M21-hzro1 | Babuk | Windows |
This strike sends a malware sample known as Babuk Locker. Babuk is a ransomware that first appeared in early 2021. Recently, a tool used to create these ransomware samples has been detected in other attacks and is being referred to as Babuk Locker. | 024382eef9abab8edd804548f94b78fc | https://www.bleepingcomputer.com/news/security/leaked-babuk-locker-ransomware-builder-used-in-new-attacks/ | SHA256: c4282e9040cdc1df92b722568a8b4c42ce9f6533fed0bd34b7fdbae264947784 | SHA1: b69a5385d880f4d0acd3358df002aba42b12820f | MD5: 024382eef9abab8edd804548f94b78fc |
M21-syed1 | REvil_a47cf00a | Windows |
This strike sends a malware sample known as REvil. In July 2021 a supply-chain ransomware attack leveraging an SQL injection vulnerability in Kaseya VSA software was carried out against multiple MSPs and their customers. The ransomware used in this attack, REvil (also known as Sodinokibi), was pushed to the MSPs' customers via an automated malicious update. | a47cf00aedf769d60d58bfe00c0b5421 | https://securityscorecard.com/blog/agent-revil-unveiled-in-kaseya-vsa-ransomware-attack | SHA256: 8dd620d9aeb35960bb766458c8890ede987c33d239cf730f93fe49d90ae759dd | SHA1: 656c4d285ea518d90c1b669b79af475db31e30b1 | MD5: a47cf00aedf769d60d58bfe00c0b5421 |
M21-2klg1 | Bandidos_038de761 | Windows |
This strike sends a malware sample known as Bandidos. This campaign was recently found largely targeting Venezuela and other Spanish-speaking countries. Infection begins with a malicious email carrying a PDF document; once the PDF is opened and its link clicked, an archive is retrieved containing a dropper that injects Bandook into Internet Explorer. The Bandidos payload has many features, including manipulating files, taking screenshots, controlling the user's on-screen cursor, installing additional DLLs, uninstalling itself, and exfiltrating data. This sample is the dropper. | 038de761c002ae546870035be143a736 | https://www.welivesecurity.com/2021/07/07/bandidos-at-large-spying-campaign-latin-america/ | https://thehackernews.com/2021/07/experts-uncover-malware-attacks.html | SHA256: 435fa80c1088c8e2b821cf86d5f5a6c2cebf41e3b12d067473c79ab5773d3862 | SHA1: af1f08a0d2e0d40e99fcaba6c1c090b093ac0756 | MD5: 038de761c002ae546870035be143a736 |
M21-xhga1 | Bandidos_64acb89a | Windows |
This strike sends a polymorphic malware sample known as Bandidos. This campaign was recently found largely targeting Venezuela and other Spanish-speaking countries. Infection begins with a malicious email carrying a PDF document; once the PDF is opened and its link clicked, an archive is retrieved containing a dropper that injects Bandook into Internet Explorer. The Bandidos payload has many features, including manipulating files, taking screenshots, controlling the user's on-screen cursor, installing additional DLLs, uninstalling itself, and exfiltrating data. This sample is the dropper. The binary has a section renamed to a random name in accordance with the PE format specification. | 64acb89ad84db2d5f2bad354ad547417 | https://www.welivesecurity.com/2021/07/07/bandidos-at-large-spying-campaign-latin-america/ | https://thehackernews.com/2021/07/experts-uncover-malware-attacks.html | SHA256: d5ac969a01842b7f5e01aae02bfee66a8d70985b9935c8f4e346c8c7fb68f524 | https://arxiv.org/abs/1801.08917 | PARENTID: M21-2klg1 | SSDEEP: 49152:y435mcqM2uL8Ujfwkrk2vts5Allzg2NZPnz:yhEfwk18A | SHA1: bc226a175b62eb6c022a97b2e1f0cf35e0b5f306 | MD5: 64acb89ad84db2d5f2bad354ad547417 |
M21-ehw71 | Formbook_4f631559 | Windows |
This strike sends a malware sample known as Formbook. Formbook is an information stealer that attempts to collect sensitive information from the target. | 4f6315593f81cee989d2d2c376869e5a | https://blog.talosintelligence.com/2021/07/threat-roundup-0625-0702.html | SHA256: 9f086d1b80984ca1a1026f47f5d9a84dccf7a0b758bf46643a2d967f24ebaefb | SHA1: ded97ce60117970dc4e715a1247cae62e0c119ba | MD5: 4f6315593f81cee989d2d2c376869e5a |
M21-77on1 | Bandidos_3015f878 | Windows |
This strike sends a polymorphic malware sample known as Bandidos. This campaign was recently found largely targeting Venezuela and other Spanish-speaking countries. Infection begins with a malicious email carrying a PDF document; once the PDF is opened and its link clicked, an archive is retrieved containing a dropper that injects Bandook into Internet Explorer. The Bandidos payload has many features, including manipulating files, taking screenshots, controlling the user's on-screen cursor, installing additional DLLs, uninstalling itself, and exfiltrating data. This sample is the dropper. The binary has the timestamp field in the PE file header updated. | 3015f8785e0aa11d0cc1eadfe6112916 | https://www.welivesecurity.com/2021/07/07/bandidos-at-large-spying-campaign-latin-america/ | https://thehackernews.com/2021/07/experts-uncover-malware-attacks.html | SHA256: c8c9fe06c5ad3b0041a7e04b7d1aa7df343a872a1b7f38bc58b76b58be759330 | https://attack.mitre.org/techniques/T1099/ | PARENTID: M21-wp9r1 | SSDEEP: 24576:UEZ4iqYQk5zZrikTtPUZwkC02g+fTqPUf/SWKfL7gg6PQVqa9qSb:UEFQ6k0TVkQxPQo9 | SHA1: 7af5e775abc01c8befce15b6aac0ef48aa528f7c | MD5: 3015f8785e0aa11d0cc1eadfe6112916 |
M21-p9lw1 | Bandidos_78cb7d1e | Windows |
This strike sends a polymorphic malware sample known as Bandidos. This campaign was recently found largely targeting Venezuela and other Spanish-speaking countries. Infection begins with a malicious email carrying a PDF document; once the PDF is opened and its link clicked, an archive is retrieved containing a dropper that injects Bandook into Internet Explorer. The Bandidos payload has many features, including manipulating files, taking screenshots, controlling the user's on-screen cursor, installing additional DLLs, uninstalling itself, and exfiltrating data. This sample is the dropper. The binary has random strings (lorem ipsum) appended at the end of the file. | 78cb7d1e62e3340825e8db41e752bdb8 | https://www.welivesecurity.com/2021/07/07/bandidos-at-large-spying-campaign-latin-america/ | https://thehackernews.com/2021/07/experts-uncover-malware-attacks.html | SHA256: 3590b35fe256a567278c716fb25d2eb874c93928764820086553c2119e429f97 | https://attack.mitre.org/techniques/T1009/ | PARENTID: M21-wp9r1 | SSDEEP: 24576:5EZ4iqYQk5zZrikTtPUZwkC02g+fTqPUf/SWKfL7gg6PQVqa9qSbp:5EFQ6k0TVkQxPQo9u | SHA1: cf5ebfbde9fa159f7ebb699fe04b5a42b10ced28 | MD5: 78cb7d1e62e3340825e8db41e752bdb8 |
M21-yljf1 | Bandidos_86657996 | Windows |
This strike sends a polymorphic malware sample known as Bandidos. This campaign was recently found largely targeting Venezuela and other Spanish-speaking countries. Infection begins with a malicious email carrying a PDF document; once the PDF is opened and its link clicked, an archive is retrieved containing a dropper that injects Bandook into Internet Explorer. The Bandidos payload has many features, including manipulating files, taking screenshots, controlling the user's on-screen cursor, installing additional DLLs, uninstalling itself, and exfiltrating data. This sample is the dropper. The binary has random strings (lorem ipsum) appended at the end of the file. | 866579961556526d991a5917a5adc665 | https://www.welivesecurity.com/2021/07/07/bandidos-at-large-spying-campaign-latin-america/ | https://thehackernews.com/2021/07/experts-uncover-malware-attacks.html | SHA256: c19ea1ace8cf4e46b4a46f5650efc7c6db0855b54fe2302a05d4c16a67d754a1 | https://attack.mitre.org/techniques/T1009/ | PARENTID: M21-2klg1 | SSDEEP: 49152:u435mcqM2uL8Ujfwkrk2vts5Allzg2NZPnzT:uhEfwk18Ah | SHA1: 163661d0286971eb3920038e3d68738be98b3f5b | MD5: 866579961556526d991a5917a5adc665 |
M21-ml221 | Hupigon_9c25b770 | Windows |
This strike sends a malware sample known as Hupigon. Hupigon is a family of trojans that allow a remote user to execute commands on the system, such as deleting files and folders, downloading and executing files, and terminating processes. | 9c25b77077f44d79fc5366eb54b22bbd | https://blog.talosintelligence.com/2021/07/threat-roundup-for-july-9-to-july-16.html | SHA256: 2e1c1fe7a5c150297ae4a0bda84d89fba054acc8eb1b516be5153fbfe0e9e986 | SHA1: 7b64e9d1ef65e090a0845d1abab600fae2e5d8d6 | MD5: 9c25b77077f44d79fc5366eb54b22bbd |
M21-ovts1 | DarkSide_f587adbd | Windows |
This strike sends a malware sample known as DarkSide. DarkSide is a ransomware group that made headlines in 2021 when it was attributed to the attack against CompuCom as well as the attack against Colonial Pipeline, which took the major US fuel pipeline offline. The DarkSide group is known for its very specific approach to targeting victims: each executable is carefully crafted for its intended target. | f587adbd83ff3f4d2985453cd45c7ab1 | https://us-cert.cisa.gov/ncas/analysis-reports/ar21-189a | SHA256: 156335b95ba216456f1ac0894b7b9d6ad95404ac7df447940f21646ca0090673 | SHA1: 2715340f82426f840cf7e460f53a36fc3aad52aa | MD5: f587adbd83ff3f4d2985453cd45c7ab1 |
M21-zycs1 | LokiBot_495fff18 | Windows |
This strike sends a malware sample known as LokiBot. LokiBot is an information-stealing malware designed to siphon off sensitive information stored on an infected device. It is modular in nature, supporting the theft of sensitive information from a number of popular applications. It is commonly pushed via malicious documents delivered in spam emails. | 495fff18bc8c631e44c00b273d0742d2 | https://blog.talosintelligence.com/2021/07/threat-roundup-0702-0709.html | SHA256: 234be2e9be73a8a2ff9da5a7231c37da2bb95fc229b7ddc24f5324576a5c34e1 | SHA1: d6c516d97545bb74f307858f91b91596d20eda4c | MD5: 495fff18bc8c631e44c00b273d0742d2 |
M21-cd5g1 | LokiBot_589813a9 | Windows |
This strike sends a malware sample known as LokiBot. LokiBot is an information-stealing malware designed to siphon off sensitive information stored on an infected device. It is modular in nature, supporting the theft of sensitive information from a number of popular applications. It is commonly pushed via malicious documents delivered in spam emails. | 589813a949474184438f1b7117457913 | https://blog.talosintelligence.com/2021/07/threat-roundup-0702-0709.html | SHA256: 59aed575bdae0ef8204a771d9d3282cc41880ed9c98305c02213e0b746117654 | SHA1: 0fd1fb82e38760a819f506b8fbb85c9abaee2532 | MD5: 589813a949474184438f1b7117457913 |
M21-5xer1 | LockBit_889328e2 | Windows |
This strike sends a malware sample known as LockBit. LockBit is a ransomware that, once executed, encrypts the system's files until a ransom payment has been made to the attacker. LockBit can scan for and spread itself to all targets it finds on a network. | 889328e2cf5f5d74531b9b0a25c1871c | https://www.prodaft.com/m/reports/LockBit_Case_Report___TLPWHITE.pdf | https://www.mcafee.com/blogs/other-blogs/mcafee-labs/tales-from-the-trenches-a-lockbit-ransomware-story/ | https://www.bleepingcomputer.com/news/security/ransomware-gangs-now-creating-websites-to-recruit-affiliates/ | SHA256: 0e66029132a885143b87b1e49e32663a52737bbff4ab96186e9e5e829aa2915f | SHA1: d14a6e699a1f0805bd1248c80c2dc9dfccf0f403 | MD5: 889328e2cf5f5d74531b9b0a25c1871c |
M21-xf2x1 | REvil_8c26763d | Windows |
This strike sends a polymorphic malware sample known as REvil. In July 2021 a supply-chain ransomware attack leveraging an SQL injection vulnerability in Kaseya VSA software was carried out against multiple MSPs and their customers. The ransomware used in this attack, REvil (also known as Sodinokibi), was pushed to the MSPs' customers via an automated malicious update. The binary has random strings (lorem ipsum) appended at the end of the file. | 8c26763d51dcec8d6683558e395b7f17 | https://securityscorecard.com/blog/agent-revil-unveiled-in-kaseya-vsa-ransomware-attack | SHA256: fbc019520b3ce65a52507428ed30c8fb3285da3e059afc11951a3e97f62b7216 | https://attack.mitre.org/techniques/T1009/ | PARENTID: M21-2zn41 | SSDEEP: 1536:xxd+ReKXU/MQaL7k0B/L7s+Zi+GrZxtQpfyHvtICS4A4UdZls8XzUXiWr4X5F4GF:xtchTojrZxtMhiiZHjUyWr4X5FTDUq | SHA1: d0638a70f6cf8e46f22279efa7d364b644207001 | MD5: 8c26763d51dcec8d6683558e395b7f17 |
M21-oe031 | LockBit_9a246bf3 | Windows |
This strike sends a malware sample known as LockBit. LockBit is a ransomware that, once executed, encrypts the system's files until a ransom payment has been made to the attacker. LockBit can scan for and spread itself to all targets it finds on a network. | 9a246bf39f3fab9c2d45f1003bdc6b45 | https://www.prodaft.com/m/reports/LockBit_Case_Report___TLPWHITE.pdf | https://www.mcafee.com/blogs/other-blogs/mcafee-labs/tales-from-the-trenches-a-lockbit-ransomware-story/ | https://www.bleepingcomputer.com/news/security/ransomware-gangs-now-creating-websites-to-recruit-affiliates/ | SHA256: 76a77def28acf51b2b7cdcbfaa182fe5726dd3f9e891682a4efc3226640b9c78 | SHA1: f05e71ed0e4a779fc30c3d732b07e15d56f8e3bc | MD5: 9a246bf39f3fab9c2d45f1003bdc6b45 |
M21-c3kb1 | Bandidos_998462a8 | Windows |
This strike sends a polymorphic malware sample known as Bandidos. This campaign was recently found largely targeting Venezuela and other Spanish-speaking countries. Infection begins with a malicious email carrying a PDF document; once the PDF is opened and its link clicked, an archive is retrieved containing a dropper that injects Bandook into Internet Explorer. The Bandidos payload has many features, including manipulating files, taking screenshots, controlling the user's on-screen cursor, installing additional DLLs, uninstalling itself, and exfiltrating data. This sample is the dropper. The binary has random contents appended to one of the existing sections of the PE file. | 998462a846d496b57b30b5f39ee118b0 | https://www.welivesecurity.com/2021/07/07/bandidos-at-large-spying-campaign-latin-america/ | https://thehackernews.com/2021/07/experts-uncover-malware-attacks.html | SHA256: ee56f42edd410332cc062271a8a8c2caf659b643c648888c359993a761e3aff5 | https://arxiv.org/abs/1801.08917 | PARENTID: M21-2klg1 | SSDEEP: 49152:d435mcqM2uL8Ujfwkrk2vts5Allzg2NZPnz:dhEfwk18A | SHA1: 4b8bf07db8a88b88a0eed09cc1fb535cb84c907b | MD5: 998462a846d496b57b30b5f39ee118b0 |
M21-o4oe1 | Hupigon_793c7c56 | Windows |
This strike sends a malware sample known as Hupigon. Hupigon is a family of trojans that allow a remote user to execute commands on the system, such as deleting files and folders, downloading and executing files, and terminating processes. | 793c7c568ef53df8d3e838c1119b509e | https://blog.talosintelligence.com/2021/07/threat-roundup-for-july-9-to-july-16.html | SHA256: 8db5854db9f3c732edc0d4ef3540b0635848abb70abdfc29049ca25dc4776f07 | SHA1: b74402bc23cb607cf6f2ff9ad4031f77b26e3b82 | MD5: 793c7c568ef53df8d3e838c1119b509e |
M21-or3m1 | LokiBot_6c2cd24b | Windows |
This strike sends a malware sample known as LokiBot. LokiBot is an information-stealing malware designed to siphon off sensitive information stored on an infected device. It is modular in nature, supporting the theft of sensitive information from a number of popular applications. It is commonly pushed via malicious documents delivered in spam emails. | 6c2cd24b96a7cf4f1a2d4e4ba2b05453 | https://blog.talosintelligence.com/2021/07/threat-roundup-0702-0709.html | SHA256: a49c4e4536a52bed7f8fdd16d8feb46a4e624472c9db4e60b0530ca070efd078 | SHA1: a60787e3e509755f62558e812fa0a6ff76049ed8 | MD5: 6c2cd24b96a7cf4f1a2d4e4ba2b05453 |
M21-y08v1 | Bandidos_80bda1f2 | Windows |
This strike sends a polymorphic malware sample known as Bandidos. This campaign was recently found largely targeting Venezuela and other Spanish-speaking countries. Infection begins with a malicious email carrying a PDF document; once the PDF is opened and its link clicked, an archive is retrieved containing a dropper that injects Bandook into Internet Explorer. The Bandidos payload has many features, including manipulating files, taking screenshots, controlling the user's on-screen cursor, installing additional DLLs, uninstalling itself, and exfiltrating data. This sample is the dropper. The binary has a section renamed to a random name in accordance with the PE format specification. | 80bda1f2647c16ed8050162359401c28 | https://www.welivesecurity.com/2021/07/07/bandidos-at-large-spying-campaign-latin-america/ | https://thehackernews.com/2021/07/experts-uncover-malware-attacks.html | SHA256: 9b232918a9ed4112b3f2961b44945864bf1b90d7b232a4631e4529b7f611212c | https://arxiv.org/abs/1801.08917 | PARENTID: M21-i0lt1 | SSDEEP: 24576:ffKzZ9+FcgTEGJR93oWUZ54a09K1dghmcaGw74MWW:fyytjKE3wh | SHA1: d30fa1dfe5f4055b376d0a864424226426dce2d3 | MD5: 80bda1f2647c16ed8050162359401c28 |
M21-1wov1 | Formbook_fa710797 | Windows |
This strike sends a malware sample known as Formbook. Formbook is an information stealer that attempts to collect sensitive information from the target. | fa7107970a5b56d0d2c4b5692dbd9d33 | https://blog.talosintelligence.com/2021/07/threat-roundup-0625-0702.html | SHA256: 058a2309d89e8b24502c3a7ba08882eacecafd2e2d419ddecbe91202f80504fe | SHA1: 5ac23d9dd1e4313568682c43516ca69fa9373503 | MD5: fa7107970a5b56d0d2c4b5692dbd9d33 |
M21-xbz51 | LockBit_49250b4a | Windows |
This strike sends a malware sample known as LockBit. LockBit is a ransomware that, once executed, encrypts the system's files until a ransom payment has been made to the attacker. LockBit can scan for and spread itself to all targets it finds on a network. | 49250b4aa060299f0c8f67349c942d1c | https://www.prodaft.com/m/reports/LockBit_Case_Report___TLPWHITE.pdf | https://www.mcafee.com/blogs/other-blogs/mcafee-labs/tales-from-the-trenches-a-lockbit-ransomware-story/ | https://www.bleepingcomputer.com/news/security/ransomware-gangs-now-creating-websites-to-recruit-affiliates/ | SHA256: 69d9dd7fdd88f33e2343fb391ba063a65fe5ffbe649da1c5083ec4a67c525997 | SHA1: 4d0e6d7af9a5edece5273f3c312fdd3b9c229409 | MD5: 49250b4aa060299f0c8f67349c942d1c |
M21-t5q81 | Hupigon_58303826 | Windows |
This strike sends a malware sample known as Hupigon. Hupigon is a family of trojans that allow a remote user to execute commands on the system, such as deleting files and folders, downloading and executing files, and terminating processes. | 58303826aae3c74a9465e4df449426ad | https://blog.talosintelligence.com/2021/07/threat-roundup-for-july-9-to-july-16.html | SHA256: 0fff1aa47eb2da56333fa309de651adf025ff8d80c62c95cddd91a2e88a6dbf1 | SHA1: 180a448c1d5b59e77098eab4e028206dcdab7ba2 | MD5: 58303826aae3c74a9465e4df449426ad |
M21-upqr1 | LockBit_c270ab0d | Windows |
This strike sends a polymorphic malware sample known as LockBit. LockBit is a ransomware that, once executed, encrypts the system's files until a ransom payment has been made to the attacker. LockBit can scan for and spread itself to all targets it finds on a network. The binary has random strings (lorem ipsum) appended at the end of the file. | c270ab0d2922947d199777adabf851bc | https://www.prodaft.com/m/reports/LockBit_Case_Report___TLPWHITE.pdf | https://www.mcafee.com/blogs/other-blogs/mcafee-labs/tales-from-the-trenches-a-lockbit-ransomware-story/ | https://www.bleepingcomputer.com/news/security/ransomware-gangs-now-creating-websites-to-recruit-affiliates/ | SHA256: 5cee6787e8c736c14d708ab9e2afd25856e8be12bcc822dbd1c468c30de58d7c | https://attack.mitre.org/techniques/T1009/ | PARENTID: M21-h4xy1 | SSDEEP: 1536:e/0JJMzS/5uJup2KN/Z9SQ2illYOcJngsxmZ50fBbjpAeuwCU:e/qJMq5uJupjSQ2+1ctgY5bjpp5 | SHA1: 24581d8b4ec25345315bbbd782b888361968a19f | MD5: c270ab0d2922947d199777adabf851bc |
M21-zio51 | Hupigon_a8e0c1a2 | Windows |
This strike sends a malware sample known as Hupigon. Hupigon is a family of trojans that allow a remote user to execute commands on the system, such as deleting files and folders, downloading and executing files, and terminating processes. | a8e0c1a24ef3690eb2c8c79ea8fc880a | https://blog.talosintelligence.com/2021/07/threat-roundup-for-july-9-to-july-16.html | SHA256: a8964c9721dac56c6e77460f82e8c669012d3dbb9ee2629595facc13b1ea744d | SHA1: ef7094a262ea9813e5b1bd3fdd82826dc6016ca5 | MD5: a8e0c1a24ef3690eb2c8c79ea8fc880a |
M21-3dqx1 | Bandidos_4dc64170 | Windows |
This strike sends a polymorphic malware sample known as Bandidos. This campaign was recently found largely targeting Venezuela and other Spanish-speaking countries. Infection begins with a malicious email carrying a PDF document; once the PDF is opened and its link clicked, an archive is retrieved containing a dropper that injects Bandook into Internet Explorer. The Bandidos payload has many features, including manipulating files, taking screenshots, controlling the user's on-screen cursor, installing additional DLLs, uninstalling itself, and exfiltrating data. This sample is the dropper. The binary has random strings (lorem ipsum) appended at the end of the file. | 4dc6417077e498a189e40dde2efd41da | https://www.welivesecurity.com/2021/07/07/bandidos-at-large-spying-campaign-latin-america/ | https://thehackernews.com/2021/07/experts-uncover-malware-attacks.html | SHA256: 18b86ad7c385110e6b72e588bf85f6ec6a8862317963c35560a2c0020b636480 | https://attack.mitre.org/techniques/T1009/ | PARENTID: M21-i0lt1 | SSDEEP: 24576:ofKzZ9+FcgTEGJR93oWUZ54a09K1dghmcaGw74MWWY:oyytjKE3whi | SHA1: 15e6bed80f4b7efee0f20e0ed1575190a865241c | MD5: 4dc6417077e498a189e40dde2efd41da |
M21-dfou1 | LockBit_5cc28691 | Windows |
This strike sends a malware sample known as LockBit. LockBit is a ransomware that, once executed, encrypts the system's files until a ransom payment has been made to the attacker. LockBit can scan for and spread itself to all targets it finds on a network. | 5cc28691fdaa505b8f453e3500e3d690 | https://www.prodaft.com/m/reports/LockBit_Case_Report___TLPWHITE.pdf | https://www.mcafee.com/blogs/other-blogs/mcafee-labs/tales-from-the-trenches-a-lockbit-ransomware-story/ | https://www.bleepingcomputer.com/news/security/ransomware-gangs-now-creating-websites-to-recruit-affiliates/ | SHA256: 286bffaa9c81abfb938fe65be198770c38115cdec95865a241f913769e9bfd3f | SHA1: cb3fb57b5c70c3a2f30aa3af078bbb1cfdd1bf02 | MD5: 5cc28691fdaa505b8f453e3500e3d690 |
M21-fd741 | LockBit_0d03306e | Windows |
This strike sends a malware sample known as LockBit. LockBit is a ransomware that, once executed, encrypts the system's files until a ransom payment has been made to the attacker. LockBit can scan for and spread itself to all targets it finds on a network. | 0d03306ed6dd40407e8ae0fa3ffc181f | https://www.prodaft.com/m/reports/LockBit_Case_Report___TLPWHITE.pdf | https://www.mcafee.com/blogs/other-blogs/mcafee-labs/tales-from-the-trenches-a-lockbit-ransomware-story/ | https://www.bleepingcomputer.com/news/security/ransomware-gangs-now-creating-websites-to-recruit-affiliates/ | SHA256: 6fedf83e76d76c59c8ad0da4c5af28f23a12119779f793fd253231b5e3b00a1a | SHA1: 39f5ec91f17f2dcee1c9fa124796439bc93a5120 | MD5: 0d03306ed6dd40407e8ae0fa3ffc181f |
M21-w70i1 | LokiBot_32270e69 | Windows |
This strike sends a malware sample known as LokiBot. LokiBot is an information-stealing malware designed to siphon off sensitive information stored on an infected device. It is modular in nature, supporting the theft of sensitive information from a number of popular applications. It is commonly pushed via malicious documents delivered in spam emails. | 32270e6929682c0ae0fbd255ff1ed6d5 | https://blog.talosintelligence.com/2021/07/threat-roundup-0702-0709.html | SHA256: b2214c05ad28423bce386338706021ca62da02d368f0a56844a89a250b562ccd | SHA1: 87e562b6f11720cd72a4c44e4ed3b1a0711d682e | MD5: 32270e6929682c0ae0fbd255ff1ed6d5 |
M21-vf0g1 | LokiBot_9ec2a2e6 | Windows |
This strike sends a malware sample known as LokiBot. LokiBot is an information-stealing malware designed to siphon off sensitive information stored on an infected device. It is modular in nature, supporting the theft of sensitive information from a number of popular applications. It is commonly pushed via malicious documents delivered in spam emails. | 9ec2a2e68f07d83c5904dde328c2f594 | https://blog.talosintelligence.com/2021/07/threat-roundup-0702-0709.html | SHA256: 872f2db91242bcb9a559e485badafa100fddc0cffb41cfa4ca260a365b5f43f6 | SHA1: 7ec6568a23ba57eb2bfee8ad47cacb7460874432 | MD5: 9ec2a2e68f07d83c5904dde328c2f594 |
M21-83181 | Bandidos_fc89c12d | Windows |
This strike sends a polymorphic malware sample known as Bandidos. This campaign was recently found largely targeting Venezuela and other Spanish-speaking countries. Infection begins with a malicious email carrying a PDF document; once the PDF is opened and its link clicked, an archive is retrieved containing a dropper that injects Bandook into Internet Explorer. The Bandidos payload has many features, including manipulating files, taking screenshots, controlling the user's on-screen cursor, installing additional DLLs, uninstalling itself, and exfiltrating data. This sample is the dropper. The binary has a section renamed to a random name in accordance with the PE format specification. | fc89c12d2438bf86a0983305e9b76ff4 | https://www.welivesecurity.com/2021/07/07/bandidos-at-large-spying-campaign-latin-america/ | https://thehackernews.com/2021/07/experts-uncover-malware-attacks.html | SHA256: 5123e6be3ccce331f20a6d81850a6b73147c09febd3ff3347fb6b2f32680adf9 | https://arxiv.org/abs/1801.08917 | PARENTID: M21-wp9r1 | SSDEEP: 24576:yEZ4iqYQk5zZrikTtPUZwkC02g+fTqPUf/SWKfL7gg6PQVqa9qSb:yEFQ6k0TVkQxPQo9 | SHA1: 30a68a861036fe74d4e5c2afc1ca4fd7b694940e | MD5: fc89c12d2438bf86a0983305e9b76ff4 |
M21-e0ts1 | LokiBot_f520c950 | Windows |
This strike sends a malware sample known as LokiBot. LokiBot is an information-stealing malware designed to siphon off sensitive information stored on an infected device. It is modular in nature, supporting the theft of sensitive information from a number of popular applications. It is commonly pushed via malicious documents delivered in spam emails. | f520c950b540931fb502ad1fccc6e5ec | https://blog.talosintelligence.com/2021/07/threat-roundup-0702-0709.html | SHA256: 32a3bb3048012ecb5c4cd1e9c307606e31235b7cf66d10e40a3faf820dd12554 | SHA1: a917643bbc7497ebf51c898e20e8a6ac16d1eae6 | MD5: f520c950b540931fb502ad1fccc6e5ec |
M21-khbz1 | Hupigon_5e15f278 | Windows |
This strike sends a malware sample known as Hupigon. Hupigon is a family of trojans that allow a remote user to execute commands on the system, such as deleting files and folders, downloading and executing files, and terminating processes. | 5e15f2784f98d21c45029623610e268a | https://blog.talosintelligence.com/2021/07/threat-roundup-for-july-9-to-july-16.html | SHA256: 47740a648c13c4288b829d3d3f2242f1d9730a8af5a907de716871e2590b56a1 | SHA1: df053239071a8b1088d27eea647b42a623ff9ecf | MD5: 5e15f2784f98d21c45029623610e268a |
M21-gu481 | LockBit_e4179bca | Windows |
This strike sends a malware sample known as LockBit. LockBit is a ransomware that, once executed, encrypts the system's files until a ransom payment has been made to the attacker. LockBit can scan for and spread itself to all targets it finds on a network. | e4179bca5bf5b1fd51172d629f5521f8 | https://www.prodaft.com/m/reports/LockBit_Case_Report___TLPWHITE.pdf | https://www.mcafee.com/blogs/other-blogs/mcafee-labs/tales-from-the-trenches-a-lockbit-ransomware-story/ | https://www.bleepingcomputer.com/news/security/ransomware-gangs-now-creating-websites-to-recruit-affiliates/ | SHA256: ca57455fd148754bf443a2c8b06dc2a295f014b071e3990dd99916250d21bc75 | SHA1: 488e532e55100da68eaeee30ba342cc05810e296 | MD5: e4179bca5bf5b1fd51172d629f5521f8 |
M21-be4c1 | Bandidos_b89e1cb9 | Mixed |
This strike sends a malware sample known as Bandidos. This campaign was recently found largely targeting Venezuela and other Spanish-speaking countries. Infection begins with a malicious email carrying a PDF document; once the PDF is opened and its link clicked, an archive is retrieved containing a dropper that injects Bandook into Internet Explorer. The Bandidos payload has many features, including manipulating files, taking screenshots, controlling the user's on-screen cursor, installing additional DLLs, uninstalling itself, and exfiltrating data. This sample is the PDF. | b89e1cb9522fbf1a4b54450b0c0c8781 | https://thehackernews.com/2021/07/experts-uncover-malware-attacks.html | https://www.welivesecurity.com/2021/07/07/bandidos-at-large-spying-campaign-latin-america/ | SHA256: 2519475a0d1465481294801e07692ecdf21bbe864d0a973e06fb86398ba9dd61 | SHA1: f384bdd63d3541c45fad9d82ef7f36f6c380d4dd | MD5: b89e1cb9522fbf1a4b54450b0c0c8781 |
M21-f3na1 | Hupigon_e921af12 | Windows |
This strike sends a malware sample known as Hupigon. Hupigon is a family of trojans that allow a remote user to execute commands on the system, such as deleting files and folders, downloading and executing files, and terminating processes. | e921af128394bc17536506a9ea7f1c13 | https://blog.talosintelligence.com/2021/07/threat-roundup-for-july-9-to-july-16.html | SHA256: d800487b23a227def3770c846e4d8954e777caca74d0d2697c4ee20decaa946e | SHA1: 3bad123e07898791c3f4cec8df54f3ff79ba8bea | MD5: e921af128394bc17536506a9ea7f1c13 |
M21-mmnr1 | LockBit_5f504bb2 | Windows |
This strike sends a malware sample known as LockBit. LockBit is a ransomware that, once executed, encrypts the system's files until a ransom payment has been made to the attacker. LockBit can scan for and spread itself to all targets it finds on a network. | 5f504bb22471157aafeb887b4412b5de | https://www.prodaft.com/m/reports/LockBit_Case_Report___TLPWHITE.pdf | https://www.mcafee.com/blogs/other-blogs/mcafee-labs/tales-from-the-trenches-a-lockbit-ransomware-story/ | https://www.bleepingcomputer.com/news/security/ransomware-gangs-now-creating-websites-to-recruit-affiliates/ | SHA256: 0f5d71496ab540c3395cfc024778a7ac5c6b5418f165cc753ea2b2befbd42d51 | SHA1: 04fcf62555cf2cfaf4ed2d0ac7e973b3215b2de7 | MD5: 5f504bb22471157aafeb887b4412b5de |
M21-xdgf1 | Formbook_7c863257 | Windows |
This strike sends a malware sample known as Formbook. Formbook is an information stealer that attempts to collect sensitive information from the target. | 7c863257a55bf029ffa58f2ed25ae22c | https://blog.talosintelligence.com/2021/07/threat-roundup-0625-0702.html | SHA256: 791bf882ea8aa1b2087f0882c7012170002fca93de56f191cbba27b2817a5007 | SHA1: 096ba1fbd0ffd1d6067df44967a9127ee029855f | MD5: 7c863257a55bf029ffa58f2ed25ae22c |
M21-juue1 | Formbook_857e3a6e | Windows |
This strike sends a malware sample known as Formbook. Formbook is an information stealer that attempts to collect sensitive information from the target. | 857e3a6ecbeada63ae04fc1471abffcd | https://blog.talosintelligence.com/2021/07/threat-roundup-0625-0702.html | SHA256: 00b6af7edaa2b00729733a14bc2bc9c73decdc9af3de09b958585ec309db6730 | SHA1: 3ff58f110f17f513b0c17e58288ab1ac58640f6a | MD5: 857e3a6ecbeada63ae04fc1471abffcd |
M21-lla91 | LokiBot_ddd0e23f | Windows |
This strike sends a malware sample known as LokiBot. LokiBot is an information-stealing malware designed to siphon off sensitive information stored on an infected device. It is modular in nature, supporting the theft of sensitive information from a number of popular applications. It is commonly pushed via malicious documents delivered in spam emails. | ddd0e23fed0e19f7cd079acc1d6e546c | https://blog.talosintelligence.com/2021/07/threat-roundup-0702-0709.html | SHA256: 92ddf9f9142148776671e1cceda92ec02ba5a846778f08c9179d7a1a89d2b576 | SHA1: b6f0beeec5532a777dbe61726b2c5031bf6d80d1 | MD5: ddd0e23fed0e19f7cd079acc1d6e546c |
M21-0ac11 | Formbook_800b669f | Windows |
This strike sends a malware sample known as Formbook. Formbook is an information stealer that attempts to collect sensitive information from the target. | 800b669f5722ce9be29327319cd98f03 | https://blog.talosintelligence.com/2021/07/threat-roundup-0625-0702.html | SHA256: 1d84d1a99b7add79357e2b8470f97473ff2b7630853266a46f86b360dc23eb58 | SHA1: 3f669fc8dc8713c807022539d5916641472337aa | MD5: 800b669f5722ce9be29327319cd98f03 |
M21-700j1 | Hupigon_1a979031 | Windows |
This strike sends a malware sample known as Hupigon. Hupigon is a family of trojans that allow a remote user to execute commands on the system, such as deleting files and folders, downloading and executing files, and terminating processes. | 1a9790316f17c8a39dd67772f78ba2bd | https://blog.talosintelligence.com/2021/07/threat-roundup-for-july-9-to-july-16.html | SHA256: 122a04e621b147df461f23cdc10ff45d877c18a5eb97c64f3a33ff2d713c7139 | SHA1: 01e7714ceccf7f156bf3eb5311b6679c6f05c459 | MD5: 1a9790316f17c8a39dd67772f78ba2bd |
M21-7kgh1 | LockBit_a04a99d9 | Windows |
This strike sends a malware sample known as LockBit. LockBit is a ransomware that once executed will encrypt the system files until a ransom payment has been made to the attacker. LockBit can scan and spread itself to all targets it finds on a network. | a04a99d946fb08b2f65ba664ad7faebd | https://www.prodaft.com/m/reports/LockBit_Case_Report___TLPWHITE.pdfhttps://www.mcafee.com/blogs/other-blogs/mcafee-labs/tales-from-the-trenches-a-lockbit-ransomware-story/https://www.bleepingcomputer.com/news/security/ransomware-gangs-now-creating-websites-to-recruit-affiliates/SHA256: faa3453ceb1bd4e5b0b10171eaa908e56e7275173178010fcc323fdea67a6869SHA1: 1fe7e2f8fbd98d6b5505fd9ee66da5b4f11720a1MD5: a04a99d946fb08b2f65ba664ad7faebd |
M21-a09j1 | Formbook_4131d35e | Windows |
This strike sends a malware sample known as Formbook. This malicious sample is known as Formbook. Formbook is an information stealer that attempts to collect sensitive information from the target. | 4131d35ec6a865907eddcb8faa8cce33 | https://blog.talosintelligence.com/2021/07/threat-roundup-0625-0702.htmlSHA256: 7f98741e8dbf35c91d3a06b890343c392f90f43ada2765b9ebf5918581e35385SHA1: eaf6e41431c6f4859133a6a49e483203c3ed49f5MD5: 4131d35ec6a865907eddcb8faa8cce33 |
M21-yeks1 | Formbook_4d3c739b | Windows |
This strike sends a malware sample known as Formbook. This malicious sample is known as Formbook. Formbook is an information stealer that attempts to collect sensitive information from the target. | 4d3c739bab68b3eea8cd032aef303525 | https://blog.talosintelligence.com/2021/07/threat-roundup-0625-0702.htmlSHA256: 4ea09532da8004377ffcdc400fc8e96c90a836cc83caa394a62bfd865c8e7425SHA1: a3da1e48715faa85a3fd813c186f7484d4073036MD5: 4d3c739bab68b3eea8cd032aef303525 |
M21-gqwj1 | LokiBot_9a1f1689 | Windows |
This strike sends a malware sample known as LokiBot. Lokibot is an information-stealing malware designed to siphon off sensitive information stored on an infected device. It is modular in nature, supporting the ability to steal sensitive information from a number of popular applications. It is commonly pushed via malicious documents delivered via spam emails. | 9a1f1689b94d59c040af83f496ba5bbb | https://blog.talosintelligence.com/2021/07/threat-roundup-0702-0709.htmlSHA256: 478ef5fa2a46f98298605b91bd4fe42cb244afba3b4782e18bb12f6a084b9609SHA1: 2d7446e076b1ce495f65ec6ee1f520f22835edafMD5: 9a1f1689b94d59c040af83f496ba5bbb |
M21-62nr1 | LockBit_207718c9 | Windows |
This strike sends a malware sample known as LockBit. LockBit is a ransomware that once executed will encrypt the system files until a ransom payment has been made to the attacker. LockBit can scan and spread itself to all targets it finds on a network. | 207718c939673a5f674ce51f402cfc06 | https://www.prodaft.com/m/reports/LockBit_Case_Report___TLPWHITE.pdfhttps://www.mcafee.com/blogs/other-blogs/mcafee-labs/tales-from-the-trenches-a-lockbit-ransomware-story/https://www.bleepingcomputer.com/news/security/ransomware-gangs-now-creating-websites-to-recruit-affiliates/SHA256: 26b6a9fecfc9d4b4b2c2ff02885b257721687e6b820f72cf2e66c1cae2675739SHA1: 791f60a24f9b6589a2afed48b3ec17fad43bc1dbMD5: 207718c939673a5f674ce51f402cfc06 |
M21-suhh1 | Bandidos_808ffbe3 | Windows |
This strike sends a polymorphic malware sample known as Bandidos. Recently this campaign was largely found targeting Venezuela and Spanish speaking countries. Infection occurs when malicious emails are sent with a PDF document to their victims. Once the PDF is opened and the link clicked an archive is retrieved with a dropper that injects Bandook into Internet Explorer. The Bandidos payload has many features including manipulating files, taking screenshots, controlling the user cursor on screen, installing additional DLLs, uninstalling itself, and exfiltrating data. This sample is the Dropper.The binary has random contents appended in one of the existing sections in the PE file format. | 808ffbe38c037d877279779ea356e0a4 | https://www.welivesecurity.com/2021/07/07/bandidos-at-large-spying-campaign-latin-america/https://thehackernews.com/2021/07/experts-uncover-malware-attacks.htmlSHA256: 271f9ea13701efddee8d2c77080dcd54d02b2928d81a425963bb84bc0f56d6f5https://arxiv.org/abs/1801.08917PARENTID: M21-wp9r1SSDEEP: 24576:wEZ4iqYQk5zZrikTtPUiwkC02g+fTqPUf/SWKfL7gg6PQVqa9qSb:wEFQRk0TVkQxPQo9SHA1: 832257a0c6a243da209e4a6bb8feb087d13e557dMD5: 808ffbe38c037d877279779ea356e0a4 |
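Turning rows like the ones above into a hash blocklist is the first thing a SOC does with a strike list, and the reference column is awkward to consume: in some extractions of this list the URLs and the SHA256, SHA1, MD5, PARENTID and SSDEEP values run together without separators. The Python below is an added example, not tooling from the strike list's publisher. It pairs each ID row with the detail row that follows, pulls out every URL and labelled hash whether the column is spaced or run together, checks each record for internal consistency (the MD5 column equals the MD5 field, the name suffix is the MD5 prefix, a polymorphic sample names its PARENTID) and groups variants under their parent strike. The three rows embedded as input are abbreviated copies of rows from this list; their hashes are copied verbatim, the descriptions are shortened.

```python
"""Parse strike rows like the ones on this page into IOC records and check
them for internal consistency. Standard library only. The embedded rows are
abbreviated copies of three rows from this list (hashes copied verbatim);
the parser is an added example, not tooling from the list's publisher."""
import re

ID_ROW = re.compile(r"^(M\d\d-\w+)\s*\|\s*(\S+)\s*\|\s*(\w+)\s*\|\s*$")
LABEL = r"(?:SHA256|SHA1|MD5|PARENTID|SSDEEP):"
# A value ends at whitespace, the next URL, the next label, a pipe or end of line,
# so a run-together "...htmlSHA256: ...SHA1: ..." column parses like a spaced one.
STOP = r"(?=\s|https?://|" + LABEL + r"|\||$)"
URL_RE = re.compile(r"https?://\S+?" + STOP)
FIELD_RE = {
    "sha256": re.compile(r"SHA256:\s*([0-9a-fA-F]{64})"),
    "sha1": re.compile(r"SHA1:\s*([0-9a-fA-F]{40})"),
    "md5": re.compile(r"MD5:\s*([0-9a-fA-F]{32})"),
    "parent_id": re.compile(r"PARENTID:\s*(M\d\d-\w+?)" + STOP),
    "ssdeep": re.compile(r"SSDEEP:\s*(\d+:[A-Za-z0-9+/]*?:[A-Za-z0-9+/]*?)" + STOP),
}

# Constructed input: three rows from this list, descriptions shortened, hashes verbatim.
# Rows 1 and 2 keep the run-together reference column; row 3 is space-separated.
ROWS = """\
M21-lla91 | LokiBot_ddd0e23f | Windows |
This strike sends a malware sample known as LokiBot. | ddd0e23fed0e19f7cd079acc1d6e546c | https://blog.talosintelligence.com/2021/07/threat-roundup-0702-0709.htmlSHA256: 92ddf9f9142148776671e1cceda92ec02ba5a846778f08c9179d7a1a89d2b576SHA1: b6f0beeec5532a777dbe61726b2c5031bf6d80d1MD5: ddd0e23fed0e19f7cd079acc1d6e546c |
M21-suhh1 | Bandidos_808ffbe3 | Windows |
This strike sends a polymorphic malware sample known as Bandidos. | 808ffbe38c037d877279779ea356e0a4 | https://www.welivesecurity.com/2021/07/07/bandidos-at-large-spying-campaign-latin-america/https://thehackernews.com/2021/07/experts-uncover-malware-attacks.htmlSHA256: 271f9ea13701efddee8d2c77080dcd54d02b2928d81a425963bb84bc0f56d6f5https://arxiv.org/abs/1801.08917PARENTID: M21-wp9r1SSDEEP: 24576:wEZ4iqYQk5zZrikTtPUiwkC02g+fTqPUf/SWKfL7gg6PQVqa9qSb:wEFQRk0TVkQxPQo9SHA1: 832257a0c6a243da209e4a6bb8feb087d13e557dMD5: 808ffbe38c037d877279779ea356e0a4 |
M21-puta1 | Babuk | Windows |
This strike sends a malware sample known as Babuk Locker. | cafe07d8c34108007372bd8df42d9ef9 | https://www.bleepingcomputer.com/news/security/leaked-babuk-locker-ransomware-builder-used-in-new-attacks/ SHA256: 6103e26f6f9d5fd895d9c06e1f5e141ce74d8ebda999cda6a58a4393de5ed094 SHA1: f137ab4384d071ab51c746f9de976aeea81fb2e6 MD5: cafe07d8c34108007372bd8df42d9ef9 |
"""


def parse_rows(text: str) -> list:
    """Pair each ID row with the detail row after it; extract description,
    MD5 column, every URL and every labelled hash into one record."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    records = []
    for i in range(len(lines) - 1):
        m = ID_ROW.match(lines[i])
        if not m:
            continue
        strike_id, name, platform = m.groups()
        parts = [p.strip() for p in lines[i + 1].strip("|").split("|")]
        if len(parts) < 3:
            continue
        description, md5_column, refs = parts[0], parts[1].lower(), parts[2]
        rec = {"strike_id": strike_id, "name": name, "platform": platform,
               "family": name.split("_")[0], "description": description,
               "md5_column": md5_column, "polymorphic": "polymorphic" in description,
               "references": URL_RE.findall(refs)}
        for key, rx in FIELD_RE.items():
            hit = rx.search(refs)
            rec[key] = hit.group(1) if hit else None
        for key in ("sha256", "sha1", "md5"):
            rec[key] = rec[key].lower() if rec[key] else None
        records.append(rec)
    return records


def check_records(records: list) -> list:
    """Internal consistency: MD5 column equals the MD5 field, the name suffix
    is the MD5 prefix, polymorphic variants name a parent, all hashes present."""
    issues = []
    for r in records:
        sid = r["strike_id"]
        if r["md5"] != r["md5_column"]:
            issues.append("%s: MD5 column %s != MD5 field %s" % (sid, r["md5_column"], r["md5"]))
        suffix = r["name"].rsplit("_", 1)[1] if "_" in r["name"] else None
        if suffix and r["md5"] and not r["md5"].startswith(suffix.lower()):
            issues.append("%s: name suffix %s is not the MD5 prefix" % (sid, suffix))
        if r["polymorphic"] and not r["parent_id"]:
            issues.append("%s: polymorphic sample without PARENTID" % sid)
        if not (r["sha256"] and r["sha1"] and r["md5"]):
            issues.append("%s: missing hash" % sid)
    return issues


def variants_by_parent(records: list) -> dict:
    """Group polymorphic variants under the strike they were derived from."""
    groups = {}
    for r in records:
        if r["parent_id"]:
            groups.setdefault(r["parent_id"], []).append(r["strike_id"])
    return groups


def sha256_blocklist(records: list) -> list:
    """Deduplicated SHA256 values, the hash most blocklists key on."""
    return sorted({r["sha256"] for r in records if r["sha256"]})


if __name__ == "__main__":
    recs = parse_rows(ROWS)
    print("issues:", check_records(recs) or "none")
    print("variants:", variants_by_parent(recs))
    print("\n".join(sha256_blocklist(recs)))
```

The lazy matches with a lookahead for the next label are what make the run-together column safe to parse: a greedy `\w+` after PARENTID would swallow the following SSDEEP label, and an unanchored base64 match for the ssdeep value would swallow the following SHA1 label. The consistency checks are cheap and worth running on every import, because a hash that fails them usually means the row was damaged in extraction rather than that the sample is different.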
M21-y75j1 | Formbook_bea316e0 | Windows |
This strike sends a malware sample known as Formbook. Formbook is an information stealer that collects sensitive data such as browser and email credentials, keystrokes and clipboard contents from the infected host. | bea316e056c7db49d33b4fbfdc052504 | https://blog.talosintelligence.com/2021/07/threat-roundup-0625-0702.html SHA256: 85e2ee6d0a2fb9833421a85012326f028f291172b55ec3d0ce7c93464f238d58 SHA1: aae0ab12fa0cc86085e6d6354ad08edf6e988b07 MD5: bea316e056c7db49d33b4fbfdc052504 |
M21-pwf41 | LockBit_1f4f6abf | Windows |
This strike sends a malware sample known as LockBit. LockBit is ransomware that, once executed, encrypts the files on the system and demands a ransom payment in exchange for decryption. LockBit can scan the network and spread itself to every host it finds. | 1f4f6abfced4c347ba951a04c8d86982 | https://www.prodaft.com/m/reports/LockBit_Case_Report___TLPWHITE.pdf https://www.mcafee.com/blogs/other-blogs/mcafee-labs/tales-from-the-trenches-a-lockbit-ransomware-story/ https://www.bleepingcomputer.com/news/security/ransomware-gangs-now-creating-websites-to-recruit-affiliates/ SHA256: 1b109db549dd0bf64cadafec575b5895690760c7180a4edbf0c5296766162f18 SHA1: a4c486b0926f55e99d12f749135612602cc4bf64 MD5: 1f4f6abfced4c347ba951a04c8d86982 |
M21-87ek1 | Formbook_970841bd | Windows |
This strike sends a malware sample known as Formbook. Formbook is an information stealer that collects sensitive data such as browser and email credentials, keystrokes and clipboard contents from the infected host. | 970841bdc961619f7665e347ef1806b1 | https://blog.talosintelligence.com/2021/07/threat-roundup-0625-0702.html SHA256: 9e424316353fbc89681166a6ef69b2edd31739ae5d8d72a9ab7f516ce50c9b3c SHA1: d67e1162c3dc43dc6390bb08d9fb043b72bece44 MD5: 970841bdc961619f7665e347ef1806b1 |
M21-zs0s1 | Hupigon_53b1c580 | Windows |
This strike sends a malware sample known as Hupigon. Hupigon is a family of backdoor trojans that let a remote operator execute commands on the compromised system, such as deleting files and folders, downloading and executing files, and terminating processes. | 53b1c580939176a264a724ba4c2493bc | https://blog.talosintelligence.com/2021/07/threat-roundup-for-july-9-to-july-16.html SHA256: d18db2acffcf7dbd5d9ba8a3574b51b9d3d363dde772ab4232c4a59cf38116a5 SHA1: a7c282667b55d5c8ad3fd10c2f49f1cfe03d7a72 MD5: 53b1c580939176a264a724ba4c2493bc |
M21-e76y1 | Hupigon_df66e570 | Windows |
This strike sends a malware sample known as Hupigon. Hupigon is a family of backdoor trojans that let a remote operator execute commands on the compromised system, such as deleting files and folders, downloading and executing files, and terminating processes. | df66e570b2140d6bd39e75c7bbf26ed9 | https://blog.talosintelligence.com/2021/07/threat-roundup-for-july-9-to-july-16.html SHA256: 0887cf712624021a19c81f7d56fd7f962a0c81711888f1dfbebc4e8362e4a4d3 SHA1: 70b00bb6c86a32de6175cf7b0a4457d3d7009bb0 MD5: df66e570b2140d6bd39e75c7bbf26ed9 |
M21-o19a1 | Formbook_8ec040b5 | Windows |
This strike sends a malware sample known as Formbook. Formbook is an information stealer that collects sensitive data such as browser and email credentials, keystrokes and clipboard contents from the infected host. | 8ec040b599ca27c33a5503834d0b666f | https://blog.talosintelligence.com/2021/07/threat-roundup-0625-0702.html SHA256: 439341e4b6ef8081dace5531a98a018c31ba3b83a8b58c248db3f9aaa6248e79 SHA1: 0702bd3d9c535fe5a17b0ebb07703135f888c3d0 MD5: 8ec040b599ca27c33a5503834d0b666f |
M21-puta1 | Babuk | Windows |
This strike sends a malware sample known as Babuk Locker. Babuk is ransomware that first appeared in early 2021. The builder used to create these ransomware samples has since leaked and been seen generating payloads in other attacks; the samples it produces are referred to as Babuk Locker. | cafe07d8c34108007372bd8df42d9ef9 | https://www.bleepingcomputer.com/news/security/leaked-babuk-locker-ransomware-builder-used-in-new-attacks/ SHA256: 6103e26f6f9d5fd895d9c06e1f5e141ce74d8ebda999cda6a58a4393de5ed094 SHA1: f137ab4384d071ab51c746f9de976aeea81fb2e6 MD5: cafe07d8c34108007372bd8df42d9ef9 |
M21-wa9s1 | LokiBot_75aa607a | Windows |
This strike sends a malware sample known as LokiBot. LokiBot is an information stealer designed to siphon off sensitive data stored on an infected device. It is modular, able to steal credentials from a number of popular applications, and is commonly delivered through malicious documents attached to spam email. | 75aa607a9f8bf2af141de19a41b0bd94 | https://blog.talosintelligence.com/2021/07/threat-roundup-0702-0709.html SHA256: 9c260f46248c726184ce9eee75b5322d19e2cb82a0b8d51b32338b358b433168 SHA1: 56bd2e24a29e4328d1da2f16737679401267dda2 MD5: 75aa607a9f8bf2af141de19a41b0bd94 |
M21-gj2f1 | Hupigon_05fa4098 | Windows |
This strike sends a malware sample known as Hupigon. Hupigon is a family of backdoor trojans that let a remote operator execute commands on the compromised system, such as deleting files and folders, downloading and executing files, and terminating processes. | 05fa4098d6102c38982ed2bb55ac21d6 | https://blog.talosintelligence.com/2021/07/threat-roundup-for-july-9-to-july-16.html SHA256: 972507d6a5e780d3428e330fd1df06fc30d90a7a5079b5e22100a46ed4be5e99 SHA1: 0ff99b174bd201322ab68d382258998483fa2ae7 MD5: 05fa4098d6102c38982ed2bb55ac21d6 |
M21-stnz1 | LokiBot_2c4b9f71 | Windows |
This strike sends a malware sample known as LokiBot. LokiBot is an information stealer designed to siphon off sensitive data stored on an infected device. It is modular, able to steal credentials from a number of popular applications, and is commonly delivered through malicious documents attached to spam email. | 2c4b9f716576fd4687556af2aa882e1f | https://blog.talosintelligence.com/2021/07/threat-roundup-0702-0709.html SHA256: 7f6713ee87745196c893023e32b845a9c2d16994d0913d222a4dad64268c6bd0 SHA1: 1f2851384d0eb2750b1c9a14dad293250f180c7c MD5: 2c4b9f716576fd4687556af2aa882e1f |
M21-2lfa1 | Bandidos_c1a93313 | Windows |
This strike sends a polymorphic malware sample known as Bandidos. Bandidos is a spying campaign recently found targeting mainly Venezuela and other Spanish-speaking countries. Infection starts with a malicious email carrying a PDF document; when the PDF is opened and its link clicked, an archive is retrieved containing a dropper that injects the Bandook backdoor into Internet Explorer. The Bandook payload supports manipulating files, taking screenshots, controlling the user's cursor, installing additional DLLs, uninstalling itself and exfiltrating data. This sample is the dropper. This polymorphic variant has the checksum field in the PE optional header cleared. | c1a933139452f8672e4810333a3d43db | https://www.welivesecurity.com/2021/07/07/bandidos-at-large-spying-campaign-latin-america/ https://thehackernews.com/2021/07/experts-uncover-malware-attacks.html https://arxiv.org/abs/1801.08917 PARENTID: M21-wp9r1 SSDEEP: 24576:wEZ4iqYQk5zZrikTtPUZwkC02g+fTqPUf/SWKfL7gg6PQVqa9qSb:wEFQ6k0TVkQxPQo9 SHA256: 8a741eabfe6e3a2da048e253cdbbb23b07d9970ad177a4a960aab30e50ca2b78 SHA1: 7bf0ed9d4da54ab5f5e8ede94a0a292679213c98 MD5: c1a933139452f8672e4810333a3d43db |
M21-4qzb1 | Hupigon_7937c41d | Windows |
This strike sends a malware sample known as Hupigon. Hupigon is a family of backdoor trojans that let a remote operator execute commands on the compromised system, such as deleting files and folders, downloading and executing files, and terminating processes. | 7937c41d346e489bbe34bc996fc11455 | https://blog.talosintelligence.com/2021/07/threat-roundup-for-july-9-to-july-16.html SHA256: 24925d89fa4f576a7e76aefcf1c58e78cfad728e03d2b6b12d663bcacb1427e5 SHA1: 18d705fab9d43925897b73a3944c623e15463063 MD5: 7937c41d346e489bbe34bc996fc11455 |
M21-8i9y1 | LockBit_c0cacc5b | Windows |
This strike sends a malware sample known as LockBit. LockBit is ransomware that, once executed, encrypts the files on the system and demands a ransom payment in exchange for decryption. LockBit can scan the network and spread itself to every host it finds. | c0cacc5bf97b854b6025fe0973dc076f | https://www.prodaft.com/m/reports/LockBit_Case_Report___TLPWHITE.pdf https://www.mcafee.com/blogs/other-blogs/mcafee-labs/tales-from-the-trenches-a-lockbit-ransomware-story/ https://www.bleepingcomputer.com/news/security/ransomware-gangs-now-creating-websites-to-recruit-affiliates/ SHA256: 15a7d528587ffc860f038bb5be5e90b79060fbba5948766d9f8aa46381ccde8a SHA1: 0cc92cccebed351b1b5e6b28082af5e00da28678 MD5: c0cacc5bf97b854b6025fe0973dc076f |
M21-zzdj1 | LokiBot_3d699bcf | Windows |
This strike sends a malware sample known as LokiBot. LokiBot is an information stealer designed to siphon off sensitive data stored on an infected device. It is modular, able to steal credentials from a number of popular applications, and is commonly delivered through malicious documents attached to spam email. | 3d699bcfc5b1f7f20ed2668c45e8ddcc | https://blog.talosintelligence.com/2021/07/threat-roundup-0702-0709.html SHA256: 230a3f0ff1c9e59f20339884840ab9a55443ee8bde8c0a6abf136896339e78c3 SHA1: 8e5a166ca1828b69caf55ca4e89b9650b5aa047a MD5: 3d699bcfc5b1f7f20ed2668c45e8ddcc |
M21-a14w1 | LokiBot_f977b8f3 | Windows |
This strike sends a malware sample known as LokiBot. LokiBot is an information stealer designed to siphon off sensitive data stored on an infected device. It is modular, able to steal credentials from a number of popular applications, and is commonly delivered through malicious documents attached to spam email. | f977b8f3919dc992d6ffe3fd0505815a | https://blog.talosintelligence.com/2021/07/threat-roundup-0702-0709.html SHA256: b388b10e26fee484e4fd855a95e917a00e1dabe7f626636a45d235c8749e80ce SHA1: f7ce396d2d655220b87a762d42c88384771c2c0b MD5: f977b8f3919dc992d6ffe3fd0505815a |
M21-bfr31 | Babuk | Windows |
This strike sends a malware sample known as Babuk Locker. Babuk is ransomware that first appeared in early 2021. The builder used to create these ransomware samples has since leaked and been seen generating payloads in other attacks; the samples it produces are referred to as Babuk Locker. | ebe7bf69eceb80d155d7a16b8c61e15c | https://www.bleepingcomputer.com/news/security/leaked-babuk-locker-ransomware-builder-used-in-new-attacks/ SHA256: 678bfbf5d73d6cf38532e11b11dbed17668d94711e2e2ea27311dd46490201b7 SHA1: 5c8b0a23360420c33fb89e100fb996215a795a1f MD5: ebe7bf69eceb80d155d7a16b8c61e15c |
M21-ojyu1 | LockBit_1fbef2a9 | Windows |
This strike sends a malware sample known as LockBit. LockBit is ransomware that, once executed, encrypts the files on the system and demands a ransom payment in exchange for decryption. LockBit can scan the network and spread itself to every host it finds. | 1fbef2a9007eb0e32fb586e0fca3f0e7 | https://www.prodaft.com/m/reports/LockBit_Case_Report___TLPWHITE.pdf https://www.mcafee.com/blogs/other-blogs/mcafee-labs/tales-from-the-trenches-a-lockbit-ransomware-story/ https://www.bleepingcomputer.com/news/security/ransomware-gangs-now-creating-websites-to-recruit-affiliates/ SHA256: 0f178bc093b6b9d25924a85d9a7dde64592215599733e83e3bbc6df219564335 SHA1: 3e86304198d1185a36834e59147fc767315d8678 MD5: 1fbef2a9007eb0e32fb586e0fca3f0e7 |
M21-sl6h1 | Hupigon_1600de31 | Windows |
This strike sends a malware sample known as Hupigon. Hupigon is a family of backdoor trojans that let a remote operator execute commands on the compromised system, such as deleting files and folders, downloading and executing files, and terminating processes. | 1600de312560e6b773d382413aa70e74 | https://blog.talosintelligence.com/2021/07/threat-roundup-for-july-9-to-july-16.html SHA256: 0c1f827e80c419173cb9d52ceb62a2e9d1a7388e296ab92d554d82c0ac935339 SHA1: be84852cd1897d65e79e3c669aeb8f0238e6e49b MD5: 1600de312560e6b773d382413aa70e74 |
M21-woo21 | LockBit_0859a78b | Windows |
This strike sends a malware sample known as LockBit. LockBit is ransomware that, once executed, encrypts the files on the system and demands a ransom payment in exchange for decryption. LockBit can scan the network and spread itself to every host it finds. | 0859a78bb06a77e7c6758276eafbefd9 | https://www.prodaft.com/m/reports/LockBit_Case_Report___TLPWHITE.pdf https://www.mcafee.com/blogs/other-blogs/mcafee-labs/tales-from-the-trenches-a-lockbit-ransomware-story/ https://www.bleepingcomputer.com/news/security/ransomware-gangs-now-creating-websites-to-recruit-affiliates/ SHA256: ffbb6c4d8d704a530bdd557890f367ad904c09c03f53fda5615a7208a0ea3e4d SHA1: a72e18efa33f1e3438dbb4451c335d487cbd4082 MD5: 0859a78bb06a77e7c6758276eafbefd9 |
M21-yf5g1 | REvil_835f242d | Windows |
This strike sends a malware sample known as REvil. In July 2021 a supply-chain ransomware attack that leveraged an SQL injection vulnerability in Kaseya VSA software was carried out against multiple MSPs and their customers. The ransomware used in the attack, REvil (also known as Sodinokibi), was pushed to those customers as a malicious automated update. | 835f242dde220cc76ee5544119562268 | https://securityscorecard.com/blog/agent-revil-unveiled-in-kaseya-vsa-ransomware-attack SHA256: dc6b0e8c1e9c113f0364e1c8370060dee3fcbe25b667ddeca7623a95cd21411f SHA1: 8118474606a68c03581eef85a05a90275aa1ec24 MD5: 835f242dde220cc76ee5544119562268 |
M21-z93m1 | REvil_ce1eefe4 | Windows |
This strike sends a polymorphic malware sample known as REvil. In July 2021 a supply-chain ransomware attack that leveraged an SQL injection vulnerability in Kaseya VSA software was carried out against multiple MSPs and their customers. The ransomware used in the attack, REvil (also known as Sodinokibi), was pushed to those customers as a malicious automated update. This polymorphic variant has random content appended to one of the existing sections of the PE file. | ce1eefe48010f4946cf45ffd6c4bebfa | https://securityscorecard.com/blog/agent-revil-unveiled-in-kaseya-vsa-ransomware-attack https://arxiv.org/abs/1801.08917 PARENTID: M21-2zn41 SSDEEP: 1536:Nxd+ReKXU/MQaL7k0B/L7s+Zi+GrZxtQpfyHvtICS4A4UdZls8XzUXiWr4X5F4GC:NtchTojrZxtMhiiZHjUyWr4X5FTDU SHA256: 1c72875191a80e6e69d6e6c2edda738ad206767979851cfbb18dc0398ea191e4 SHA1: 18522badae740c53c22b0b05f58a233d390caab6 MD5: ce1eefe48010f4946cf45ffd6c4bebfa |
M21-14uf1 | Formbook_376dd288 | Windows |
This strike sends a malware sample known as Formbook. Formbook is an information stealer that collects sensitive data such as browser and email credentials, keystrokes and clipboard contents from the infected host. | 376dd2886e40bf04651900326d436943 | https://blog.talosintelligence.com/2021/07/threat-roundup-0625-0702.html SHA256: 6d009d7e9c6efaf020a6336b3da9022ba552782794e36c112b67142a64394524 SHA1: 2a5cd3de009757e7d5521e0f746f0a0dddcdd39c MD5: 376dd2886e40bf04651900326d436943 |
M21-mj1g1 | Hupigon_4c37493e | Windows |
This strike sends a malware sample known as Hupigon. Hupigon is a family of backdoor trojans that let a remote operator execute commands on the compromised system, such as deleting files and folders, downloading and executing files, and terminating processes. | 4c37493e8bd5bd0e734e252aa0be12e5 | https://blog.talosintelligence.com/2021/07/threat-roundup-for-july-9-to-july-16.html SHA256: 91fab5bfa3982e9ecc19cb3e82826706cf4c3ada3d3e0d7f0e222affd16aee8d SHA1: e9f3d9b59ca3c2b1528cce323e463b0174f02b60 MD5: 4c37493e8bd5bd0e734e252aa0be12e5 |
M21-qlr01 | Babuk | Windows |
This strike sends a polymorphic malware sample known as Babuk Locker. Babuk is ransomware that first appeared in early 2021. The builder used to create these ransomware samples has since leaked and been seen generating payloads in other attacks; the samples it produces are referred to as Babuk Locker. This polymorphic variant has the TimeDateStamp field in the PE file header modified. | 61bf40aa7be7bac60efcec70058af30b | https://www.bleepingcomputer.com/news/security/leaked-babuk-locker-ransomware-builder-used-in-new-attacks/ https://attack.mitre.org/techniques/T1099/ PARENTID: M21-uph51 SSDEEP: 1536:Esxl39LgCRQ1+N+srQLOJgY8ZZP8LHD4XWaNH71dLdG1iiFM2iG2hV:EsD9LgWy+N+srQLOJgY8Zp8LHD4XWaN7 SHA256: 140bfc9a42927e502c03098d117b58b5b460177584981085a8f28f0065316197 SHA1: 45d4bba2b22cf749bb7d57996f76b58b17424540 MD5: 61bf40aa7be7bac60efcec70058af30b |
M21-bqce1 | Babuk | Windows |
This strike sends a polymorphic malware sample known as Babuk Locker. Babuk is ransomware that first appeared in early 2021. The builder used to create these ransomware samples has since leaked and been seen generating payloads in other attacks; the samples it produces are referred to as Babuk Locker. This polymorphic variant has random content appended to one of the existing sections of the PE file. | cb95970ab2c06f8695a4741fe055ec25 | https://www.bleepingcomputer.com/news/security/leaked-babuk-locker-ransomware-builder-used-in-new-attacks/ https://arxiv.org/abs/1801.08917 PARENTID: M21-zzq81 SSDEEP: 1536:IK36UhZM4hubesrQLOJgY8ZZP8LHD4XWaNH71dLdG1iiFM2iG2zs4:IKLhZ5YesrQLOJgY8Zp8LHD4XWaNH71m SHA256: 65b6fdf2b035df1519ee661179ba6b2e699841fafcde4efd2af122d364294ed4 SHA1: aade7e003de8cb530ebf80bb8a72f40a927772e6 MD5: cb95970ab2c06f8695a4741fe055ec25 |
M21-ot461 | LokiBot_92ccd05c | Windows |
This strike sends a malware sample known as LokiBot. LokiBot is an information stealer designed to siphon off sensitive data stored on an infected device. It is modular, able to steal credentials from a number of popular applications, and is commonly delivered through malicious documents attached to spam email. | 92ccd05c0b161385f503bd62c2f87995 | https://blog.talosintelligence.com/2021/07/threat-roundup-0702-0709.html SHA256: 18366411246d9657db902a2d554f01318c29b943986d69c7834e5c48cdbdac1f SHA1: a669798255c6c96e020a302838ab708311c9e206 MD5: 92ccd05c0b161385f503bd62c2f87995 |
M21-5tad1 | REvil_b7ba5484 | Windows |
This strike sends a malware sample known as REvil. In July 2021 a supply-chain ransomware attack that leveraged an SQL injection vulnerability in Kaseya VSA software was carried out against multiple MSPs and their customers. The ransomware used in the attack, REvil (also known as Sodinok, was pushed to those customers as a malicious automated update. | b7ba5484a95ceec8374f49c21212853c | https://securityscorecard.com/blog/agent-revil-unveiled-in-kaseya-vsa-ransomware-attack SHA256: 94379bb2c305a5754d60ae3d27daf5f7f4758ed3dad21ee1969640fd9e84e83f SHA1: a942aec58910ad72eff293d926fe9943397eb1a7 MD5: b7ba5484a95ceec8374f49c21212853c |
M21-esl01 | Hupigon_8d7a6e0a | Windows |
This strike sends a malware sample known as Hupigon. Hupigon is a family of backdoor trojans that let a remote operator execute commands on the compromised system, such as deleting files and folders, downloading and executing files, and terminating processes. | 8d7a6e0a188f39c414d6b8e40880a9cf | https://blog.talosintelligence.com/2021/07/threat-roundup-for-july-9-to-july-16.html SHA256: 03b0c0d7138eb07333b6561adb2f8c931a9a5df23773cdc743ac16eee97d2c72 SHA1: cdacd70f847e2dcabccaa29fd92e89b2b2d676ba MD5: 8d7a6e0a188f39c414d6b8e40880a9cf |
M21-b61d1 | Formbook_783a8f3a | Windows |
This strike sends a malware sample known as Formbook. Formbook is an information stealer that collects sensitive data such as browser and email credentials, keystrokes and clipboard contents from the infected host. | 783a8f3a3d9f1f92e310775bc1bc3bf3 | https://blog.talosintelligence.com/2021/07/threat-roundup-0625-0702.html SHA256: 66ce3bdcd391f238136f7b126f88bcbd6cebbebab1187083c4305bbb09ecfd55 SHA1: 423d3c2b4a235d0143a0d0177713f13073c4f5fc MD5: 783a8f3a3d9f1f92e310775bc1bc3bf3 |
M21-z0zi1 | Bandidos_0f31bba7 | Windows |
This strike sends a polymorphic malware sample known as Bandidos. Bandidos is a spying campaign recently found targeting mainly Venezuela and other Spanish-speaking countries. Infection starts with a malicious email carrying a PDF document; when the PDF is opened and its link clicked, an archive is retrieved containing a dropper that injects the Bandook backdoor into Internet Explorer. The Bandook payload supports manipulating files, taking screenshots, controlling the user's cursor, installing additional DLLs, uninstalling itself and exfiltrating data. This sample is the dropper. This polymorphic variant has random bytes appended at the end of the file. | 0f31bba7e0fe074a70230e5504ab1bc0 | https://www.welivesecurity.com/2021/07/07/bandidos-at-large-spying-campaign-latin-america/ https://thehackernews.com/2021/07/experts-uncover-malware-attacks.html https://attack.mitre.org/techniques/T1009/ PARENTID: M21-2klg1 SSDEEP: 49152:u435mcqM2uL8Ujfwkrk2vts5Allzg2NZPnz0:uhEfwk18Ay SHA256: 17af5974523db986f957c30dd46f70d0505670c21e2fef49642315413ac9394f SHA1: 9121403287fa121646fbdc5c99d3a38b1ba3b1e0 MD5: 0f31bba7e0fe074a70230e5504ab1bc0 |
M21-hl0o1 | REvil_c3afcdff | Windows |
This strike sends a malware sample known as REvil. In July 2021 a supply-chain ransomware attack that leveraged an SQL injection vulnerability in Kaseya VSA software was carried out against multiple MSPs and their customers. The ransomware used in the attack, REvil (also known as Sodinokibi), was pushed to those customers as a malicious automated update. | c3afcdffa4aeeee56b80cf2fd3c9758c | https://securityscorecard.com/blog/agent-revil-unveiled-in-kaseya-vsa-ransomware-attack SHA256: 9b46d03b690bda0df57c0ebb8dae0aebdd1d131beb500242fa8fe59cb260eed1 SHA1: e405c212107696a579494a67531ca5877956fac0 MD5: c3afcdffa4aeeee56b80cf2fd3c9758c |
M21-8cqv1 | LockBit_5761ee98 | Windows |
This strike sends a malware sample known as LockBit. LockBit is ransomware that, once executed, encrypts the files on the system and demands a ransom payment in exchange for decryption. LockBit can scan the network and spread itself to every host it finds. | 5761ee98b1c2fea31b5408516a8929ea | https://www.prodaft.com/m/reports/LockBit_Case_Report___TLPWHITE.pdf https://www.mcafee.com/blogs/other-blogs/mcafee-labs/tales-from-the-trenches-a-lockbit-ransomware-story/ https://www.bleepingcomputer.com/news/security/ransomware-gangs-now-creating-websites-to-recruit-affiliates/ SHA256: 0a937d4fe8aa6cb947b95841c490d73e452a3cafcd92645afc353006786aba76 SHA1: 4d043df23e55088bfc04c14dfb9ddb329a703cc1 MD5: 5761ee98b1c2fea31b5408516a8929ea |
M21-sfz31 | REvil_eabb9030 | Windows |
This strike sends a polymorphic malware sample known as REvil. In July 2021 a supply-chain ransomware attack that leveraged an SQL injection vulnerability in Kaseya VSA software was carried out against multiple MSPs and their customers. The ransomware used in the attack, REvil (also known as Sodinokibi), was pushed to those customers as a malicious automated update. This polymorphic variant has the TimeDateStamp field in the PE file header modified. | eabb90300cc0e02299681a93ad1db181 | https://securityscorecard.com/blog/agent-revil-unveiled-in-kaseya-vsa-ransomware-attack https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/diving-deeper-into-the-kaseya-vsa-attack-revil-returns-and-other-hackers-are-riding-their-coattails/ https://attack.mitre.org/techniques/T1099/ PARENTID: M21-x3mk1 SSDEEP: 24576:ZMz7ETDWX4XukZeVL/kYx9P/JY6gfjcsAE:mfF7k4pB/JYPIsAE SHA256: 60c689eedae4c93f8fe79ff356108897662cd0283bb2657c92e41b08a4abea27 SHA1: c84e3aac856dffe3e2831446e5461f7e205ee43b MD5: eabb90300cc0e02299681a93ad1db181 |
M21-jjwa1 | Bandidos_eb5f7076 | Windows |
This strike sends a polymorphic malware sample known as Bandidos. Bandidos is a spying campaign recently found targeting mainly Venezuela and other Spanish-speaking countries. Infection starts with a malicious email carrying a PDF document; when the PDF is opened and its link clicked, an archive is retrieved containing a dropper that injects the Bandook backdoor into Internet Explorer. The Bandook payload supports manipulating files, taking screenshots, controlling the user's cursor, installing additional DLLs, uninstalling itself and exfiltrating data. This sample is the dropper. This polymorphic variant has random content appended to one of the existing sections of the PE file. | eb5f7076a810e1dcd7797545f05e5664 | https://www.welivesecurity.com/2021/07/07/bandidos-at-large-spying-campaign-latin-america/ https://thehackernews.com/2021/07/experts-uncover-malware-attacks.html https://arxiv.org/abs/1801.08917 PARENTID: M21-i0lt1 SSDEEP: 24576:AfKzZ9+FcgTEGJR93oWUZ54a09K1dghmcaGw74MWW:AyytjKE3wh SHA256: bed5b6da3511ebc6f6cc295e840997065940c8b2d933c05f2bc2a3f88d9aeb65 SHA1: d83dbde426b548e8bb9ebdceb7f9a9d6a57f7146 MD5: eb5f7076a810e1dcd7797545f05e5664 |
M21-fs4p1 | Babuk | Windows |
This strike sends a polymorphic malware sample known as Babuk Locker. Babuk is ransomware that first appeared in early 2021. The builder used to create these ransomware samples has since leaked and been seen generating payloads in other attacks; the samples it produces are referred to as Babuk Locker. This polymorphic variant has the debug flag removed from the PE file. | a8c465b971bb6ccfc517cf132a97f16d | https://www.bleepingcomputer.com/news/security/leaked-babuk-locker-ransomware-builder-used-in-new-attacks/ https://arxiv.org/abs/1801.08917 PARENTID: M21-uph51 SSDEEP: 1536:Ysxl39LgCRQ1+N+srQLOJgY8ZZP8LHD4XWaNH71dLdG1iiFM2iG2hV:YsD9LgWy+N+srQLOJgY8Zp8LHD4XWaN7 SHA256: 0a5e95ab38058c4adb8b7bb3ed416c31b59a93d531356f6a7545fffcaa16a826 SHA1: 9bb397ce7c04cbf84858cd85f5ee9b3b42249d37 MD5: a8c465b971bb6ccfc517cf132a97f16d |
M21-uph51 | Babuk | Windows |
This strike sends a malware sample known as Babuk Locker. Babuk is ransomware that first appeared in early 2021. The builder used to create these ransomware samples has since leaked and been seen generating payloads in other attacks; the samples it produces are referred to as Babuk Locker. | d6fc9e993c69aceb7a5501641fc823fa | https://www.bleepingcomputer.com/news/security/leaked-babuk-locker-ransomware-builder-used-in-new-attacks/ SHA256: ed0f154481261e9a08dcc4f7e4d396bce75526811216106daa70d4148c660d76 SHA1: 7839b437b279d3f0ec22a57df7ea84ad01322c17 MD5: d6fc9e993c69aceb7a5501641fc823fa |
M21-2rdr1 | LokiBot_0a698e88 | Windows |
This strike sends a malware sample known as LokiBot. LokiBot is an information stealer designed to siphon off sensitive data stored on an infected device. It is modular, able to steal credentials from a number of popular applications, and is commonly delivered through malicious documents attached to spam email. | 0a698e8808618abeb1fbe9930d6d9fbc | https://blog.talosintelligence.com/2021/07/threat-roundup-0702-0709.html SHA256: 2002aa11f9d36098b9546376a0e21d0fb05161c772831a9254d21324dc94e5a2 SHA1: 4a3c8e24f859de38025d4c8c162950eaa2e415b9 MD5: 0a698e8808618abeb1fbe9930d6d9fbc |
M21-7lro1 | Bandidos_06d613cc | Windows |
This strike sends a polymorphic malware sample known as Bandidos. Bandidos is a spying campaign recently found targeting mainly Venezuela and other Spanish-speaking countries. Infection starts with a malicious email carrying a PDF document; when the PDF is opened and its link clicked, an archive is retrieved containing a dropper that injects the Bandook backdoor into Internet Explorer. The Bandook payload supports manipulating files, taking screenshots, controlling the user's cursor, installing additional DLLs, uninstalling itself and exfiltrating data. This sample is the dropper. This polymorphic variant has random bytes appended at the end of the file. | 06d613ccf59608145e0ef7235f9ff4c6 | https://www.welivesecurity.com/2021/07/07/bandidos-at-large-spying-campaign-latin-america/ https://thehackernews.com/2021/07/experts-uncover-malware-attacks.html https://attack.mitre.org/techniques/T1009/ PARENTID: M21-i0lt1 SSDEEP: 24576:ofKzZ9+FcgTEGJR93oWUZ54a09K1dghmcaGw74MWWY:oyytjKE3whC SHA256: 018a10ecea6b4315e863e4dedf88169330facf0cd8a3245d2415f2673b88c6d8 SHA1: 557f5ffc308635f71320c06fe5a1bfe16a96884c MD5: 06d613ccf59608145e0ef7235f9ff4c6 |
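The polymorphic rows above each name one change made to a parent sample: random bytes appended after the last section, random content appended inside an existing section, the PE checksum cleared, the TimeDateStamp rewritten, or the debug flag removed (the arXiv reference is the paper that catalogues these header-level evasions). All of them leave the program's behaviour alone while changing every cryptographic hash, which is why the rows carry an SSDEEP fuzzy hash and a PARENTID rather than relying on MD5 or SHA256 alone. The Python below is an added example, not code from the strike list or from the paper: using only the standard library it reads the header fields those mutations touch, recomputes the optional-header checksum, measures the overlay past the last section, and reports how a variant differs from its parent in the same terms the rows use. Because none of the listed samples can be shipped here, it builds a constructed, non-runnable PE32 stub as the parent and applies each mutation to it. Two assumptions are labelled in the code: the checksum routine expects the CheckSum field to be 4-byte aligned, which holds for any normally linked image, and "debug flag removed" is read as the IMAGE_DIRECTORY_ENTRY_DEBUG entry being zeroed, one plausible reading of the row's wording.

```python
"""Report the header-level PE mutations named by the polymorphic strikes
above: overlay appended, bytes appended to a section, CheckSum cleared,
TimeDateStamp rewritten, debug directory removed. Standard library only.
The input PE is a constructed, non-runnable stub, not a listed sample."""
import struct

FILE_ALIGN = 0x200
PE32_MAGIC = 0x10B
# PE32 optional header without the data directories: 96 bytes, 30 fields.
OPT_FMT = "<HBB" + "I" * 9 + "H" * 6 + "I" * 4 + "HH" + "I" * 6


def patched(data: bytes, fmt: str, offset: int, *values) -> bytes:
    """Copy of data with struct-packed values written at offset."""
    buf = bytearray(data)
    struct.pack_into(fmt, buf, offset, *values)
    return bytes(buf)


def checksum_offset(data: bytes) -> int:
    """File offset of IMAGE_OPTIONAL_HEADER.CheckSum (same for PE32 and PE32+)."""
    return struct.unpack_from("<I", data, 0x3C)[0] + 24 + 64


def pe_checksum(data: bytes, checksum_off: int) -> int:
    """Checksum as imagehlp's CheckSumMappedFile computes it: 32-bit word sum
    with end-around carry, skipping the CheckSum dword (assumed to be 4-byte
    aligned, true for normally linked images), folded to 16 bits, plus length."""
    padded = data + b"\x00" * (-len(data) % 4)
    total = 0
    for off in range(0, len(padded), 4):
        if off == checksum_off:
            continue
        total += struct.unpack_from("<I", padded, off)[0]
        total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    total = (total + (total >> 16)) & 0xFFFF
    return total + len(data)


def build_stub_pe(timestamp: int, debug_dir=(0x1000, 28)) -> bytes:
    """Constructed minimal PE32: DOS header, COFF header, optional header with
    16 data directories, one .text section of filler bytes, valid checksum."""
    dos = b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x40)              # e_lfanew = 0x40
    coff = b"PE\x00\x00" + struct.pack("<HHIIIHH", 0x14C, 1, timestamp, 0, 0, 224, 0x0102)
    opt = struct.pack(OPT_FMT, PE32_MAGIC, 14, 0, FILE_ALIGN, 0, 0, 0x1000, 0x1000, 0x2000,
                      0x400000, 0x1000, FILE_ALIGN, 6, 0, 0, 0, 6, 0, 0, 0x2000, FILE_ALIGN,
                      0, 3, 0x8140, 0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    dirs = [(0, 0)] * 16
    dirs[6] = debug_dir                                               # IMAGE_DIRECTORY_ENTRY_DEBUG
    opt += b"".join(struct.pack("<II", *d) for d in dirs)
    sect = struct.pack("<8sIIIIIIHHI", b".text", 0x100, 0x1000, FILE_ALIGN, FILE_ALIGN,
                       0, 0, 0, 0, 0x60000020)
    headers = dos + coff + opt + sect
    raw = headers + b"\x00" * (FILE_ALIGN - len(headers)) + bytes(range(256)) * 2
    return patched(raw, "<I", checksum_offset(raw), pe_checksum(raw, checksum_offset(raw)))


def inspect_pe(data: bytes) -> dict:
    """Fields the mutations touch, plus overlay size (bytes past the last section)."""
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe:pe + 4] != b"PE\x00\x00":
        raise ValueError("not a PE image")
    nsec, timestamp = struct.unpack_from("<HI", data, pe + 6)
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]
    opt = pe + 24
    magic, stored = struct.unpack_from("<H", data, opt)[0], struct.unpack_from("<I", data, opt + 64)[0]
    dirs = opt + (96 if magic == PE32_MAGIC else 112)                  # PE32 vs PE32+ layout
    debug_size = struct.unpack_from("<II", data, dirs + 6 * 8)[1]
    sections, end = {}, 0
    for i in range(nsec):
        name, vsize, _rva, rawsize, rawptr = struct.unpack_from("<8sIIII", data, opt + opt_size + 40 * i)
        sections[name.rstrip(b"\x00").decode()] = (vsize, rawsize)
        end = max(end, rawptr + rawsize)
    return {"timestamp": timestamp, "checksum_stored": stored,
            "checksum_valid": stored != 0 and stored == pe_checksum(data, opt + 64),
            "debug_dir_size": debug_size, "overlay_bytes": len(data) - end, "sections": sections}


def describe_mutation(parent: bytes, child: bytes) -> list:
    """Differences between parent and variant, in the strike rows' own terms."""
    p, c = inspect_pe(parent), inspect_pe(child)
    notes = []
    if c["overlay_bytes"] > p["overlay_bytes"]:
        notes.append("%d random bytes appended at the end of the file" % (c["overlay_bytes"] - p["overlay_bytes"]))
    for name, (_vsize, praw) in p["sections"].items():
        craw = c["sections"].get(name, (0, praw))[1]
        if craw > praw:
            notes.append("%d bytes appended to section %s" % (craw - praw, name))
    if p["checksum_stored"] and not c["checksum_stored"]:
        notes.append("checksum cleared")
    elif not c["checksum_valid"]:
        notes.append("stored checksum no longer matches the file")
    if c["timestamp"] != p["timestamp"]:
        notes.append("timestamp field updated")
    if p["debug_dir_size"] and not c["debug_dir_size"]:
        notes.append("debug directory removed")
    return notes


def demo() -> dict:
    """Apply each mutation to the stub parent and report what the inspector sees."""
    parent = build_stub_pe(timestamp=0x60E00000)
    pe, sect = 0x40, 0x40 + 24 + 224                                  # PE header, section table
    variants = {
        "overlay": parent + b"\x41" * 64,                             # stand-in for random bytes
        "section": patched(parent + b"\x42" * 64, "<I", sect + 16, FILE_ALIGN + 64),  # SizeOfRawData
        "checksum": patched(parent, "<I", checksum_offset(parent), 0),
        "timestamp": patched(parent, "<I", pe + 8, 0x61000000),
        "debug": patched(parent, "<II", pe + 24 + 96 + 6 * 8, 0, 0),
    }
    return {name: describe_mutation(parent, child) for name, child in variants.items()}


if __name__ == "__main__":
    for name, notes in demo().items():
        print("%-9s %s" % (name, "; ".join(notes)))
```

Two practical points fall out of running it. Every mutation except the checksum-clearing one also invalidates the stored checksum, so a checksum that no longer matches is a cheap tell that a file was edited after linking even when the edit itself is elsewhere; Windows only enforces the checksum for drivers and a few system images, which is why the mutation costs the attacker nothing. And the overlay and section-append variants are the reason the rows publish SSDEEP alongside SHA256: the appended bytes leave most of the file intact, so the fuzzy hash of a variant stays close to its PARENTID's while every cryptographic hash changes.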
M21-zzq81 | Babuk | Windows |
This strike sends a malware sample known as Babuk Locker. Babuk is a ransomware that first started appearing in early 2021. Recently a tool that was used in the creation of these ransomware samples has been detected in other attacks and is being called Babuk Locker. | b8e5bd86046b596d8cf43843f433bb5d | https://www.bleepingcomputer.com/news/security/leaked-babuk-locker-ransomware-builder-used-in-new-attacks/SHA256: bb31f235e86b0fda185e6580ef5327f80d6a6c754f78499e8647de5e229769ccSHA1: e4934d730f999bc2bc0e05fec3b9afe324d8a32bMD5: b8e5bd86046b596d8cf43843f433bb5d |
M21-oej51 | LokiBot_5e0f32cb | Windows |
This strike sends a malware sample known as LokiBot. LokiBot is an information-stealing malware designed to siphon off sensitive information stored on an infected device. It is modular in nature, supporting the ability to steal sensitive information from a number of popular applications. It is commonly pushed via malicious documents delivered via spam emails. | 5e0f32cb907fa23b7d4dc8c684e9720b | https://blog.talosintelligence.com/2021/07/threat-roundup-0702-0709.html | SHA256: 82d97cc4feac447f269099b023427c00f457978c2c7131144872ce4e1b6fbaa5 | SHA1: e42369d6191cf97afca367324a2dcf57550f25aa | MD5: 5e0f32cb907fa23b7d4dc8c684e9720b |
M21-ws2v1 | Hupigon_1e9bbb20 | Windows |
This strike sends a malware sample known as Hupigon. Hupigon is a family of trojans that allow a remote user to execute commands on the system, such as deleting files and folders, downloading and executing files, and terminating processes. | 1e9bbb205b4c79024fcc440bd1130726 | https://blog.talosintelligence.com/2021/07/threat-roundup-for-july-9-to-july-16.html | SHA256: 4f6c2f4aa94bd6ce1311440e5ff3b70b1dd735269191cce1b6c646ecfc5c0847 | SHA1: 022095d0e06eb9396104c85c1e4facbad552a71d | MD5: 1e9bbb205b4c79024fcc440bd1130726 |
M21-0sqm1 | Formbook_5742fec2 | Windows |
This strike sends a malware sample known as Formbook. Formbook is an information stealer that attempts to collect sensitive information from the target. | 5742fec23905873e891ea7329acd3970 | https://blog.talosintelligence.com/2021/07/threat-roundup-0625-0702.html | SHA256: a7ad003a9a0d32f74833166178765af17cb09672095f96ad717b40983b2d4e49 | SHA1: 5c665c1311b5d84d8eec0ae5bfeea30a177c9f18 | MD5: 5742fec23905873e891ea7329acd3970 |
M21-y1hk1 | LokiBot_43b38e77 | Windows |
This strike sends a malware sample known as LokiBot. LokiBot is an information-stealing malware designed to siphon off sensitive information stored on an infected device. It is modular in nature, supporting the ability to steal sensitive information from a number of popular applications. It is commonly pushed via malicious documents delivered via spam emails. | 43b38e775099053f93f72ac9ab5bfc25 | https://blog.talosintelligence.com/2021/07/threat-roundup-0702-0709.html | SHA256: a72771be7b1f90d039e9a6f489c32f85779c9fb9411a33cc2e9012bc0b77f5d5 | SHA1: 7952572e99d48dabf53ae98d2e902f7e4135d1f2 | MD5: 43b38e775099053f93f72ac9ab5bfc25 |
M21-7ci91 | Babuk | Windows |
This strike sends a malware sample known as Babuk Locker. Babuk is a ransomware that first started appearing in early 2021. Recently, a tool used to create these ransomware samples has been detected in other attacks and is being called Babuk Locker. | f0d4c7d334633a72a3c7bd722e12c378 | https://www.bleepingcomputer.com/news/security/leaked-babuk-locker-ransomware-builder-used-in-new-attacks/ | SHA256: 1f2edda243404918b78aa6123aa1fc5b18dd9506e4042c7a1547b565334527e1 | SHA1: 5240f71f60c473b5f9ba100d2ce1d6effdbc08c1 | MD5: f0d4c7d334633a72a3c7bd722e12c378 |
M21-y41s1 | Babuk | Windows |
This strike sends a malware sample known as Babuk Locker. Babuk is a ransomware that first started appearing in early 2021. Recently, a tool used to create these ransomware samples has been detected in other attacks and is being called Babuk Locker. | 567c8369e6ab695c9d65a629d6f45710 | https://www.bleepingcomputer.com/news/security/leaked-babuk-locker-ransomware-builder-used-in-new-attacks/ | SHA256: 6d4ced2e85587e81d6a09b147ec7cccc054bc0fbb92afc39586de1b2bf57f812 | SHA1: e755a778896378a5375785736063d4b6831a10b4 | MD5: 567c8369e6ab695c9d65a629d6f45710 |
M21-pw5z1 | Hupigon_d31fd664 | Windows |
This strike sends a malware sample known as Hupigon. Hupigon is a family of trojans that allow a remote user to execute commands on the system, such as deleting files and folders, downloading and executing files, and terminating processes. | d31fd6646d114a6c8b41772f82e3e38b | https://blog.talosintelligence.com/2021/07/threat-roundup-for-july-9-to-july-16.html | SHA256: 869f6286a05cabb5b45ee25a84ac2a77b21813fec04d85a585ec4f6133890a58 | SHA1: 20af79b138d20e4cd35c81a292954a4f493263d1 | MD5: d31fd6646d114a6c8b41772f82e3e38b |
M21-z2ro1 | Formbook_329f7e4e | Windows |
This strike sends a malware sample known as Formbook. Formbook is an information stealer that attempts to collect sensitive information from the target. | 329f7e4e00314e9cb074d15b2347df16 | https://blog.talosintelligence.com/2021/07/threat-roundup-0625-0702.html | SHA256: 35ef714239b96dac502edee1da7c546039a67dfd31ff8751927cd4b9c86b83a7 | SHA1: 6f80890e02149ad76e4c9ebf7b881acd92f7d08b | MD5: 329f7e4e00314e9cb074d15b2347df16 |
M21-1ww11 | Formbook_42e783c3 | Windows |
This strike sends a malware sample known as Formbook. Formbook is an information stealer that attempts to collect sensitive information from the target. | 42e783c3fcea37f1ea7eaa89c45b31e6 | https://blog.talosintelligence.com/2021/07/threat-roundup-0625-0702.html | SHA256: a0f0cf9630816feae91a78847e7c2c95581e150d4d1c7804c9a88eef1d0393a5 | SHA1: bc0a3dfcae3c5d954d7db8582a7ef0791fc75617 | MD5: 42e783c3fcea37f1ea7eaa89c45b31e6 |
M21-4hk31 | Hupigon_2b6f5cd3 | Windows |
This strike sends a malware sample known as Hupigon. Hupigon is a family of trojans that allow a remote user to execute commands on the system, such as deleting files and folders, downloading and executing files, and terminating processes. | 2b6f5cd3688abd349f4cfb94164562cb | https://blog.talosintelligence.com/2021/07/threat-roundup-for-july-9-to-july-16.html | SHA256: 79b37f33abb6c24762b75c552ebe9e8e4a65f73d5abc87da06cf4e2a1e399bd0 | SHA1: e249f08dda34e4e0c73973b077d39ff429501d1e | MD5: 2b6f5cd3688abd349f4cfb94164562cb |
M21-dre81 | LokiBot_141c2a99 | Windows |
This strike sends a malware sample known as LokiBot. LokiBot is an information-stealing malware designed to siphon off sensitive information stored on an infected device. It is modular in nature, supporting the ability to steal sensitive information from a number of popular applications. It is commonly pushed via malicious documents delivered via spam emails. | 141c2a99ec6c365eebcfe39e8dd84be3 | https://blog.talosintelligence.com/2021/07/threat-roundup-0702-0709.html | SHA256: 88fecf445479b1e72beb29df878e65c087deb1e9987ecde0ef9fe66d33c6f7e1 | SHA1: f7be04cc45fc66587a546fb181310520e880ca48 | MD5: 141c2a99ec6c365eebcfe39e8dd84be3 |
M21-bbom1 | Bandidos_a09d7cb6 | Windows |
This strike sends a polymorphic malware sample known as Bandidos. Recently this campaign was largely found targeting Venezuela and Spanish-speaking countries. Infection occurs when malicious emails are sent with a PDF document to their victims. Once the PDF is opened and the link clicked, an archive is retrieved with a dropper that injects Bandook into Internet Explorer. The Bandidos payload has many features, including manipulating files, taking screenshots, controlling the user cursor on screen, installing additional DLLs, uninstalling itself, and exfiltrating data. This sample is the dropper. The binary has the timestamp field updated in the PE file header. | a09d7cb6933ebc776f1321b9e41599a6 | https://www.welivesecurity.com/2021/07/07/bandidos-at-large-spying-campaign-latin-america/ https://thehackernews.com/2021/07/experts-uncover-malware-attacks.html | SHA256: c5ac72a41c0bcb35aea8362dbad638a7b64fbf361ca82bcd12031eb5b6407dec | https://attack.mitre.org/techniques/T1099/ | PARENTID: M21-i0lt1 | SSDEEP: 24576:SfKzZ9+FcgTEGJR93oWUZ54a09K1dghmcaGw74MWW:SyytjKE3wh | SHA1: 28eddbb3b05a00516b418c224798bf1244134ddd | MD5: a09d7cb6933ebc776f1321b9e41599a6 |
M21-x3mk1 | REvil_561cffba | Windows |
This strike sends a malware sample known as REvil. In July of 2021 a supply chain ransomware attack leveraging an SQL injection vulnerability in Kaseya VSA software against multiple MSPs and their customers was reported. The ransomware used in this attack, REvil, also known as Sodinokibi, was pushed to their customers via an automated malicious update. | 561cffbaba71a6e8cc1cdceda990ead4 | https://securityscorecard.com/blog/agent-revil-unveiled-in-kaseya-vsa-ransomware-attack https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/diving-deeper-into-the-kaseya-vsa-attack-revil-returns-and-other-hackers-are-riding-their-coattails/ | SHA256: d55f983c994caa160ec63a59f6b4250fe67fb3e8c43a388aec60a4a6978e9f1e | SHA1: 5162f14d75e96edb914d1756349d6e11583db0b0 | MD5: 561cffbaba71a6e8cc1cdceda990ead4 |
M21-531i1 | Formbook_ed023da1 | Windows |
This strike sends a malware sample known as Formbook. Formbook is an information stealer that attempts to collect sensitive information from the target. | ed023da1556dcf73ce6657ae1642194a | https://blog.talosintelligence.com/2021/07/threat-roundup-0625-0702.html | SHA256: 73e2f69e19e575c987a9004886e42129fc259758f19a48badaa52fcb7f9925cb | SHA1: 1c548d48108be141c8e6fbaedaefc24ac911c014 | MD5: ed023da1556dcf73ce6657ae1642194a |
M21-52zz1 | LockBit_fd902870 | Windows |
This strike sends a polymorphic malware sample known as LockBit. LockBit is ransomware that, once executed, encrypts the system's files until a ransom payment has been made to the attacker. LockBit can scan for and spread itself to all targets it finds on a network. The binary has the checksum removed from the PE file header. | fd902870de737723e6da1e0ba10f1385 | https://www.prodaft.com/m/reports/LockBit_Case_Report___TLPWHITE.pdf https://www.mcafee.com/blogs/other-blogs/mcafee-labs/tales-from-the-trenches-a-lockbit-ransomware-story/ https://www.bleepingcomputer.com/news/security/ransomware-gangs-now-creating-websites-to-recruit-affiliates/ | SHA256: e3d0df68fb6d028ffdd85bd0ebcb7ed04bc9c88c024c33ac0aaeb351f416b8bf | https://arxiv.org/abs/1801.08917 | PARENTID: M21-h4xy1 | SSDEEP: 1536:T/0JJMzS/5uJup2KN/Z9SQ2illYOcJngsxmZ50fBbjpAeuwC:T/qJMq5uJupjSQ2+1ctgY5bjpp | SHA1: 5f2fb4a4c47f8a9edf712bfe4898582d780478d3 | MD5: fd902870de737723e6da1e0ba10f1385 |
M21-wp9r1 | Bandidos_695ebe3e | Windows |
This strike sends a malware sample known as Bandidos. Recently this campaign was largely found targeting Venezuela and Spanish-speaking countries. Infection occurs when malicious emails are sent with a PDF document to their victims. Once the PDF is opened and the link clicked, an archive is retrieved with a dropper that injects Bandook into Internet Explorer. The Bandidos payload has many features, including manipulating files, taking screenshots, controlling the user cursor on screen, installing additional DLLs, uninstalling itself, and exfiltrating data. This sample is the dropper. | 695ebe3e45a89552d7dabbc2b972ed66 | https://www.welivesecurity.com/2021/07/07/bandidos-at-large-spying-campaign-latin-america/ https://thehackernews.com/2021/07/experts-uncover-malware-attacks.html | SHA256: d3e7b5be903eb9a596b9b2b78e5dd28390c6aadb8bdd4ea1ba3d896d99fa0057 | SHA1: 89f1e932cc37e4515433696e3963bb3163cc4927 | MD5: 695ebe3e45a89552d7dabbc2b972ed66 |
M21-ba5n1 | Babuk | Windows |
This strike sends a malware sample known as Babuk Locker. Babuk is a ransomware that first started appearing in early 2021. Recently, a tool used to create these ransomware samples has been detected in other attacks and is being called Babuk Locker. | 4161cbe9722d98ffe53636e9efa874ca | https://www.bleepingcomputer.com/news/security/leaked-babuk-locker-ransomware-builder-used-in-new-attacks/ | SHA256: b4be6b8acda97f36c448365751d5c9a9e1b91f47cedfde79e1de258413c3de71 | SHA1: c81aa4a4a5ac0eb22b8e9bf3024f2cd3b4db7eaa | MD5: 4161cbe9722d98ffe53636e9efa874ca |
M21-7mji1 | Babuk | Windows |
This strike sends a malware sample known as Babuk Locker. Babuk is a ransomware that first started appearing in early 2021. Recently, a tool used to create these ransomware samples has been detected in other attacks and is being called Babuk Locker. | dfaa9121f4165a9f38a8406d82f0ab71 | https://www.bleepingcomputer.com/news/security/leaked-babuk-locker-ransomware-builder-used-in-new-attacks/ | SHA256: a2b5ebfc52a447cde255e1ec1ac8797ad49b156ed427df8c292d6aeb4dad5523 | SHA1: b592c787d347287efe410a43555e218e9ccfab10 | MD5: dfaa9121f4165a9f38a8406d82f0ab71 |
M21-v70w1 | Formbook_49fa2aec | Windows |
This strike sends a malware sample known as Formbook. Formbook is an information stealer that attempts to collect sensitive information from the target. | 49fa2aecca84c2cccd83b20297143646 | https://blog.talosintelligence.com/2021/07/threat-roundup-0625-0702.html | SHA256: 6111eeaab08838bc32e1f0ade3b5af96955c29d459a3702090369598a5a1d067 | SHA1: d0cf9fb098f5a2fdc87b62ba9a794ecaa998e56b | MD5: 49fa2aecca84c2cccd83b20297143646 |
M21-8mz41 | LockBit_ec273b58 | Windows |
This strike sends a malware sample known as LockBit. LockBit is ransomware that, once executed, encrypts the system's files until a ransom payment has been made to the attacker. LockBit can scan for and spread itself to all targets it finds on a network. | ec273b5841eadfc43b1908c9905e95a3 | https://www.prodaft.com/m/reports/LockBit_Case_Report___TLPWHITE.pdf https://www.mcafee.com/blogs/other-blogs/mcafee-labs/tales-from-the-trenches-a-lockbit-ransomware-story/ https://www.bleepingcomputer.com/news/security/ransomware-gangs-now-creating-websites-to-recruit-affiliates/ | SHA256: 410c884d883ebe2172507b5eadd10bc8a2ae2564ba0d33b1e84e5f3c22bd3677 | SHA1: 71e7990c8c81ef6c4e265eae11030886c40cc8b0 | MD5: ec273b5841eadfc43b1908c9905e95a3 |
M21-pz0i1 | REvil_f81958d7 | Windows |
This strike sends a polymorphic malware sample known as REvil. In July of 2021 a supply chain ransomware attack leveraging an SQL injection vulnerability in Kaseya VSA software against multiple MSPs and their customers was reported. The ransomware used in this attack, REvil, also known as Sodinokibi, was pushed to their customers via an automated malicious update. The binary has a section name randomized in accordance with the PE format specification. | f81958d74101253e7d1f14fe4c6ff560 | https://securityscorecard.com/blog/agent-revil-unveiled-in-kaseya-vsa-ransomware-attack https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/diving-deeper-into-the-kaseya-vsa-attack-revil-returns-and-other-hackers-are-riding-their-coattails/ | SHA256: 9aa82c72004ae8617f94d8105dbdc8df2e092c75556ae63eb2fa009cd08ed9a5 | https://arxiv.org/abs/1801.08917 | PARENTID: M21-x3mk1 | SSDEEP: 24576:1Mz7ETDWX4XukZeVL/kYx9P/JY6gfjcsAE:ifF7k4pB/JYPIsAE | SHA1: 82dde90c08793ebbc7b10b7204362a0ab92acf82 | MD5: f81958d74101253e7d1f14fe4c6ff560 |
M21-h4xy1 | LockBit_9fe9f4ee | Windows |
This strike sends a malware sample known as LockBit. LockBit is ransomware that, once executed, encrypts the system's files until a ransom payment has been made to the attacker. LockBit can scan for and spread itself to all targets it finds on a network. | 9fe9f4ee717bae3a5c9fdf1d380e015d | https://www.prodaft.com/m/reports/LockBit_Case_Report___TLPWHITE.pdf https://www.mcafee.com/blogs/other-blogs/mcafee-labs/tales-from-the-trenches-a-lockbit-ransomware-story/ https://www.bleepingcomputer.com/news/security/ransomware-gangs-now-creating-websites-to-recruit-affiliates/ | SHA256: 1e3bf358c76f4030ffc4437d5fcd80c54bd91b361abb43a4fa6340e62d986770 | SHA1: 7df22f2fbe86a07070f262f94e233860b6ae66b2 | MD5: 9fe9f4ee717bae3a5c9fdf1d380e015d |
M21-qao81 | LockBit_265d02e0 | Windows |
This strike sends a malware sample known as LockBit. LockBit is ransomware that, once executed, encrypts the system's files until a ransom payment has been made to the attacker. LockBit can scan for and spread itself to all targets it finds on a network. | 265d02e0a563bbdbdb2883add41ff4bb | https://www.prodaft.com/m/reports/LockBit_Case_Report___TLPWHITE.pdf https://www.mcafee.com/blogs/other-blogs/mcafee-labs/tales-from-the-trenches-a-lockbit-ransomware-story/ https://www.bleepingcomputer.com/news/security/ransomware-gangs-now-creating-websites-to-recruit-affiliates/ | SHA256: 13849c0c923bfed5ab37224d59e2d12e3e72f97dc7f539136ae09484cbe8e5e0 | SHA1: 01890a3874787dcd74fc548d724b32ed9562abe4 | MD5: 265d02e0a563bbdbdb2883add41ff4bb |
M21-2zn41 | REvil_94d08716 | Windows |
This strike sends a malware sample known as REvil. In July of 2021 a supply chain ransomware attack leveraging an SQL injection vulnerability in Kaseya VSA software was carried out against multiple MSPs and their customers. The ransomware used in this attack, REvil, also known as Sodinokibi, was pushed to their customers via an automated malicious update. | 94d087166651c0020a9e6cc2fdacdc0c | https://securityscorecard.com/blog/agent-revil-unveiled-in-kaseya-vsa-ransomware-attack | SHA256: 9b11711efed24b3c6723521a7d7eb4a52e4914db7420e278aa36e727459d59dd | SHA1: 99be22569ba9b1e49d3fd36f65faa6795672fcc0 | MD5: 94d087166651c0020a9e6cc2fdacdc0c |
M21-2aer1 | Formbook_6127f5d1 | Windows |
This strike sends a malware sample known as Formbook. Formbook is an information stealer that attempts to collect sensitive information from the target. | 6127f5d1a39a07a6a33155f9181bd5c4 | https://blog.talosintelligence.com/2021/07/threat-roundup-0625-0702.html | SHA256: 191db0df191fa868b366cd9b221708bbf46680102decb2fe5bd9838d4edb6db9 | SHA1: d0ca2af22b935484a1ba7ac15692143f39da89c1 | MD5: 6127f5d1a39a07a6a33155f9181bd5c4 |
M21-kxbt1 | Formbook_ba6b36b0 | Windows |
This strike sends a malware sample known as Formbook. Formbook is an information stealer that attempts to collect sensitive information from the target. | ba6b36b03f1864c1adb63a87ae843ee3 | https://blog.talosintelligence.com/2021/07/threat-roundup-0625-0702.html | SHA256: 70ae91fc903cf888459854bafc02aba096412e7d264a09720f9447d3d7bbf17c | SHA1: 99f482b4e848401e261e232a33de2b43231a3ada | MD5: ba6b36b03f1864c1adb63a87ae843ee3 |
M21-vc4l1 | REvil_18786bfa | Windows |
This strike sends a malware sample known as REvil. In July of 2021 a supply chain ransomware attack leveraging an SQL injection vulnerability in Kaseya VSA software was carried out against multiple MSPs and their customers. The ransomware used in this attack, REvil, also known as Sodinokibi, was pushed to their customers via an automated malicious update. | 18786bfac1be0ddf23ff94c029ca4d63 | https://securityscorecard.com/blog/agent-revil-unveiled-in-kaseya-vsa-ransomware-attack | SHA256: 1fe9b489c25bb23b04d9996e8107671edee69bd6f6def2fe7ece38a0fb35f98e | SHA1: 3c2b0dcdb2a46fc1ec0a12a54309e35621caa925 | MD5: 18786bfac1be0ddf23ff94c029ca4d63 |
M21-81av1 | Formbook_8fd89c48 | Windows |
This strike sends a malware sample known as Formbook. Formbook is an information stealer that attempts to collect sensitive information from the target. | 8fd89c48fdacb3ba7a8cb003917c24c3 | https://blog.talosintelligence.com/2021/07/threat-roundup-0625-0702.html | SHA256: 61e1b56481c68ffcd7be4b30ec427401c7385af1a64451e221a17eb70b4d5819 | SHA1: a909214d1a5eacb7f7ea172e652414f02fb15e27 | MD5: 8fd89c48fdacb3ba7a8cb003917c24c3 |
M21-hrdx1 | Bandidos_4ba8ccbd | Windows |
This strike sends a polymorphic malware sample known as Bandidos. Recently this campaign was largely found targeting Venezuela and Spanish-speaking countries. Infection occurs when malicious emails are sent with a PDF document to their victims. Once the PDF is opened and the link clicked, an archive is retrieved with a dropper that injects Bandook into Internet Explorer. The Bandidos payload has many features, including manipulating files, taking screenshots, controlling the user cursor on screen, installing additional DLLs, uninstalling itself, and exfiltrating data. This sample is the dropper. The binary has been packed using the UPX packer with the default options. | 4ba8ccbd73a0951cab9c156fea290a70 | https://www.welivesecurity.com/2021/07/07/bandidos-at-large-spying-campaign-latin-america/ https://thehackernews.com/2021/07/experts-uncover-malware-attacks.html | SHA256: ce98ad8035f3b5f107eb7e7e7fde5da34d7992806fbd85ab9ecc5a12ba342c1a | https://attack.mitre.org/techniques/T1045/ | PARENTID: M21-i0lt1 | SSDEEP: 24576:mBUWzGugqni0QP8AxdXH4MNHr6NNWst+G7MQUEi/fpm69NnSNzWCYigO:mBU56SP8AX5Wyf/kIN5FM | SHA1: 435b060140b839362e6c0c89473d77d9693f8bd1 | MD5: 4ba8ccbd73a0951cab9c156fea290a70 |
M21-onpp1 | LockBit_12351122 | Windows |
This strike sends a malware sample known as LockBit. LockBit is ransomware that, once executed, encrypts the system's files until a ransom payment has been made to the attacker. LockBit can scan for and spread itself to all targets it finds on a network. | 123511227718f17b3dec5431d5ae87f3 | https://www.prodaft.com/m/reports/LockBit_Case_Report___TLPWHITE.pdf https://www.mcafee.com/blogs/other-blogs/mcafee-labs/tales-from-the-trenches-a-lockbit-ransomware-story/ https://www.bleepingcomputer.com/news/security/ransomware-gangs-now-creating-websites-to-recruit-affiliates/ | SHA256: e3f236e4aeb73f8f8f0caebe46f53abbb2f71fa4b266a34ab50e01933709e877 | SHA1: 307088ae7027b55541311fd70a9337ff3709fccf | MD5: 123511227718f17b3dec5431d5ae87f3 |
M21-yr5o1 | LockBit_83b0fca1 | Windows |
This strike sends a malware sample known as LockBit. LockBit is ransomware that, once executed, encrypts the system's files until a ransom payment has been made to the attacker. LockBit can scan for and spread itself to all targets it finds on a network. | 83b0fca1bd3190c5badcea4d507b8c95 | https://www.prodaft.com/m/reports/LockBit_Case_Report___TLPWHITE.pdf https://www.mcafee.com/blogs/other-blogs/mcafee-labs/tales-from-the-trenches-a-lockbit-ransomware-story/ https://www.bleepingcomputer.com/news/security/ransomware-gangs-now-creating-websites-to-recruit-affiliates/ | SHA256: c8205792fbc0a5efc6b8f0f2257514990bfaa987768c4839d413dd10721e8871 | SHA1: 4e4d24f5d231434b9b0219fd7c5142c0c2ca1f08 | MD5: 83b0fca1bd3190c5badcea4d507b8c95 |
M21-qrxb1 | LockBit_612a58fd | Windows |
This strike sends a malware sample known as LockBit. LockBit is ransomware that, once executed, encrypts the system's files until a ransom payment has been made to the attacker. LockBit can scan for and spread itself to all targets it finds on a network. | 612a58fd67717e45d091ed3c353c3263 | https://www.prodaft.com/m/reports/LockBit_Case_Report___TLPWHITE.pdf https://www.mcafee.com/blogs/other-blogs/mcafee-labs/tales-from-the-trenches-a-lockbit-ransomware-story/ https://www.bleepingcomputer.com/news/security/ransomware-gangs-now-creating-websites-to-recruit-affiliates/ | SHA256: ec88f821d22e5553afb94b4834f91ecdedeb27d9ebfd882a7d8f33b5f12ac38d | SHA1: f6e8feb1eb645e122de8bded0360ee9ecdafc823 | MD5: 612a58fd67717e45d091ed3c353c3263 |
M21-60421 | Hupigon_5ed9157b | Windows |
This strike sends a malware sample known as Hupigon. Hupigon is a family of trojans that allow a remote user to execute commands on the system, such as deleting files and folders, downloading and executing files, and terminating processes. | 5ed9157b529b233195ba77a6c0f60807 | https://blog.talosintelligence.com/2021/07/threat-roundup-for-july-9-to-july-16.html | SHA256: 363963520775929cb355a9e6adf0e7f710b4c6ab10e24522563b71e7cb0ec9ec | SHA1: 31dbeb25d8014ae05e253d44ea84d28772c046f6 | MD5: 5ed9157b529b233195ba77a6c0f60807 |
M21-a6k51 | Hupigon_787230e2 | Windows |
This strike sends a malware sample known as Hupigon. Hupigon is a family of trojans that allow a remote user to execute commands on the system, such as deleting files and folders, downloading and executing files, and terminating processes. | 787230e27a9cd49f59429a8b86636877 | https://blog.talosintelligence.com/2021/07/threat-roundup-for-july-9-to-july-16.html | SHA256: bea6048a599c5eed9d491f3b275f03447dd39231cbc76c1efe1cea68c37034aa | SHA1: f31f572759d99716e5230d14088138f81804a05b | MD5: 787230e27a9cd49f59429a8b86636877 |
M21-xz9m1 | LokiBot_59b388de | Windows |
This strike sends a malware sample known as LokiBot. LokiBot is an information-stealing malware designed to siphon off sensitive information stored on an infected device. It is modular in nature, supporting the ability to steal sensitive information from a number of popular applications. It is commonly pushed via malicious documents delivered via spam emails. | 59b388dee247bcecd66795063b0c02d7 | https://blog.talosintelligence.com/2021/07/threat-roundup-0702-0709.html | SHA256: 068dcc146fde443d327076ea1375496429539466ee8ff38a9b3d8c9c284b3327 | SHA1: c7b4f39139d85a38ce087f8bb2ca3c154a1f2df2 | MD5: 59b388dee247bcecd66795063b0c02d7 |
M21-3ei71 | Formbook_440e6d38 | Windows |
This strike sends a malware sample known as Formbook. Formbook is an information stealer that attempts to collect sensitive information from the target. | 440e6d387a6a202fb695171cdd90e9f0 | https://blog.talosintelligence.com/2021/07/threat-roundup-0625-0702.html | SHA256: 351ff4900300a3012cf567aadc1e025e27b385cd677ea9152517bdd271447326 | SHA1: 4428ff59802d290047a86c62aebc21985562b927 | MD5: 440e6d387a6a202fb695171cdd90e9f0 |
M21-ejxa1 | REvil_ffedad13 | Windows |
This strike sends a polymorphic malware sample known as REvil. In July of 2021 a supply chain ransomware attack leveraging an SQL injection vulnerability in Kaseya VSA software was carried out against multiple MSPs and their customers. The ransomware used in this attack, REvil, also known as Sodinokibi, was pushed to their customers via an automated malicious update. The binary has the timestamp field updated in the PE file header. | ffedad13fbd2cf0996cf728e8c1b4c11 | https://securityscorecard.com/blog/agent-revil-unveiled-in-kaseya-vsa-ransomware-attack | SHA256: b52b2677c639e92fdd9985181bfdd2471072672911c0f74682e0dfede230fd29 | https://attack.mitre.org/techniques/T1099/ | PARENTID: M21-yf5g1 | SSDEEP: 24576:WJdzXxcwKjqd7kHeSyG/z35JCxvKtl9dfkV:AYg7aBgw9dfkV | SHA1: bfa28c6c8ef21fe277eb68feeb4d4ce79a83a8ad | MD5: ffedad13fbd2cf0996cf728e8c1b4c11 |
M21-yg181 | Hupigon_df65acf3 | Windows |
This strike sends a malware sample known as Hupigon. Hupigon is a family of trojans that allow a remote user to execute commands on the system, such as deleting files and folders, downloading and executing files, and terminating processes. | df65acf337ed114181b3c38deb258de5 | https://blog.talosintelligence.com/2021/07/threat-roundup-for-july-9-to-july-16.html | SHA256: d6100a3d983ed3af8c27aca8303b0d48b14f1db3729c3458051e1b4b7e5a85b5 | SHA1: f5c58f185abe09bbf5b8ca4c88941c743f940d28 | MD5: df65acf337ed114181b3c38deb258de5 |
M21-nmor1 | Hupigon_d6a6b2f9 | Windows |
This strike sends a malware sample known as Hupigon. Hupigon is a family of trojans that allow a remote user to execute commands on the system, such as deleting files and folders, downloading and executing files, and terminating processes. | d6a6b2f9bd1a53e3789bcf5b4865aa81 | https://blog.talosintelligence.com/2021/07/threat-roundup-for-july-9-to-july-16.html | SHA256: bc2183e23a1d6fc2c3f61d89a52d0ffa5f82e691e4fffd9c7363f3c98fdddbe1 | SHA1: 18ac7adb0981e67756a56b95d8582f4cbf2bc7fd | MD5: d6a6b2f9bd1a53e3789bcf5b4865aa81 |
M21-72up1 | Formbook_ed588185 | Windows |
This strike sends a malware sample known as Formbook. Formbook is an information stealer that attempts to collect sensitive information from the target. | ed588185aacf2a9ea91b31af93642256 | https://blog.talosintelligence.com/2021/07/threat-roundup-0625-0702.html | SHA256: 4b9450d76929aabf8390ad818fd3d40a735d76d679b0f4cfb58ff60ced2ee6fd | SHA1: c745ab22991ec1fd49c5ddf5fc3eadefab032e17 | MD5: ed588185aacf2a9ea91b31af93642256 |
M21-dfah1 | Hupigon_78860c61 | Windows |
This strike sends a malware sample known as Hupigon. Hupigon is a family of trojans that allow a remote user to execute commands on the system, such as deleting files and folders, downloading and executing files, and terminating processes. | 78860c61167bb648a081ab7371638247 | https://blog.talosintelligence.com/2021/07/threat-roundup-for-july-9-to-july-16.html | SHA256: 00aed8bbca1c733cf29cb67c1d05b9f10cb4b2f44b3f88780fc478fc5aed2b79 | SHA1: aac289a5d3e44f19e399ef63845b47642aded0c1 | MD5: 78860c61167bb648a081ab7371638247 |
M21-w5hl1 | LockBit_8ab03752 | Windows |
This strike sends a malware sample known as LockBit. LockBit is ransomware that, once executed, encrypts the system's files until a ransom payment has been made to the attacker. LockBit can scan for and spread itself to all targets it finds on a network. | 8ab0375228416b89becff72a0ae40654 | https://www.prodaft.com/m/reports/LockBit_Case_Report___TLPWHITE.pdf https://www.mcafee.com/blogs/other-blogs/mcafee-labs/tales-from-the-trenches-a-lockbit-ransomware-story/ https://www.bleepingcomputer.com/news/security/ransomware-gangs-now-creating-websites-to-recruit-affiliates/ | SHA256: 5072678821b490853eff0a97191f262c4e8404984dd8d5be1151fef437ca26db | SHA1: 75f06b636efe53360287c0ff1f51ea7de1e7c8b5 | MD5: 8ab0375228416b89becff72a0ae40654 |
M21-k4qr1 | LokiBot_574ea378 | Windows |
This strike sends a malware sample known as LokiBot. LokiBot is an information-stealing malware designed to siphon off sensitive information stored on an infected device. It is modular in nature, supporting the ability to steal sensitive information from a number of popular applications. It is commonly pushed via malicious documents delivered via spam emails. | 574ea37878e74bbcf646402baf723ee4 | https://blog.talosintelligence.com/2021/07/threat-roundup-0702-0709.html | SHA256: 63f3585c6d2914d6060f7bdef809063eaea115da6c7ada28cbac8f9f796d9cfa | SHA1: 6f7ae2e1b875ff0b1610e33d4b824921fc318cf7 | MD5: 574ea37878e74bbcf646402baf723ee4 |
M21-fj3a1 | LokiBot_393264b4 | Windows |
This strike sends a malware sample known as LokiBot. LokiBot is an information-stealing malware designed to siphon off sensitive information stored on an infected device. It is modular in nature, supporting the ability to steal sensitive information from a number of popular applications. It is commonly pushed via malicious documents delivered via spam emails. | 393264b41d8cb7b93d7cc3e079556eff | https://blog.talosintelligence.com/2021/07/threat-roundup-0702-0709.html | SHA256: 9c425b2930a33567fb81e1a170f4a36222b19ac8b7be4f9d7fbe6e765f385fa3 | SHA1: 1e15510afb6e09d236a1396f05c18381f0b6b982 | MD5: 393264b41d8cb7b93d7cc3e079556eff |
M21-2zln1 | Hupigon_a52d0b02 | Windows |
This strike sends a malware sample known as Hupigon. Hupigon is a family of trojans that allow a remote user to execute commands on the system, such as deleting files and folders, downloading and executing files, and terminating processes. | a52d0b02fc623f4d0ada0e5c5432c559 | https://blog.talosintelligence.com/2021/07/threat-roundup-for-july-9-to-july-16.html | SHA256: 608a3f4ac2cefa53738e7aca0a0e5f0530a66984414e9f100f134af4039b47c9 | SHA1: f5d8eaba3d2fa10770072d13bd15a76e36795bdf | MD5: a52d0b02fc623f4d0ada0e5c5432c559 |
M21-d7s81 | Babuk | Windows |
This strike sends a malware sample known as Babuk Locker. Babuk is a ransomware that first started appearing in early 2021. Recently, a tool used to create these ransomware samples has been detected in other attacks and is being called Babuk Locker. | eacfeff2add22da202bc6ba34308989e | https://www.bleepingcomputer.com/news/security/leaked-babuk-locker-ransomware-builder-used-in-new-attacks/ | SHA256: 54c82ad27174fd6ed72793b1ccf9d26613eb572960e847a63538420c69d06c5b | SHA1: 7b41f9077fba77d9a3115c3e8142c3f15c81d84a | MD5: eacfeff2add22da202bc6ba34308989e |
M21-i0lt1 | Bandidos_10c4865e | Windows |
This strike sends a malware sample known as Bandidos. Recently this campaign was largely found targeting Venezuela and Spanish-speaking countries. Infection occurs when malicious emails are sent with a PDF document to their victims. Once the PDF is opened and the link clicked, an archive is retrieved with a dropper that injects Bandook into Internet Explorer. The Bandidos payload has many features, including manipulating files, taking screenshots, controlling the user cursor on screen, installing additional DLLs, uninstalling itself, and exfiltrating data. This sample is the dropper. | 10c4865edac377dc12f14905c8bb3a46 | https://www.welivesecurity.com/2021/07/07/bandidos-at-large-spying-campaign-latin-america/ https://thehackernews.com/2021/07/experts-uncover-malware-attacks.html | SHA256: 51367cf1a79f11c5801c47f1fbe68c765c1e90602cb7ff49dc00af5e2701c9d5 | SHA1: 124abf42098e644d172d9ea69b05af8ec45d6e49 | MD5: 10c4865edac377dc12f14905c8bb3a46 |
M21-sdq21 | Bandidos_2d9afda2 | Windows |
This strike sends a polymorphic malware sample known as Bandidos. This campaign has recently been found largely targeting Venezuela and other Spanish-speaking countries. Infection begins with a malicious email carrying a PDF document; once the PDF is opened and its link clicked, an archive is retrieved containing a dropper that injects Bandook into Internet Explorer. The Bandidos payload has many features, including manipulating files, taking screenshots, controlling the user's on-screen cursor, installing additional DLLs, uninstalling itself, and exfiltrating data. This sample is the dropper. The binary has the timestamp field updated in the PE file header. | 2d9afda2d563179aa8230116f916d227 | https://www.welivesecurity.com/2021/07/07/bandidos-at-large-spying-campaign-latin-america/ https://thehackernews.com/2021/07/experts-uncover-malware-attacks.html SHA256: 505832595c9eaa4670a8a52f19b661a60399db365c737299935fc34ea0b5be35 https://attack.mitre.org/techniques/T1099/ PARENTID: M21-2klg1 SSDEEP: 49152:j435mcqM2uL8Ujfwkrk2vts5Allzg2NZPnz:jhEfwk18A SHA1: cf6e54cf5aba6ea885b407e577c5842f82380fc2 MD5: 2d9afda2d563179aa8230116f916d227 |
M21-9ycf1 | Formbook_a815304b | Windows |
This strike sends a malware sample known as Formbook. Formbook is an information stealer that attempts to collect sensitive information from the target. | a815304b1a9d216a410082490224e4d8 | https://blog.talosintelligence.com/2021/07/threat-roundup-0625-0702.html SHA256: 2f3ed7f2aa896961026bad2904d961dd8c45f30264a6ffdf9635aecdcfb3557b SHA1: f8b33169fa1f8ee09fcb0238990fd1836613ae43 MD5: a815304b1a9d216a410082490224e4d8 |
M21-kge51 | Bandidos_bb861561 | Windows |
This strike sends a polymorphic malware sample known as Bandidos. This campaign has recently been found largely targeting Venezuela and other Spanish-speaking countries. Infection begins with a malicious email carrying a PDF document; once the PDF is opened and its link clicked, an archive is retrieved containing a dropper that injects Bandook into Internet Explorer. The Bandidos payload has many features, including manipulating files, taking screenshots, controlling the user's on-screen cursor, installing additional DLLs, uninstalling itself, and exfiltrating data. This sample is the dropper. The binary has random bytes appended at the end of the file. | bb8615619a3363acd508ca02384c1ead | https://www.welivesecurity.com/2021/07/07/bandidos-at-large-spying-campaign-latin-america/ https://thehackernews.com/2021/07/experts-uncover-malware-attacks.html SHA256: 23cf8153cef986bb493b90c48bddc4d304016b043059dc4958bd769726354005 https://attack.mitre.org/techniques/T1009/ PARENTID: M21-wp9r1 SSDEEP: 24576:5EZ4iqYQk5zZrikTtPUZwkC02g+fTqPUf/SWKfL7gg6PQVqa9qSbk:5EFQ6k0TVkQxPQo9X SHA1: ed58d82a9e3b4dbad3f2a6068eaab66a6774013b MD5: bb8615619a3363acd508ca02384c1ead |
M21-s46d1 | LokiBot_d59102dc | Windows |
This strike sends a malware sample known as LokiBot. LokiBot is an information-stealing malware designed to siphon off sensitive information stored on an infected device. It is modular in nature, supporting the theft of sensitive information from a number of popular applications. It is commonly delivered through malicious documents attached to spam emails. | d59102dcc956a859de8d5c6545b30bfd | https://blog.talosintelligence.com/2021/07/threat-roundup-0702-0709.html SHA256: 52dc80bfa7b84b98a0bc7dda49a01497e7b7deeb50850d14182895aa12e23092 SHA1: 7242662ebc8e38ce2ad7adf58485fa7dc0f4cf05 MD5: d59102dcc956a859de8d5c6545b30bfd |
M21-1s781 | REvil_f31b13a0 | Windows |
This strike sends a polymorphic malware sample known as REvil. In July of 2021 a supply chain ransomware attack leveraging an SQL injection vulnerability in Kaseya VSA software was carried out against multiple MSPs and their customers. The ransomware used in this attack, REvil, also known as Sodinokibi, was pushed to the victims' customers via an automated malicious update. The binary has a random section name renamed according to the PE format specification. | f31b13a0c700a35bc36376da03419df9 | https://securityscorecard.com/blog/agent-revil-unveiled-in-kaseya-vsa-ransomware-attack SHA256: 4e5657a23fb37961c73c6aac9fbe0723b3faeb13267d1b268e0ad4a6bee19b89 https://arxiv.org/abs/1801.08917 PARENTID: M21-2zn41 SSDEEP: 1536:Vxd+ReKXU/MQaL7k0B/L7s+Zi+GrZxtQpfyHvtICS4A4UdZls8XzUXiWr4X5F4GC:VtchTojrZxtMhiiZHjUyWr4X5FTDU SHA1: 0629a47aa2995513531dd29d2a90d7690df93a16 MD5: f31b13a0c700a35bc36376da03419df9 |
M21-y65s1 | REvil_f6e2317b | Windows |
This strike sends a polymorphic malware sample known as REvil. In July of 2021 a supply chain ransomware attack leveraging an SQL injection vulnerability in Kaseya VSA software was reported against multiple MSPs and their customers. The ransomware used in this attack, REvil, also known as Sodinokibi, was pushed to the victims' customers via an automated malicious update. The binary has the checksum removed from the PE file header. | f6e2317b5ed7878efd7e1160b3bfc93d | https://securityscorecard.com/blog/agent-revil-unveiled-in-kaseya-vsa-ransomware-attack https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/diving-deeper-into-the-kaseya-vsa-attack-revil-returns-and-other-hackers-are-riding-their-coattails/ SHA256: e898ca8d6f82544edbdd52d96ff1f4ac810e6f366a3d6e2b4c4dcc5bd139111e https://arxiv.org/abs/1801.08917 PARENTID: M21-x3mk1 SSDEEP: 24576:5Mz7ETDWX4XukZeVL/kYx9P/JY6gfjcsAE:GfF7k4pB/JYPIsAE SHA1: 4fc08a7a467e611abc3f561348bb45dc7d1e3db6 MD5: f6e2317b5ed7878efd7e1160b3bfc93d |
M21-28yz1 | Hupigon_d8b33080 | Windows |
This strike sends a malware sample known as Hupigon. Hupigon is a family of trojans that allow a remote user to execute commands on the infected system, such as deleting files and folders, downloading and executing files, and terminating processes. | d8b33080023b54bebedaa8b29a2f088c | https://blog.talosintelligence.com/2021/07/threat-roundup-for-july-9-to-july-16.html SHA256: 75c4cab4fd1de9ca44db0c3cd51c8d9dfa156ab2205a85924487c10965a12754 SHA1: 39ad2552b7215228f20b2f5953899f7bc4f6795f MD5: d8b33080023b54bebedaa8b29a2f088c |