Malware Monthly Update March - 2021

Malware Strikes

Columns: Strike ID, Malware, Platform, Info, MD5, External References

Strike ID: M21-y05z1
Malware: Gh0stRAT_38db1ea3
Platform: Mixed
Info: This strike sends a malware sample known as Gh0stRAT. Gh0stRAT is a remote access Trojan that provides control over an infected system. Some of its known functions include the ability to record keystrokes, record screenshots and download additional malicious payloads.
External References: https://blog.talosintelligence.com/2021/03/threat-roundup-0305-0312.html
SHA256: 34471230c1fda37cce67aa5ae85dfb13310a0065f079eb35d05a410e91c99cde
SHA1: 1b4d01966deeb75a23f8c20fdd1a95f80f7fdc59
MD5: 38db1ea30d13a611098c91721bd7daeb

Strike ID: M21-jtgk1
Malware: Gh0stRAT_a872d440
Platform: Mixed
Info: This strike sends a malware sample known as Gh0stRAT. Gh0stRAT is a remote access Trojan that provides control over an infected system. Some of its known functions include the ability to record keystrokes, record screenshots and download additional malicious payloads.
External References: https://blog.talosintelligence.com/2021/03/threat-roundup-0305-0312.html
SHA256: 74daff7ba7d570971481bd23a433d1d98ba7e61216badad6c895d8f9ab512e96
SHA1: 1f29f52a933528ef57e4f9f0cb59234b63f4ba0f
MD5: a872d44042b1ca69c033a89657d60c27

Strike ID: M21-qq1m1
Malware: Johnnie_a2701860
Platform: Mixed
Info: This strike sends a malware sample known as Johnnie. Johnnie, also known as Mikey, is a malware family that focuses on persistence and is known for its plugin architecture.
External References: https://blog.talosintelligence.com/2021/03/threat-roundup-0305-0312.html
SHA256: ad24d52cb8be574ab4d2a3746dd1bfb4584b2545cdcd07e6e078096ff0e78ab6
SHA1: 1ccc6546b2cae97b90a6beae5495b760581b466b
MD5: a27018604fc28b1b3becb277e770ba09

Strike ID: M21-vvq41
Malware: Zegost_10d7b4f7
Platform: Mixed
Info: This strike sends a malware sample known as Zegost. Zegost, also known as Zusy, steals banking information. It displays a form to trick the user into submitting personal information when visiting a banking website.
External References: https://blog.talosintelligence.com/2021/03/threat-roundup-0312-0319.html
SHA256: d96135894616742836f8c0520c4db3a925623dba9ae6e60dcfd10a299406ac3b
SHA1: 6ffff4d9b3120a12df2bfc96d8501f3f1a0f1660
MD5: 10d7b4f78c61a60f124b65233b2dd6c2

Strike ID: M21-kji81
Malware: Cerber_dc82432a
Platform: Mixed
Info: This strike sends a malware sample known as Cerber. Cerber is ransomware that encrypts documents, photos, databases and other important files using the file extension ".cerber".
External References: https://blog.talosintelligence.com/2021/03/threat-roundup-0305-0312.html
SHA256: 9fa01de00a4e35f91029810e347598055a53cf9baeae6716cd088e25652912ee
SHA1: 06233168eb94af1e8ec800550423f06ffdb7f5f2
MD5: dc82432a6a69957fcc2e326fbd97924a

Strike ID: M21-ut371
Malware: Expiro_0155baf3
Platform: Mixed
Info: This strike sends a malware sample known as Expiro. Expiro, also known as Xpiro, is a known file infector and information stealer that hinders analysis with anti-debugging and anti-analysis tricks.
External References: https://blog.talosintelligence.com/2021/03/threat-roundup-0312-0319.html
SHA256: e9bd0fd8a733b3d3839e92ecb6f31f69aafc3d4c8ea81230e197920d98f8be89
SHA1: f4957ec8a74f095f5829965de2818e29271f74b7
MD5: 0155baf3b793202061b0c43ca7c9cec2

Strike ID: M21-1ab31
Malware: Gh0stRAT_c0835179
Platform: Mixed
Info: This strike sends a malware sample known as Gh0stRAT. Gh0stRAT is a remote access Trojan that provides control over an infected system. Some of its known functions include the ability to record keystrokes, record screenshots and download additional malicious payloads.
External References: https://blog.talosintelligence.com/2021/03/threat-roundup-0305-0312.html
SHA256: 50d9fb29eb06f9a965d43e0691e71044b691de7053215691d100793220980b8f
SHA1: a5eb291e56cb2f03dfd49e6c21b50c9ede5f91a9
MD5: c083517967757144fafbb58bf094d240

Strike ID: M21-hgh91
Malware: HAFNIUM
Platform: Mixed
Info: This strike sends a malware sample known as HAFNIUM Webshell. This HAFNIUM Webshell malware is one of many that have been used in conjunction with Microsoft Exchange Server zero-day attacks against a large number of entities primarily based in the United States. After initial infection, these web shells are deployed, allowing attackers to steal data and perform further malicious functionality such as command execution, file read/write capabilities and tunneling. The Webshell malware has been documented residing in one of several installation paths below.
External References: https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/
SHA256: b75f163ca9b9240bf4b37ad92bc7556b40a17e27c2b8ed5c8991385fe07d17d0
SHA1: 0ba9a76f55aaa495670d74d21850d0155ff5d6a5
MD5: 4b3039cf227c611c45d2242d1228a121

Strike ID: M21-04ru1
Malware: Zbot_8ebb01a1
Platform: Mixed
Info: This strike sends a malware sample known as Zbot. Zbot, also known as Zeus, is a Trojan often associated with stealing banking information by keystroke logging and form grabbing techniques.
External References: https://blog.talosintelligence.com/2021/03/threat-roundup-0312-0319.html
SHA256: 8ac5cfda7819b7f982e0da37494baf2fac075a32cf245fa732ff3e18a2027038
SHA1: 39221a97108995a668735d85b08778f08055afc4
MD5: 8ebb01a18e6a4766213809c2de63a5b1

Strike ID: M21-a0yl1
Malware: Johnnie_ac4c707d
Platform: Mixed
Info: This strike sends a malware sample known as Johnnie. Johnnie, also known as Mikey, is a malware family that focuses on persistence and is known for its plugin architecture.
External References: https://blog.talosintelligence.com/2021/03/threat-roundup-0305-0312.html
SHA256: b201a936c0dfb4f9d87e9667e4356ba0cf311c6695487c000c4664c4ae4aa773
SHA1: 735f7eade9b7356538d0e4df3792340ebc31b7aa
MD5: ac4c707dc7839f5f587225bfe3ec2fde

Strike ID: M21-gc2b1
Malware: Remcos_5f48006d
Platform: Mixed
Info: This strike sends a malware sample known as Remcos. Remcos is a RAT that logs keystrokes and performs other interactions with the host, such as capturing screenshots. It is typically delivered via documents with macros in phishing emails.
External References: https://blog.talosintelligence.com/2021/03/threat-roundup-0312-0319.html
SHA256: b8189bf838099e9c6aebaa083abe32c23d5eeb2737467151fe58ef17cc919a9e
SHA1: 1ee3680a51194f9d65e2ff35e1bb8f7c5269f3b1
MD5: 5f48006dfa96344985342dbc60d87c95

Strike ID: M21-qgn21
Malware: Johnnie_a338cd03
Platform: Mixed
Info: This strike sends a malware sample known as Johnnie. Johnnie, also known as Mikey, is a malware family that focuses on persistence and is known for its plugin architecture.
External References: https://blog.talosintelligence.com/2021/03/threat-roundup-0305-0312.html
SHA256: b7483ac9d0804aa72996c24c8307d72d664cf5914df5f377e27667ba117dde8a
SHA1: 08d6a0b6b50da6af156cc96a65cedb520c247e66
MD5: a338cd032054e9146ee5b8ebd99f9e58

Strike ID: M21-tz5m1
Malware: Zegost_eaddbf2d
Platform: Mixed
Info: This strike sends a malware sample known as Zegost. Zegost, also known as Zusy, steals banking information. It displays a form to trick the user into submitting personal information when visiting a banking website.
External References: https://blog.talosintelligence.com/2021/03/threat-roundup-0312-0319.html
SHA256: 0a23f7f118563e505bfa822035b533f3bbb2e0cbc102dfb2d3549ee79db2c74b
SHA1: f348bbfc07b18da345cdddfcc115673839fe674c
MD5: eaddbf2d17a8e690a58e195e35451222

Strike ID: M21-tdj81
Malware: Cerber_ba2cb51a
Platform: Mixed
Info: This strike sends a malware sample known as Cerber. Cerber is ransomware that encrypts documents, photos, databases and other important files using the file extension ".cerber".
External References: https://blog.talosintelligence.com/2021/03/threat-roundup-0305-0312.html
SHA256: 96a2b53b1ddf5c5c54053c7b635d95deacac03ffe22c710d2b0ff2388997bb18
SHA1: 7307e03403106218950029959ef9cc93108e164f
MD5: ba2cb51a7d5946eaee662404c55fc180

Strike ID: M21-efq61
Malware: Cerber_20fece6d
Platform: Mixed
Info: This strike sends a malware sample known as Cerber. Cerber is ransomware that encrypts documents, photos, databases and other important files using the file extension ".cerber".
External References: https://blog.talosintelligence.com/2021/03/threat-roundup-0305-0312.html
SHA256: 387fccecd60cfd9a3f767983f4b9ca5572762434a7371a119b57bfdd079c88a2
SHA1: f659f2e3aa97a05e1d9ce2c698f9846dcdd22d38
MD5: 20fece6d01f396ae919275b8f48af3de

Strike ID: M21-6o0w1
Malware: Remcos_6b171762
Platform: Mixed
Info: This strike sends a malware sample known as Remcos. Remcos is a RAT that logs keystrokes and performs other interactions with the host, such as capturing screenshots. It is typically delivered via documents with macros in phishing emails.
External References: https://blog.talosintelligence.com/2021/03/threat-roundup-0312-0319.html
SHA256: 89de0738d31cdaca830f1e511eab1fb92f824d6da0b9e1a6ae2e3ef5419b1f0e
SHA1: 55834bf2224c6c82808fa19525356ba0be64ffef
MD5: 6b171762ebb3aa6d0dfd8df3dc97f3bf

Strike ID: M21-bg1f1
Malware: Johnnie_dcf7af3e
Platform: Mixed
Info: This strike sends a malware sample known as Johnnie. Johnnie, also known as Mikey, is a malware family that focuses on persistence and is known for its plugin architecture.
External References: https://blog.talosintelligence.com/2021/03/threat-roundup-0305-0312.html
SHA256: 31f400e041c61d1aa2337d6beb74a853a31ac6fe5c26af63e7b76123050e6265
SHA1: dc75456bd135064275b21e91be63772fbc0c2419
MD5: dcf7af3ecdaff092c3649383e9baecc4

Strike ID: M21-wcy91
Malware: Remcos_b37cbd5b
Platform: Mixed
Info: This strike sends a malware sample known as Remcos. Remcos is a RAT that logs keystrokes and performs other interactions with the host, such as capturing screenshots. It is typically delivered via documents with macros in phishing emails.
External References: https://blog.talosintelligence.com/2021/03/threat-roundup-0312-0319.html
SHA256: 8d47d932cd5c29686d796320a2d14821df531ae1b0f839c5c887191448ecc777
SHA1: abdb829f7a09c6959015043801712a6cd2ab5809
MD5: b37cbd5bde82458f0c0ad7ab45db03c2

Strike ID: M21-djy41
Malware: Johnnie_8e1b7f46
Platform: Mixed
Info: This strike sends a malware sample known as Johnnie. Johnnie, also known as Mikey, is a malware family that focuses on persistence and is known for its plugin architecture.
External References: https://blog.talosintelligence.com/2021/03/threat-roundup-0305-0312.html
SHA256: df75e5465189a11a4640c9e9bd30ae3aa37bb9f6c607fff2371351bf08a97412
SHA1: d4e34bf72e4d95f69304f90271567c9521fc3e40
MD5: 8e1b7f46cf344b314299c80919c1ef33

Strike ID: M21-9omf1
Malware: Remcos_99548f77
Platform: Mixed
Info: This strike sends a malware sample known as Remcos. Remcos is a RAT that logs keystrokes and performs other interactions with the host, such as capturing screenshots. It is typically delivered via documents with macros in phishing emails.
External References: https://blog.talosintelligence.com/2021/03/threat-roundup-0312-0319.html
SHA256: f6083599947328d2637adb3cb9810fefd0d9195c504dc2e081fcfca776090c2b
SHA1: 8bd6a8afb1f7749a1de864c6cbbf297ccdb83b1f
MD5: 99548f77a249924a7355728f3ba1c328

Strike ID: M21-isa71
Malware: Gh0stRAT_f9c41e77
Platform: Mixed
Info: This strike sends a malware sample known as Gh0stRAT. Gh0stRAT is a remote access Trojan that provides control over an infected system. Some of its known functions include the ability to record keystrokes, record screenshots and download additional malicious payloads.
External References: https://blog.talosintelligence.com/2021/03/threat-roundup-0305-0312.html
SHA256: 3c5ab72abf3efd72aa5c4f9528239e9cadd1066f74b53102cbd0e7366c1afded
SHA1: d06b9cc53ecf81494b9baf18b86386921bc18a23
MD5: f9c41e775ffc495c2afaf795acc3d4eb

Strike ID: M21-dziq1
Malware: Cerber_360dde65
Platform: Mixed
Info: This strike sends a malware sample known as Cerber. Cerber is ransomware that encrypts documents, photos, databases and other important files using the file extension ".cerber".
External References: https://blog.talosintelligence.com/2021/03/threat-roundup-0305-0312.html
SHA256: 57da8c90d12de206331bddadee6b8bbbdab8648563830b1e553b9ed2baf0dc13
SHA1: 2ac979c82a0a9f7a71cc0bdba50f2f2e5d99a8c6
MD5: 360dde65f7547c1b9993e31e2c72fdab

Strike ID: M21-ly8g1
Malware: Remcos_44be3e0a
Platform: Mixed
Info: This strike sends a malware sample known as Remcos. Remcos is a RAT that logs keystrokes and performs other interactions with the host, such as capturing screenshots. It is typically delivered via documents with macros in phishing emails.
External References: https://blog.talosintelligence.com/2021/03/threat-roundup-0312-0319.html
SHA256: c8335dcc276062f714b7dcb5857a1773b5762ca763323537dde98fc81cce3f2f
SHA1: 234142561af893c9fad495cdea7684d008fe592a
MD5: 44be3e0a09970a7d85d158e24963765b

Strike ID: M21-a8c01
Malware: Remcos_755ae12d
Platform: Mixed
Info: This strike sends a malware sample known as Remcos. Remcos is a RAT that logs keystrokes and performs other interactions with the host, such as capturing screenshots. It is typically delivered via documents with macros in phishing emails.
External References: https://blog.talosintelligence.com/2021/03/threat-roundup-0312-0319.html
SHA256: eb75f663d2145a509ae8db9126cee9d77d4942f0e24044db324ac45f894b4197
SHA1: 0120cb07e334a8b0948238df3a86e55b1341e28f
MD5: 755ae12d9f12fc76f382ec1282faa029

Strike ID: M21-edsh1
Malware: Gh0stRAT_0f6550a7
Platform: Mixed
Info: This strike sends a malware sample known as Gh0stRAT. Gh0stRAT is a remote access Trojan that provides control over an infected system. Some of its known functions include the ability to record keystrokes, record screenshots and download additional malicious payloads.
External References: https://blog.talosintelligence.com/2021/03/threat-roundup-0305-0312.html
SHA256: 7ba92ec4b7d80aafde49b343b950ac416efae8d1e8d88759a74e33d9837bf6c1
SHA1: 1f747e550225e06b4f2b8aba9a2967b61e631b53
MD5: 0f6550a771aef1df84f85e95ff7adb9b

Strike ID: M21-h6ye1
Malware: Gh0stRAT_596fcbea
Platform: Mixed
Info: This strike sends a malware sample known as Gh0stRAT. Gh0stRAT is a remote access Trojan that provides control over an infected system. Some of its known functions include the ability to record keystrokes, record screenshots and download additional malicious payloads.
External References: https://blog.talosintelligence.com/2021/03/threat-roundup-0305-0312.html
SHA256: 2a657b5cfb584ae465b438df429968a2f15f06b70813705f6e2dc7beec0f29d0
SHA1: 5fc0af4f081fd3a0d910aa7b90a79e8216688758
MD5: 596fcbea1a5f3fa86bcf5039881aa576

Strike ID: M21-y4e81
Malware: Remcos_a6725728
Platform: Mixed
Info: This strike sends a malware sample known as Remcos. Remcos is a RAT that logs keystrokes and performs other interactions with the host, such as capturing screenshots. It is typically delivered via documents with macros in phishing emails.
External References: https://blog.talosintelligence.com/2021/03/threat-roundup-0312-0319.html
SHA256: a50c6bc01cacaf3c8bd51ac98b682501f25486ad25c43f2f3ce6cdcd98fab40f
SHA1: acbca76a0d8bfff78b29fa68b0acb78b6476d8df
MD5: a6725728d876de2468707a0e2609edad

Strike ID: M21-60h11
Malware: Zegost_5bbc6e17
Platform: Mixed
Info: This strike sends a malware sample known as Zegost. Zegost, also known as Zusy, steals banking information. It displays a form to trick the user into submitting personal information when visiting a banking website.
External References: https://blog.talosintelligence.com/2021/03/threat-roundup-0312-0319.html
SHA256: eedb3753a1321c56557a8c51362cd6ed66d59360b4e12e78983c8659a299aeef
SHA1: 3b6ce47969f65f8f79588a60320f78db701c0c29
MD5: 5bbc6e178e98a48301ba1c78671c89e5

Strike ID: M21-8hi11
Malware: HAFNIUM
Platform: Mixed
Info: This strike sends a malware sample known as HAFNIUM Webshell. This HAFNIUM Webshell malware is one of many that have been used in conjunction with Microsoft Exchange Server zero-day attacks against a large number of entities primarily based in the United States. After initial infection, these web shells are deployed, allowing attackers to steal data and perform further malicious functionality such as command execution, file read/write capabilities and tunneling. The Webshell malware has been documented residing in one of several installation paths below.
External References: https://blog.talosintelligence.com/2021/03/threat-advisory-hafnium-and-microsoft.html
SHA256: 8e90ed33c7ee82c0b64078ea36ec95f7420ba435c693b3b3dd728b494abf7dfc
SHA1: 49644cbbb9d234bd4f7a47ed596c8bbfefd39065
MD5: 4ef04cba6bec2c3a164b9b755efbeb1c

Strike ID: M21-enn61
Malware: Remcos_769fed4d
Platform: Mixed
Info: This strike sends a malware sample known as Remcos. Remcos is a RAT that logs keystrokes and performs other interactions with the host, such as capturing screenshots. It is typically delivered via documents with macros in phishing emails.
External References: https://blog.talosintelligence.com/2021/03/threat-roundup-0312-0319.html
SHA256: cbf9a46b64bd4c5122f5bdf7a50b8e635f9cd8792d124a2d818df1562074d916
SHA1: 60b248f84a2b504b247c988807717d8ea85649b8
MD5: 769fed4d63791d8a4b8ce332b916cd5e

Strike ID: M21-40l71
Malware: Cerber_9d225aba
Platform: Mixed
Info: This strike sends a malware sample known as Cerber. Cerber is ransomware that encrypts documents, photos, databases and other important files using the file extension ".cerber".
External References: https://blog.talosintelligence.com/2021/03/threat-roundup-0305-0312.html
SHA256: b02791ac42414f2879a49846bb34632c02cfc3cdd39809e59989913168f64b00
SHA1: a8d0fc2b578bac925863b9a345358dbfadf66363
MD5: 9d225abad306db39bb37c6c4e9ccbe17

Strike ID: M21-mqlt1
Malware: Cerber_f633f7b4
Platform: Mixed
Info: This strike sends a malware sample known as Cerber. Cerber is ransomware that encrypts documents, photos, databases and other important files using the file extension ".cerber".
External References: https://blog.talosintelligence.com/2021/03/threat-roundup-0305-0312.html
SHA256: 9fe2b7cc0364ef640854594c02026f78d27af5a94faba8c22e86164668014d48
SHA1: 898f8c50f97d69c91d1673a28725970f28cc6129
MD5: f633f7b424983cef70eae8bcbf81ff19

Strike ID: M21-533b1
Malware: Remcos_5b3b0765
Platform: Mixed
Info: This strike sends a polymorphic malware sample known as Remcos. Remcos is a RAT that logs keystrokes and performs other interactions with the host, such as capturing screenshots. It is typically delivered via documents with macros in phishing emails. The binary has random strings (lorem ipsum) appended at the end of the file.
External References: https://attack.mitre.org/techniques/T1009/
SHA256: 9b93e7152e96c44741d2961b25d35bddb82c2cd2c1c0a91ecae17cdc248ed2a6
SHA1: f2071970fc15755ea397cd0eb59512739f687655
PARENTID: M21-a8c01
SSDEEP: 1536:wbQihzJ0RAQCAqTAj2jo8MG7m80PuYjuq:rkJsA5Aj2Umq
MD5: 5b3b07657907de883d44735ac1c270df

Strike ID: M21-ul9f1
Malware: Gh0stRAT_b640f7ed
Platform: Mixed
Info: This strike sends a malware sample known as Gh0stRAT. Gh0stRAT is a remote access Trojan that provides control over an infected system. Some of its known functions include the ability to record keystrokes, record screenshots and download additional malicious payloads.
External References: https://blog.talosintelligence.com/2021/03/threat-roundup-0305-0312.html
SHA256: 798fbc4fb65b81b4b94c582718074a82b02f6bee8e6e4f58186a1d923a989863
SHA1: 72c0fdbcdafd80d4a0c4611e940f8870cd76131a
MD5: b640f7ed51715ed04cf89f794e5ae924

Strike ID: M21-alk71
Malware: Cerber_71785297
Platform: Mixed
Info: This strike sends a polymorphic malware sample known as Cerber. Cerber is ransomware that encrypts documents, photos, databases and other important files using the file extension ".cerber". The binary has the timestamp field updated in the PE file header.
External References: https://attack.mitre.org/techniques/T1099/
SHA256: 534ca84f14a3938500572ef064713e0c54a03f998c2a21fc51617634d45a991d
SHA1: 7581a3646c6850fcb048e94959eea86bd3b87111
PARENTID: M21-fgfb1
SSDEEP: 12288:R2PtcpSGpXTPyduxsddfDhEvSKSmJLXj6hq:R2PtcUGpXryU+dd7KvShmJsq
MD5: 71785297665f915f985e52f395678c35

Strike ID: M21-xal31
Malware: Johnnie_f4805a5a
Platform: Mixed
Info: This strike sends a malware sample known as Johnnie. Johnnie, also known as Mikey, is a malware family that focuses on persistence and is known for its plugin architecture.
External References: https://blog.talosintelligence.com/2021/03/threat-roundup-0305-0312.html
SHA256: 3b5f97b5c404c22bad550e105a9154234d43c13e4b32f3738dd1d29d0b67e8cf
SHA1: 50ec9cace3353a1cf357a4cc8da0913aa2b5a143
MD5: f4805a5a3e898264b8ed4b43de37b60b

Strike ID: M21-zkh61
Malware: Zegost_3ec0f08b
Platform: Mixed
Info: This strike sends a malware sample known as Zegost. Zegost, also known as Zusy, steals banking information. It displays a form to trick the user into submitting personal information when visiting a banking website.
External References: https://blog.talosintelligence.com/2021/03/threat-roundup-0312-0319.html
SHA256: 36c65ee22789d37e92d6fbcc135eb6fd3a9cee15bb01727607ff65f06e29adbf
SHA1: 150d375eb4940dbec5d408798932c5163dd940b2
MD5: 3ec0f08b9a5e8cd350d60ea98b66bc6b

Strike ID: M21-zl0u1
Malware: Zbot_fe2e0db4
Platform: Mixed
Info: This strike sends a malware sample known as Zbot. Zbot, also known as Zeus, is a Trojan often associated with stealing banking information by keystroke logging and form grabbing techniques.
External References: https://blog.talosintelligence.com/2021/03/threat-roundup-0312-0319.html
SHA256: 81fb97b88520f85d7b8f23a119e410785a99646362bc532d034fb0e3ad581211
SHA1: 1280ec13477f13f2b9708b69cec0b1619bd4606a
MD5: fe2e0db42c21c90dcbdbe0983ab89276

Strike ID: M21-nx2y1
Malware: HAFNIUM
Platform: Mixed
Info: This strike sends a malware sample known as HAFNIUM Webshell. This HAFNIUM Webshell malware is one of many that have been used in conjunction with Microsoft Exchange Server zero-day attacks against a large number of entities primarily based in the United States. After initial infection, these web shells are deployed, allowing attackers to steal data and perform further malicious functionality such as command execution, file read/write capabilities and tunneling. The Webshell malware has been documented residing in one of several installation paths below.
External References: https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/
SHA256: 511df0e2df9bfa5521b588cc4bb5f8c5a321801b803394ebc493db1ef3c78fa1
SHA1: fc6f5ce56166d9b4516ba207f3a653b722e1a8df
MD5: 5544ba9ad1b56101b5d52b5270421d4a

Strike ID: M21-c9jc1
Malware: Remcos_179fc66a
Platform: Mixed
Info: This strike sends a polymorphic malware sample known as Remcos. Remcos is a RAT that logs keystrokes and performs other interactions with the host, such as capturing screenshots. It is typically delivered via documents with macros in phishing emails. The binary has been packed using the UPX packer with the default options.
External References: https://attack.mitre.org/techniques/T1045/
SHA256: 8776dd843bb43d1a6336239192f357a4bd918033bc4784529856f3589d5db668
SHA1: 512c8fd7ad4804e403116504468c91140e2c1192
PARENTID: M21-a8c01
SSDEEP: 768:5hCIKPQ0nbAQEbZ12jV/HAsDDq1ur61Aa:SIjsbAQEDeV/Dyur61Aa
MD5: 179fc66a0416442f19fe51271f5dfcfd

Strike ID: M21-lw5i1
Malware: Johnnie_e0079301
Platform: Mixed
Info: This strike sends a malware sample known as Johnnie. Johnnie, also known as Mikey, is a malware family that focuses on persistence and is known for its plugin architecture.
External References: https://blog.talosintelligence.com/2021/03/threat-roundup-0305-0312.html
SHA256: fd731b97e8ec6140e434e09a69903a718b2bcc99d33def43800acaaa7397b04c
SHA1: 4980f52cd80fd0262c8ca10c07b8498ad7e9d10e
MD5: e0079301b101c37ff3e5b8f424e92faa

Strike ID: M21-r0pi1
Malware: Remcos_d006c280
Platform: Mixed
Info: This strike sends a polymorphic malware sample known as Remcos. Remcos is a RAT that logs keystrokes and performs other interactions with the host, such as capturing screenshots. It is typically delivered via documents with macros in phishing emails. The binary has random bytes appended at the end of the file.
External References: https://attack.mitre.org/techniques/T1009/
SHA256: 31067b35e0e621793905281fefa26fb9e467423501d893ccdfee98ceef6b3a65
SHA1: 4afcc554fbb391f307da93dd67b8c59311b90870
PARENTID: M21-a8c01
SSDEEP: 1536:wbQihzJ0RAQCAqTAj2jo8MG7m80PuYjua:rkJsA5Aj2Uma
MD5: d006c28009f6706e5f5c10237b353229

Strike ID: M21-helx1
Malware: Johnnie_dc7e8f77
Platform: Mixed
Info: This strike sends a malware sample known as Johnnie. Johnnie, also known as Mikey, is a malware family that focuses on persistence and is known for its plugin architecture.
External References: https://blog.talosintelligence.com/2021/03/threat-roundup-0305-0312.html
SHA256: de7a7371e0113b3b8ca14ce1683824898ee5f3044caec9c550436d43bbd57cf5
SHA1: e2c2b40bcff550a35362127c6a0496600375093c
MD5: dc7e8f77cbbd7450502f7ffe563cb7bb

Strike ID: M21-353j1
Malware: Zbot_8fd8d53c
Platform: Mixed
Info: This strike sends a malware sample known as Zbot. Zbot, also known as Zeus, is a Trojan often associated with stealing banking information by keystroke logging and form grabbing techniques.
External References: https://blog.talosintelligence.com/2021/03/threat-roundup-0312-0319.html
SHA256: 786c63680d8479cc659709f118c03c1785a700fc690861d851b63d46f4d14fa2
SHA1: 56e771057a4e336298b52bc08c54f282e1413f27
MD5: 8fd8d53c05e3b556917a507ed6ec6b48

Strike ID: M21-z8di1
Malware: Johnnie_573c737a
Platform: Mixed
Info: This strike sends a malware sample known as Johnnie. Johnnie, also known as Mikey, is a malware family that focuses on persistence and is known for its plugin architecture.
External References: https://blog.talosintelligence.com/2021/03/threat-roundup-0305-0312.html
SHA256: 31cc204b627e09a0cb4bc8b2091742c448837a9be8021d70cd84b308f16dec38
SHA1: d5fa20d2ba40706810a7c1278ea4c8addaa682a2
MD5: 573c737af7ee30678c11ec775ce9bca9

Strike ID: M21-kjas1
Malware: HAFNIUM
Platform: Mixed
Info: This strike sends a malware sample known as HAFNIUM Webshell. This HAFNIUM Webshell malware is one of many that have been used in conjunction with Microsoft Exchange Server zero-day attacks against a large number of entities primarily based in the United States. After initial infection, these web shells are deployed, allowing attackers to steal data and perform further malicious functionality such as command execution, file read/write capabilities and tunneling. The Webshell malware has been documented residing in one of several installation paths below.
External References: https://blog.talosintelligence.com/2021/03/threat-advisory-hafnium-and-microsoft.html
SHA256: a291305f181e24fe7194154b4cd355ccb039d5765709c80999e392efec69c90a
SHA1: 90cd4f920d48c05fd3cad8275223f596c6388cbd
MD5: fe15fc6341baad2a111462854f96a2bc

Strike ID: M21-jz5x1
Malware: Zegost_461c6d64
Platform: Mixed
Info: This strike sends a malware sample known as Zegost. Zegost, also known as Zusy, steals banking information. It displays a form to trick the user into submitting personal information when visiting a banking website.
External References: https://blog.talosintelligence.com/2021/03/threat-roundup-0312-0319.html
SHA256: c1d4338fb9c6697e129499664ea108524fb0fa4b2c46182dc87c4c2bb06358c5
SHA1: 71bff8528310cf83b5522d0d0505e5717baf5b73
MD5: 461c6d648ad38eaf49feb08a5f7a34d8

Strike ID: M21-c59q1
Malware: Gh0stRAT_4793b3b8
Platform: Mixed
Info: This strike sends a malware sample known as Gh0stRAT. Gh0stRAT is a remote access Trojan that provides control over an infected system. Some of its known functions include the ability to record keystrokes, record screenshots and download additional malicious payloads.
External References: https://blog.talosintelligence.com/2021/03/threat-roundup-0305-0312.html
SHA256: 010877d5ffefd651a6591f043e42c884c772a6caebc4874cd359015e2b742d27
SHA1: 085b51fbc4ccb45566e138433660c3b8e140f6d2
MD5: 4793b3b82cd0ad256572aff6109f78f5

Strike ID: M21-v6b21
Malware: Johnnie_5a66dd86
Platform: Mixed
Info: This strike sends a malware sample known as Johnnie. Johnnie, also known as Mikey, is a malware family that focuses on persistence and is known for its plugin architecture.
External References: https://blog.talosintelligence.com/2021/03/threat-roundup-0305-0312.html
SHA256: 017283a74e46d4d1e3e725cd56e1afeb1ee54068b7f71032db25fec31d68d1b2
SHA1: b0c16251083c5c03a1ebbbdd3e5f527437636ae6
MD5: 5a66dd86de39a4eaf55ded4320a8ff43

Strike ID: M21-tjb61
Malware: Remcos_fba106ad
Platform: Mixed
Info: This strike sends a malware sample known as Remcos. Remcos is a RAT that logs keystrokes and performs other interactions with the host, such as capturing screenshots. It is typically delivered via documents with macros in phishing emails.
External References: https://blog.talosintelligence.com/2021/03/threat-roundup-0312-0319.html
SHA256: 5b4a1cdb25a26b59a7debb9a800df48fc287c78e21fbd373cf59cd7aec08225f
SHA1: 61e6ed74c533038e5b5bf05d1b1e05ec7625c62d
MD5: fba106ad4a1e85d868858350f0aa8574

Strike ID: M21-3zhr1
Malware: Gh0stRAT_65a69489
Platform: Mixed
Info: This strike sends a malware sample known as Gh0stRAT. Gh0stRAT is a remote access Trojan that provides control over an infected system. Some of its known functions include the ability to record keystrokes, record screenshots and download additional malicious payloads.
External References: https://blog.talosintelligence.com/2021/03/threat-roundup-0305-0312.html
SHA256: 1beb18be175e10331aa29066888d0c256afffc8b2dfb53bfb1596b11d5bf7f63
SHA1: a840c42973491c503716a98e6f150e6cd7e4799e
MD5: 65a69489423b963beee69ad1b7644c49

Strike ID: M21-x45i1
Malware: Gh0stRAT_2b65b00a
Platform: Mixed
Info: This strike sends a malware sample known as Gh0stRAT. Gh0stRAT is a remote access Trojan that provides control over an infected system. Some of its known functions include the ability to record keystrokes, record screenshots and download additional malicious payloads.
External References: https://blog.talosintelligence.com/2021/03/threat-roundup-0305-0312.html
SHA256: 23eefadaca3164a75bfe16cd4caad20a39a7c7c3a034b4d47c4e0b7913024b7f
SHA1: 92f3d38f49bbde9543833be71d32b92dcbd61c4c
MD5: 2b65b00a17cf1a52a6bd1514436681fd

Strike ID: M21-4uli1
Malware: Remcos_31266fef
Platform: Mixed
Info: This strike sends a malware sample known as Remcos. Remcos is a RAT that logs keystrokes and performs other interactions with the host, such as capturing screenshots. It is typically delivered via documents with macros in phishing emails.
External References: https://blog.talosintelligence.com/2021/03/threat-roundup-0312-0319.html
SHA256: e5e57425094babc789cd69616394e888681f05992a1cb14073655172ae3221df
SHA1: bc9f848c8355b36e803beb76ea608222d9ad5be0
MD5: 31266fefa52798b306939c3fc169c0ea

Strike ID: M21-3xsc1
Malware: Remcos_89affee5
Platform: Mixed
Info: This strike sends a malware sample known as Remcos. Remcos is a RAT that logs keystrokes and performs other interactions with the host, such as capturing screenshots. It is typically delivered via documents with macros in phishing emails.
External References: https://blog.talosintelligence.com/2021/03/threat-roundup-0312-0319.html
SHA256: 9a12983c930602627ad459fba134a76ec4a419a103903155a54cc288a44bae35
SHA1: 3dfa04a9253488833610a3e3f906513c8e38796f
MD5: 89affee5f44a964e2cc9fcabeb5a1a0f

Strike ID: M21-srvj1
Malware: Cerber_26deaff2
Platform: Mixed
Info: This strike sends a malware sample known as Cerber. Cerber is ransomware that encrypts documents, photos, databases and other important files using the file extension ".cerber".
External References: https://blog.talosintelligence.com/2021/03/threat-roundup-0305-0312.html
SHA256: 94510d2d24fe42afb50d9d577ac315897fe510f2513ef15e53af70632aa98724
SHA1: 40e228abe10b3efeb903ed6d607a96f3b0c0b319
MD5: 26deaff26ac1591b8bd7786f5f481ab2

Strike ID: M21-wo991
Malware: Johnnie_b522d0cf
Platform: Mixed
Info: This strike sends a malware sample known as Johnnie. Johnnie, also known as Mikey, is a malware family that focuses on persistence and is known for its plugin architecture.
External References: https://blog.talosintelligence.com/2021/03/threat-roundup-0305-0312.html
SHA256: 3a3205b31ee1f99fb887ce5c7d724b8fae13dc9689ca0509489345f7a2f43647
SHA1: 76ca00608b28275b745d076e6babb17299e07149
MD5: b522d0cf76121d9e4fcc1ba12718ce3c

Strike ID: M21-hff61
Malware: Remcos_5ff832b3
Platform: Mixed
Info: This strike sends a polymorphic malware sample known as Remcos. Remcos is a RAT that logs keystrokes and performs other interactions with the host, such as capturing screenshots. It is typically delivered via documents with macros in phishing emails. The binary has the timestamp field updated in the PE file header.
External References: https://attack.mitre.org/techniques/T1099/
SHA256: b40ca1beec7a5b1ef23bf6f0ee890092495bf1d8e869062c7b11abc442306cfb
SHA1: f4321f29a4983c462096e25ce7e77acefe242e42
PARENTID: M21-a8c01
SSDEEP: 1536:zbQihzJ0RAQCAqTAj2jo8MG7m80PuYjub:IkJsA5Aj2Umb
MD5: 5ff832b37c2e809c3b7cf09ab9c94a2d

Strike ID: M21-oorw1
Malware: Johnnie_ab5fa6b3
Platform: Mixed
Info: This strike sends a malware sample known as Johnnie. Johnnie, also known as Mikey, is a malware family that focuses on persistence and is known for its plugin architecture.
External References: https://blog.talosintelligence.com/2021/03/threat-roundup-0305-0312.html
SHA256: 5992c6bba20eb7a5a6fc7d2d66c793b57d76bd0c78c39258c4fbd5d8dcf78403
SHA1: 88aadc3bbf97082acc61f8c77530d415f80b652b
MD5: ab5fa6b31ab7c53af696f3c235675498

Strike ID: M21-cshx1
Malware: Zbot_b67643a6
Platform: Mixed
Info: This strike sends a polymorphic malware sample known as Zbot. Zbot, also known as Zeus, is a Trojan often associated with stealing banking information by keystroke logging and form grabbing techniques. The binary has the timestamp field updated in the PE file header.
External References: https://attack.mitre.org/techniques/T1099/
SHA256: dff2ca2baf92eabc572cd79b16f61119b18db5e498fa645f4effb0fffbbb625b
SHA1: ee57d1edd9a57776794a94f7ef853fb145554e61
PARENTID: M21-kb5m1
SSDEEP: 3072:QYDn8rjuO2aTOT4+UM9sQOvDyBPzGN/GZ2tu/TG4cxhILl+Z8bSnLq+0IXD:QInQju6r+UMIbu7GN/lcS4cxhTnLqK
MD5: b67643a6adadf9d104309476df6e7234

Strike ID: M21-ttbg1
Malware: Zbot_68a18f08
Platform: Mixed
Info: This strike sends a malware sample known as Zbot. Zbot, also known as Zeus, is a trojan often associated with stealing banking information by keystroke logging and form grabbing techniques.
MD5: 68a18f089ca381727f149f727d03193e
External References: https://blog.talosintelligence.com/2021/03/threat-roundup-0312-0319.html
SHA256: 6bb31571dfbc84cb6286e9e57e781326792d1b218125b32a4a46a390aa173471
SHA1: e4b005018f9c2926509a9848d1c8781a82ca9036
MD5: 68a18f089ca381727f149f727d03193e

Strike ID: M21-70h01
Malware: Gh0stRAT_16c59693
Platform: Mixed
Info: This strike sends a malware sample known as Gh0stRAT. Gh0stRAT is a remote access Trojan that provides control over an infected system. Some of its known functions include the ability to record keystrokes, record screenshots and download additional malicious payloads.
MD5: 16c596936a8c80d6d8810257527f377d
External References: https://blog.talosintelligence.com/2021/03/threat-roundup-0305-0312.html
SHA256: 0cfb39f94222726dbf26800c8d8135d8235088ea8ba61df14c483f0a128cba80
SHA1: 6a6e36671c676a02374aefb7833bf50967332afa
MD5: 16c596936a8c80d6d8810257527f377d

Strike ID: M21-dd091
Malware: Johnnie_81c7f75d
Platform: Mixed
Info: This strike sends a malware sample known as Johnnie. Johnnie, also known as Mikey, is a malware family that focuses on persistence and is known for its plugin architecture.
MD5: 81c7f75dea4d7583fe012af46c343717
External References: https://blog.talosintelligence.com/2021/03/threat-roundup-0305-0312.html
SHA256: c2c7d89d7b4b3042052bcbaa5407d034c5d539721e1b8653231eddd754cc27fb
SHA1: aef44e0b8558e8687c614626d64467bdc56cc09c
MD5: 81c7f75dea4d7583fe012af46c343717

Strike ID: M21-mi4z1
Malware: Remcos_52910f26
Platform: Mixed
Info: This strike sends a malware sample known as Remcos. Remcos is a RAT that logs keystrokes and performs other interactions with the host, such as capturing screenshots. It is typically delivered via documents with macros in phishing emails.
MD5: 52910f268831cf97d5d3f561052be6e5
External References: https://blog.talosintelligence.com/2021/03/threat-roundup-0312-0319.html
SHA256: d6575780888ebc64ba8cc181c289c2193d68d658bb79fbad75cb014e5843fe0f
SHA1: 08e0a536de0cc2038655c500a43e42734c293f1d
MD5: 52910f268831cf97d5d3f561052be6e5

Strike ID: M21-yv051
Malware: Cerber_a2c19fe2
Platform: Mixed
Info: This strike sends a malware sample known as Cerber. Cerber is ransomware that encrypts documents, photos, databases and other important files using the file extension ".cerber".
MD5: a2c19fe2ebdc074bf4c533cc929f2da9
External References: https://blog.talosintelligence.com/2021/03/threat-roundup-0305-0312.html
SHA256: f8f52a3aeb4a35b8a047153c7f38c5dce395a1ef2027b6334563f23c5ee4e419
SHA1: 3767a4b21325cd8e0c1092ac482e6af3916f1b49
MD5: a2c19fe2ebdc074bf4c533cc929f2da9

Strike ID: M21-idad1
Malware: Remcos_305a77fb
Platform: Mixed
Info: This strike sends a malware sample known as Remcos. Remcos is a RAT that logs keystrokes and performs other interactions with the host, such as capturing screenshots. It is typically delivered via documents with macros in phishing emails.
MD5: 305a77fbfb5624727c07ee5425e55e02
External References: https://blog.talosintelligence.com/2021/03/threat-roundup-0312-0319.html
SHA256: 7e30717f2e9ba0317731b37c96d2412d36cd150f9ee35f952568e4ca855fe4f0
SHA1: 365b0f0a232979010682c3656aee4ca041542ad9
MD5: 305a77fbfb5624727c07ee5425e55e02

Strike ID: M21-iqag1
Malware: Johnnie_7e1abfa8
Platform: Mixed
Info: This strike sends a malware sample known as Johnnie. Johnnie, also known as Mikey, is a malware family that focuses on persistence and is known for its plugin architecture.
MD5: 7e1abfa80d07ed765c6325f18e024246
External References: https://blog.talosintelligence.com/2021/03/threat-roundup-0305-0312.html
SHA256: 421431abe3f3bc0d459ca27b9f36e6ad9e5bc256a46a418b32b49bdcae394072
SHA1: 50c424827abbb6012fc02e500dd69b3d3878a680
MD5: 7e1abfa80d07ed765c6325f18e024246

Strike ID: M21-97md1
Malware: Cerber_c80008df
Platform: Mixed
Info: This strike sends a malware sample known as Cerber. Cerber is ransomware that encrypts documents, photos, databases and other important files using the file extension ".cerber".
MD5: c80008df5fa7cb0f90f41a151b35e653
External References: https://blog.talosintelligence.com/2021/03/threat-roundup-0305-0312.html
SHA256: bc299adf8792562681aede4dd15f81db7bf0103c9c965770cb8c3d0159afb2af
SHA1: 99b9b3b6fa31d170a51fcf163b1cbe6f130aecc1
MD5: c80008df5fa7cb0f90f41a151b35e653

Strike ID: M21-yh1y1
Malware: Zbot_a26f582f
Platform: Mixed
Info: This strike sends a malware sample known as Zbot. Zbot, also known as Zeus, is a trojan often associated with stealing banking information by keystroke logging and form grabbing techniques.
MD5: a26f582f48d3b9f65e57254df0e6a3c1
External References: https://blog.talosintelligence.com/2021/03/threat-roundup-0312-0319.html
SHA256: 9dffc20f428c686f9cb23e661e84a4685bc30753c974b93ae888b5fd4fd3839c
SHA1: 7995b4bb8fbb7714254be5241da97021319f26dc
MD5: a26f582f48d3b9f65e57254df0e6a3c1

Strike ID: M21-uhd81
Malware: Zbot_13899a88
Platform: Mixed
Info: This strike sends a polymorphic malware sample known as Zbot. Zbot, also known as Zeus, is a trojan often associated with stealing banking information by keystroke logging and form grabbing techniques. The binary has a section renamed to a random name that conforms to the PE format specification.
MD5: 13899a886a4d9dec340f4c976203ce2a
External References: https://arxiv.org/abs/1801.08917
SHA256: 3d49bf7202514de8669c7c7310ad985d5e81c33460d99622c54a321a01cacba7
SHA1: e5e38758b611b69020712659b9d8135a0a76cda4
PARENTID: M21-kb5m1
SSDEEP: 3072:CYDn8rjuO2aTOT4+UM9sQOvDyBPzGN/GZ2tu/TG4cxhILl+Z8bSnLq+0IXD:CInQju6r+UMIbu7GN/lcS4cxhTnLqK
MD5: 13899a886a4d9dec340f4c976203ce2a

Strike ID: M21-hid91
Malware: Cerber_17577ca7
Platform: Mixed
Info: This strike sends a malware sample known as Cerber. Cerber is ransomware that encrypts documents, photos, databases and other important files using the file extension ".cerber".
MD5: 17577ca743581e2ed7d4d26fc398f1ae
External References: https://blog.talosintelligence.com/2021/03/threat-roundup-0305-0312.html
SHA256: 988d69b0cdc4a75aa26a8e058441bca37d5544731aaa41b14600b61e70341b73
SHA1: c92a1ac8469db106350c897d562de6b627f87c17
MD5: 17577ca743581e2ed7d4d26fc398f1ae

Strike ID: M21-jgv61
Malware: Cerber_fe2ccd90
Platform: Mixed
Info: This strike sends a polymorphic malware sample known as Cerber. Cerber is ransomware that encrypts documents, photos, databases and other important files using the file extension ".cerber". The binary has random content appended to one of its existing PE sections.
MD5: fe2ccd90af759a48ec678af945fb84c5
External References: https://arxiv.org/abs/1801.08917
SHA256: e4476e754f762a372f2ea220eb4a8266a25a16fe74eb930b8589441a0a4ce22f
SHA1: f153ac690d69e1ed400c458d2794690861008c2b
PARENTID: M21-fgfb1
SSDEEP: 12288:P2PtcpSGpXTPydtxsddfDhEvSKSmJLXj6hq:P2PtcUGpXryX+dd7KvShmJsq
MD5: fe2ccd90af759a48ec678af945fb84c5

Strike ID: M21-0t441
Malware: Gh0stRAT_8f223f8f
Platform: Mixed
Info: This strike sends a malware sample known as Gh0stRAT. Gh0stRAT is a remote access Trojan that provides control over an infected system. Some of its known functions include the ability to record keystrokes, record screenshots and download additional malicious payloads.
MD5: 8f223f8fba761d9d15d1a842eaecedaf
External References: https://blog.talosintelligence.com/2021/03/threat-roundup-0305-0312.html
SHA256: 4a95c949eafaa51b2de503dcf241a12bead970842154b5371e6e0adc3c8f7772
SHA1: d49ade4329e3b3ce26f42cdf150774df61ebc4a8
MD5: 8f223f8fba761d9d15d1a842eaecedaf

Strike ID: M21-gfrr1
Malware: Gh0stRAT_8acac9bc
Platform: Mixed
Info: This strike sends a malware sample known as Gh0stRAT. Gh0stRAT is a remote access Trojan that provides control over an infected system. Some of its known functions include the ability to record keystrokes, record screenshots and download additional malicious payloads.
MD5: 8acac9bca9605fc425aaeeba1d90c19a
External References: https://blog.talosintelligence.com/2021/03/threat-roundup-0305-0312.html
SHA256: 4149565f66311deef8fae44d164b73ab477ad59e372310ee713cce768fab9a63
SHA1: 658d074a6c313dcb7711c4ef42af282f71bbf1ad
MD5: 8acac9bca9605fc425aaeeba1d90c19a

Strike ID: M21-7q1d1
Malware: Gh0stRAT_8068c7ce
Platform: Mixed
Info: This strike sends a malware sample known as Gh0stRAT. Gh0stRAT is a remote access Trojan that provides control over an infected system. Some of its known functions include the ability to record keystrokes, record screenshots and download additional malicious payloads.
MD5: 8068c7ce20d94bdf1d843c98e916a009
External References: https://blog.talosintelligence.com/2021/03/threat-roundup-0305-0312.html
SHA256: 48153323aedf8b07e8a316dc3602c88caa45158e234eecc391c9ba8f35717768
SHA1: 8c2d5d68098fde1eed2a930d24a7e3b35f06e705
MD5: 8068c7ce20d94bdf1d843c98e916a009

Strike ID: M21-51j41
Malware: Zbot_53398513
Platform: Mixed
Info: This strike sends a malware sample known as Zbot. Zbot, also known as Zeus, is a trojan often associated with stealing banking information by keystroke logging and form grabbing techniques.
MD5: 53398513c9b00ac5c9e11bc0ac41d1b6
External References: https://blog.talosintelligence.com/2021/03/threat-roundup-0312-0319.html
SHA256: 99d874daee72df966dc53ffb6e32672bb3568ac3c58fb56cce34329cb3538137
SHA1: 02cfa3c62945f18fbba204355801341de0d54720
MD5: 53398513c9b00ac5c9e11bc0ac41d1b6

Strike ID: M21-3xcp1
Malware: Gh0stRAT_cb107719
Platform: Mixed
Info: This strike sends a malware sample known as Gh0stRAT. Gh0stRAT is a remote access Trojan that provides control over an infected system. Some of its known functions include the ability to record keystrokes, record screenshots and download additional malicious payloads.
MD5: cb1077195da0ed778a3180ab0aaf4c92
External References: https://blog.talosintelligence.com/2021/03/threat-roundup-0305-0312.html
SHA256: 1fec76e020199fb8aea686bbeda5cb851244d0acba405ea2ef887bfe27b7a91e
SHA1: 52d4d743a228a6ad86e9f7657135d938275b73b7
MD5: cb1077195da0ed778a3180ab0aaf4c92

Strike ID: M21-jfo01
Malware: Cerber_b055cf6b
Platform: Mixed
Info: This strike sends a malware sample known as Cerber. Cerber is ransomware that encrypts documents, photos, databases and other important files using the file extension ".cerber".
MD5: b055cf6b4059ac70de7497ee0ae501c5
External References: https://blog.talosintelligence.com/2021/03/threat-roundup-0305-0312.html
SHA256: bf4876d6a6c55678b3930b2bf2f8a4bf9a98364fc274d649729848190a9375d5
SHA1: 83073b8b93019efc618535e783597d830bde1968
MD5: b055cf6b4059ac70de7497ee0ae501c5

Strike ID: M21-9ugu1
Malware: Gh0stRAT_b170ba52
Platform: Mixed
Info: This strike sends a malware sample known as Gh0stRAT. Gh0stRAT is a remote access Trojan that provides control over an infected system. Some of its known functions include the ability to record keystrokes, record screenshots and download additional malicious payloads.
MD5: b170ba528f2ade834483f410b22fd910
External References: https://blog.talosintelligence.com/2021/03/threat-roundup-0305-0312.html
SHA256: 08b333da19cb0a14d6d67de0aaf6cade6191dd01b5aaf08e248192c00f24cd2e
SHA1: 114c237d946aeb8ac724b375f8cf85319bb9742d
MD5: b170ba528f2ade834483f410b22fd910

Strike ID: M21-w5gb1
Malware: Cerber_6f518175
Platform: Mixed
Info: This strike sends a malware sample known as Cerber. Cerber is ransomware that encrypts documents, photos, databases and other important files using the file extension ".cerber".
MD5: 6f5181752a3e47b0671cd8579143fe36
External References: https://blog.talosintelligence.com/2021/03/threat-roundup-0305-0312.html
SHA256: de7ceb985789e6bac83dc6ce4ddd66716fc646c83cf7a4886a5d35f7fe9c5481
SHA1: a9661da89b37e52f1eb72438ad9dc29fe918cd99
MD5: 6f5181752a3e47b0671cd8579143fe36

Strike ID: M21-wp3e1
Malware: Zbot_45fca4d6
Platform: Mixed
Info: This strike sends a malware sample known as Zbot. Zbot, also known as Zeus, is a trojan often associated with stealing banking information by keystroke logging and form grabbing techniques.
MD5: 45fca4d6d8f0649b29b475a6ca4eb6cb
External References: https://blog.talosintelligence.com/2021/03/threat-roundup-0312-0319.html
SHA256: 8cef6afdfbe964f5839d1f616578a5a648d24152c483b4291c954585b612e53d
SHA1: 4bbe71af5501e41fc6b72e8b65f3645fe5b01f54
MD5: 45fca4d6d8f0649b29b475a6ca4eb6cb

Strike ID: M21-snkz1
Malware: Johnnie_be0e6047
Platform: Mixed
Info: This strike sends a malware sample known as Johnnie. Johnnie, also known as Mikey, is a malware family that focuses on persistence and is known for its plugin architecture.
MD5: be0e6047078cdce823e27cfd0ff8a5ee
External References: https://blog.talosintelligence.com/2021/03/threat-roundup-0305-0312.html
SHA256: 7e8df264b1aa78a5eff69c18bc45b62c37ee32929e2bf47a00bc2ad1959cc58c
SHA1: c2697ce8af49398d16d7fe1d4994fd36ee9ed379
MD5: be0e6047078cdce823e27cfd0ff8a5ee

Strike ID: M21-9tro1
Malware: Remcos_21e43f1b
Platform: Mixed
Info: This strike sends a polymorphic malware sample known as Remcos. Remcos is a RAT that logs keystrokes and performs other interactions with the host, such as capturing screenshots. It is typically delivered via documents with macros in phishing emails. The binary has a section renamed to a random name that conforms to the PE format specification.
MD5: 21e43f1bec6e4eb7a86da442d462332c
External References: https://arxiv.org/abs/1801.08917
SHA256: 304ebf5790f5759aac1ca27b69397aa1b13dfc6a6f2ca8995993e92ca7feaa70
SHA1: e7d697d2e9ceb1787b28f0fe804f55ac7dae30e0
PARENTID: M21-a8c01
SSDEEP: 1536:wbQihzJ0RAQCAqTAj2jo8MG7m80PuYjub:rkJsA5Aj2Umb
MD5: 21e43f1bec6e4eb7a86da442d462332c

Strike ID: M21-who71
Malware: Zbot_e51be375
Platform: Mixed
Info: This strike sends a malware sample known as Zbot. Zbot, also known as Zeus, is a trojan often associated with stealing banking information by keystroke logging and form grabbing techniques.
MD5: e51be375b6b37bc31fb815e35e8fa238
External References: https://blog.talosintelligence.com/2021/03/threat-roundup-0312-0319.html
SHA256: aeaa3ca819bb66d0b37c3431b1f2f06292f2ef5d087953d421bff33daea4d05a
SHA1: d1d0ff69e7c3eeb6497c1a4b3da18de2bb229d67
MD5: e51be375b6b37bc31fb815e35e8fa238

Strike ID: M21-kpmn1
Malware: Cerber_ae7d7901
Platform: Mixed
Info: This strike sends a malware sample known as Cerber. Cerber is ransomware that encrypts documents, photos, databases and other important files using the file extension ".cerber".
MD5: ae7d7901de45faca15a9575b702cea61
External References: https://blog.talosintelligence.com/2021/03/threat-roundup-0305-0312.html
SHA256: 81c2c50ef0e6dc05d2c2bb6ae7fc284fcdd30e35a2470f123737113b51a04d83
SHA1: 0bd327f183d9cbfc31acbfdaf74c88ec04a0b639
MD5: ae7d7901de45faca15a9575b702cea61

Strike ID: M21-tvgh1
Malware: Remcos_0471eecc
Platform: Mixed
Info: This strike sends a malware sample known as Remcos. Remcos is a RAT that logs keystrokes and performs other interactions with the host, such as capturing screenshots. It is typically delivered via documents with macros in phishing emails.
MD5: 0471eeccce6c5f38967035375fd45316
External References: https://blog.talosintelligence.com/2021/03/threat-roundup-0312-0319.html
SHA256: dbbbf8a197a81a53158c3ea83feea35b23716df8f5ba7e92265484c157749943
SHA1: 8fbe8257a2660c4c05de779d0691fd3bd9d2cd1e
MD5: 0471eeccce6c5f38967035375fd45316

Strike ID: M21-huee1
Malware: Zegost_9d4c308c
Platform: Mixed
Info: This strike sends a malware sample known as Zegost. Zegost, also known as Zusy, steals banking information. It displays a form to trick the user into submitting personal information when visiting a banking website.
MD5: 9d4c308c78451e878ba18901b4a0df90
External References: https://blog.talosintelligence.com/2021/03/threat-roundup-0312-0319.html
SHA256: dbfb0576d8d5917bf4231a870525191f93915a97f255694184d94761e5887e05
SHA1: bd15e9de052cf94b232a8a19710f6d89ff2326ba
MD5: 9d4c308c78451e878ba18901b4a0df90

Strike ID: M21-u1pm1
Malware: Zbot_0262db6c
Platform: Mixed
Info: This strike sends a malware sample known as Zbot. Zbot, also known as Zeus, is a trojan often associated with stealing banking information by keystroke logging and form grabbing techniques.
MD5: 0262db6c1bd924b0718f7957c7e18a0c
External References: https://blog.talosintelligence.com/2021/03/threat-roundup-0312-0319.html
SHA256: 72c4886dc019c3135205759375a6461d85288628c69d842c700bd867455810e0
SHA1: 3a9458d0df0561b7f4376caedaf219778a2737e0
MD5: 0262db6c1bd924b0718f7957c7e18a0c

Strike ID: M21-rsnr1
Malware: Gh0stRAT_8fe74bf9
Platform: Mixed
Info: This strike sends a malware sample known as Gh0stRAT. Gh0stRAT is a remote access Trojan that provides control over an infected system. Some of its known functions include the ability to record keystrokes, record screenshots and download additional malicious payloads.
MD5: 8fe74bf9a3b754612869be86468b432f
External References: https://blog.talosintelligence.com/2021/03/threat-roundup-0305-0312.html
SHA256: 45f6d29433ada10f19c88b0461b35285f4478fc73ee49c8ad7189acc0854370d
SHA1: c25e7f6cd92c8fa1c99c936e5a730d7386df4df7
MD5: 8fe74bf9a3b754612869be86468b432f

Strike ID: M21-nl4v1
Malware: Cerber_271c2d2c
Platform: Mixed
Info: This strike sends a polymorphic malware sample known as Cerber. Cerber is ransomware that encrypts documents, photos, databases and other important files using the file extension ".cerber". The binary has a section renamed to a random name that conforms to the PE format specification.
MD5: 271c2d2c8487d35a5d40f5b15a4f8382
External References: https://arxiv.org/abs/1801.08917
SHA256: d51eb428e9ea9773495e1fd07a485fca103b284c682d866c9f01a37ed839007d
SHA1: 5f983bcd8f799b0eaf3f10aa3e182dd7ff3a21a5
PARENTID: M21-fgfb1
SSDEEP: 12288:J2PtcpSGpXTPyduxsddfDhEvSKSmJLXj6hq:J2PtcUGpXryU+dd7KvShmJsq
MD5: 271c2d2c8487d35a5d40f5b15a4f8382

Strike ID: M21-k10r1
Malware: Zegost_72ab4d3f
Platform: Mixed
Info: This strike sends a malware sample known as Zegost. Zegost, also known as Zusy, steals banking information. It displays a form to trick the user into submitting personal information when visiting a banking website.
MD5: 72ab4d3f08f9136464836d4b0d633ba3
External References: https://blog.talosintelligence.com/2021/03/threat-roundup-0312-0319.html
SHA256: 15e497d04bd67acedf599fbdbcf16ce5f71e1ba0f1d001282b7e4bd6d9e3e8e9
SHA1: 08c2dbd24cbda8dfdc3b3d33d374b067dc2f4fd3
MD5: 72ab4d3f08f9136464836d4b0d633ba3

Strike ID: M21-h4v41
Malware: Gh0stRAT_31a7ba62
Platform: Mixed
Info: This strike sends a malware sample known as Gh0stRAT. Gh0stRAT is a remote access Trojan that provides control over an infected system. Some of its known functions include the ability to record keystrokes, record screenshots and download additional malicious payloads.
MD5: 31a7ba6276ad876d12d537c8f4076d14
External References: https://blog.talosintelligence.com/2021/03/threat-roundup-0305-0312.html
SHA256: 61b4e4297ede515f3c632b5c55a06d7b9c7e5e42dd084a56c2aa385f6cf74efc
SHA1: 503f6ab9cb8376f7ff58f7decd82dba37f3e60d0
MD5: 31a7ba6276ad876d12d537c8f4076d14

Strike ID: M21-t1vi1
Malware: Gh0stRAT_eba0031e
Platform: Mixed
Info: This strike sends a malware sample known as Gh0stRAT. Gh0stRAT is a remote access Trojan that provides control over an infected system. Some of its known functions include the ability to record keystrokes, record screenshots and download additional malicious payloads.
MD5: eba0031e564ce3b9d7c37bb4f9648480
External References: https://blog.talosintelligence.com/2021/03/threat-roundup-0305-0312.html
SHA256: 1228068d719215b7cad5ec1493521057e150a3850a6e9e9caa93dc406d500c6f
SHA1: e7426adf3c63d8ccac5e5339f6190917c3067454
MD5: eba0031e564ce3b9d7c37bb4f9648480

Strike ID: M21-fgfb1
Malware: Cerber_fce00a14
Platform: Mixed
Info: This strike sends a malware sample known as Cerber. Cerber is ransomware that encrypts documents, photos, databases and other important files using the file extension ".cerber".
MD5: fce00a14d4542ddada0bebf0a40cb7ea
External References: https://blog.talosintelligence.com/2021/03/threat-roundup-0305-0312.html
SHA256: da2ffc90fe2f322410c23093d0823070b7a1edd85f98e5ec2b9e9df66c70d1ba
SHA1: edd3368d9cf7c8d53ff1fa64c1bd304ee29dbb19
MD5: fce00a14d4542ddada0bebf0a40cb7ea

Strike ID: M21-gdng1
Malware: Zegost_2a361689
Platform: Mixed
Info: This strike sends a malware sample known as Zegost. Zegost, also known as Zusy, steals banking information. It displays a form to trick the user into submitting personal information when visiting a banking website.
MD5: 2a361689bd76bb804dc4f9b2088c152f
External References: https://blog.talosintelligence.com/2021/03/threat-roundup-0312-0319.html
SHA256: 0aa9328fe3389516d2fd282e56138b9c130d368e82ea70dd9419667b19b191fb
SHA1: b25b36694be4a64d54482acc1ceb3108cfe7644b
MD5: 2a361689bd76bb804dc4f9b2088c152f

Strike ID: M21-u9xb1
Malware: Zbot_ae999d4e
Platform: Mixed
Info: This strike sends a malware sample known as Zbot. Zbot, also known as Zeus, is a trojan often associated with stealing banking information by keystroke logging and form grabbing techniques.
MD5: ae999d4ee4684b297f66ffea7c38f611
External References: https://blog.talosintelligence.com/2021/03/threat-roundup-0312-0319.html
SHA256: 7b7b3078f9ced8cd158ed3cf3c86c2a21425b88c717db7b064746ac7eeb20bca
SHA1: 11175d74151fdc9b8076aaca3cd2b43089fc2b7f
MD5: ae999d4ee4684b297f66ffea7c38f611

Strike ID: M21-naqa1
Malware: Zegost_1cf31a4e
Platform: Mixed
Info: This strike sends a malware sample known as Zegost. Zegost, also known as Zusy, steals banking information. It displays a form to trick the user into submitting personal information when visiting a banking website.
MD5: 1cf31a4eed8b843df39342fb99984f24
External References: https://blog.talosintelligence.com/2021/03/threat-roundup-0312-0319.html
SHA256: c89b76b189cb388e323df3f8055ccad897158c5b485afa01711b87fc47620255
SHA1: 33a6b73373563f2871164978f82b4cfdb7dc2b2c
MD5: 1cf31a4eed8b843df39342fb99984f24

Strike ID: M21-M18061
Malware: Zegost_6c6181b4
Platform: Mixed
Info: This strike sends a malware sample known as Zegost. Zegost, also known as Zusy, steals banking information. It displays a form to trick the user into submitting personal information when visiting a banking website.
MD5: 6c6181b4a564254c0d5f16512632660c
External References: https://blog.talosintelligence.com/2021/03/threat-roundup-0312-0319.html
SHA256: 3d6172eab86b890404efea00baa9f39de291ab1c31b65bce1d5a15419a2dab6e
SHA1: 8b70970984cc9f6cfacbdcdd49f4e53895fcd0bf
MD5: 6c6181b4a564254c0d5f16512632660c

Strike ID: M21-sdph1
Malware: Zbot_4a245548
Platform: Mixed
Info: This strike sends a malware sample known as Zbot. Zbot, also known as Zeus, is a trojan often associated with stealing banking information by keystroke logging and form grabbing techniques.
MD5: 4a24554855308b574ae2327d733fc1f6
External References: https://blog.talosintelligence.com/2021/03/threat-roundup-0312-0319.html
SHA256: 7155b2bf1f3f12bb43e2dc14e97d654c96632f015111bc5df1aa8a3092e3709b
SHA1: e768730b7a1f9a4a5c11e0732fefca9d1986c9b3
MD5: 4a24554855308b574ae2327d733fc1f6

Strike ID: M21-bhge1
Malware: HAFNIUM
Platform: Mixed
Info: This strike sends a malware sample known as HAFNIUM Webshell. This HAFNIUM Webshell malware is one of many that have been used in conjunction with Microsoft Exchange Server 0day attacks against a large number of entities, primarily based in the United States. After initial compromise, these web shells are deployed, allowing attackers to steal data and carry out further malicious actions such as command execution, file read/write and tunneling. The Webshell malware has been documented residing in one of several installation paths below.
MD5: 1a7a85b0390b308b1801679e11567eac
External References: https://blog.talosintelligence.com/2021/03/threat-advisory-hafnium-and-microsoft.html
SHA256: 406b680edc9a1bb0e2c7c451c56904857848b5f15570401450b73b232ff38928
SHA1: aea0999c6e5952ec04bf9ee717469250cddf8a6f
MD5: 1a7a85b0390b308b1801679e11567eac

Strike ID: M21-mktd1
Malware: Gh0stRAT_bd3b1251
Platform: Mixed
Info: This strike sends a malware sample known as Gh0stRAT. Gh0stRAT is a remote access Trojan that provides control over an infected system. Some of its known functions include the ability to record keystrokes, record screenshots and download additional malicious payloads.
MD5: bd3b12515725e179f1e4678223066247
External References: https://blog.talosintelligence.com/2021/03/threat-roundup-0305-0312.html
SHA256: 1535b2383a6c2be5adf2682b39ffd0b37c3c5abfacafd575e6895ba8e9faeb34
SHA1: 3df3bef7e918b575760097306b5dc88364423e37
MD5: bd3b12515725e179f1e4678223066247

Strike ID: M21-mf5t1
Malware: Cerber_fb4af472
Platform: Mixed
Info: This strike sends a polymorphic malware sample known as Cerber. Cerber is ransomware that encrypts documents, photos, databases and other important files using the file extension ".cerber". The binary has random bytes appended at the end of the file.
MD5: fb4af472afa96bd412d67b9080699494
External References: https://attack.mitre.org/techniques/T1009/
SHA256: 60383648c4b5d929c55f8ee9bfbb03329cba4e51065a333e03ac3a17d48b75e4
SHA1: ef7789ffe72c84a963b71269fb5887a072083dd3
PARENTID: M21-fgfb1
SSDEEP: 12288:b2PtcpSGpXTPyduxsddfDhEvSKSmJLXj6hs:b2PtcUGpXryU+dd7KvShmJss
MD5: fb4af472afa96bd412d67b9080699494

Strike ID: M21-ag2v1
Malware: Cerber_a40ee742
Platform: Mixed
Info: This strike sends a malware sample known as Cerber. Cerber is ransomware that encrypts documents, photos, databases and other important files using the file extension ".cerber".
MD5: a40ee74258c0f9d49dc18bc4dd27df93
External References: https://blog.talosintelligence.com/2021/03/threat-roundup-0305-0312.html
SHA256: 74fc7b703cecd047723d05e8654593f48d1801fa5fbd56b8a6330727da1b73be
SHA1: 85518e2675a7e3ab565812df1188e00ebcf85735
MD5: a40ee74258c0f9d49dc18bc4dd27df93

Strike ID: M21-9dr31
Malware: Johnnie_00826892
Platform: Mixed
Info: This strike sends a malware sample known as Johnnie. Johnnie, also known as Mikey, is a malware family that focuses on persistence and is known for its plugin architecture.
MD5: 0082689270c8db3432602ace4edb0ad2
External References: https://blog.talosintelligence.com/2021/03/threat-roundup-0305-0312.html
SHA256: 505511c169de43c71e439a82ef3a821707e1b698382b4c41f05bcc3b9a14e5c7
SHA1: ca25c5caa56f0e4f5de44b47a13bd4a05bbf1f1e
MD5: 0082689270c8db3432602ace4edb0ad2

Strike ID: M21-dr8t1
Malware: Remcos_b1fea42d
Platform: Mixed
Info: This strike sends a malware sample known as Remcos. Remcos is a RAT that logs keystrokes and performs other interactions with the host, such as capturing screenshots. It is typically delivered via documents with macros in phishing emails.
MD5: b1fea42d2bec29cc100f5cd47262c1cf
External References: https://blog.talosintelligence.com/2021/03/threat-roundup-0312-0319.html
SHA256: b87f1dc302e0bf49a65cd8fb24f8e44809d5488dce30257597a3856afb9f55c1
SHA1: 67395944e3b1d69d966e4f3e12801795435565ba
MD5: b1fea42d2bec29cc100f5cd47262c1cf

Strike ID: M21-kb5m1
Malware: Zbot_376b9a6c
Platform: Mixed
Info: This strike sends a malware sample known as Zbot. Zbot, also known as Zeus, is a trojan often associated with stealing banking information by keystroke logging and form grabbing techniques.
MD5: 376b9a6c75d6c7da8dc7c0e21338f7f4
External References: https://blog.talosintelligence.com/2021/03/threat-roundup-0312-0319.html
SHA256: 9f568cc3b8ebc6d459507dc82cbcbdf281f9026b0c3a102be356e42c414f0c0a
SHA1: d2c7ae3a6794e35a4cd00043cd4ded603c1f4b82
MD5: 376b9a6c75d6c7da8dc7c0e21338f7f4