebfd7bb0fafc3 | https://blog.talosintelligence.com/2021/02/threat-roundup-0212-0219.html SHA256: 03a68c65701896f79a23b22d2844146f91a237ddd4e840a5e78494b238f2aff1 SHA1: 09cd06080924888cc46cd4d0695ef65e876252d4 MD5: c771651d916c8e942c8ebfd7bb0fafc3 |
M21-we4c1 | Redline_e910b20c | Windows |
This strike sends a malware sample known as Redline. Redline is an information-stealer malware written in . | e910b20cdae914ecd558f493e4df6a4f | FR https://blog.talosintelligence.com/2021/02/threat-roundup-0212-0219.html SHA256: 81d268ae82f4444e0635482a5cdeb183b03a9f514815d1b37e3db42845d26391 SHA1: 6e1b3af82dc804e247762697ed98d77c32d45308 MD5: e910b20cdae914ecd558f493e4df6a4f |
M21-t65e1 | Buer_9e8ca433 | Windows |
This strike sends a polymorphic malware sample known as Buer. Buer is a first-stage downloader used to deploy various other forms of malware, such as ransomware, to its intended victim. It is sold as a ready-to-go solution in underground marketplaces to parties looking for malware that offers modular delivery options. The binary has the timestamp field updated in the PE file header. | 9e8ca4331d3d087f6ce750c2ba8ad455 | https://attack.mitre.org/techniques/T1099/ SHA256: 47493535ccb82f8207450aee2e722d9337f0d2d086ec5f9cef98a208b4b70699 PARENTID: M21-nkhl1 SSDEEP: 3072:eaLJO81NCCCoyq+IuvD/9QrCBrOg8T8O81NCCCoyq+IuvD/9QrCBrOg8TOg/PDgy:JGqEDuqEDtgzgMFjMVAKy7X7SuiapJ SHA1: fda13754185f3c080adb56e76c84dccbeee10d58 MD5: 9e8ca4331d3d087f6ce750c2ba8ad455 |
M21-zs2p1 | DoppelPaymer_c9b7413e | Windows |
This strike sends a malware sample known as DoppelPaymer. DoppelPaymer ransomware is a variant of the BitPaymer ransomware. It contains source code found in both Dridex and BitPaymer. It has been delivered primarily by Dridex; however, it has also been spread by numerous other methods, such as malspam, botnets and exploits. Most recently, Kia Motor Company has suffered an attack from DoppelPaymer, with the attackers demanding a $27 million ransom. | c9b7413e50bfb22074734d615857a6f5 | https://siliconangle.com/2021/02/17/kia-motors-america-allegedly-struck-doppelpaymer-ransomware-attack/ SHA256: 624255fef7e958cc3de9e454d2de4ae1a914a41fedc98b2042756042f68c2b69 SHA1: 2a51b4f20ff4fc283ad2f9d19d5aab210fe7c2d1 MD5: c9b7413e50bfb22074734d615857a6f5 |
M21-11kn1 | Ruskill_f8169d67 | Windows |
This strike sends a malware sample known as Ruskill. Ruskill is a botnet that spreads via removable media and through messaging applications. It steals credentials and is used to launch denial-of-service attacks. | f8169d674fa96973c0b37a0e4524d497 | https://blog.talosintelligence.com/2021/02/threat-roundup-0129-0205.html SHA256: 3cdb2401ac9bf018e5077a4e8d52c0a7c7f6a4a1b80018d535483a051870e31c SHA1: b83d9f5005d2adc7c43d9a1f34438044d52c40e7 MD5: f8169d674fa96973c0b37a0e4524d497 |
M21-9zok1 | Ruskill_cbeaa60d | Windows |
This strike sends a malware sample known as Ruskill. Ruskill is a botnet that spreads via removable media and through messaging applications. It steals credentials and is used to launch denial-of-service attacks. | cbeaa60d3ca9e95aa97ced332046597f | https://blog.talosintelligence.com/2021/02/threat-roundup-0129-0205.html SHA256: 40267e2489ce22b75d0dec5d26420a71531577e87276f0217410490f61a4aaee SHA1: 7644788b39d13e59b5177db5a9e8063fdac5e8f8 MD5: cbeaa60d3ca9e95aa97ced332046597f |
M21-cvnx1 | Trickbot_e5d84074 | Windows |
This strike sends a malware sample known as Trickbot. Trickbot is a banking trojan targeting sensitive information for select financial institutions. This malware is frequently distributed through malicious spam campaigns. Many of these campaigns rely on downloaders for distribution, such as VB Scripts. | e5d84074f043e53fcb6f74e3bc2b4017 | https://blog.talosintelligence.com/2021/02/threat-roundup-0212-0219.html SHA256: 7de1b9afef4135f13888a521142bb247284306184276326ef745a294ecb3cc31 SHA1: 578d87df59c30b08e18ed84760bbd4bc5d9578e9 MD5: e5d84074f043e53fcb6f74e3bc2b4017 |
M21-ihtd1 | Trickbot_81cfada2 | Windows |
This strike sends a malware sample known as Trickbot. Trickbot is a banking trojan targeting sensitive information for select financial institutions. This malware is frequently distributed through malicious spam campaigns. Many of these campaigns rely on downloaders for distribution, such as VB Scripts. | 81cfada27d2a3c2f4e7afd0d24803eba | https://blog.talosintelligence.com/2021/02/threat-roundup-0212-0219.html SHA256: d69e6e3b30a7e193eafebdb19ae91643faab437855523d994b1d1684a4c0ac0e SHA1: 24263d91575bb825c33e3fd27f35bc7bd611cee3 MD5: 81cfada27d2a3c2f4e7afd0d24803eba |
M21-lcw11 | Ruskill_06186a2f | Windows |
This strike sends a malware sample known as Ruskill. Ruskill is a botnet that spreads via removable media and through messaging applications. It steals credentials and is used to launch denial-of-service attacks. | 06186a2f936fee608094cf074e49072b | https://blog.talosintelligence.com/2021/02/threat-roundup-0129-0205.html SHA256: 3077d499cf1701fe9cda3b797962b96cc604a7edbbd6ce93f6ccfe18ea512933 SHA1: 33cafe5b35c3ea56c6e2b35934783ae49bbb6b97 MD5: 06186a2f936fee608094cf074e49072b |
M21-nd1o1 | Ruskill_c217a53d | Windows |
This strike sends a malware sample known as Ruskill. Ruskill is a botnet that spreads via removable media and through messaging applications. It steals credentials and is used to launch denial-of-service attacks. | c217a53dcba7dd40209b16909d2dabe9 | https://blog.talosintelligence.com/2021/02/threat-roundup-0129-0205.html SHA256: 258c0ea198a5248e11dba69eeee9dbe7904e7065139bcaac747d4209c2b589e2 SHA1: 2aaf2abb16f2390ddddc18eeb2626b1a862a0f92 MD5: c217a53dcba7dd40209b16909d2dabe9 |
M21-xmc81 | Redline_55fcdb39 | Windows |
This strike sends a malware sample known as Redline. Redline is an information-stealer malware written in . | 55fcdb39dca31049eb2fe68fb4daad64 | FR https://blog.talosintelligence.com/2021/02/threat-roundup-0212-0219.html SHA256: 1f6a851e6ec58527597fa34f45bf3fb57fb792dc510dd2924223fe06767ac5db SHA1: caf3bce6abb7110ab38c6b06af8846c9dcbc4360 MD5: 55fcdb39dca31049eb2fe68fb4daad64 |
M21-lw5a1 | DarkComet_ac34dce8 | Windows |
This strike sends a malware sample known as DarkComet. DarkComet and related variants are a family of remote access trojans designed to provide an attacker with control over an infected system. | ac34dce8050f844dd3927018a2e365f1 | https://blog.talosintelligence.com/2021/02/threat-roundup-0205-0212.html SHA256: 8f6cdb7c77903c36b0710a606cc71af7bf28b7bbc6f45e0d9467925c25e41afe SHA1: 40fca39c271126b2cf6de49ceabd500988e1c598 MD5: ac34dce8050f844dd3927018a2e365f1 |
M21-5h591 | Ruskill_3ed76c13 | Windows |
This strike sends a malware sample known as Ruskill. Ruskill is a botnet that spreads via removable media and through messaging applications. It steals credentials and is used to launch denial-of-service attacks. | 3ed76c13d2dee62a1b707530a744354c | https://blog.talosintelligence.com/2021/02/threat-roundup-0129-0205.html SHA256: 3ad12cacad094bcdb0307246a14bd2d4a8e74109a4bc8a28ffdf04765fd12524 SHA1: 98d364053adbefd5c15e0a34a157d5393d254e53 MD5: 3ed76c13d2dee62a1b707530a744354c |
M21-9rru1 | Buer_a3987c9c | Windows |
This strike sends a malware sample known as Buer. Buer is a first-stage downloader used to deploy various other forms of malware, such as ransomware, to its intended victim. It is sold as a ready-to-go solution in underground marketplaces to parties looking for malware that offers modular delivery options. | a3987c9c0ca7b09971a34fad7684cbc1 | https://www.proofpoint.com/us/threat-insight/post/buer-new-loader-emerges-underground-marketplace https://twitter.com/VK_Intel/status/1359688058069790722 SHA256: ab21d61b35a8d1dc4ffb3cc4b75094c31b8c00de3ffaaa17ce1ad15e876dbd1f SHA1: 217a2bdd6b7b90571990f6fd8f9b50efb57114ad MD5: a3987c9c0ca7b09971a34fad7684cbc1 |
M21-q8f21 | BazaLoader_66a795a6 | Windows |
This strike sends a polymorphic malware sample known as BazaLoader. BazaLoader is a modular malware loader whose purpose is to deliver additional malware. Most recently, BazaLoader campaigns have been detected delivering email and document lures related to Valentine's Day. The binary has random contents appended to one of the existing sections in the PE file format. | 66a795a6c30b329d358293a47ad02de5 | https://arxiv.org/abs/1801.08917 SHA256: 47479579dc590ac05d1121a792c640a4389be600d849e964502b4a88e3750ad7 SHA1: f7aaf7a69f7d5184f031ebba8854053161aa758c PARENTID: M21-hg921 SSDEEP: 1536:U00PmIpeN4kwTkFtUOKGBTk/W0fzW9t07ij+2v5OMUtvz4ag0I3mz03ANBxLR0J:UXPeJ/UwyRfzuDj+2k1B60I3mzLDR0J MD5: 66a795a6c30b329d358293a47ad02de5 |
M21-2u6y1 | Ruskill_8c9b501a | Windows |
This strike sends a malware sample known as Ruskill. Ruskill is a botnet that spreads via removable media and through messaging applications. It steals credentials and is used to launch denial-of-service attacks. | 8c9b501a908efe3ba7d828d7b51a6c9c | https://blog.talosintelligence.com/2021/02/threat-roundup-0129-0205.html SHA256: 296d563b7e5041750b6c1f8a4ed8f6711a41d9dbc24bc84d11f7d017691999e1 SHA1: fe471cb7271084782fd4331a813cac162aa4282e MD5: 8c9b501a908efe3ba7d828d7b51a6c9c |
M21-13f91 | DarkComet_117dba14 | Windows |
This strike sends a malware sample known as DarkComet. DarkComet and related variants are a family of remote access trojans designed to provide an attacker with control over an infected system. | 117dba14282c9be237e14438af11f35c | https://blog.talosintelligence.com/2021/02/threat-roundup-0205-0212.html SHA256: 934936ac5b2cf33bb1cfcf6a750094beb7015119608a454d99ca8324669e9ec7 SHA1: 56286771fe4ad96eb54e9811d6f4ecaf364b4b37 MD5: 117dba14282c9be237e14438af11f35c |
M21-kikt1 | Buer_25f10854 | Windows |
This strike sends a polymorphic malware sample known as Buer. Buer is a first-stage downloader used to deploy various other forms of malware, such as ransomware, to its intended victim. It is sold as a ready-to-go solution in underground marketplaces to parties looking for malware that offers modular delivery options. The binary has random bytes appended at the end of the file. | 25f108547ce1d51064bfd9fd083c8da5 | https://attack.mitre.org/techniques/T1009/ SHA256: f747b4e7c0af4c90d309c0cb266d539e92ccd789c007ab8029f9a75bda797759 PARENTID: M21-ffky1 SSDEEP: 3072:3JAbotnxd8Rt+Q+i17+H3UQ+CYZ4H/dWgG+9Qk:iboNIn+I+51/gY SHA1: de1619121f95522c98dd6085ad7836505d8c69fc MD5: 25f108547ce1d51064bfd9fd083c8da5 |
M21-btn81 | Trickbot_d91f878b | Windows |
This strike sends a malware sample known as Trickbot. Trickbot is a banking trojan targeting sensitive information for select financial institutions. This malware is frequently distributed through malicious spam campaigns. Many of these campaigns rely on downloaders for distribution, such as VB Scripts. | d91f878bc1707aecdb28e895cf5a7fd9 | https://blog.talosintelligence.com/2021/02/threat-roundup-0212-0219.html SHA256: 8e2afd9599508f6a4652826e6ff133d6a29d7d3bf6a05de3332826b7c80688de SHA1: 6de843fb12f456b0ea42876d82f39fe35b5cf6ca MD5: d91f878bc1707aecdb28e895cf5a7fd9 |
M21-7it31 | BazaLoader_3c9d6dd0 | Windows |
This strike sends a polymorphic malware sample known as BazaLoader. BazaLoader is a modular malware loader whose purpose is to deliver additional malware. Most recently, BazaLoader campaigns have been detected delivering email and document lures related to Valentine's Day. The binary has the timestamp field updated in the PE file header. | 3c9d6dd012f71a9d021227ef35c593d4 | https://attack.mitre.org/techniques/T1099/ SHA256: c9b8cebfd4a89ba2f1f100825153f172717adc35f12a9d3ca98d1b25a1d7f6f0 SHA1: fa144f94e417bf59c5506929067ea0c3a718f391 PARENTID: M21-hg921 SSDEEP: 1536:800PmIpeN4kwTkFtUOKGBTk/W0fzW9t07ij+2v5OMUtvz4ag0I3mz03ANBxLR0J:8XPeJ/UwyRfzuDj+2k1B60I3mzLDR0J MD5: 3c9d6dd012f71a9d021227ef35c593d4 |
M21-gu2w1 | DarkComet_aaf9800c | Windows |
This strike sends a malware sample known as DarkComet. DarkComet and related variants are a family of remote access trojans designed to provide an attacker with control over an infected system. | aaf9800c6ebda965c676c580dee47186 | https://blog.talosintelligence.com/2021/02/threat-roundup-0205-0212.html SHA256: d4f8550b614995e44044bd2b83f4955bd60b9ec5ff4d7bfc3e0af4e04bbee535 SHA1: c8e0bfb453a7ae4230b8ea3c350011f59f240ece MD5: aaf9800c6ebda965c676c580dee47186 |
M21-xkm81 | DoppelPaymer_2d49243c | Windows |
This strike sends a malware sample known as DoppelPaymer. DoppelPaymer ransomware is a variant of the BitPaymer ransomware. It contains source code found in both Dridex and BitPaymer. It has been delivered primarily by Dridex; however, it has also been spread by numerous other methods, such as malspam, botnets and exploits. Most recently, Kia Motor Company has suffered an attack from DoppelPaymer, with the attackers demanding a $27 million ransom. | 2d49243c9ee70e4998362082c98e1819 | https://siliconangle.com/2021/02/17/kia-motors-america-allegedly-struck-doppelpaymer-ransomware-attack/ SHA256: c66157a916c7f874bd381a775b8eede422eb59819872fdffafc5649eefa76373 SHA1: c863a8baad7dcb7337b42aabcbe12ce7b2147f52 MD5: 2d49243c9ee70e4998362082c98e1819 |
M21-egl51 | Trickbot_78896e48 | Windows |
This strike sends a malware sample known as Trickbot. Trickbot is a banking trojan targeting sensitive information for select financial institutions. This malware is frequently distributed through malicious spam campaigns. Many of these campaigns rely on downloaders for distribution, such as VB Scripts. | 78896e48b0e9033f04096ec7eb2a9eee | https://blog.talosintelligence.com/2021/02/threat-roundup-0212-0219.html SHA256: e270893e964120a11f48c888cd127959d3e60961fc7c8d7e58e4a13d58aff8f4 SHA1: b1f7f71b5f7fee1cf38e2591e50cb181f7bd5353 MD5: 78896e48b0e9033f04096ec7eb2a9eee |
M21-6fip1 | Redline_4a7186b7 | Windows |
This strike sends a malware sample known as Redline. Redline is an information-stealer malware written in . | 4a7186b73bb3dfa1ee69a25d2a6ad958 | FR https://blog.talosintelligence.com/2021/02/threat-roundup-0212-0219.html SHA256: d1db7d5b29bdde7c9e1e7899d1867eba946e961c95e0d9867dbbdfc63d7b81da SHA1: c251e1f329c5701a93aadd7943651c758976ac17 MD5: 4a7186b73bb3dfa1ee69a25d2a6ad958 |
M21-9kn51 | Buer_845c6f85 | Windows |
This strike sends a polymorphic malware sample known as Buer. Buer is a first-stage downloader used to deploy various other forms of malware, such as ransomware, to its intended victim. It is sold as a ready-to-go solution in underground marketplaces to parties looking for malware that offers modular delivery options. The binary has a section renamed to a random name, in accordance with the PE format specification. | 845c6f85f2a58dee6c49ed47ab052662 | https://arxiv.org/abs/1801.08917 SHA256: 3d9eb8a9420591153b2560f7f6c999935448f3e33c4d4c4fbc31b9a78cbe6776 PARENTID: M21-ffky1 SSDEEP: 3072:sJAbotnxd8Rt+Q+i17+H3UQ+CYZ4H/dWgG+9Q:fboNIn+I+51/g SHA1: 56ed430ea70c6f03d771c5ece6fdaa21d7bfdfc7 MD5: 845c6f85f2a58dee6c49ed47ab052662 |
M21-p6gb1 | Ruskill_1d1bccd2 | Windows |
This strike sends a malware sample known as Ruskill. Ruskill is a botnet that spreads via removable media and through messaging applications. It steals credentials and is used to launch denial-of-service attacks. | 1d1bccd23b7cf435334f34766ffb6858 | https://blog.talosintelligence.com/2021/02/threat-roundup-0129-0205.html SHA256: 065d25b7577fe097ba6c789428b370eec7967256db2c43cf1cc95ec197805dd1 SHA1: 655cdc1bb1c74b95dc5220ac895dbcc399530475 MD5: 1d1bccd23b7cf435334f34766ffb6858 |
M21-voul1 | Buer_d1b2c5f7 | Windows |
This strike sends a polymorphic malware sample known as Buer. Buer is a first-stage downloader used to deploy various other forms of malware, such as ransomware, to its intended victim. It is sold as a ready-to-go solution in underground marketplaces to parties looking for malware that offers modular delivery options. The binary has random strings (lorem ipsum) appended at the end of the file. | d1b2c5f79f39a646bbd29f9aebbc57e9 | https://attack.mitre.org/techniques/T1009/ SHA256: f334b1a002b0204533f671729c33752d813e1a0d7816c8588c075a73aa52bb97 PARENTID: M21-nkhl1 SSDEEP: 3072:taLJO81NCCCoyq+IuvD/9QrCBrOg8T8O81NCCCoyq+IuvD/9QrCBrOg8TOg/PDg7:2GqEDuqEDtgzgMFjMVAKy7X7SuiapQ SHA1: a8482072ce3a953f9764b620d25db8a45ae492a5 MD5: d1b2c5f79f39a646bbd29f9aebbc57e9 |
M21-ffky1 | Buer_285e5729 | Windows |
This strike sends a malware sample known as Buer. Buer is a first-stage downloader used to deploy various other forms of malware, such as ransomware, to its intended victim. It is sold as a ready-to-go solution in underground marketplaces to parties looking for malware that offers modular delivery options. | 285e57297f578e565dc814301149edbf | https://www.proofpoint.com/us/threat-insight/post/buer-new-loader-emerges-underground-marketplace https://twitter.com/VK_Intel/status/1359688058069790722 SHA256: 197163b6eb2114f3b565391f43b44fb8d61531a23758e35b11ef0dc44d349e90 SHA1: 1b7a5c582d56646a0e51b3296e69e9f61b3ffa0d MD5: 285e57297f578e565dc814301149edbf |
M21-00es1 | Buer_1292fd2e | Windows |
This strike sends a polymorphic malware sample known as Buer. Buer is a first-stage downloader used to deploy various other forms of malware, such as ransomware, to its intended victim. It is sold as a ready-to-go solution in underground marketplaces to parties looking for malware that offers modular delivery options. The binary has a new section with random contents added in the PE file format. | 1292fd2e94145944fc89568de433ea78 | https://arxiv.org/abs/1801.08917 SHA256: d44f0005202bf35c13fbc4d397a5422bc04af75c1bed2708f446591f43341899 PARENTID: M21-ffky1 SSDEEP: 3072:2JAbotnxd8Rt+Q+i17+H3UQ+CYZ4H/dWgG+9Q:NboNIn+I+51/g SHA1: 17951cdd0f2b19d2e54ab0e0a8ad65ea807d3a80 MD5: 1292fd2e94145944fc89568de433ea78 |
M21-q6yp1 | Buer_733098ca | Windows |
This strike sends a polymorphic malware sample known as Buer. Buer is a first-stage downloader used to deploy various other forms of malware, such as ransomware, to its intended victim. It is sold as a ready-to-go solution in underground marketplaces to parties looking for malware that offers modular delivery options. The binary has been packed using the UPX packer with the default options. | 733098cad6d135345bc00f37cdca52c5 | https://attack.mitre.org/techniques/T1045/ SHA256: 96c7d4846b05d45d474e3e10df3691f19b6365a607e384b3cc3d14133700f162 PARENTID: M21-ffky1 SSDEEP: 3072:eGoAKhyKshZlQwPevcQlxeub1wn/LVv/txcCxQy:ZZtQxcuL1KlxcC SHA1: bda10f0c4aad411401ae5fe5fa8234730bff8d9d MD5: 733098cad6d135345bc00f37cdca52c5 |
M21-0bfd1 | Ruskill_52479cdd | Windows |
This strike sends a malware sample known as Ruskill. Ruskill is a botnet that spreads via removable media and through messaging applications. It steals credentials and is used to launch denial-of-service attacks. | 52479cdd528eaeb80b34602492607c8f | https://blog.talosintelligence.com/2021/02/threat-roundup-0129-0205.html SHA256: 3d241bc13f8b401bfc9cd9e76a61e306c63be399bee6fb251b91e7d4b472cf1f SHA1: dc1932bf26a004dea909b1bfb159f3613a785cdf MD5: 52479cdd528eaeb80b34602492607c8f |