Malware Monthly Update July - 2021 Release Notes

Malware Monthly Update July - 2021

Malware Strikes

Strike ID	Malware	Platform	Info	MD5	External References
M21-hzro1	Babuk	Windows	This strike sends a malware sample known as Babuk Locker. Babuk is a ransomware that first started appearing in early 2021. Recently a tool that was used in the creation of these ransomware samples has been detected in other attacks and is being called Babuk Locker.	024382eef9abab8edd804548f94b78fc	https://www.bleepingcomputer.com/news/security/leaked-babuk-locker-ransomware-builder-used-in-new-attacks/ SHA256: c4282e9040cdc1df92b722568a8b4c42ce9f6533fed0bd34b7fdbae264947784 SHA1: b69a5385d880f4d0acd3358df002aba42b12820f MD5: 024382eef9abab8edd804548f94b78fc
M21-syed1	REvil_a47cf00a	Windows	This strike sends a malware sample known as REvil. In July of 2021 a supply chain ransomware attack leveraging an SQL injection vulnerability in Kaseya VSA software was carried out against multiple MSPs and their customers. The ransomware being used in this attack, REvil also known as Sodinokibi, was pushed via an automated malicious update to their customers.	a47cf00aedf769d60d58bfe00c0b5421	https://securityscorecard.com/blog/agent-revil-unveiled-in-kaseya-vsa-ransomware-attack SHA256: 8dd620d9aeb35960bb766458c8890ede987c33d239cf730f93fe49d90ae759dd SHA1: 656c4d285ea518d90c1b669b79af475db31e30b1 MD5: a47cf00aedf769d60d58bfe00c0b5421
M21-2klg1	Bandidos_038de761	Windows	This strike sends a malware sample known as Bandidos. Recently this campaign was largely found targeting Venezuela and Spanish speaking countries. Infection occurs when malicious emails are sent with a PDF document to their victims. Once the PDF is opened and the link clicked an archive is retrieved with a dropper that injects Bandook into Internet Explorer. The Bandidos payload has many features including manipulating files, taking screenshots, controlling the user cursor on screen, installing additional DLLs, uninstalling itself, and exfiltrating data. This sample is the Dropper.	038de761c002ae546870035be143a736	https://www.welivesecurity.com/2021/07/07/bandidos-at-large-spying-campaign-latin-america/ https://thehackernews.com/2021/07/experts-uncover-malware-attacks.html SHA256: 435fa80c1088c8e2b821cf86d5f5a6c2cebf41e3b12d067473c79ab5773d3862 SHA1: af1f08a0d2e0d40e99fcaba6c1c090b093ac0756 MD5: 038de761c002ae546870035be143a736
M21-xhga1	Bandidos_64acb89a	Windows	This strike sends a polymorphic malware sample known as Bandidos. Recently this campaign was largely found targeting Venezuela and Spanish speaking countries. Infection occurs when malicious emails are sent with a PDF document to their victims. Once the PDF is opened and the link clicked an archive is retrieved with a dropper that injects Bandook into Internet Explorer. The Bandidos payload has many features including manipulating files, taking screenshots, controlling the user cursor on screen, installing additional DLLs, uninstalling itself, and exfiltrating data. This sample is the Dropper.The binary has a random section name renamed according to the PE format specification.	64acb89ad84db2d5f2bad354ad547417	https://www.welivesecurity.com/2021/07/07/bandidos-at-large-spying-campaign-latin-america/ https://thehackernews.com/2021/07/experts-uncover-malware-attacks.html SHA256: d5ac969a01842b7f5e01aae02bfee66a8d70985b9935c8f4e346c8c7fb68f524 https://arxiv.org/abs/1801.08917 PARENTID: M21-2klg1 SSDEEP: 49152:y435mcqM2uL8Ujfwkrk2vts5Allzg2NZPnz:yhEfwk18A SHA1: bc226a175b62eb6c022a97b2e1f0cf35e0b5f306 MD5: 64acb89ad84db2d5f2bad354ad547417
M21-ehw71	Formbook_4f631559	Windows	This strike sends a malware sample known as Formbook. This malicious sample is known as Formbook. Formbook is an information stealer that attempts to collect sensitive information from the target.	4f6315593f81cee989d2d2c376869e5a	https://blog.talosintelligence.com/2021/07/threat-roundup-0625-0702.html SHA256: 9f086d1b80984ca1a1026f47f5d9a84dccf7a0b758bf46643a2d967f24ebaefb SHA1: ded97ce60117970dc4e715a1247cae62e0c119ba MD5: 4f6315593f81cee989d2d2c376869e5a
M21-77on1	Bandidos_3015f878	Windows	This strike sends a polymorphic malware sample known as Bandidos. Recently this campaign was largely found targeting Venezuela and Spanish speaking countries. Infection occurs when malicious emails are sent with a PDF document to their victims. Once the PDF is opened and the link clicked an archive is retrieved with a dropper that injects Bandook into Internet Explorer. The Bandidos payload has many features including manipulating files, taking screenshots, controlling the user cursor on screen, installing additional DLLs, uninstalling itself, and exfiltrating data. This sample is the Dropper.The binary has the timestamp field updated in the PE file header.	3015f8785e0aa11d0cc1eadfe6112916	https://www.welivesecurity.com/2021/07/07/bandidos-at-large-spying-campaign-latin-america/ https://thehackernews.com/2021/07/experts-uncover-malware-attacks.html SHA256: c8c9fe06c5ad3b0041a7e04b7d1aa7df343a872a1b7f38bc58b76b58be759330 https://attack.mitre.org/techniques/T1099/ PARENTID: M21-wp9r1 SSDEEP: 24576:UEZ4iqYQk5zZrikTtPUZwkC02g+fTqPUf/SWKfL7gg6PQVqa9qSb:UEFQ6k0TVkQxPQo9 SHA1: 7af5e775abc01c8befce15b6aac0ef48aa528f7c MD5: 3015f8785e0aa11d0cc1eadfe6112916
M21-p9lw1	Bandidos_78cb7d1e	Windows	This strike sends a polymorphic malware sample known as Bandidos. Recently this campaign was largely found targeting Venezuela and Spanish speaking countries. Infection occurs when malicious emails are sent with a PDF document to their victims. Once the PDF is opened and the link clicked an archive is retrieved with a dropper that injects Bandook into Internet Explorer. The Bandidos payload has many features including manipulating files, taking screenshots, controlling the user cursor on screen, installing additional DLLs, uninstalling itself, and exfiltrating data. This sample is the Dropper.The binary has random strings (lorem ipsum) appended at the end of the file.	78cb7d1e62e3340825e8db41e752bdb8	https://www.welivesecurity.com/2021/07/07/bandidos-at-large-spying-campaign-latin-america/ https://thehackernews.com/2021/07/experts-uncover-malware-attacks.html SHA256: 3590b35fe256a567278c716fb25d2eb874c93928764820086553c2119e429f97 https://attack.mitre.org/techniques/T1009/ PARENTID: M21-wp9r1 SSDEEP: 24576:5EZ4iqYQk5zZrikTtPUZwkC02g+fTqPUf/SWKfL7gg6PQVqa9qSbp:5EFQ6k0TVkQxPQo9u SHA1: cf5ebfbde9fa159f7ebb699fe04b5a42b10ced28 MD5: 78cb7d1e62e3340825e8db41e752bdb8
M21-yljf1	Bandidos_86657996	Windows	This strike sends a polymorphic malware sample known as Bandidos. Recently this campaign was largely found targeting Venezuela and Spanish speaking countries. Infection occurs when malicious emails are sent with a PDF document to their victims. Once the PDF is opened and the link clicked an archive is retrieved with a dropper that injects Bandook into Internet Explorer. The Bandidos payload has many features including manipulating files, taking screenshots, controlling the user cursor on screen, installing additional DLLs, uninstalling itself, and exfiltrating data. This sample is the Dropper.The binary has random strings (lorem ipsum) appended at the end of the file.	866579961556526d991a5917a5adc665	https://www.welivesecurity.com/2021/07/07/bandidos-at-large-spying-campaign-latin-america/ https://thehackernews.com/2021/07/experts-uncover-malware-attacks.html SHA256: c19ea1ace8cf4e46b4a46f5650efc7c6db0855b54fe2302a05d4c16a67d754a1 https://attack.mitre.org/techniques/T1009/ PARENTID: M21-2klg1 SSDEEP: 49152:u435mcqM2uL8Ujfwkrk2vts5Allzg2NZPnzT:uhEfwk18Ah SHA1: 163661d0286971eb3920038e3d68738be98b3f5b MD5: 866579961556526d991a5917a5adc665
M21-ml221	Hupigon_9c25b770	Windows	This strike sends a malware sample known as Hupigon. The Hupigon malware are trojans that allow the remote user to execute commands on the system, such as to delete files and folders, download and execute files, and terminate processes.	9c25b77077f44d79fc5366eb54b22bbd	https://blog.talosintelligence.com/2021/07/threat-roundup-for-july-9-to-july-16.html SHA256: 2e1c1fe7a5c150297ae4a0bda84d89fba054acc8eb1b516be5153fbfe0e9e986 SHA1: 7b64e9d1ef65e090a0845d1abab600fae2e5d8d6 MD5: 9c25b77077f44d79fc5366eb54b22bbd
M21-ovts1	DarkSide_f587adbd	Windows	This strike sends a malware sample known as DarkSide. DarkSide is a ransomware group that made headlines in 2021 when it was attributed to the attack against CompuCom as well as an attack against the Colonial Pipeline, taking the major US fuel pipeline offline.The DarkSide group is known for its very specific approach to targeting victims. Each executable is carefully crafted for its intended target.	f587adbd83ff3f4d2985453cd45c7ab1	https://us-cert.cisa.gov/ncas/analysis-reports/ar21-189a SHA256: 156335b95ba216456f1ac0894b7b9d6ad95404ac7df447940f21646ca0090673 SHA1: 2715340f82426f840cf7e460f53a36fc3aad52aa MD5: f587adbd83ff3f4d2985453cd45c7ab1
M21-zycs1	LokiBot_495fff18	Windows	This strike sends a malware sample known as LokiBot. Lokibot is an information-stealing malware designed to siphon off sensitive information stored on an infected device. It is modular in nature, supporting the ability to steal sensitive information from a number of popular applications. It is commonly pushed via malicious documents delivered via spam emails.	495fff18bc8c631e44c00b273d0742d2	https://blog.talosintelligence.com/2021/07/threat-roundup-0702-0709.html SHA256: 234be2e9be73a8a2ff9da5a7231c37da2bb95fc229b7ddc24f5324576a5c34e1 SHA1: d6c516d97545bb74f307858f91b91596d20eda4c MD5: 495fff18bc8c631e44c00b273d0742d2
M21-cd5g1	LokiBot_589813a9	Windows	This strike sends a malware sample known as LokiBot. Lokibot is an information-stealing malware designed to siphon off sensitive information stored on an infected device. It is modular in nature, supporting the ability to steal sensitive information from a number of popular applications. It is commonly pushed via malicious documents delivered via spam emails.	589813a949474184438f1b7117457913	https://blog.talosintelligence.com/2021/07/threat-roundup-0702-0709.html SHA256: 59aed575bdae0ef8204a771d9d3282cc41880ed9c98305c02213e0b746117654 SHA1: 0fd1fb82e38760a819f506b8fbb85c9abaee2532 MD5: 589813a949474184438f1b7117457913
M21-5xer1	LockBit_889328e2	Windows	This strike sends a malware sample known as LockBit. LockBit is a ransomware that once executed will encrypt the system files until a ransom payment has been made to the attacker. LockBit can scan and spread itself to all targets it finds on a network.	889328e2cf5f5d74531b9b0a25c1871c	https://www.prodaft.com/m/reports/LockBit_Case_Report___TLPWHITE.pdf https://www.mcafee.com/blogs/other-blogs/mcafee-labs/tales-from-the-trenches-a-lockbit-ransomware-story/ https://www.bleepingcomputer.com/news/security/ransomware-gangs-now-creating-websites-to-recruit-affiliates/ SHA256: 0e66029132a885143b87b1e49e32663a52737bbff4ab96186e9e5e829aa2915f SHA1: d14a6e699a1f0805bd1248c80c2dc9dfccf0f403 MD5: 889328e2cf5f5d74531b9b0a25c1871c
M21-xf2x1	REvil_8c26763d	Windows	This strike sends a polymorphic malware sample known as REvil. In July of 2021 a supply chain ransomware attack leveraging an SQL injection vulnerability in Kaseya VSA software was carried out against multiple MSPs and their customers. The ransomware being used in this attack, REvil also known as Sodinokibi, was pushed via an automated malicious update to their customers.The binary has random strings (lorem ipsum) appended at the end of the file.	8c26763d51dcec8d6683558e395b7f17	https://securityscorecard.com/blog/agent-revil-unveiled-in-kaseya-vsa-ransomware-attack SHA256: fbc019520b3ce65a52507428ed30c8fb3285da3e059afc11951a3e97f62b7216 https://attack.mitre.org/techniques/T1009/ PARENTID: M21-2zn41 SSDEEP: 1536:xxd+ReKXU/MQaL7k0B/L7s+Zi+GrZxtQpfyHvtICS4A4UdZls8XzUXiWr4X5F4GF:xtchTojrZxtMhiiZHjUyWr4X5FTDUq SHA1: d0638a70f6cf8e46f22279efa7d364b644207001 MD5: 8c26763d51dcec8d6683558e395b7f17
M21-oe031	LockBit_9a246bf3	Windows	This strike sends a malware sample known as LockBit. LockBit is a ransomware that once executed will encrypt the system files until a ransom payment has been made to the attacker. LockBit can scan and spread itself to all targets it finds on a network.	9a246bf39f3fab9c2d45f1003bdc6b45	https://www.prodaft.com/m/reports/LockBit_Case_Report___TLPWHITE.pdf https://www.mcafee.com/blogs/other-blogs/mcafee-labs/tales-from-the-trenches-a-lockbit-ransomware-story/ https://www.bleepingcomputer.com/news/security/ransomware-gangs-now-creating-websites-to-recruit-affiliates/ SHA256: 76a77def28acf51b2b7cdcbfaa182fe5726dd3f9e891682a4efc3226640b9c78 SHA1: f05e71ed0e4a779fc30c3d732b07e15d56f8e3bc MD5: 9a246bf39f3fab9c2d45f1003bdc6b45
M21-c3kb1	Bandidos_998462a8	Windows	This strike sends a polymorphic malware sample known as Bandidos. Recently this campaign was largely found targeting Venezuela and Spanish speaking countries. Infection occurs when malicious emails are sent with a PDF document to their victims. Once the PDF is opened and the link clicked an archive is retrieved with a dropper that injects Bandook into Internet Explorer. The Bandidos payload has many features including manipulating files, taking screenshots, controlling the user cursor on screen, installing additional DLLs, uninstalling itself, and exfiltrating data. This sample is the Dropper.The binary has random contents appended in one of the existing sections in the PE file format.	998462a846d496b57b30b5f39ee118b0	https://www.welivesecurity.com/2021/07/07/bandidos-at-large-spying-campaign-latin-america/ https://thehackernews.com/2021/07/experts-uncover-malware-attacks.html SHA256: ee56f42edd410332cc062271a8a8c2caf659b643c648888c359993a761e3aff5 https://arxiv.org/abs/1801.08917 PARENTID: M21-2klg1 SSDEEP: 49152:d435mcqM2uL8Ujfwkrk2vts5Allzg2NZPnz:dhEfwk18A SHA1: 4b8bf07db8a88b88a0eed09cc1fb535cb84c907b MD5: 998462a846d496b57b30b5f39ee118b0
M21-o4oe1	Hupigon_793c7c56	Windows	This strike sends a malware sample known as Hupigon. The Hupigon malware are trojans that allow the remote user to execute commands on the system, such as to delete files and folders, download and execute files, and terminate processes.	793c7c568ef53df8d3e838c1119b509e	https://blog.talosintelligence.com/2021/07/threat-roundup-for-july-9-to-july-16.html SHA256: 8db5854db9f3c732edc0d4ef3540b0635848abb70abdfc29049ca25dc4776f07 SHA1: b74402bc23cb607cf6f2ff9ad4031f77b26e3b82 MD5: 793c7c568ef53df8d3e838c1119b509e
M21-or3m1	LokiBot_6c2cd24b	Windows	This strike sends a malware sample known as LokiBot. Lokibot is an information-stealing malware designed to siphon off sensitive information stored on an infected device. It is modular in nature, supporting the ability to steal sensitive information from a number of popular applications. It is commonly pushed via malicious documents delivered via spam emails.	6c2cd24b96a7cf4f1a2d4e4ba2b05453	https://blog.talosintelligence.com/2021/07/threat-roundup-0702-0709.html SHA256: a49c4e4536a52bed7f8fdd16d8feb46a4e624472c9db4e60b0530ca070efd078 SHA1: a60787e3e509755f62558e812fa0a6ff76049ed8 MD5: 6c2cd24b96a7cf4f1a2d4e4ba2b05453
M21-y08v1	Bandidos_80bda1f2	Windows	This strike sends a polymorphic malware sample known as Bandidos. Recently this campaign was largely found targeting Venezuela and Spanish speaking countries. Infection occurs when malicious emails are sent with a PDF document to their victims. Once the PDF is opened and the link clicked an archive is retrieved with a dropper that injects Bandook into Internet Explorer. The Bandidos payload has many features including manipulating files, taking screenshots, controlling the user cursor on screen, installing additional DLLs, uninstalling itself, and exfiltrating data. This sample is the Dropper.The binary has a random section name renamed according to the PE format specification.	80bda1f2647c16ed8050162359401c28	https://www.welivesecurity.com/2021/07/07/bandidos-at-large-spying-campaign-latin-america/ https://thehackernews.com/2021/07/experts-uncover-malware-attacks.html SHA256: 9b232918a9ed4112b3f2961b44945864bf1b90d7b232a4631e4529b7f611212c https://arxiv.org/abs/1801.08917 PARENTID: M21-i0lt1 SSDEEP: 24576:ffKzZ9+FcgTEGJR93oWUZ54a09K1dghmcaGw74MWW:fyytjKE3wh SHA1: d30fa1dfe5f4055b376d0a864424226426dce2d3 MD5: 80bda1f2647c16ed8050162359401c28
M21-1wov1	Formbook_fa710797	Windows	This strike sends a malware sample known as Formbook. This malicious sample is known as Formbook. Formbook is an information stealer that attempts to collect sensitive information from the target.	fa7107970a5b56d0d2c4b5692dbd9d33	https://blog.talosintelligence.com/2021/07/threat-roundup-0625-0702.html SHA256: 058a2309d89e8b24502c3a7ba08882eacecafd2e2d419ddecbe91202f80504fe SHA1: 5ac23d9dd1e4313568682c43516ca69fa9373503 MD5: fa7107970a5b56d0d2c4b5692dbd9d33
M21-xbz51	LockBit_49250b4a	Windows	This strike sends a malware sample known as LockBit. LockBit is a ransomware that once executed will encrypt the system files until a ransom payment has been made to the attacker. LockBit can scan and spread itself to all targets it finds on a network.	49250b4aa060299f0c8f67349c942d1c	https://www.prodaft.com/m/reports/LockBit_Case_Report___TLPWHITE.pdf https://www.mcafee.com/blogs/other-blogs/mcafee-labs/tales-from-the-trenches-a-lockbit-ransomware-story/ https://www.bleepingcomputer.com/news/security/ransomware-gangs-now-creating-websites-to-recruit-affiliates/ SHA256: 69d9dd7fdd88f33e2343fb391ba063a65fe5ffbe649da1c5083ec4a67c525997 SHA1: 4d0e6d7af9a5edece5273f3c312fdd3b9c229409 MD5: 49250b4aa060299f0c8f67349c942d1c
M21-t5q81	Hupigon_58303826	Windows	This strike sends a malware sample known as Hupigon. The Hupigon malware are trojans that allow the remote user to execute commands on the system, such as to delete files and folders, download and execute files, and terminate processes.	58303826aae3c74a9465e4df449426ad	https://blog.talosintelligence.com/2021/07/threat-roundup-for-july-9-to-july-16.html SHA256: 0fff1aa47eb2da56333fa309de651adf025ff8d80c62c95cddd91a2e88a6dbf1 SHA1: 180a448c1d5b59e77098eab4e028206dcdab7ba2 MD5: 58303826aae3c74a9465e4df449426ad
M21-upqr1	LockBit_c270ab0d	Windows	This strike sends a polymorphic malware sample known as LockBit. LockBit is a ransomware that once executed will encrypt the system files until a ransom payment has been made to the attacker. LockBit can scan and spread itself to all targets it finds on a network.The binary has random strings (lorem ipsum) appended at the end of the file.	c270ab0d2922947d199777adabf851bc	https://www.prodaft.com/m/reports/LockBit_Case_Report___TLPWHITE.pdf https://www.mcafee.com/blogs/other-blogs/mcafee-labs/tales-from-the-trenches-a-lockbit-ransomware-story/ https://www.bleepingcomputer.com/news/security/ransomware-gangs-now-creating-websites-to-recruit-affiliates/ SHA256: 5cee6787e8c736c14d708ab9e2afd25856e8be12bcc822dbd1c468c30de58d7c https://attack.mitre.org/techniques/T1009/ PARENTID: M21-h4xy1 SSDEEP: 1536:e/0JJMzS/5uJup2KN/Z9SQ2illYOcJngsxmZ50fBbjpAeuwCU:e/qJMq5uJupjSQ2+1ctgY5bjpp5 SHA1: 24581d8b4ec25345315bbbd782b888361968a19f MD5: c270ab0d2922947d199777adabf851bc
M21-zio51	Hupigon_a8e0c1a2	Windows	This strike sends a malware sample known as Hupigon. The Hupigon malware are trojans that allow the remote user to execute commands on the system, such as to delete files and folders, download and execute files, and terminate processes.	a8e0c1a24ef3690eb2c8c79ea8fc880a	https://blog.talosintelligence.com/2021/07/threat-roundup-for-july-9-to-july-16.html SHA256: a8964c9721dac56c6e77460f82e8c669012d3dbb9ee2629595facc13b1ea744d SHA1: ef7094a262ea9813e5b1bd3fdd82826dc6016ca5 MD5: a8e0c1a24ef3690eb2c8c79ea8fc880a
M21-3dqx1	Bandidos_4dc64170	Windows	This strike sends a polymorphic malware sample known as Bandidos. Recently this campaign was largely found targeting Venezuela and Spanish speaking countries. Infection occurs when malicious emails are sent with a PDF document to their victims. Once the PDF is opened and the link clicked an archive is retrieved with a dropper that injects Bandook into Internet Explorer. The Bandidos payload has many features including manipulating files, taking screenshots, controlling the user cursor on screen, installing additional DLLs, uninstalling itself, and exfiltrating data. This sample is the Dropper.The binary has random strings (lorem ipsum) appended at the end of the file.	4dc6417077e498a189e40dde2efd41da	https://www.welivesecurity.com/2021/07/07/bandidos-at-large-spying-campaign-latin-america/ https://thehackernews.com/2021/07/experts-uncover-malware-attacks.html SHA256: 18b86ad7c385110e6b72e588bf85f6ec6a8862317963c35560a2c0020b636480 https://attack.mitre.org/techniques/T1009/ PARENTID: M21-i0lt1 SSDEEP: 24576:ofKzZ9+FcgTEGJR93oWUZ54a09K1dghmcaGw74MWWY:oyytjKE3whi SHA1: 15e6bed80f4b7efee0f20e0ed1575190a865241c MD5: 4dc6417077e498a189e40dde2efd41da
M21-dfou1	LockBit_5cc28691	Windows	This strike sends a malware sample known as LockBit. LockBit is a ransomware that once executed will encrypt the system files until a ransom payment has been made to the attacker. LockBit can scan and spread itself to all targets it finds on a network.	5cc28691fdaa505b8f453e3500e3d690	https://www.prodaft.com/m/reports/LockBit_Case_Report___TLPWHITE.pdf https://www.mcafee.com/blogs/other-blogs/mcafee-labs/tales-from-the-trenches-a-lockbit-ransomware-story/ https://www.bleepingcomputer.com/news/security/ransomware-gangs-now-creating-websites-to-recruit-affiliates/ SHA256: 286bffaa9c81abfb938fe65be198770c38115cdec95865a241f913769e9bfd3f SHA1: cb3fb57b5c70c3a2f30aa3af078bbb1cfdd1bf02 MD5: 5cc28691fdaa505b8f453e3500e3d690
M21-fd741	LockBit_0d03306e	Windows	This strike sends a malware sample known as LockBit. LockBit is a ransomware that once executed will encrypt the system files until a ransom payment has been made to the attacker. LockBit can scan and spread itself to all targets it finds on a network.	0d03306ed6dd40407e8ae0fa3ffc181f	https://www.prodaft.com/m/reports/LockBit_Case_Report___TLPWHITE.pdf https://www.mcafee.com/blogs/other-blogs/mcafee-labs/tales-from-the-trenches-a-lockbit-ransomware-story/ https://www.bleepingcomputer.com/news/security/ransomware-gangs-now-creating-websites-to-recruit-affiliates/ SHA256: 6fedf83e76d76c59c8ad0da4c5af28f23a12119779f793fd253231b5e3b00a1a SHA1: 39f5ec91f17f2dcee1c9fa124796439bc93a5120 MD5: 0d03306ed6dd40407e8ae0fa3ffc181f
M21-w70i1	LokiBot_32270e69	Windows	This strike sends a malware sample known as LokiBot. Lokibot is an information-stealing malware designed to siphon off sensitive information stored on an infected device. It is modular in nature, supporting the ability to steal sensitive information from a number of popular applications. It is commonly pushed via malicious documents delivered via spam emails.	32270e6929682c0ae0fbd255ff1ed6d5	https://blog.talosintelligence.com/2021/07/threat-roundup-0702-0709.html SHA256: b2214c05ad28423bce386338706021ca62da02d368f0a56844a89a250b562ccd SHA1: 87e562b6f11720cd72a4c44e4ed3b1a0711d682e MD5: 32270e6929682c0ae0fbd255ff1ed6d5
M21-vf0g1	LokiBot_9ec2a2e6	Windows	This strike sends a malware sample known as LokiBot. Lokibot is an information-stealing malware designed to siphon off sensitive information stored on an infected device. It is modular in nature, supporting the ability to steal sensitive information from a number of popular applications. It is commonly pushed via malicious documents delivered via spam emails.	9ec2a2e68f07d83c5904dde328c2f594	https://blog.talosintelligence.com/2021/07/threat-roundup-0702-0709.html SHA256: 872f2db91242bcb9a559e485badafa100fddc0cffb41cfa4ca260a365b5f43f6 SHA1: 7ec6568a23ba57eb2bfee8ad47cacb7460874432 MD5: 9ec2a2e68f07d83c5904dde328c2f594
M21-83181	Bandidos_fc89c12d	Windows	This strike sends a polymorphic malware sample known as Bandidos. Recently this campaign was largely found targeting Venezuela and Spanish speaking countries. Infection occurs when malicious emails are sent with a PDF document to their victims. Once the PDF is opened and the link clicked an archive is retrieved with a dropper that injects Bandook into Internet Explorer. The Bandidos payload has many features including manipulating files, taking screenshots, controlling the user cursor on screen, installing additional DLLs, uninstalling itself, and exfiltrating data. This sample is the Dropper.The binary has a random section name renamed according to the PE format specification.	fc89c12d2438bf86a0983305e9b76ff4	https://www.welivesecurity.com/2021/07/07/bandidos-at-large-spying-campaign-latin-america/ https://thehackernews.com/2021/07/experts-uncover-malware-attacks.html SHA256: 5123e6be3ccce331f20a6d81850a6b73147c09febd3ff3347fb6b2f32680adf9 https://arxiv.org/abs/1801.08917 PARENTID: M21-wp9r1 SSDEEP: 24576:yEZ4iqYQk5zZrikTtPUZwkC02g+fTqPUf/SWKfL7gg6PQVqa9qSb:yEFQ6k0TVkQxPQo9 SHA1: 30a68a861036fe74d4e5c2afc1ca4fd7b694940e MD5: fc89c12d2438bf86a0983305e9b76ff4
M21-e0ts1	LokiBot_f520c950	Windows	This strike sends a malware sample known as LokiBot. Lokibot is an information-stealing malware designed to siphon off sensitive information stored on an infected device. It is modular in nature, supporting the ability to steal sensitive information from a number of popular applications. It is commonly pushed via malicious documents delivered via spam emails.	f520c950b540931fb502ad1fccc6e5ec	https://blog.talosintelligence.com/2021/07/threat-roundup-0702-0709.html SHA256: 32a3bb3048012ecb5c4cd1e9c307606e31235b7cf66d10e40a3faf820dd12554 SHA1: a917643bbc7497ebf51c898e20e8a6ac16d1eae6 MD5: f520c950b540931fb502ad1fccc6e5ec
M21-khbz1	Hupigon_5e15f278	Windows	This strike sends a malware sample known as Hupigon. The Hupigon malware are trojans that allow the remote user to execute commands on the system, such as to delete files and folders, download and execute files, and terminate processes.	5e15f2784f98d21c45029623610e268a	https://blog.talosintelligence.com/2021/07/threat-roundup-for-july-9-to-july-16.html SHA256: 47740a648c13c4288b829d3d3f2242f1d9730a8af5a907de716871e2590b56a1 SHA1: df053239071a8b1088d27eea647b42a623ff9ecf MD5: 5e15f2784f98d21c45029623610e268a
M21-gu481	LockBit_e4179bca	Windows	This strike sends a malware sample known as LockBit. LockBit is a ransomware that once executed will encrypt the system files until a ransom payment has been made to the attacker. LockBit can scan and spread itself to all targets it finds on a network.	e4179bca5bf5b1fd51172d629f5521f8	https://www.prodaft.com/m/reports/LockBit_Case_Report___TLPWHITE.pdf https://www.mcafee.com/blogs/other-blogs/mcafee-labs/tales-from-the-trenches-a-lockbit-ransomware-story/ https://www.bleepingcomputer.com/news/security/ransomware-gangs-now-creating-websites-to-recruit-affiliates/ SHA256: ca57455fd148754bf443a2c8b06dc2a295f014b071e3990dd99916250d21bc75 SHA1: 488e532e55100da68eaeee30ba342cc05810e296 MD5: e4179bca5bf5b1fd51172d629f5521f8
M21-be4c1	Bandidos_b89e1cb9	Mixed	This strike sends a malware sample known as Bandidos. Recently this campaign was largely found targeting Venezuela and Spanish speaking countries. Infection occurs when malicious emails are sent with a PDF document to their victims. Once the PDF is opened and the link clicked an archive is retrieved with a dropper that injects Bandook into Internet Explorer. The Bandidos payload has many features including manipulating files, taking screenshots, controlling the user cursor on screen, installing additional DLLs, uninstalling itself, and exfiltrating data. This sample is the PDF.	b89e1cb9522fbf1a4b54450b0c0c8781	https://thehackernews.com/2021/07/experts-uncover-malware-attacks.html https://www.welivesecurity.com/2021/07/07/bandidos-at-large-spying-campaign-latin-america/ SHA256: 2519475a0d1465481294801e07692ecdf21bbe864d0a973e06fb86398ba9dd61 SHA1: f384bdd63d3541c45fad9d82ef7f36f6c380d4dd MD5: b89e1cb9522fbf1a4b54450b0c0c8781
M21-f3na1	Hupigon_e921af12	Windows	This strike sends a malware sample known as Hupigon. The Hupigon malware are trojans that allow the remote user to execute commands on the system, such as to delete files and folders, download and execute files, and terminate processes.	e921af128394bc17536506a9ea7f1c13	https://blog.talosintelligence.com/2021/07/threat-roundup-for-july-9-to-july-16.html SHA256: d800487b23a227def3770c846e4d8954e777caca74d0d2697c4ee20decaa946e SHA1: 3bad123e07898791c3f4cec8df54f3ff79ba8bea MD5: e921af128394bc17536506a9ea7f1c13
M21-mmnr1	LockBit_5f504bb2	Windows	This strike sends a malware sample known as LockBit. LockBit is a ransomware that once executed will encrypt the system files until a ransom payment has been made to the attacker. LockBit can scan and spread itself to all targets it finds on a network.	5f504bb22471157aafeb887b4412b5de	https://www.prodaft.com/m/reports/LockBit_Case_Report___TLPWHITE.pdf https://www.mcafee.com/blogs/other-blogs/mcafee-labs/tales-from-the-trenches-a-lockbit-ransomware-story/ https://www.bleepingcomputer.com/news/security/ransomware-gangs-now-creating-websites-to-recruit-affiliates/ SHA256: 0f5d71496ab540c3395cfc024778a7ac5c6b5418f165cc753ea2b2befbd42d51 SHA1: 04fcf62555cf2cfaf4ed2d0ac7e973b3215b2de7 MD5: 5f504bb22471157aafeb887b4412b5de
M21-xdgf1	Formbook_7c863257	Windows	This strike sends a malware sample known as Formbook. This malicious sample is known as Formbook. Formbook is an information stealer that attempts to collect sensitive information from the target.	7c863257a55bf029ffa58f2ed25ae22c	https://blog.talosintelligence.com/2021/07/threat-roundup-0625-0702.html SHA256: 791bf882ea8aa1b2087f0882c7012170002fca93de56f191cbba27b2817a5007 SHA1: 096ba1fbd0ffd1d6067df44967a9127ee029855f MD5: 7c863257a55bf029ffa58f2ed25ae22c
M21-juue1	Formbook_857e3a6e	Windows	This strike sends a malware sample known as Formbook. This malicious sample is known as Formbook. Formbook is an information stealer that attempts to collect sensitive information from the target.	857e3a6ecbeada63ae04fc1471abffcd	https://blog.talosintelligence.com/2021/07/threat-roundup-0625-0702.html SHA256: 00b6af7edaa2b00729733a14bc2bc9c73decdc9af3de09b958585ec309db6730 SHA1: 3ff58f110f17f513b0c17e58288ab1ac58640f6a MD5: 857e3a6ecbeada63ae04fc1471abffcd
M21-lla91	LokiBot_ddd0e23f	Windows	This strike sends a malware sample known as LokiBot. Lokibot is an information-stealing malware designed to siphon off sensitive information stored on an infected device. It is modular in nature, supporting the ability to steal sensitive information from a number of popular applications. It is commonly pushed via malicious documents delivered via spam emails.	ddd0e23fed0e19f7cd079acc1d6e546c	https://blog.talosintelligence.com/2021/07/threat-roundup-0702-0709.html SHA256: 92ddf9f9142148776671e1cceda92ec02ba5a846778f08c9179d7a1a89d2b576 SHA1: b6f0beeec5532a777dbe61726b2c5031bf6d80d1 MD5: ddd0e23fed0e19f7cd079acc1d6e546c
M21-0ac11	Formbook_800b669f	Windows	This strike sends a malware sample known as Formbook. This malicious sample is known as Formbook. Formbook is an information stealer that attempts to collect sensitive information from the target.	800b669f5722ce9be29327319cd98f03	https://blog.talosintelligence.com/2021/07/threat-roundup-0625-0702.html SHA256: 1d84d1a99b7add79357e2b8470f97473ff2b7630853266a46f86b360dc23eb58 SHA1: 3f669fc8dc8713c807022539d5916641472337aa MD5: 800b669f5722ce9be29327319cd98f03
M21-700j1	Hupigon_1a979031	Windows	This strike sends a malware sample known as Hupigon. The Hupigon malware are trojans that allow the remote user to execute commands on the system, such as to delete files and folders, download and execute files, and terminate processes.	1a9790316f17c8a39dd67772f78ba2bd	https://blog.talosintelligence.com/2021/07/threat-roundup-for-july-9-to-july-16.html SHA256: 122a04e621b147df461f23cdc10ff45d877c18a5eb97c64f3a33ff2d713c7139 SHA1: 01e7714ceccf7f156bf3eb5311b6679c6f05c459 MD5: 1a9790316f17c8a39dd67772f78ba2bd
M21-7kgh1	LockBit_a04a99d9	Windows	This strike sends a malware sample known as LockBit. LockBit is a ransomware that once executed will encrypt the system files until a ransom payment has been made to the attacker. LockBit can scan and spread itself to all targets it finds on a network.	a04a99d946fb08b2f65ba664ad7faebd	https://www.prodaft.com/m/reports/LockBit_Case_Report___TLPWHITE.pdf https://www.mcafee.com/blogs/other-blogs/mcafee-labs/tales-from-the-trenches-a-lockbit-ransomware-story/ https://www.bleepingcomputer.com/news/security/ransomware-gangs-now-creating-websites-to-recruit-affiliates/ SHA256: faa3453ceb1bd4e5b0b10171eaa908e56e7275173178010fcc323fdea67a6869 SHA1: 1fe7e2f8fbd98d6b5505fd9ee66da5b4f11720a1 MD5: a04a99d946fb08b2f65ba664ad7faebd
M21-a09j1	Formbook_4131d35e	Windows	This strike sends a malware sample known as Formbook. This malicious sample is known as Formbook. Formbook is an information stealer that attempts to collect sensitive information from the target.	4131d35ec6a865907eddcb8faa8cce33	https://blog.talosintelligence.com/2021/07/threat-roundup-0625-0702.html SHA256: 7f98741e8dbf35c91d3a06b890343c392f90f43ada2765b9ebf5918581e35385 SHA1: eaf6e41431c6f4859133a6a49e483203c3ed49f5 MD5: 4131d35ec6a865907eddcb8faa8cce33
M21-yeks1	Formbook_4d3c739b	Windows	This strike sends a malware sample known as Formbook. This malicious sample is known as Formbook. Formbook is an information stealer that attempts to collect sensitive information from the target.	4d3c739bab68b3eea8cd032aef303525	https://blog.talosintelligence.com/2021/07/threat-roundup-0625-0702.html SHA256: 4ea09532da8004377ffcdc400fc8e96c90a836cc83caa394a62bfd865c8e7425 SHA1: a3da1e48715faa85a3fd813c186f7484d4073036 MD5: 4d3c739bab68b3eea8cd032aef303525
M21-gqwj1	LokiBot_9a1f1689	Windows	This strike sends a malware sample known as LokiBot. Lokibot is an information-stealing malware designed to siphon off sensitive information stored on an infected device. It is modular in nature, supporting the ability to steal sensitive information from a number of popular applications. It is commonly pushed via malicious documents delivered via spam emails.	9a1f1689b94d59c040af83f496ba5bbb	https://blog.talosintelligence.com/2021/07/threat-roundup-0702-0709.html SHA256: 478ef5fa2a46f98298605b91bd4fe42cb244afba3b4782e18bb12f6a084b9609 SHA1: 2d7446e076b1ce495f65ec6ee1f520f22835edaf MD5: 9a1f1689b94d59c040af83f496ba5bbb
M21-62nr1	LockBit_207718c9	Windows	This strike sends a malware sample known as LockBit. LockBit is a ransomware that once executed will encrypt the system files until a ransom payment has been made to the attacker. LockBit can scan and spread itself to all targets it finds on a network.	207718c939673a5f674ce51f402cfc06	https://www.prodaft.com/m/reports/LockBit_Case_Report___TLPWHITE.pdf https://www.mcafee.com/blogs/other-blogs/mcafee-labs/tales-from-the-trenches-a-lockbit-ransomware-story/ https://www.bleepingcomputer.com/news/security/ransomware-gangs-now-creating-websites-to-recruit-affiliates/ SHA256: 26b6a9fecfc9d4b4b2c2ff02885b257721687e6b820f72cf2e66c1cae2675739 SHA1: 791f60a24f9b6589a2afed48b3ec17fad43bc1db MD5: 207718c939673a5f674ce51f402cfc06
M21-suhh1	Bandidos_808ffbe3	Windows	This strike sends a polymorphic malware sample known as Bandidos. Recently this campaign was largely found targeting Venezuela and Spanish speaking countries. Infection occurs when malicious emails are sent with a PDF document to their victims. Once the PDF is opened and the link clicked an archive is retrieved with a dropper that injects Bandook into Internet Explorer. The Bandidos payload has many features including manipulating files, taking screenshots, controlling the user cursor on screen, installing additional DLLs, uninstalling itself, and exfiltrating data. This sample is the Dropper.The binary has random contents appended in one of the existing sections in the PE file format.	808ffbe38c037d877279779ea356e0a4	https://www.welivesecurity.com/2021/07/07/bandidos-at-large-spying-campaign-latin-america/ https://thehackernews.com/2021/07/experts-uncover-malware-attacks.html SHA256: 271f9ea13701efddee8d2c77080dcd54d02b2928d81a425963bb84bc0f56d6f5 https://arxiv.org/abs/1801.08917 PARENTID: M21-wp9r1 SSDEEP: 24576:wEZ4iqYQk5zZrikTtPUiwkC02g+fTqPUf/SWKfL7gg6PQVqa9qSb:wEFQRk0TVkQxPQo9 SHA1: 832257a0c6a243da209e4a6bb8feb087d13e557d MD5: 808ffbe38c037d877279779ea356e0a4
M21-y75j1	Formbook_bea316e0	Windows	This strike sends a malware sample known as Formbook. This malicious sample is known as Formbook. Formbook is an information stealer that attempts to collect sensitive information from the target.	bea316e056c7db49d33b4fbfdc052504	https://blog.talosintelligence.com/2021/07/threat-roundup-0625-0702.html SHA256: 85e2ee6d0a2fb9833421a85012326f028f291172b55ec3d0ce7c93464f238d58 SHA1: aae0ab12fa0cc86085e6d6354ad08edf6e988b07 MD5: bea316e056c7db49d33b4fbfdc052504
M21-pwf41	LockBit_1f4f6abf	Windows	This strike sends a malware sample known as LockBit. LockBit is a ransomware that once executed will encrypt the system files until a ransom payment has been made to the attacker. LockBit can scan and spread itself to all targets it finds on a network.	1f4f6abfced4c347ba951a04c8d86982	https://www.prodaft.com/m/reports/LockBit_Case_Report___TLPWHITE.pdf https://www.mcafee.com/blogs/other-blogs/mcafee-labs/tales-from-the-trenches-a-lockbit-ransomware-story/ https://www.bleepingcomputer.com/news/security/ransomware-gangs-now-creating-websites-to-recruit-affiliates/ SHA256: 1b109db549dd0bf64cadafec575b5895690760c7180a4edbf0c5296766162f18 SHA1: a4c486b0926f55e99d12f749135612602cc4bf64 MD5: 1f4f6abfced4c347ba951a04c8d86982
M21-87ek1	Formbook_970841bd	Windows	This strike sends a malware sample known as Formbook. This malicious sample is known as Formbook. Formbook is an information stealer that attempts to collect sensitive information from the target.	970841bdc961619f7665e347ef1806b1	https://blog.talosintelligence.com/2021/07/threat-roundup-0625-0702.html SHA256: 9e424316353fbc89681166a6ef69b2edd31739ae5d8d72a9ab7f516ce50c9b3c SHA1: d67e1162c3dc43dc6390bb08d9fb043b72bece44 MD5: 970841bdc961619f7665e347ef1806b1
M21-zs0s1	Hupigon_53b1c580	Windows	This strike sends a malware sample known as Hupigon. The Hupigon malware are trojans that allow the remote user to execute commands on the system, such as to delete files and folders, download and execute files, and terminate processes.	53b1c580939176a264a724ba4c2493bc	https://blog.talosintelligence.com/2021/07/threat-roundup-for-july-9-to-july-16.html SHA256: d18db2acffcf7dbd5d9ba8a3574b51b9d3d363dde772ab4232c4a59cf38116a5 SHA1: a7c282667b55d5c8ad3fd10c2f49f1cfe03d7a72 MD5: 53b1c580939176a264a724ba4c2493bc
M21-e76y1	Hupigon_df66e570	Windows	This strike sends a malware sample known as Hupigon. The Hupigon malware are trojans that allow the remote user to execute commands on the system, such as to delete files and folders, download and execute files, and terminate processes.	df66e570b2140d6bd39e75c7bbf26ed9	https://blog.talosintelligence.com/2021/07/threat-roundup-for-july-9-to-july-16.html SHA256: 0887cf712624021a19c81f7d56fd7f962a0c81711888f1dfbebc4e8362e4a4d3 SHA1: 70b00bb6c86a32de6175cf7b0a4457d3d7009bb0 MD5: df66e570b2140d6bd39e75c7bbf26ed9
M21-o19a1	Formbook_8ec040b5	Windows	This strike sends a malware sample known as Formbook. This malicious sample is known as Formbook. Formbook is an information stealer that attempts to collect sensitive information from the target.	8ec040b599ca27c33a5503834d0b666f	https://blog.talosintelligence.com/2021/07/threat-roundup-0625-0702.html SHA256: 439341e4b6ef8081dace5531a98a018c31ba3b83a8b58c248db3f9aaa6248e79 SHA1: 0702bd3d9c535fe5a17b0ebb07703135f888c3d0 MD5: 8ec040b599ca27c33a5503834d0b666f
M21-puta1	Babuk	Windows	This strike sends a malware sample known as Babuk Locker. Babuk is a ransomware that first started appearing in early 2021. Recently a tool that was used in the creation of these ransomware samples has been detected in other attacks and is being called Babuk Locker.	cafe07d8c34108007372bd8df42d9ef9	https://www.bleepingcomputer.com/news/security/leaked-babuk-locker-ransomware-builder-used-in-new-attacks/ SHA256: 6103e26f6f9d5fd895d9c06e1f5e141ce74d8ebda999cda6a58a4393de5ed094 SHA1: f137ab4384d071ab51c746f9de976aeea81fb2e6 MD5: cafe07d8c34108007372bd8df42d9ef9
M21-wa9s1	LokiBot_75aa607a	Windows	This strike sends a malware sample known as LokiBot. Lokibot is an information-stealing malware designed to siphon off sensitive information stored on an infected device. It is modular in nature, supporting the ability to steal sensitive information from a number of popular applications. It is commonly pushed via malicious documents delivered via spam emails.	75aa607a9f8bf2af141de19a41b0bd94	https://blog.talosintelligence.com/2021/07/threat-roundup-0702-0709.html SHA256: 9c260f46248c726184ce9eee75b5322d19e2cb82a0b8d51b32338b358b433168 SHA1: 56bd2e24a29e4328d1da2f16737679401267dda2 MD5: 75aa607a9f8bf2af141de19a41b0bd94
M21-gj2f1	Hupigon_05fa4098	Windows	This strike sends a malware sample known as Hupigon. The Hupigon malware are trojans that allow the remote user to execute commands on the system, such as to delete files and folders, download and execute files, and terminate processes.	05fa4098d6102c38982ed2bb55ac21d6	https://blog.talosintelligence.com/2021/07/threat-roundup-for-july-9-to-july-16.html SHA256: 972507d6a5e780d3428e330fd1df06fc30d90a7a5079b5e22100a46ed4be5e99 SHA1: 0ff99b174bd201322ab68d382258998483fa2ae7 MD5: 05fa4098d6102c38982ed2bb55ac21d6
M21-stnz1	LokiBot_2c4b9f71	Windows	This strike sends a malware sample known as LokiBot. Lokibot is an information-stealing malware designed to siphon off sensitive information stored on an infected device. It is modular in nature, supporting the ability to steal sensitive information from a number of popular applications. It is commonly pushed via malicious documents delivered via spam emails.	2c4b9f716576fd4687556af2aa882e1f	https://blog.talosintelligence.com/2021/07/threat-roundup-0702-0709.html SHA256: 7f6713ee87745196c893023e32b845a9c2d16994d0913d222a4dad64268c6bd0 SHA1: 1f2851384d0eb2750b1c9a14dad293250f180c7c MD5: 2c4b9f716576fd4687556af2aa882e1f
M21-2lfa1	Bandidos_c1a93313	Windows	This strike sends a polymorphic malware sample known as Bandidos. Recently this campaign was largely found targeting Venezuela and Spanish speaking countries. Infection occurs when malicious emails are sent with a PDF document to their victims. Once the PDF is opened and the link clicked an archive is retrieved with a dropper that injects Bandook into Internet Explorer. The Bandidos payload has many features including manipulating files, taking screenshots, controlling the user cursor on screen, installing additional DLLs, uninstalling itself, and exfiltrating data. This sample is the Dropper.The binary has the checksum removed in the PE file format.	c1a933139452f8672e4810333a3d43db	https://www.welivesecurity.com/2021/07/07/bandidos-at-large-spying-campaign-latin-america/ https://thehackernews.com/2021/07/experts-uncover-malware-attacks.html SHA256: 8a741eabfe6e3a2da048e253cdbbb23b07d9970ad177a4a960aab30e50ca2b78 https://arxiv.org/abs/1801.08917 PARENTID: M21-wp9r1 SSDEEP: 24576:wEZ4iqYQk5zZrikTtPUZwkC02g+fTqPUf/SWKfL7gg6PQVqa9qSb:wEFQ6k0TVkQxPQo9 SHA1: 7bf0ed9d4da54ab5f5e8ede94a0a292679213c98 MD5: c1a933139452f8672e4810333a3d43db
M21-4qzb1	Hupigon_7937c41d	Windows	This strike sends a malware sample known as Hupigon. The Hupigon malware are trojans that allow the remote user to execute commands on the system, such as to delete files and folders, download and execute files, and terminate processes.	7937c41d346e489bbe34bc996fc11455	https://blog.talosintelligence.com/2021/07/threat-roundup-for-july-9-to-july-16.html SHA256: 24925d89fa4f576a7e76aefcf1c58e78cfad728e03d2b6b12d663bcacb1427e5 SHA1: 18d705fab9d43925897b73a3944c623e15463063 MD5: 7937c41d346e489bbe34bc996fc11455
M21-8i9y1	LockBit_c0cacc5b	Windows	This strike sends a malware sample known as LockBit. LockBit is a ransomware that once executed will encrypt the system files until a ransom payment has been made to the attacker. LockBit can scan and spread itself to all targets it finds on a network.	c0cacc5bf97b854b6025fe0973dc076f	https://www.prodaft.com/m/reports/LockBit_Case_Report___TLPWHITE.pdf https://www.mcafee.com/blogs/other-blogs/mcafee-labs/tales-from-the-trenches-a-lockbit-ransomware-story/ https://www.bleepingcomputer.com/news/security/ransomware-gangs-now-creating-websites-to-recruit-affiliates/ SHA256: 15a7d528587ffc860f038bb5be5e90b79060fbba5948766d9f8aa46381ccde8a SHA1: 0cc92cccebed351b1b5e6b28082af5e00da28678 MD5: c0cacc5bf97b854b6025fe0973dc076f
M21-zzdj1	LokiBot_3d699bcf	Windows	This strike sends a malware sample known as LokiBot. Lokibot is an information-stealing malware designed to siphon off sensitive information stored on an infected device. It is modular in nature, supporting the ability to steal sensitive information from a number of popular applications. It is commonly pushed via malicious documents delivered via spam emails.	3d699bcfc5b1f7f20ed2668c45e8ddcc	https://blog.talosintelligence.com/2021/07/threat-roundup-0702-0709.html SHA256: 230a3f0ff1c9e59f20339884840ab9a55443ee8bde8c0a6abf136896339e78c3 SHA1: 8e5a166ca1828b69caf55ca4e89b9650b5aa047a MD5: 3d699bcfc5b1f7f20ed2668c45e8ddcc
M21-a14w1	LokiBot_f977b8f3	Windows	This strike sends a malware sample known as LokiBot. Lokibot is an information-stealing malware designed to siphon off sensitive information stored on an infected device. It is modular in nature, supporting the ability to steal sensitive information from a number of popular applications. It is commonly pushed via malicious documents delivered via spam emails.	f977b8f3919dc992d6ffe3fd0505815a	https://blog.talosintelligence.com/2021/07/threat-roundup-0702-0709.html SHA256: b388b10e26fee484e4fd855a95e917a00e1dabe7f626636a45d235c8749e80ce SHA1: f7ce396d2d655220b87a762d42c88384771c2c0b MD5: f977b8f3919dc992d6ffe3fd0505815a
M21-bfr31	Babuk	Windows	This strike sends a malware sample known as Babuk Locker. Babuk is a ransomware that first started appearing in early 2021. Recently a tool that was used in the creation of these ransomware samples has been detected in other attacks and is being called Babuk Locker.	ebe7bf69eceb80d155d7a16b8c61e15c	https://www.bleepingcomputer.com/news/security/leaked-babuk-locker-ransomware-builder-used-in-new-attacks/ SHA256: 678bfbf5d73d6cf38532e11b11dbed17668d94711e2e2ea27311dd46490201b7 SHA1: 5c8b0a23360420c33fb89e100fb996215a795a1f MD5: ebe7bf69eceb80d155d7a16b8c61e15c
M21-ojyu1	LockBit_1fbef2a9	Windows	This strike sends a malware sample known as LockBit. LockBit is a ransomware that once executed will encrypt the system files until a ransom payment has been made to the attacker. LockBit can scan and spread itself to all targets it finds on a network.	1fbef2a9007eb0e32fb586e0fca3f0e7	https://www.prodaft.com/m/reports/LockBit_Case_Report___TLPWHITE.pdf https://www.mcafee.com/blogs/other-blogs/mcafee-labs/tales-from-the-trenches-a-lockbit-ransomware-story/ https://www.bleepingcomputer.com/news/security/ransomware-gangs-now-creating-websites-to-recruit-affiliates/ SHA256: 0f178bc093b6b9d25924a85d9a7dde64592215599733e83e3bbc6df219564335 SHA1: 3e86304198d1185a36834e59147fc767315d8678 MD5: 1fbef2a9007eb0e32fb586e0fca3f0e7
M21-sl6h1	Hupigon_1600de31	Windows	This strike sends a malware sample known as Hupigon. The Hupigon malware are trojans that allow the remote user to execute commands on the system, such as to delete files and folders, download and execute files, and terminate processes.	1600de312560e6b773d382413aa70e74	https://blog.talosintelligence.com/2021/07/threat-roundup-for-july-9-to-july-16.html SHA256: 0c1f827e80c419173cb9d52ceb62a2e9d1a7388e296ab92d554d82c0ac935339 SHA1: be84852cd1897d65e79e3c669aeb8f0238e6e49b MD5: 1600de312560e6b773d382413aa70e74
M21-woo21	LockBit_0859a78b	Windows	This strike sends a malware sample known as LockBit. LockBit is a ransomware that once executed will encrypt the system files until a ransom payment has been made to the attacker. LockBit can scan and spread itself to all targets it finds on a network.	0859a78bb06a77e7c6758276eafbefd9	https://www.prodaft.com/m/reports/LockBit_Case_Report___TLPWHITE.pdf https://www.mcafee.com/blogs/other-blogs/mcafee-labs/tales-from-the-trenches-a-lockbit-ransomware-story/ https://www.bleepingcomputer.com/news/security/ransomware-gangs-now-creating-websites-to-recruit-affiliates/ SHA256: ffbb6c4d8d704a530bdd557890f367ad904c09c03f53fda5615a7208a0ea3e4d SHA1: a72e18efa33f1e3438dbb4451c335d487cbd4082 MD5: 0859a78bb06a77e7c6758276eafbefd9
M21-yf5g1	REvil_835f242d	Windows	This strike sends a malware sample known as REvil. In July of 2021 a supply chain ransomware attack leveraging an SQL injection vulnerability in Kaseya VSA software was carried out against multiple MSPs and their customers. The ransomware being used in this attack, REvil also known as Sodinokibi, was pushed via an automated malicious update to their customers.	835f242dde220cc76ee5544119562268	https://securityscorecard.com/blog/agent-revil-unveiled-in-kaseya-vsa-ransomware-attack SHA256: dc6b0e8c1e9c113f0364e1c8370060dee3fcbe25b667ddeca7623a95cd21411f SHA1: 8118474606a68c03581eef85a05a90275aa1ec24 MD5: 835f242dde220cc76ee5544119562268
M21-z93m1	REvil_ce1eefe4	Windows	This strike sends a polymorphic malware sample known as REvil. In July of 2021 a supply chain ransomware attack leveraging an SQL injection vulnerability in Kaseya VSA software was carried out against multiple MSPs and their customers. The ransomware being used in this attack, REvil also known as Sodinokibi, was pushed via an automated malicious update to their customers.The binary has random contents appended in one of the existing sections in the PE file format.	ce1eefe48010f4946cf45ffd6c4bebfa	https://securityscorecard.com/blog/agent-revil-unveiled-in-kaseya-vsa-ransomware-attack SHA256: 1c72875191a80e6e69d6e6c2edda738ad206767979851cfbb18dc0398ea191e4 https://arxiv.org/abs/1801.08917 PARENTID: M21-2zn41 SSDEEP: 1536:Nxd+ReKXU/MQaL7k0B/L7s+Zi+GrZxtQpfyHvtICS4A4UdZls8XzUXiWr4X5F4GC:NtchTojrZxtMhiiZHjUyWr4X5FTDU SHA1: 18522badae740c53c22b0b05f58a233d390caab6 MD5: ce1eefe48010f4946cf45ffd6c4bebfa
M21-14uf1	Formbook_376dd288	Windows	This strike sends a malware sample known as Formbook. This malicious sample is known as Formbook. Formbook is an information stealer that attempts to collect sensitive information from the target.	376dd2886e40bf04651900326d436943	https://blog.talosintelligence.com/2021/07/threat-roundup-0625-0702.html SHA256: 6d009d7e9c6efaf020a6336b3da9022ba552782794e36c112b67142a64394524 SHA1: 2a5cd3de009757e7d5521e0f746f0a0dddcdd39c MD5: 376dd2886e40bf04651900326d436943
M21-mj1g1	Hupigon_4c37493e	Windows	This strike sends a malware sample known as Hupigon. The Hupigon malware are trojans that allow the remote user to execute commands on the system, such as to delete files and folders, download and execute files, and terminate processes.	4c37493e8bd5bd0e734e252aa0be12e5	https://blog.talosintelligence.com/2021/07/threat-roundup-for-july-9-to-july-16.html SHA256: 91fab5bfa3982e9ecc19cb3e82826706cf4c3ada3d3e0d7f0e222affd16aee8d SHA1: e9f3d9b59ca3c2b1528cce323e463b0174f02b60 MD5: 4c37493e8bd5bd0e734e252aa0be12e5
M21-qlr01	Babuk	Windows	This strike sends a polymorphic malware sample known as Babuk Locker. Babuk is a ransomware that first started appearing in early 2021. Recently a tool that was used in the creation of these ransomware samples has been detected in other attacks and is being called Babuk Locker.The binary has the timestamp field updated in the PE file header.	61bf40aa7be7bac60efcec70058af30b	https://www.bleepingcomputer.com/news/security/leaked-babuk-locker-ransomware-builder-used-in-new-attacks/ SHA256: 140bfc9a42927e502c03098d117b58b5b460177584981085a8f28f0065316197 https://attack.mitre.org/techniques/T1099/ PARENTID: M21-uph51 SSDEEP: 1536:Esxl39LgCRQ1+N+srQLOJgY8ZZP8LHD4XWaNH71dLdG1iiFM2iG2hV:EsD9LgWy+N+srQLOJgY8Zp8LHD4XWaN7 SHA1: 45d4bba2b22cf749bb7d57996f76b58b17424540 MD5: 61bf40aa7be7bac60efcec70058af30b
M21-bqce1	Babuk	Windows	This strike sends a polymorphic malware sample known as Babuk Locker. Babuk is a ransomware that first started appearing in early 2021. Recently a tool that was used in the creation of these ransomware samples has been detected in other attacks and is being called Babuk Locker.The binary has random contents appended in one of the existing sections in the PE file format.	cb95970ab2c06f8695a4741fe055ec25	https://www.bleepingcomputer.com/news/security/leaked-babuk-locker-ransomware-builder-used-in-new-attacks/ SHA256: 65b6fdf2b035df1519ee661179ba6b2e699841fafcde4efd2af122d364294ed4 https://arxiv.org/abs/1801.08917 PARENTID: M21-zzq81 SSDEEP: 1536:IK36UhZM4hubesrQLOJgY8ZZP8LHD4XWaNH71dLdG1iiFM2iG2zs4:IKLhZ5YesrQLOJgY8Zp8LHD4XWaNH71m SHA1: aade7e003de8cb530ebf80bb8a72f40a927772e6 MD5: cb95970ab2c06f8695a4741fe055ec25
M21-ot461	LokiBot_92ccd05c	Windows	This strike sends a malware sample known as LokiBot. Lokibot is an information-stealing malware designed to siphon off sensitive information stored on an infected device. It is modular in nature, supporting the ability to steal sensitive information from a number of popular applications. It is commonly pushed via malicious documents delivered via spam emails.	92ccd05c0b161385f503bd62c2f87995	https://blog.talosintelligence.com/2021/07/threat-roundup-0702-0709.html SHA256: 18366411246d9657db902a2d554f01318c29b943986d69c7834e5c48cdbdac1f SHA1: a669798255c6c96e020a302838ab708311c9e206 MD5: 92ccd05c0b161385f503bd62c2f87995
M21-5tad1	REvil_b7ba5484	Windows	This strike sends a malware sample known as REvil. In July of 2021 a supply chain ransomware attack leveraging an SQL injection vulnerability in Kaseya VSA software was carried out against multiple MSPs and their customers. The ransomware being used in this attack, REvil also known as Sodinokibi, was pushed via an automated malicious update to their customers.	b7ba5484a95ceec8374f49c21212853c	https://securityscorecard.com/blog/agent-revil-unveiled-in-kaseya-vsa-ransomware-attack SHA256: 94379bb2c305a5754d60ae3d27daf5f7f4758ed3dad21ee1969640fd9e84e83f SHA1: a942aec58910ad72eff293d926fe9943397eb1a7 MD5: b7ba5484a95ceec8374f49c21212853c
M21-esl01	Hupigon_8d7a6e0a	Windows	This strike sends a malware sample known as Hupigon. The Hupigon malware are trojans that allow the remote user to execute commands on the system, such as to delete files and folders, download and execute files, and terminate processes.	8d7a6e0a188f39c414d6b8e40880a9cf	https://blog.talosintelligence.com/2021/07/threat-roundup-for-july-9-to-july-16.html SHA256: 03b0c0d7138eb07333b6561adb2f8c931a9a5df23773cdc743ac16eee97d2c72 SHA1: cdacd70f847e2dcabccaa29fd92e89b2b2d676ba MD5: 8d7a6e0a188f39c414d6b8e40880a9cf
M21-b61d1	Formbook_783a8f3a	Windows	This strike sends a malware sample known as Formbook. This malicious sample is known as Formbook. Formbook is an information stealer that attempts to collect sensitive information from the target.	783a8f3a3d9f1f92e310775bc1bc3bf3	https://blog.talosintelligence.com/2021/07/threat-roundup-0625-0702.html SHA256: 66ce3bdcd391f238136f7b126f88bcbd6cebbebab1187083c4305bbb09ecfd55 SHA1: 423d3c2b4a235d0143a0d0177713f13073c4f5fc MD5: 783a8f3a3d9f1f92e310775bc1bc3bf3
M21-z0zi1	Bandidos_0f31bba7	Windows	This strike sends a polymorphic malware sample known as Bandidos. Recently this campaign was largely found targeting Venezuela and Spanish speaking countries. Infection occurs when malicious emails are sent with a PDF document to their victims. Once the PDF is opened and the link clicked an archive is retrieved with a dropper that injects Bandook into Internet Explorer. The Bandidos payload has many features including manipulating files, taking screenshots, controlling the user cursor on screen, installing additional DLLs, uninstalling itself, and exfiltrating data. This sample is the Dropper.The binary has random bytes appended at the end of the file.	0f31bba7e0fe074a70230e5504ab1bc0	https://www.welivesecurity.com/2021/07/07/bandidos-at-large-spying-campaign-latin-america/ https://thehackernews.com/2021/07/experts-uncover-malware-attacks.html SHA256: 17af5974523db986f957c30dd46f70d0505670c21e2fef49642315413ac9394f https://attack.mitre.org/techniques/T1009/ PARENTID: M21-2klg1 SSDEEP: 49152:u435mcqM2uL8Ujfwkrk2vts5Allzg2NZPnz0:uhEfwk18Ay SHA1: 9121403287fa121646fbdc5c99d3a38b1ba3b1e0 MD5: 0f31bba7e0fe074a70230e5504ab1bc0
M21-hl0o1	REvil_c3afcdff	Windows	This strike sends a malware sample known as REvil. In July of 2021 a supply chain ransomware attack leveraging an SQL injection vulnerability in Kaseya VSA software was carried out against multiple MSPs and their customers. The ransomware being used in this attack, REvil also known as Sodinokibi, was pushed via an automated malicious update to their customers.	c3afcdffa4aeeee56b80cf2fd3c9758c	https://securityscorecard.com/blog/agent-revil-unveiled-in-kaseya-vsa-ransomware-attack SHA256: 9b46d03b690bda0df57c0ebb8dae0aebdd1d131beb500242fa8fe59cb260eed1 SHA1: e405c212107696a579494a67531ca5877956fac0 MD5: c3afcdffa4aeeee56b80cf2fd3c9758c
M21-8cqv1	LockBit_5761ee98	Windows	This strike sends a malware sample known as LockBit. LockBit is a ransomware that once executed will encrypt the system files until a ransom payment has been made to the attacker. LockBit can scan and spread itself to all targets it finds on a network.	5761ee98b1c2fea31b5408516a8929ea	https://www.prodaft.com/m/reports/LockBit_Case_Report___TLPWHITE.pdf https://www.mcafee.com/blogs/other-blogs/mcafee-labs/tales-from-the-trenches-a-lockbit-ransomware-story/ https://www.bleepingcomputer.com/news/security/ransomware-gangs-now-creating-websites-to-recruit-affiliates/ SHA256: 0a937d4fe8aa6cb947b95841c490d73e452a3cafcd92645afc353006786aba76 SHA1: 4d043df23e55088bfc04c14dfb9ddb329a703cc1 MD5: 5761ee98b1c2fea31b5408516a8929ea
M21-sfz31	REvil_eabb9030	Windows	This strike sends a polymorphic malware sample known as REvil. In July of 2021 a supply chain ransomware attack leveraging an SQL injection vulnerability in Kaseya VSA software against multiple MSPs and their customers was reported. The ransomware being used in this attack, REvil also known as Sodinokibi, was pushed via an automated malicious update to their customers.The binary has the timestamp field updated in the PE file header.	eabb90300cc0e02299681a93ad1db181	https://securityscorecard.com/blog/agent-revil-unveiled-in-kaseya-vsa-ransomware-attack https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/diving-deeper-into-the-kaseya-vsa-attack-revil-returns-and-other-hackers-are-riding-their-coattails/ SHA256: 60c689eedae4c93f8fe79ff356108897662cd0283bb2657c92e41b08a4abea27 https://attack.mitre.org/techniques/T1099/ PARENTID: M21-x3mk1 SSDEEP: 24576:ZMz7ETDWX4XukZeVL/kYx9P/JY6gfjcsAE:mfF7k4pB/JYPIsAE SHA1: c84e3aac856dffe3e2831446e5461f7e205ee43b MD5: eabb90300cc0e02299681a93ad1db181
M21-jjwa1	Bandidos_eb5f7076	Windows	This strike sends a polymorphic malware sample known as Bandidos. Recently this campaign was largely found targeting Venezuela and Spanish speaking countries. Infection occurs when malicious emails are sent with a PDF document to their victims. Once the PDF is opened and the link clicked an archive is retrieved with a dropper that injects Bandook into Internet Explorer. The Bandidos payload has many features including manipulating files, taking screenshots, controlling the user cursor on screen, installing additional DLLs, uninstalling itself, and exfiltrating data. This sample is the Dropper.The binary has random contents appended in one of the existing sections in the PE file format.	eb5f7076a810e1dcd7797545f05e5664	https://www.welivesecurity.com/2021/07/07/bandidos-at-large-spying-campaign-latin-america/ https://thehackernews.com/2021/07/experts-uncover-malware-attacks.html SHA256: bed5b6da3511ebc6f6cc295e840997065940c8b2d933c05f2bc2a3f88d9aeb65 https://arxiv.org/abs/1801.08917 PARENTID: M21-i0lt1 SSDEEP: 24576:AfKzZ9+FcgTEGJR93oWUZ54a09K1dghmcaGw74MWW:AyytjKE3wh SHA1: d83dbde426b548e8bb9ebdceb7f9a9d6a57f7146 MD5: eb5f7076a810e1dcd7797545f05e5664
M21-fs4p1	Babuk	Windows	This strike sends a polymorphic malware sample known as Babuk Locker. Babuk is a ransomware that first started appearing in early 2021. Recently a tool that was used in the creation of these ransomware samples has been detected in other attacks and is being called Babuk Locker.The binary has the debug flag removed in the PE file format.	a8c465b971bb6ccfc517cf132a97f16d	https://www.bleepingcomputer.com/news/security/leaked-babuk-locker-ransomware-builder-used-in-new-attacks/ SHA256: 0a5e95ab38058c4adb8b7bb3ed416c31b59a93d531356f6a7545fffcaa16a826 https://arxiv.org/abs/1801.08917 PARENTID: M21-uph51 SSDEEP: 1536:Ysxl39LgCRQ1+N+srQLOJgY8ZZP8LHD4XWaNH71dLdG1iiFM2iG2hV:YsD9LgWy+N+srQLOJgY8Zp8LHD4XWaN7 SHA1: 9bb397ce7c04cbf84858cd85f5ee9b3b42249d37 MD5: a8c465b971bb6ccfc517cf132a97f16d
M21-uph51	Babuk	Windows	This strike sends a malware sample known as Babuk Locker. Babuk is a ransomware that first started appearing in early 2021. Recently a tool that was used in the creation of these ransomware samples has been detected in other attacks and is being called Babuk Locker.	d6fc9e993c69aceb7a5501641fc823fa	https://www.bleepingcomputer.com/news/security/leaked-babuk-locker-ransomware-builder-used-in-new-attacks/ SHA256: ed0f154481261e9a08dcc4f7e4d396bce75526811216106daa70d4148c660d76 SHA1: 7839b437b279d3f0ec22a57df7ea84ad01322c17 MD5: d6fc9e993c69aceb7a5501641fc823fa
M21-2rdr1	LokiBot_0a698e88	Windows	This strike sends a malware sample known as LokiBot. Lokibot is an information-stealing malware designed to siphon off sensitive information stored on an infected device. It is modular in nature, supporting the ability to steal sensitive information from a number of popular applications. It is commonly pushed via malicious documents delivered via spam emails.	0a698e8808618abeb1fbe9930d6d9fbc	https://blog.talosintelligence.com/2021/07/threat-roundup-0702-0709.html SHA256: 2002aa11f9d36098b9546376a0e21d0fb05161c772831a9254d21324dc94e5a2 SHA1: 4a3c8e24f859de38025d4c8c162950eaa2e415b9 MD5: 0a698e8808618abeb1fbe9930d6d9fbc
M21-7lro1	Bandidos_06d613cc	Windows	This strike sends a polymorphic malware sample known as Bandidos. Recently this campaign was largely found targeting Venezuela and Spanish speaking countries. Infection occurs when malicious emails are sent with a PDF document to their victims. Once the PDF is opened and the link clicked an archive is retrieved with a dropper that injects Bandook into Internet Explorer. The Bandidos payload has many features including manipulating files, taking screenshots, controlling the user cursor on screen, installing additional DLLs, uninstalling itself, and exfiltrating data. This sample is the Dropper.The binary has random bytes appended at the end of the file.	06d613ccf59608145e0ef7235f9ff4c6	https://www.welivesecurity.com/2021/07/07/bandidos-at-large-spying-campaign-latin-america/ https://thehackernews.com/2021/07/experts-uncover-malware-attacks.html SHA256: 018a10ecea6b4315e863e4dedf88169330facf0cd8a3245d2415f2673b88c6d8 https://attack.mitre.org/techniques/T1009/ PARENTID: M21-i0lt1 SSDEEP: 24576:ofKzZ9+FcgTEGJR93oWUZ54a09K1dghmcaGw74MWWY:oyytjKE3whC SHA1: 557f5ffc308635f71320c06fe5a1bfe16a96884c MD5: 06d613ccf59608145e0ef7235f9ff4c6
M21-zzq81	Babuk	Windows	This strike sends a malware sample known as Babuk Locker. Babuk is a ransomware that first started appearing in early 2021. Recently a tool that was used in the creation of these ransomware samples has been detected in other attacks and is being called Babuk Locker.	b8e5bd86046b596d8cf43843f433bb5d	https://www.bleepingcomputer.com/news/security/leaked-babuk-locker-ransomware-builder-used-in-new-attacks/ SHA256: bb31f235e86b0fda185e6580ef5327f80d6a6c754f78499e8647de5e229769cc SHA1: e4934d730f999bc2bc0e05fec3b9afe324d8a32b MD5: b8e5bd86046b596d8cf43843f433bb5d
M21-oej51	LokiBot_5e0f32cb	Windows	This strike sends a malware sample known as LokiBot. Lokibot is an information-stealing malware designed to siphon off sensitive information stored on an infected device. It is modular in nature, supporting the ability to steal sensitive information from a number of popular applications. It is commonly pushed via malicious documents delivered via spam emails.	5e0f32cb907fa23b7d4dc8c684e9720b	https://blog.talosintelligence.com/2021/07/threat-roundup-0702-0709.html SHA256: 82d97cc4feac447f269099b023427c00f457978c2c7131144872ce4e1b6fbaa5 SHA1: e42369d6191cf97afca367324a2dcf57550f25aa MD5: 5e0f32cb907fa23b7d4dc8c684e9720b
M21-ws2v1	Hupigon_1e9bbb20	Windows	This strike sends a malware sample known as Hupigon. The Hupigon malware are trojans that allow the remote user to execute commands on the system, such as to delete files and folders, download and execute files, and terminate processes.	1e9bbb205b4c79024fcc440bd1130726	https://blog.talosintelligence.com/2021/07/threat-roundup-for-july-9-to-july-16.html SHA256: 4f6c2f4aa94bd6ce1311440e5ff3b70b1dd735269191cce1b6c646ecfc5c0847 SHA1: 022095d0e06eb9396104c85c1e4facbad552a71d MD5: 1e9bbb205b4c79024fcc440bd1130726
M21-0sqm1	Formbook_5742fec2	Windows	This strike sends a malware sample known as Formbook. This malicious sample is known as Formbook. Formbook is an information stealer that attempts to collect sensitive information from the target.	5742fec23905873e891ea7329acd3970	https://blog.talosintelligence.com/2021/07/threat-roundup-0625-0702.html SHA256: a7ad003a9a0d32f74833166178765af17cb09672095f96ad717b40983b2d4e49 SHA1: 5c665c1311b5d84d8eec0ae5bfeea30a177c9f18 MD5: 5742fec23905873e891ea7329acd3970
M21-y1hk1	LokiBot_43b38e77	Windows	This strike sends a malware sample known as LokiBot. Lokibot is an information-stealing malware designed to siphon off sensitive information stored on an infected device. It is modular in nature, supporting the ability to steal sensitive information from a number of popular applications. It is commonly pushed via malicious documents delivered via spam emails.	43b38e775099053f93f72ac9ab5bfc25	https://blog.talosintelligence.com/2021/07/threat-roundup-0702-0709.html SHA256: a72771be7b1f90d039e9a6f489c32f85779c9fb9411a33cc2e9012bc0b77f5d5 SHA1: 7952572e99d48dabf53ae98d2e902f7e4135d1f2 MD5: 43b38e775099053f93f72ac9ab5bfc25
M21-7ci91	Babuk	Windows	This strike sends a malware sample known as Babuk Locker. Babuk is a ransomware that first started appearing in early 2021. Recently a tool that was used in the creation of these ransomware samples has been detected in other attacks and is being called Babuk Locker.	f0d4c7d334633a72a3c7bd722e12c378	https://www.bleepingcomputer.com/news/security/leaked-babuk-locker-ransomware-builder-used-in-new-attacks/ SHA256: 1f2edda243404918b78aa6123aa1fc5b18dd9506e4042c7a1547b565334527e1 SHA1: 5240f71f60c473b5f9ba100d2ce1d6effdbc08c1 MD5: f0d4c7d334633a72a3c7bd722e12c378
M21-y41s1	Babuk	Windows	This strike sends a malware sample known as Babuk Locker. Babuk is a ransomware that first started appearing in early 2021. Recently a tool that was used in the creation of these ransomware samples has been detected in other attacks and is being called Babuk Locker.	567c8369e6ab695c9d65a629d6f45710	https://www.bleepingcomputer.com/news/security/leaked-babuk-locker-ransomware-builder-used-in-new-attacks/ SHA256: 6d4ced2e85587e81d6a09b147ec7cccc054bc0fbb92afc39586de1b2bf57f812 SHA1: e755a778896378a5375785736063d4b6831a10b4 MD5: 567c8369e6ab695c9d65a629d6f45710
M21-pw5z1	Hupigon_d31fd664	Windows	This strike sends a malware sample known as Hupigon. The Hupigon malware are trojans that allow the remote user to execute commands on the system, such as to delete files and folders, download and execute files, and terminate processes.	d31fd6646d114a6c8b41772f82e3e38b	https://blog.talosintelligence.com/2021/07/threat-roundup-for-july-9-to-july-16.html SHA256: 869f6286a05cabb5b45ee25a84ac2a77b21813fec04d85a585ec4f6133890a58 SHA1: 20af79b138d20e4cd35c81a292954a4f493263d1 MD5: d31fd6646d114a6c8b41772f82e3e38b
M21-z2ro1	Formbook_329f7e4e	Windows	This strike sends a malware sample known as Formbook. This malicious sample is known as Formbook. Formbook is an information stealer that attempts to collect sensitive information from the target.	329f7e4e00314e9cb074d15b2347df16	https://blog.talosintelligence.com/2021/07/threat-roundup-0625-0702.html SHA256: 35ef714239b96dac502edee1da7c546039a67dfd31ff8751927cd4b9c86b83a7 SHA1: 6f80890e02149ad76e4c9ebf7b881acd92f7d08b MD5: 329f7e4e00314e9cb074d15b2347df16
M21-1ww11	Formbook_42e783c3	Windows	This strike sends a malware sample known as Formbook. This malicious sample is known as Formbook. Formbook is an information stealer that attempts to collect sensitive information from the target.	42e783c3fcea37f1ea7eaa89c45b31e6	https://blog.talosintelligence.com/2021/07/threat-roundup-0625-0702.html SHA256: a0f0cf9630816feae91a78847e7c2c95581e150d4d1c7804c9a88eef1d0393a5 SHA1: bc0a3dfcae3c5d954d7db8582a7ef0791fc75617 MD5: 42e783c3fcea37f1ea7eaa89c45b31e6
M21-4hk31	Hupigon_2b6f5cd3	Windows	This strike sends a malware sample known as Hupigon. The Hupigon malware are trojans that allow the remote user to execute commands on the system, such as to delete files and folders, download and execute files, and terminate processes.	2b6f5cd3688abd349f4cfb94164562cb	https://blog.talosintelligence.com/2021/07/threat-roundup-for-july-9-to-july-16.html SHA256: 79b37f33abb6c24762b75c552ebe9e8e4a65f73d5abc87da06cf4e2a1e399bd0 SHA1: e249f08dda34e4e0c73973b077d39ff429501d1e MD5: 2b6f5cd3688abd349f4cfb94164562cb
M21-dre81	LokiBot_141c2a99	Windows	This strike sends a malware sample known as LokiBot. Lokibot is an information-stealing malware designed to siphon off sensitive information stored on an infected device. It is modular in nature, supporting the ability to steal sensitive information from a number of popular applications. It is commonly pushed via malicious documents delivered via spam emails.	141c2a99ec6c365eebcfe39e8dd84be3	https://blog.talosintelligence.com/2021/07/threat-roundup-0702-0709.html SHA256: 88fecf445479b1e72beb29df878e65c087deb1e9987ecde0ef9fe66d33c6f7e1 SHA1: f7be04cc45fc66587a546fb181310520e880ca48 MD5: 141c2a99ec6c365eebcfe39e8dd84be3
M21-bbom1	Bandidos_a09d7cb6	Windows	This strike sends a polymorphic malware sample known as Bandidos. Recently this campaign was largely found targeting Venezuela and Spanish speaking countries. Infection occurs when malicious emails are sent with a PDF document to their victims. Once the PDF is opened and the link clicked an archive is retrieved with a dropper that injects Bandook into Internet Explorer. The Bandidos payload has many features including manipulating files, taking screenshots, controlling the user cursor on screen, installing additional DLLs, uninstalling itself, and exfiltrating data. This sample is the Dropper.The binary has the timestamp field updated in the PE file header.	a09d7cb6933ebc776f1321b9e41599a6	https://www.welivesecurity.com/2021/07/07/bandidos-at-large-spying-campaign-latin-america/ https://thehackernews.com/2021/07/experts-uncover-malware-attacks.html SHA256: c5ac72a41c0bcb35aea8362dbad638a7b64fbf361ca82bcd12031eb5b6407dec https://attack.mitre.org/techniques/T1099/ PARENTID: M21-i0lt1 SSDEEP: 24576:SfKzZ9+FcgTEGJR93oWUZ54a09K1dghmcaGw74MWW:SyytjKE3wh SHA1: 28eddbb3b05a00516b418c224798bf1244134ddd MD5: a09d7cb6933ebc776f1321b9e41599a6
M21-x3mk1	REvil_561cffba	Windows	This strike sends a malware sample known as REvil. In July of 2021 a supply chain ransomware attack leveraging an SQL injection vulnerability in Kaseya VSA software against multiple MSPs and their customers was reported. The ransomware being used in this attack, REvil also known as Sodinokibi, was pushed via an automated malicious update to their customers.	561cffbaba71a6e8cc1cdceda990ead4	https://securityscorecard.com/blog/agent-revil-unveiled-in-kaseya-vsa-ransomware-attack https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/diving-deeper-into-the-kaseya-vsa-attack-revil-returns-and-other-hackers-are-riding-their-coattails/ SHA256: d55f983c994caa160ec63a59f6b4250fe67fb3e8c43a388aec60a4a6978e9f1e SHA1: 5162f14d75e96edb914d1756349d6e11583db0b0 MD5: 561cffbaba71a6e8cc1cdceda990ead4
M21-531i1	Formbook_ed023da1	Windows	This strike sends a malware sample known as Formbook. This malicious sample is known as Formbook. Formbook is an information stealer that attempts to collect sensitive information from the target.	ed023da1556dcf73ce6657ae1642194a	https://blog.talosintelligence.com/2021/07/threat-roundup-0625-0702.html SHA256: 73e2f69e19e575c987a9004886e42129fc259758f19a48badaa52fcb7f9925cb SHA1: 1c548d48108be141c8e6fbaedaefc24ac911c014 MD5: ed023da1556dcf73ce6657ae1642194a
M21-52zz1	LockBit_fd902870	Windows	This strike sends a polymorphic malware sample known as LockBit. LockBit is a ransomware that once executed will encrypt the system files until a ransom payment has been made to the attacker. LockBit can scan and spread itself to all targets it finds on a network.The binary has the checksum removed in the PE file format.	fd902870de737723e6da1e0ba10f1385	https://www.prodaft.com/m/reports/LockBit_Case_Report___TLPWHITE.pdf https://www.mcafee.com/blogs/other-blogs/mcafee-labs/tales-from-the-trenches-a-lockbit-ransomware-story/ https://www.bleepingcomputer.com/news/security/ransomware-gangs-now-creating-websites-to-recruit-affiliates/ SHA256: e3d0df68fb6d028ffdd85bd0ebcb7ed04bc9c88c024c33ac0aaeb351f416b8bf https://arxiv.org/abs/1801.08917 PARENTID: M21-h4xy1 SSDEEP: 1536:T/0JJMzS/5uJup2KN/Z9SQ2illYOcJngsxmZ50fBbjpAeuwC:T/qJMq5uJupjSQ2+1ctgY5bjpp SHA1: 5f2fb4a4c47f8a9edf712bfe4898582d780478d3 MD5: fd902870de737723e6da1e0ba10f1385
M21-wp9r1	Bandidos_695ebe3e	Windows	This strike sends a malware sample known as Bandidos. Recently this campaign was largely found targeting Venezuela and Spanish speaking countries. Infection occurs when malicious emails are sent with a PDF document to their victims. Once the PDF is opened and the link clicked an archive is retrieved with a dropper that injects Bandook into Internet Explorer. The Bandidos payload has many features including manipulating files, taking screenshots, controlling the user cursor on screen, installing additional DLLs, uninstalling itself, and exfiltrating data. This sample is the Dropper.	695ebe3e45a89552d7dabbc2b972ed66	https://www.welivesecurity.com/2021/07/07/bandidos-at-large-spying-campaign-latin-america/ https://thehackernews.com/2021/07/experts-uncover-malware-attacks.html SHA256: d3e7b5be903eb9a596b9b2b78e5dd28390c6aadb8bdd4ea1ba3d896d99fa0057 SHA1: 89f1e932cc37e4515433696e3963bb3163cc4927 MD5: 695ebe3e45a89552d7dabbc2b972ed66
M21-ba5n1	Babuk	Windows	This strike sends a malware sample known as Babuk Locker. Babuk is a ransomware that first started appearing in early 2021. Recently a tool that was used in the creation of these ransomware samples has been detected in other attacks and is being called Babuk Locker.	4161cbe9722d98ffe53636e9efa874ca	https://www.bleepingcomputer.com/news/security/leaked-babuk-locker-ransomware-builder-used-in-new-attacks/ SHA256: b4be6b8acda97f36c448365751d5c9a9e1b91f47cedfde79e1de258413c3de71 SHA1: c81aa4a4a5ac0eb22b8e9bf3024f2cd3b4db7eaa MD5: 4161cbe9722d98ffe53636e9efa874ca
M21-7mji1	Babuk	Windows	This strike sends a malware sample known as Babuk Locker. Babuk is a ransomware that first started appearing in early 2021. Recently a tool that was used in the creation of these ransomware samples has been detected in other attacks and is being called Babuk Locker.	dfaa9121f4165a9f38a8406d82f0ab71	https://www.bleepingcomputer.com/news/security/leaked-babuk-locker-ransomware-builder-used-in-new-attacks/ SHA256: a2b5ebfc52a447cde255e1ec1ac8797ad49b156ed427df8c292d6aeb4dad5523 SHA1: b592c787d347287efe410a43555e218e9ccfab10 MD5: dfaa9121f4165a9f38a8406d82f0ab71
M21-v70w1	Formbook_49fa2aec	Windows	This strike sends a malware sample known as Formbook. This malicious sample is known as Formbook. Formbook is an information stealer that attempts to collect sensitive information from the target.	49fa2aecca84c2cccd83b20297143646	https://blog.talosintelligence.com/2021/07/threat-roundup-0625-0702.html SHA256: 6111eeaab08838bc32e1f0ade3b5af96955c29d459a3702090369598a5a1d067 SHA1: d0cf9fb098f5a2fdc87b62ba9a794ecaa998e56b MD5: 49fa2aecca84c2cccd83b20297143646
M21-8mz41	LockBit_ec273b58	Windows	This strike sends a malware sample known as LockBit. LockBit is a ransomware that once executed will encrypt the system files until a ransom payment has been made to the attacker. LockBit can scan and spread itself to all targets it finds on a network.	ec273b5841eadfc43b1908c9905e95a3	https://www.prodaft.com/m/reports/LockBit_Case_Report___TLPWHITE.pdf https://www.mcafee.com/blogs/other-blogs/mcafee-labs/tales-from-the-trenches-a-lockbit-ransomware-story/ https://www.bleepingcomputer.com/news/security/ransomware-gangs-now-creating-websites-to-recruit-affiliates/ SHA256: 410c884d883ebe2172507b5eadd10bc8a2ae2564ba0d33b1e84e5f3c22bd3677 SHA1: 71e7990c8c81ef6c4e265eae11030886c40cc8b0 MD5: ec273b5841eadfc43b1908c9905e95a3
M21-pz0i1	REvil_f81958d7	Windows	This strike sends a polymorphic malware sample known as REvil. In July of 2021 a supply chain ransomware attack leveraging an SQL injection vulnerability in Kaseya VSA software against multiple MSPs and their customers was reported. The ransomware being used in this attack, REvil also known as Sodinokibi, was pushed via an automated malicious update to their customers.The binary has a random section name renamed according to the PE format specification.	f81958d74101253e7d1f14fe4c6ff560	https://securityscorecard.com/blog/agent-revil-unveiled-in-kaseya-vsa-ransomware-attack https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/diving-deeper-into-the-kaseya-vsa-attack-revil-returns-and-other-hackers-are-riding-their-coattails/ SHA256: 9aa82c72004ae8617f94d8105dbdc8df2e092c75556ae63eb2fa009cd08ed9a5 https://arxiv.org/abs/1801.08917 PARENTID: M21-x3mk1 SSDEEP: 24576:1Mz7ETDWX4XukZeVL/kYx9P/JY6gfjcsAE:ifF7k4pB/JYPIsAE SHA1: 82dde90c08793ebbc7b10b7204362a0ab92acf82 MD5: f81958d74101253e7d1f14fe4c6ff560
M21-h4xy1	LockBit_9fe9f4ee	Windows	This strike sends a malware sample known as LockBit. LockBit is a ransomware that once executed will encrypt the system files until a ransom payment has been made to the attacker. LockBit can scan and spread itself to all targets it finds on a network.	9fe9f4ee717bae3a5c9fdf1d380e015d	https://www.prodaft.com/m/reports/LockBit_Case_Report___TLPWHITE.pdf https://www.mcafee.com/blogs/other-blogs/mcafee-labs/tales-from-the-trenches-a-lockbit-ransomware-story/ https://www.bleepingcomputer.com/news/security/ransomware-gangs-now-creating-websites-to-recruit-affiliates/ SHA256: 1e3bf358c76f4030ffc4437d5fcd80c54bd91b361abb43a4fa6340e62d986770 SHA1: 7df22f2fbe86a07070f262f94e233860b6ae66b2 MD5: 9fe9f4ee717bae3a5c9fdf1d380e015d
M21-qao81	LockBit_265d02e0	Windows	This strike sends a malware sample known as LockBit. LockBit is a ransomware that once executed will encrypt the system files until a ransom payment has been made to the attacker. LockBit can scan and spread itself to all targets it finds on a network.	265d02e0a563bbdbdb2883add41ff4bb	https://www.prodaft.com/m/reports/LockBit_Case_Report___TLPWHITE.pdf https://www.mcafee.com/blogs/other-blogs/mcafee-labs/tales-from-the-trenches-a-lockbit-ransomware-story/ https://www.bleepingcomputer.com/news/security/ransomware-gangs-now-creating-websites-to-recruit-affiliates/ SHA256: 13849c0c923bfed5ab37224d59e2d12e3e72f97dc7f539136ae09484cbe8e5e0 SHA1: 01890a3874787dcd74fc548d724b32ed9562abe4 MD5: 265d02e0a563bbdbdb2883add41ff4bb
M21-2zn41	REvil_94d08716	Windows	This strike sends a malware sample known as REvil. In July of 2021 a supply chain ransomware attack leveraging an SQL injection vulnerability in Kaseya VSA software was carried out against multiple MSPs and their customers. The ransomware being used in this attack, REvil also known as Sodinokibi, was pushed via an automated malicious update to their customers.	94d087166651c0020a9e6cc2fdacdc0c	https://securityscorecard.com/blog/agent-revil-unveiled-in-kaseya-vsa-ransomware-attack SHA256: 9b11711efed24b3c6723521a7d7eb4a52e4914db7420e278aa36e727459d59dd SHA1: 99be22569ba9b1e49d3fd36f65faa6795672fcc0 MD5: 94d087166651c0020a9e6cc2fdacdc0c
M21-2aer1	Formbook_6127f5d1	Windows	This strike sends a malware sample known as Formbook. This malicious sample is known as Formbook. Formbook is an information stealer that attempts to collect sensitive information from the target.	6127f5d1a39a07a6a33155f9181bd5c4	https://blog.talosintelligence.com/2021/07/threat-roundup-0625-0702.html SHA256: 191db0df191fa868b366cd9b221708bbf46680102decb2fe5bd9838d4edb6db9 SHA1: d0ca2af22b935484a1ba7ac15692143f39da89c1 MD5: 6127f5d1a39a07a6a33155f9181bd5c4
M21-kxbt1	Formbook_ba6b36b0	Windows	This strike sends a malware sample known as Formbook. This malicious sample is known as Formbook. Formbook is an information stealer that attempts to collect sensitive information from the target.	ba6b36b03f1864c1adb63a87ae843ee3	https://blog.talosintelligence.com/2021/07/threat-roundup-0625-0702.html SHA256: 70ae91fc903cf888459854bafc02aba096412e7d264a09720f9447d3d7bbf17c SHA1: 99f482b4e848401e261e232a33de2b43231a3ada MD5: ba6b36b03f1864c1adb63a87ae843ee3
M21-vc4l1	REvil_18786bfa	Windows	This strike sends a malware sample known as REvil. In July of 2021 a supply chain ransomware attack leveraging an SQL injection vulnerability in Kaseya VSA software was carried out against multiple MSPs and their customers. The ransomware being used in this attack, REvil also known as Sodinokibi, was pushed via an automated malicious update to their customers.	18786bfac1be0ddf23ff94c029ca4d63	https://securityscorecard.com/blog/agent-revil-unveiled-in-kaseya-vsa-ransomware-attack SHA256: 1fe9b489c25bb23b04d9996e8107671edee69bd6f6def2fe7ece38a0fb35f98e SHA1: 3c2b0dcdb2a46fc1ec0a12a54309e35621caa925 MD5: 18786bfac1be0ddf23ff94c029ca4d63
M21-81av1	Formbook_8fd89c48	Windows	This strike sends a malware sample known as Formbook. This malicious sample is known as Formbook. Formbook is an information stealer that attempts to collect sensitive information from the target.	8fd89c48fdacb3ba7a8cb003917c24c3	https://blog.talosintelligence.com/2021/07/threat-roundup-0625-0702.html SHA256: 61e1b56481c68ffcd7be4b30ec427401c7385af1a64451e221a17eb70b4d5819 SHA1: a909214d1a5eacb7f7ea172e652414f02fb15e27 MD5: 8fd89c48fdacb3ba7a8cb003917c24c3
M21-hrdx1	Bandidos_4ba8ccbd	Windows	This strike sends a polymorphic malware sample known as Bandidos. Recently this campaign was largely found targeting Venezuela and Spanish speaking countries. Infection occurs when malicious emails are sent with a PDF document to their victims. Once the PDF is opened and the link clicked an archive is retrieved with a dropper that injects Bandook into Internet Explorer. The Bandidos payload has many features including manipulating files, taking screenshots, controlling the user cursor on screen, installing additional DLLs, uninstalling itself, and exfiltrating data. This sample is the Dropper.The binary has been packed using upx packer, with the default options.	4ba8ccbd73a0951cab9c156fea290a70	https://www.welivesecurity.com/2021/07/07/bandidos-at-large-spying-campaign-latin-america/ https://thehackernews.com/2021/07/experts-uncover-malware-attacks.html SHA256: ce98ad8035f3b5f107eb7e7e7fde5da34d7992806fbd85ab9ecc5a12ba342c1a https://attack.mitre.org/techniques/T1045/ PARENTID: M21-i0lt1 SSDEEP: 24576:mBUWzGugqni0QP8AxdXH4MNHr6NNWst+G7MQUEi/fpm69NnSNzWCYigO:mBU56SP8AX5Wyf/kIN5FM SHA1: 435b060140b839362e6c0c89473d77d9693f8bd1 MD5: 4ba8ccbd73a0951cab9c156fea290a70
M21-onpp1	LockBit_12351122	Windows	This strike sends a malware sample known as LockBit. LockBit is a ransomware that once executed will encrypt the system files until a ransom payment has been made to the attacker. LockBit can scan and spread itself to all targets it finds on a network.	123511227718f17b3dec5431d5ae87f3	https://www.prodaft.com/m/reports/LockBit_Case_Report___TLPWHITE.pdf https://www.mcafee.com/blogs/other-blogs/mcafee-labs/tales-from-the-trenches-a-lockbit-ransomware-story/ https://www.bleepingcomputer.com/news/security/ransomware-gangs-now-creating-websites-to-recruit-affiliates/ SHA256: e3f236e4aeb73f8f8f0caebe46f53abbb2f71fa4b266a34ab50e01933709e877 SHA1: 307088ae7027b55541311fd70a9337ff3709fccf MD5: 123511227718f17b3dec5431d5ae87f3
M21-yr5o1	LockBit_83b0fca1	Windows	This strike sends a malware sample known as LockBit. LockBit is a ransomware that once executed will encrypt the system files until a ransom payment has been made to the attacker. LockBit can scan and spread itself to all targets it finds on a network.	83b0fca1bd3190c5badcea4d507b8c95	https://www.prodaft.com/m/reports/LockBit_Case_Report___TLPWHITE.pdf https://www.mcafee.com/blogs/other-blogs/mcafee-labs/tales-from-the-trenches-a-lockbit-ransomware-story/ https://www.bleepingcomputer.com/news/security/ransomware-gangs-now-creating-websites-to-recruit-affiliates/ SHA256: c8205792fbc0a5efc6b8f0f2257514990bfaa987768c4839d413dd10721e8871 SHA1: 4e4d24f5d231434b9b0219fd7c5142c0c2ca1f08 MD5: 83b0fca1bd3190c5badcea4d507b8c95
M21-qrxb1	LockBit_612a58fd	Windows	This strike sends a malware sample known as LockBit. LockBit is a ransomware that once executed will encrypt the system files until a ransom payment has been made to the attacker. LockBit can scan and spread itself to all targets it finds on a network.	612a58fd67717e45d091ed3c353c3263	https://www.prodaft.com/m/reports/LockBit_Case_Report___TLPWHITE.pdf https://www.mcafee.com/blogs/other-blogs/mcafee-labs/tales-from-the-trenches-a-lockbit-ransomware-story/ https://www.bleepingcomputer.com/news/security/ransomware-gangs-now-creating-websites-to-recruit-affiliates/ SHA256: ec88f821d22e5553afb94b4834f91ecdedeb27d9ebfd882a7d8f33b5f12ac38d SHA1: f6e8feb1eb645e122de8bded0360ee9ecdafc823 MD5: 612a58fd67717e45d091ed3c353c3263
M21-60421	Hupigon_5ed9157b	Windows	This strike sends a malware sample known as Hupigon. The Hupigon malware are trojans that allow the remote user to execute commands on the system, such as to delete files and folders, download and execute files, and terminate processes.	5ed9157b529b233195ba77a6c0f60807	https://blog.talosintelligence.com/2021/07/threat-roundup-for-july-9-to-july-16.html SHA256: 363963520775929cb355a9e6adf0e7f710b4c6ab10e24522563b71e7cb0ec9ec SHA1: 31dbeb25d8014ae05e253d44ea84d28772c046f6 MD5: 5ed9157b529b233195ba77a6c0f60807
M21-a6k51	Hupigon_787230e2	Windows	This strike sends a malware sample known as Hupigon. The Hupigon malware are trojans that allow the remote user to execute commands on the system, such as to delete files and folders, download and execute files, and terminate processes.	787230e27a9cd49f59429a8b86636877	https://blog.talosintelligence.com/2021/07/threat-roundup-for-july-9-to-july-16.html SHA256: bea6048a599c5eed9d491f3b275f03447dd39231cbc76c1efe1cea68c37034aa SHA1: f31f572759d99716e5230d14088138f81804a05b MD5: 787230e27a9cd49f59429a8b86636877
M21-xz9m1	LokiBot_59b388de	Windows	This strike sends a malware sample known as LokiBot. Lokibot is an information-stealing malware designed to siphon off sensitive information stored on an infected device. It is modular in nature, supporting the ability to steal sensitive information from a number of popular applications. It is commonly pushed via malicious documents delivered via spam emails.	59b388dee247bcecd66795063b0c02d7	https://blog.talosintelligence.com/2021/07/threat-roundup-0702-0709.html SHA256: 068dcc146fde443d327076ea1375496429539466ee8ff38a9b3d8c9c284b3327 SHA1: c7b4f39139d85a38ce087f8bb2ca3c154a1f2df2 MD5: 59b388dee247bcecd66795063b0c02d7
M21-3ei71	Formbook_440e6d38	Windows	This strike sends a malware sample known as Formbook. This malicious sample is known as Formbook. Formbook is an information stealer that attempts to collect sensitive information from the target.	440e6d387a6a202fb695171cdd90e9f0	https://blog.talosintelligence.com/2021/07/threat-roundup-0625-0702.html SHA256: 351ff4900300a3012cf567aadc1e025e27b385cd677ea9152517bdd271447326 SHA1: 4428ff59802d290047a86c62aebc21985562b927 MD5: 440e6d387a6a202fb695171cdd90e9f0
M21-ejxa1	REvil_ffedad13	Windows	This strike sends a polymorphic malware sample known as REvil. In July of 2021 a supply chain ransomware attack leveraging an SQL injection vulnerability in Kaseya VSA software was carried out against multiple MSPs and their customers. The ransomware being used in this attack, REvil also known as Sodinokibi, was pushed via an automated malicious update to their customers.The binary has the timestamp field updated in the PE file header.	ffedad13fbd2cf0996cf728e8c1b4c11	https://securityscorecard.com/blog/agent-revil-unveiled-in-kaseya-vsa-ransomware-attack SHA256: b52b2677c639e92fdd9985181bfdd2471072672911c0f74682e0dfede230fd29 https://attack.mitre.org/techniques/T1099/ PARENTID: M21-yf5g1 SSDEEP: 24576:WJdzXxcwKjqd7kHeSyG/z35JCxvKtl9dfkV:AYg7aBgw9dfkV SHA1: bfa28c6c8ef21fe277eb68feeb4d4ce79a83a8ad MD5: ffedad13fbd2cf0996cf728e8c1b4c11
M21-yg181	Hupigon_df65acf3	Windows	This strike sends a malware sample known as Hupigon. The Hupigon malware are trojans that allow the remote user to execute commands on the system, such as to delete files and folders, download and execute files, and terminate processes.	df65acf337ed114181b3c38deb258de5	https://blog.talosintelligence.com/2021/07/threat-roundup-for-july-9-to-july-16.html SHA256: d6100a3d983ed3af8c27aca8303b0d48b14f1db3729c3458051e1b4b7e5a85b5 SHA1: f5c58f185abe09bbf5b8ca4c88941c743f940d28 MD5: df65acf337ed114181b3c38deb258de5
M21-nmor1	Hupigon_d6a6b2f9	Windows	This strike sends a malware sample known as Hupigon. The Hupigon malware are trojans that allow the remote user to execute commands on the system, such as to delete files and folders, download and execute files, and terminate processes.	d6a6b2f9bd1a53e3789bcf5b4865aa81	https://blog.talosintelligence.com/2021/07/threat-roundup-for-july-9-to-july-16.html SHA256: bc2183e23a1d6fc2c3f61d89a52d0ffa5f82e691e4fffd9c7363f3c98fdddbe1 SHA1: 18ac7adb0981e67756a56b95d8582f4cbf2bc7fd MD5: d6a6b2f9bd1a53e3789bcf5b4865aa81
M21-72up1	Formbook_ed588185	Windows	This strike sends a malware sample known as Formbook. This malicious sample is known as Formbook. Formbook is an information stealer that attempts to collect sensitive information from the target.	ed588185aacf2a9ea91b31af93642256	https://blog.talosintelligence.com/2021/07/threat-roundup-0625-0702.html SHA256: 4b9450d76929aabf8390ad818fd3d40a735d76d679b0f4cfb58ff60ced2ee6fd SHA1: c745ab22991ec1fd49c5ddf5fc3eadefab032e17 MD5: ed588185aacf2a9ea91b31af93642256
M21-dfah1	Hupigon_78860c61	Windows	This strike sends a malware sample known as Hupigon. The Hupigon malware are trojans that allow the remote user to execute commands on the system, such as to delete files and folders, download and execute files, and terminate processes.	78860c61167bb648a081ab7371638247	https://blog.talosintelligence.com/2021/07/threat-roundup-for-july-9-to-july-16.html SHA256: 00aed8bbca1c733cf29cb67c1d05b9f10cb4b2f44b3f88780fc478fc5aed2b79 SHA1: aac289a5d3e44f19e399ef63845b47642aded0c1 MD5: 78860c61167bb648a081ab7371638247
M21-w5hl1	LockBit_8ab03752	Windows	This strike sends a malware sample known as LockBit. LockBit is a ransomware that once executed will encrypt the system files until a ransom payment has been made to the attacker. LockBit can scan and spread itself to all targets it finds on a network.	8ab0375228416b89becff72a0ae40654	https://www.prodaft.com/m/reports/LockBit_Case_Report___TLPWHITE.pdf https://www.mcafee.com/blogs/other-blogs/mcafee-labs/tales-from-the-trenches-a-lockbit-ransomware-story/ https://www.bleepingcomputer.com/news/security/ransomware-gangs-now-creating-websites-to-recruit-affiliates/ SHA256: 5072678821b490853eff0a97191f262c4e8404984dd8d5be1151fef437ca26db SHA1: 75f06b636efe53360287c0ff1f51ea7de1e7c8b5 MD5: 8ab0375228416b89becff72a0ae40654
M21-k4qr1	LokiBot_574ea378	Windows	This strike sends a malware sample known as LokiBot. Lokibot is an information-stealing malware designed to siphon off sensitive information stored on an infected device. It is modular in nature, supporting the ability to steal sensitive information from a number of popular applications. It is commonly pushed via malicious documents delivered via spam emails.	574ea37878e74bbcf646402baf723ee4	https://blog.talosintelligence.com/2021/07/threat-roundup-0702-0709.html SHA256: 63f3585c6d2914d6060f7bdef809063eaea115da6c7ada28cbac8f9f796d9cfa SHA1: 6f7ae2e1b875ff0b1610e33d4b824921fc318cf7 MD5: 574ea37878e74bbcf646402baf723ee4
M21-fj3a1	LokiBot_393264b4	Windows	This strike sends a malware sample known as LokiBot. Lokibot is an information-stealing malware designed to siphon off sensitive information stored on an infected device. It is modular in nature, supporting the ability to steal sensitive information from a number of popular applications. It is commonly pushed via malicious documents delivered via spam emails.	393264b41d8cb7b93d7cc3e079556eff	https://blog.talosintelligence.com/2021/07/threat-roundup-0702-0709.html SHA256: 9c425b2930a33567fb81e1a170f4a36222b19ac8b7be4f9d7fbe6e765f385fa3 SHA1: 1e15510afb6e09d236a1396f05c18381f0b6b982 MD5: 393264b41d8cb7b93d7cc3e079556eff
M21-2zln1	Hupigon_a52d0b02	Windows	This strike sends a malware sample known as Hupigon. The Hupigon malware are trojans that allow the remote user to execute commands on the system, such as to delete files and folders, download and execute files, and terminate processes.	a52d0b02fc623f4d0ada0e5c5432c559	https://blog.talosintelligence.com/2021/07/threat-roundup-for-july-9-to-july-16.html SHA256: 608a3f4ac2cefa53738e7aca0a0e5f0530a66984414e9f100f134af4039b47c9 SHA1: f5d8eaba3d2fa10770072d13bd15a76e36795bdf MD5: a52d0b02fc623f4d0ada0e5c5432c559
M21-d7s81	Babuk	Windows	This strike sends a malware sample known as Babuk Locker. Babuk is a ransomware that first started appearing in early 2021. Recently a tool that was used in the creation of these ransomware samples has been detected in other attacks and is being called Babuk Locker.	eacfeff2add22da202bc6ba34308989e	https://www.bleepingcomputer.com/news/security/leaked-babuk-locker-ransomware-builder-used-in-new-attacks/ SHA256: 54c82ad27174fd6ed72793b1ccf9d26613eb572960e847a63538420c69d06c5b SHA1: 7b41f9077fba77d9a3115c3e8142c3f15c81d84a MD5: eacfeff2add22da202bc6ba34308989e
M21-i0lt1	Bandidos_10c4865e	Windows	This strike sends a malware sample known as Bandidos. Recently this campaign was largely found targeting Venezuela and Spanish speaking countries. Infection occurs when malicious emails are sent with a PDF document to their victims. Once the PDF is opened and the link clicked an archive is retrieved with a dropper that injects Bandook into Internet Explorer. The Bandidos payload has many features including manipulating files, taking screenshots, controlling the user cursor on screen, installing additional DLLs, uninstalling itself, and exfiltrating data. This sample is the Dropper.	10c4865edac377dc12f14905c8bb3a46	https://www.welivesecurity.com/2021/07/07/bandidos-at-large-spying-campaign-latin-america/ https://thehackernews.com/2021/07/experts-uncover-malware-attacks.html SHA256: 51367cf1a79f11c5801c47f1fbe68c765c1e90602cb7ff49dc00af5e2701c9d5 SHA1: 124abf42098e644d172d9ea69b05af8ec45d6e49 MD5: 10c4865edac377dc12f14905c8bb3a46
M21-sdq21	Bandidos_2d9afda2	Windows	This strike sends a polymorphic malware sample known as Bandidos. Recently this campaign was largely found targeting Venezuela and Spanish speaking countries. Infection occurs when malicious emails are sent with a PDF document to their victims. Once the PDF is opened and the link clicked an archive is retrieved with a dropper that injects Bandook into Internet Explorer. The Bandidos payload has many features including manipulating files, taking screenshots, controlling the user cursor on screen, installing additional DLLs, uninstalling itself, and exfiltrating data. This sample is the Dropper.The binary has the timestamp field updated in the PE file header.	2d9afda2d563179aa8230116f916d227	https://www.welivesecurity.com/2021/07/07/bandidos-at-large-spying-campaign-latin-america/ https://thehackernews.com/2021/07/experts-uncover-malware-attacks.html SHA256: 505832595c9eaa4670a8a52f19b661a60399db365c737299935fc34ea0b5be35 https://attack.mitre.org/techniques/T1099/ PARENTID: M21-2klg1 SSDEEP: 49152:j435mcqM2uL8Ujfwkrk2vts5Allzg2NZPnz:jhEfwk18A SHA1: cf6e54cf5aba6ea885b407e577c5842f82380fc2 MD5: 2d9afda2d563179aa8230116f916d227
M21-9ycf1	Formbook_a815304b	Windows	This strike sends a malware sample known as Formbook. This malicious sample is known as Formbook. Formbook is an information stealer that attempts to collect sensitive information from the target.	a815304b1a9d216a410082490224e4d8	https://blog.talosintelligence.com/2021/07/threat-roundup-0625-0702.html SHA256: 2f3ed7f2aa896961026bad2904d961dd8c45f30264a6ffdf9635aecdcfb3557b SHA1: f8b33169fa1f8ee09fcb0238990fd1836613ae43 MD5: a815304b1a9d216a410082490224e4d8
M21-kge51	Bandidos_bb861561	Windows	This strike sends a polymorphic malware sample known as Bandidos. Recently this campaign was largely found targeting Venezuela and Spanish speaking countries. Infection occurs when malicious emails are sent with a PDF document to their victims. Once the PDF is opened and the link clicked an archive is retrieved with a dropper that injects Bandook into Internet Explorer. The Bandidos payload has many features including manipulating files, taking screenshots, controlling the user cursor on screen, installing additional DLLs, uninstalling itself, and exfiltrating data. This sample is the Dropper.The binary has random bytes appended at the end of the file.	bb8615619a3363acd508ca02384c1ead	https://www.welivesecurity.com/2021/07/07/bandidos-at-large-spying-campaign-latin-america/ https://thehackernews.com/2021/07/experts-uncover-malware-attacks.html SHA256: 23cf8153cef986bb493b90c48bddc4d304016b043059dc4958bd769726354005 https://attack.mitre.org/techniques/T1009/ PARENTID: M21-wp9r1 SSDEEP: 24576:5EZ4iqYQk5zZrikTtPUZwkC02g+fTqPUf/SWKfL7gg6PQVqa9qSbk:5EFQ6k0TVkQxPQo9X SHA1: ed58d82a9e3b4dbad3f2a6068eaab66a6774013b MD5: bb8615619a3363acd508ca02384c1ead
M21-s46d1	LokiBot_d59102dc	Windows	This strike sends a malware sample known as LokiBot. Lokibot is an information-stealing malware designed to siphon off sensitive information stored on an infected device. It is modular in nature, supporting the ability to steal sensitive information from a number of popular applications. It is commonly pushed via malicious documents delivered via spam emails.	d59102dcc956a859de8d5c6545b30bfd	https://blog.talosintelligence.com/2021/07/threat-roundup-0702-0709.html SHA256: 52dc80bfa7b84b98a0bc7dda49a01497e7b7deeb50850d14182895aa12e23092 SHA1: 7242662ebc8e38ce2ad7adf58485fa7dc0f4cf05 MD5: d59102dcc956a859de8d5c6545b30bfd
M21-1s781	REvil_f31b13a0	Windows	This strike sends a polymorphic malware sample known as REvil. In July of 2021 a supply chain ransomware attack leveraging an SQL injection vulnerability in Kaseya VSA software was carried out against multiple MSPs and their customers. The ransomware being used in this attack, REvil also known as Sodinokibi, was pushed via an automated malicious update to their customers.The binary has a random section name renamed according to the PE format specification.	f31b13a0c700a35bc36376da03419df9	https://securityscorecard.com/blog/agent-revil-unveiled-in-kaseya-vsa-ransomware-attack SHA256: 4e5657a23fb37961c73c6aac9fbe0723b3faeb13267d1b268e0ad4a6bee19b89 https://arxiv.org/abs/1801.08917 PARENTID: M21-2zn41 SSDEEP: 1536:Vxd+ReKXU/MQaL7k0B/L7s+Zi+GrZxtQpfyHvtICS4A4UdZls8XzUXiWr4X5F4GC:VtchTojrZxtMhiiZHjUyWr4X5FTDU SHA1: 0629a47aa2995513531dd29d2a90d7690df93a16 MD5: f31b13a0c700a35bc36376da03419df9
M21-y65s1	REvil_f6e2317b	Windows	This strike sends a polymorphic malware sample known as REvil. In July of 2021 a supply chain ransomware attack leveraging an SQL injection vulnerability in Kaseya VSA software against multiple MSPs and their customers was reported. The ransomware being used in this attack, REvil also known as Sodinokibi, was pushed via an automated malicious update to their customers.The binary has the checksum removed in the PE file format.	f6e2317b5ed7878efd7e1160b3bfc93d	https://securityscorecard.com/blog/agent-revil-unveiled-in-kaseya-vsa-ransomware-attack https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/diving-deeper-into-the-kaseya-vsa-attack-revil-returns-and-other-hackers-are-riding-their-coattails/ SHA256: e898ca8d6f82544edbdd52d96ff1f4ac810e6f366a3d6e2b4c4dcc5bd139111e https://arxiv.org/abs/1801.08917 PARENTID: M21-x3mk1 SSDEEP: 24576:5Mz7ETDWX4XukZeVL/kYx9P/JY6gfjcsAE:GfF7k4pB/JYPIsAE SHA1: 4fc08a7a467e611abc3f561348bb45dc7d1e3db6 MD5: f6e2317b5ed7878efd7e1160b3bfc93d
M21-28yz1	Hupigon_d8b33080	Windows	This strike sends a malware sample known as Hupigon. The Hupigon malware are trojans that allow the remote user to execute commands on the system, such as to delete files and folders, download and execute files, and terminate processes.	d8b33080023b54bebedaa8b29a2f088c	https://blog.talosintelligence.com/2021/07/threat-roundup-for-july-9-to-july-16.html SHA256: 75c4cab4fd1de9ca44db0c3cd51c8d9dfa156ab2205a85924487c10965a12754 SHA1: 39ad2552b7215228f20b2f5953899f7bc4f6795f MD5: d8b33080023b54bebedaa8b29a2f088c