Malware Monthly Update August - 2022

Malware Strikes

Fields per strike: Strike ID, Malware, Platform, Info, External References, followed by the sample hashes (SHA256, SHA1, MD5). Polymorphic variants also list a parent strike ID, an SSDEEP hash and a reference for the transformation applied.
Strike ID: M22-M8035
Malware: DarkTortilla
Platform: Windows
Info: This strike sends a malware sample known as DarkTortilla Loader. DarkTortilla is a .NET-based crypter that delivers information stealers and remote access trojans like AgentTesla and RedLine. It has also been observed delivering payloads like Cobalt Strike and Metasploit as well as other malicious documents and executables. This sample is the DarkTortilla initial loader.
External References: https://www.secureworks.com/research/darktortilla-malware-analysis
SHA256: 083acce46cb8cf35e37c778d1f4aee6814bca72d2874b793a47f9823f51df0fe
SHA1: 4178d5efa388caf2d0ffd4539cf285b1de5ffab6
MD5: 851816aa8cf45ba769f0d9420acfb3e5
Strike ID: M22-M8072
Malware: Locky_8ea1078a
Platform: Windows
Info: This strike sends a polymorphic malware sample known as Locky. Locky is ransomware for Windows systems which appeared at the beginning of 2016. The malicious code for this particular malware relies on JavaScript attachments to download itself. Like other ransomware, it encrypts local files as well as network shares and renames them to [unique_id][identifier].locky. The victim is requested to pay a ransom to get the files decrypted. The binary has random strings (lorem ipsum) appended at the end of the file.
External References: https://blog.talosintelligence.com/2022/08/threat-roundup-0812-0819.html
SHA256: cd12ae4ce6635643aa838c6cc4dac9df5f530bd198cb9199fd876e1a2959baa7
https://attack.mitre.org/techniques/T1009/
PARENTID: M22-M8015
SSDEEP: 12288:ZbBxl0y84cD3SLOmpuWYLx3vIRW2X3Ps9qThst17K/Y87MZmcqi:ZbXbnpuZS0QkETutYQ8qmzi
SHA1: db58b2dd8b708c6d715f946134b41de149cde99e
MD5: 8ea1078ae6f7500c9c1f245d69a8ce30
Strike ID: M22-M8054
Malware: DarkTortilla
Platform: Windows
Info: This strike sends a malware sample known as DarkTortilla Loader. DarkTortilla is a .NET-based crypter that delivers information stealers and remote access trojans like AgentTesla and RedLine. It has also been observed delivering payloads like Cobalt Strike and Metasploit as well as other malicious documents and executables. This sample is the DarkTortilla initial loader.
External References: https://www.secureworks.com/research/darktortilla-malware-analysis
SHA256: 0a5dc3b6669cf31e8536c59fe1315918eb4ecfd87998445e2eeb8fed64bd2f2c
SHA1: 619bf90a8ea219e34bf57dda1a322914b9fa1c81
MD5: cd49f7c3c4e82dee128eedea9879bc33
Strike ID: M22-M8039
Malware: DarkTortilla
Platform: Windows
Info: This strike sends a malware sample known as DarkTortilla Loader. DarkTortilla is a .NET-based crypter that delivers information stealers and remote access trojans like AgentTesla and RedLine. It has also been observed delivering payloads like Cobalt Strike and Metasploit as well as other malicious documents and executables. This sample is the DarkTortilla initial loader.
External References: https://www.secureworks.com/research/darktortilla-malware-analysis
SHA256: 5be86cfca25e295f88b5aab42a6f604d2f1bb97f3c73b01df664c137908e2ec4
SHA1: 6d4b4bcd107b09af37996c73a6448379a31aaac4
MD5: 8d8c551dd572a1dc158de239b37eaa9a
Strike ID: M22-M8057
Malware: XtremeRAT_de66d12d
Platform: Windows
Info: This strike sends a malware sample known as XtremeRAT. XtremeRAT is a remote access trojan that allows the attacker to eavesdrop on users and modify the running system.
External References: https://blog.talosintelligence.com/2022/08/threat-roundup-0812-0819.html
SHA256: 6798aa4e8218c8783acab06e700b519eb31856ac0e46c6c82f5dfbf22e13ddb5
SHA1: 6748795727d076ea5093f17fc60639006ec45d45
MD5: de66d12d576a1df764e09f4f51ba1388
Strike ID: M22-M801c
Malware: XtremeRAT_524e7e63
Platform: Windows
Info: This strike sends a malware sample known as XtremeRAT. XtremeRAT is a remote access trojan that allows the attacker to eavesdrop on users and modify the running system.
External References: https://blog.talosintelligence.com/2022/08/threat-roundup-0812-0819.html
SHA256: 593d60c61df90a5de77d5ee31815eafd3c2657f1581cdd7fe36e74f72956a7e3
SHA1: 08c75b21e44b7eb781e5500b1253d408a896fedf
MD5: 524e7e63d3431e870c08968410412996
Strike ID: M22-M8055
Malware: RapperBot_ce1a9802
Platform: Linux
Info: This strike sends a malware sample known as RapperBot. RapperBot is an IoT botnet malware that heavily borrows from Mirai source code. However, unlike Mirai, RapperBot brute-forces vulnerable SSH servers. Upon successfully breaking into the SSH server, the credentials are sent back to the command-and-control server, and then the malware adds its public key to the authorized keys file in an attempt to maintain persistence on the machine. This primes the malware for future DDoS attacks on the target when the attackers are ready.
External References: https://thehackernews.com/2022/08/new-iot-rapperbot-malware-targeting.html
SHA256: 92ae77e9dd22e7680123bb230ce43ef602998e6a1c6756d9e2ce5822a09b37b4
SHA1: 335dadffad009212e3bc868ebe094b227e26407a
MD5: ce1a980265811fd257b36a449b987702
Strike ID: M22-M8003
Malware: TrickBot_0a5281c9
Platform: Windows
Info: This strike sends a malware sample known as TrickBot. TrickBot is a banking trojan targeting sensitive information for select financial institutions. This malware is frequently distributed through malicious spam campaigns. Many of these campaigns rely on downloaders for distribution, such as VB Scripts.
External References: https://blog.talosintelligence.com/2022/08/threat-roundup-0729-0805.html
SHA256: 28d1f82ea2f237ae643e442adae17449dadb8ad93397bf2299b0b53abeee45cb
SHA1: 69f95f11c8fac96bcc86e568842fe701a3259dfc
MD5: 0a5281c935c5791663b702895803719e
Strike ID: M22-M803a
Malware: XtremeRAT_90a7c094
Platform: Windows
Info: This strike sends a malware sample known as XtremeRAT. XtremeRAT is a remote access trojan that allows the attacker to eavesdrop on users and modify the running system.
External References: https://blog.talosintelligence.com/2022/08/threat-roundup-0812-0819.html
SHA256: c11cd59cb06cf9e1a9f95e3d78300a2aa8edf94ed7964b73ccb7135a5b23a7d6
SHA1: 87f52cc51e4b24929585b549a5e58148a66dc7d5
MD5: 90a7c094e1541e288df6fe17d8af2201
Strike ID: M22-M800d
Malware: XtremeRAT_277609ed
Platform: Windows
Info: This strike sends a malware sample known as XtremeRAT. XtremeRAT is a remote access trojan that allows the attacker to eavesdrop on users and modify the running system.
External References: https://blog.talosintelligence.com/2022/08/threat-roundup-0812-0819.html
SHA256: 00c5b7cc78f982e42062c84a8a5c1c5aaeea7276b0f00635d61e4bfdcf6ed4b2
SHA1: bb563b04b626e6c62cd79758097c12ea7b1a19ba
MD5: 277609eded83e6f042e185c3d5740feb
Strike ID: M22-M8078
Malware: Dorkbot_fd964c0b
Platform: Windows
Info: This strike sends a polymorphic malware sample known as Dorkbot. Dorkbot is a worm that spreads itself through social networking sites and messaging apps. Once installed, the infected computer becomes part of a botnet, allowing the controller to control the machine remotely. The binary has random contents appended in one of the existing sections in the PE file format.
External References: https://blog.talosintelligence.com/2022/08/threat-roundup-0812-0819.html
SHA256: c8beacbb624c1ad136f0350d6841f9a4d11b9ce447997f8074174c1f029840c4
https://arxiv.org/abs/1801.08917
PARENTID: M22-M8046
SSDEEP: 6144:Sh/ikWGQrifBkvxVJF3NGwVl8SUKHdwU:GTJQWfYrJFfzzUGwU
SHA1: c1950ea4b1b94abfeb7e26a32dd9dc20ab984a58
MD5: fd964c0b89402a947716fdaddf0bf800
Strike ID: M22-M8038
Malware: TrickBot_8cc0021e
Platform: Windows
Info: This strike sends a malware sample known as TrickBot. TrickBot is a banking trojan targeting sensitive information for select financial institutions. This malware is frequently distributed through malicious spam campaigns. Many of these campaigns rely on downloaders for distribution, such as VB Scripts.
External References: https://blog.talosintelligence.com/2022/08/threat-roundup-0729-0805.html
SHA256: 01a4f86457a252ffc23117ba653a2093902d0160140a3fda03e3cb9595f6d652
SHA1: a7d3deea4daabbac5bc0209ed854d1224120a688
MD5: 8cc0021e091932f84851a0bf9c02860b
Strike ID: M22-M8037
Malware: Dorkbot_8c5d180d
Platform: Windows
Info: This strike sends a malware sample known as Dorkbot. Dorkbot is a worm that spreads itself through social networking sites and messaging apps. Once installed, the infected computer becomes part of a botnet, allowing the controller to control the machine remotely.
External References: https://blog.talosintelligence.com/2022/08/threat-roundup-0812-0819.html
SHA256: 29e771b03f40a6cd492b49826238364933a37c65bee5bf7990d711ff14d3511e
SHA1: 9681ad391c416840d35a40c5943b11eb9e66772a
MD5: 8c5d180d78d43ec8c0754273f13f13d2
Strike ID: M22-M805d
Malware: TrickBot_ec58d221
Platform: Windows
Info: This strike sends a malware sample known as TrickBot. TrickBot is a banking trojan targeting sensitive information for select financial institutions. This malware is frequently distributed through malicious spam campaigns. Many of these campaigns rely on downloaders for distribution, such as VB Scripts.
External References: https://blog.talosintelligence.com/2022/08/threat-roundup-0729-0805.html
SHA256: 23d19c57bacf51421505125da6917c815a1aa0d5c7346cf42c47f6667df0599d
SHA1: 8ea59a29d0cfd0abe0eca11f06b9239e311bfa58
MD5: ec58d22179604219c554c56e5551a33a
Strike ID: M22-M8031
Malware: Locky_8048aa32
Platform: Windows
Info: This strike sends a malware sample known as Locky. Locky is ransomware for Windows systems which appeared at the beginning of 2016. The malicious code for this particular malware relies on JavaScript attachments to download itself. Like other ransomware, it encrypts local files as well as network shares and renames them to [unique_id][identifier].locky. The victim is requested to pay a ransom to get the files decrypted.
External References: https://blog.talosintelligence.com/2022/08/threat-roundup-0812-0819.html
SHA256: 8d62a963beb4ac49096277d54d3d6bc78c1142ff30b600b0373256eaa6b7a73c
SHA1: f7ad9416669ee5185c2cfc129de0c04cb0feb26b
MD5: 8048aa3289909b0f544bf7819a150a48
Strike ID: M22-M806b
Malware: Dorkbot_617acc95
Platform: Windows
Info: This strike sends a polymorphic malware sample known as Dorkbot. Dorkbot is a worm that spreads itself through social networking sites and messaging apps. Once installed, the infected computer becomes part of a botnet, allowing the controller to control the machine remotely. The binary has a random section name renamed according to the PE format specification.
External References: https://blog.talosintelligence.com/2022/08/threat-roundup-0812-0819.html
SHA256: ca534b389a16c011aa2ca978d297c247e69888047ae3fa944602f3f0b2ecf2a2
https://arxiv.org/abs/1801.08917
PARENTID: M22-M8046
SSDEEP: 6144:0h/ikWGQrifBkvxVJF3NGwVl8SUKHdwUP:ATJQWfYrJFfzzUGwUP
SHA1: d0aee802f57a38cd87d9f27f6d60083af192f01f
MD5: 617acc95c26c60ef3b90df8f612f4da4
Strike ID: M22-M8029
Malware: TrickBot_6c16b771
Platform: Windows
Info: This strike sends a malware sample known as TrickBot. TrickBot is a banking trojan targeting sensitive information for select financial institutions. This malware is frequently distributed through malicious spam campaigns. Many of these campaigns rely on downloaders for distribution, such as VB Scripts.
External References: https://blog.talosintelligence.com/2022/08/threat-roundup-0729-0805.html
SHA256: 50543f06717e0d022a4b58043861f0a38ab82e068f07414adc5be142a66c6cec
SHA1: 9bc4cb7f8dbc3d81d8e6e4001288db662df143b6
MD5: 6c16b7715556744d54996256b431668a
Strike ID: M22-M8028
Malware: TrickBot_6b553df5
Platform: Windows
Info: This strike sends a malware sample known as TrickBot. TrickBot is a banking trojan targeting sensitive information for select financial institutions. This malware is frequently distributed through malicious spam campaigns. Many of these campaigns rely on downloaders for distribution, such as VB Scripts.
External References: https://blog.talosintelligence.com/2022/08/threat-roundup-0729-0805.html
SHA256: 1f14d617fd53588a36cd26c19e6f306fad28bac24140e9083986bb0cac607bc5
SHA1: d742d0cf7fa62e75b32f391a40995c52d87bc3ff
MD5: 6b553df50e52d6a374ca16adb25d2a53
Strike ID: M22-M804a
Malware: Locky_b73d624c
Platform: Windows
Info: This strike sends a malware sample known as Locky. Locky is ransomware for Windows systems which appeared at the beginning of 2016. The malicious code for this particular malware relies on JavaScript attachments to download itself. Like other ransomware, it encrypts local files as well as network shares and renames them to [unique_id][identifier].locky. The victim is requested to pay a ransom to get the files decrypted.
External References: https://blog.talosintelligence.com/2022/08/threat-roundup-0812-0819.html
SHA256: 1cdcb07c8a79bdb3faad6feae4b2720cec8dc8de0cfb1431502f91e8c9152e94
SHA1: 0a56f8d095ba7a347dffb02d18dd32ea69d1a6cc
MD5: b73d624c91955ec6780053f5c6c1e552
Strike ID: M22-M803c
Malware: TrickBot_93d1113f
Platform: Windows
Info: This strike sends a malware sample known as TrickBot. TrickBot is a banking trojan targeting sensitive information for select financial institutions. This malware is frequently distributed through malicious spam campaigns. Many of these campaigns rely on downloaders for distribution, such as VB Scripts.
External References: https://blog.talosintelligence.com/2022/08/threat-roundup-0729-0805.html
SHA256: 26851fc35426f83e70d1542cc4f00a3dd16222de418d2e0727a4ab9d5218c22b
SHA1: 1502e86be0fbb1cb8b735cb76f8baa954cc16456
MD5: 93d1113fa5b123b5cc537f1c74c81412
Strike ID: M22-M804d
Malware: TrickBot_bc47b3ab
Platform: Windows
Info: This strike sends a malware sample known as TrickBot. TrickBot is a banking trojan targeting sensitive information for select financial institutions. This malware is frequently distributed through malicious spam campaigns. Many of these campaigns rely on downloaders for distribution, such as VB Scripts.
External References: https://blog.talosintelligence.com/2022/08/threat-roundup-0729-0805.html
SHA256: 0ef6c2cc035d61abd0f221d2bb8d6c0f5fc1e2e87cd5001f47861435fded326b
SHA1: 4577410c05509cacdf235ef79afa3454311e7363
MD5: bc47b3ab044ca04355bec9db0649606d
Strike ID: M22-M805a
Malware: RapperBot_e4b3a9f9
Platform: Linux
Info: This strike sends a malware sample known as RapperBot. RapperBot is an IoT botnet malware that heavily borrows from Mirai source code. However, unlike Mirai, RapperBot brute-forces vulnerable SSH servers. Upon successfully breaking into the SSH server, the credentials are sent back to the command-and-control server, and then the malware adds its public key to the authorized keys file in an attempt to maintain persistence on the machine. This primes the malware for future DDoS attacks on the target when the attackers are ready.
External References: https://thehackernews.com/2022/08/new-iot-rapperbot-malware-targeting.html
SHA256: 88bbb772b8731296822646735aacbfb53014fbb7f90227b44523d7577e0a7ce6
SHA1: 33cf1b18c99a43ea76c4b87c92b73a769acd24ad
MD5: e4b3a9f9e5e90ce3912665ffb7e0f6f8
Strike ID: M22-M8041
Malware: Dorkbot_9d763334
Platform: Windows
Info: This strike sends a malware sample known as Dorkbot. Dorkbot is a worm that spreads itself through social networking sites and messaging apps. Once installed, the infected computer becomes part of a botnet, allowing the controller to control the machine remotely.
External References: https://blog.talosintelligence.com/2022/08/threat-roundup-0812-0819.html
SHA256: 90853a92441d02881129621868f5a83d4fda693e6602a043dae622186b654a0d
SHA1: 3ba06121809b5059d28186691e980bc92ed00f07
MD5: 9d763334a69c0c9ffcae3f99b4a3337d
Strike ID: M22-M8063
Malware: BugDrop_ffd517d2
Platform: Mixed
Info: This strike sends a malware sample known as BugDrop. BugDrop is an Android malware that masquerades as a QR code scanner on the Google Play Store. Its sole purpose is to bypass security measures used in the Google Play Store and deploy a malicious payload, which is typically an Android Trojan.
External References: https://www.threatfabric.com/blogs/bugdrop-new-dropper-bypassing-google-security-measures.html
SHA256: 367ae87d74c4d45aec595bdccee83a2d38b8ceb71956c902716141f163987c8a
SHA1: e4c47125daa305c49bbd4ae1f945714b2685e94c
MD5: ffd517d24a3d09082159493d859d4767
Strike ID: M22-M802a
Malware: Dorkbot_6ce9013f
Platform: Windows
Info: This strike sends a malware sample known as Dorkbot. Dorkbot is a worm that spreads itself through social networking sites and messaging apps. Once installed, the infected computer becomes part of a botnet, allowing the controller to control the machine remotely.
External References: https://blog.talosintelligence.com/2022/08/threat-roundup-0812-0819.html
SHA256: af69bafe28d0df36ddba5768583cf25bd5cae24b312e17f607c77294b731f0dd
SHA1: 302705510231d77fd7a4d442f85e88db1920aad8
MD5: 6ce9013ff2917fc2cb26fadf22df6bb9
Strike ID: M22-M8045
Malware: Dorkbot_a60ea31c
Platform: Windows
Info: This strike sends a malware sample known as Dorkbot. Dorkbot is a worm that spreads itself through social networking sites and messaging apps. Once installed, the infected computer becomes part of a botnet, allowing the controller to control the machine remotely.
External References: https://blog.talosintelligence.com/2022/08/threat-roundup-0812-0819.html
SHA256: 2bbac09df0fbb667c042f25c8d4810a08d6a3129a57ec70363debad39f917bd2
SHA1: 291d37d22feef1fa484c7b1859f284b91c62f033
MD5: a60ea31cff0dbe199cbf6fbea03cc77d
Strike ID: M22-M8009
Malware: TrickBot_186d3ddb
Platform: Windows
Info: This strike sends a malware sample known as TrickBot. TrickBot is a banking trojan targeting sensitive information for select financial institutions. This malware is frequently distributed through malicious spam campaigns. Many of these campaigns rely on downloaders for distribution, such as VB Scripts.
External References: https://blog.talosintelligence.com/2022/08/threat-roundup-0729-0805.html
SHA256: 094f5c76889cd9f3f9357d72eda49a962eedc8457a77d586459dbd5968f85aef
SHA1: 9babd78342a45ab27c527ffcd546251c82092e47
MD5: 186d3ddb5df74784da23a841ad7ae2da
Strike ID: M22-M803f
Malware: RapperBot_94c9ae3a
Platform: Linux
Info: This strike sends a malware sample known as RapperBot. RapperBot is an IoT botnet malware that heavily borrows from Mirai source code. However, unlike Mirai, RapperBot brute-forces vulnerable SSH servers. Upon successfully breaking into the SSH server, the credentials are sent back to the command-and-control server, and then the malware adds its public key to the authorized keys file in an attempt to maintain persistence on the machine. This primes the malware for future DDoS attacks on the target when the attackers are ready.
External References: https://thehackernews.com/2022/08/new-iot-rapperbot-malware-targeting.html
SHA256: 23256f231f3d91b0136b44d649b924552607a29b43a195024dbe6cde5b4a28ad
SHA1: 94d51c338af676e51cb22f8d169a5aa867259118
MD5: 94c9ae3ab4319954a302d819e8a608ec
Strike ID: M22-M8043
Malware: TrickBot_a13af228
Platform: Windows
Info: This strike sends a malware sample known as TrickBot. TrickBot is a banking trojan targeting sensitive information for select financial institutions. This malware is frequently distributed through malicious spam campaigns. Many of these campaigns rely on downloaders for distribution, such as VB Scripts.
External References: https://blog.talosintelligence.com/2022/08/threat-roundup-0729-0805.html
SHA256: 3b5e722ae23b3656cfb17fcb9fd218b92c5e4f24c241c3f1c37bded99d92c035
SHA1: 4618b4ef94b069b870c8dd2604cba10ec81c6113
MD5: a13af2286cd59a8963df5feb0a06412e
Strike ID: M22-M801d
Malware: Dorkbot_535fb4c2
Platform: Windows
Info: This strike sends a malware sample known as Dorkbot. Dorkbot is a worm that spreads itself through social networking sites and messaging apps. Once installed, the infected computer becomes part of a botnet, allowing the controller to control the machine remotely.
External References: https://blog.talosintelligence.com/2022/08/threat-roundup-0812-0819.html
SHA256: b7d2ff1e59e0d30e46adf03d7a90dcc0ed83f2ff1e9b35702a70486954f1d3dd
SHA1: 1057ea5a9bf3b79438f1a2035c8a6c037bb198f5
MD5: 535fb4c2c630fc80bdcbc56895528027
Strike ID: M22-M8047
Malware: RapperBot_ab96e594
Platform: Linux
Info: This strike sends a malware sample known as RapperBot. RapperBot is an IoT botnet malware that heavily borrows from Mirai source code. However, unlike Mirai, RapperBot brute-forces vulnerable SSH servers. Upon successfully breaking into the SSH server, the credentials are sent back to the command-and-control server, and then the malware adds its public key to the authorized keys file in an attempt to maintain persistence on the machine. This primes the malware for future DDoS attacks on the target when the attackers are ready.
External References: https://thehackernews.com/2022/08/new-iot-rapperbot-malware-targeting.html
SHA256: a31f4caa0be9e588056c92fd69c8ac970ebc7e85a68615b1d9407a954d4df45d
SHA1: 5aa801ffe8d362bcb64a0575aea778082a4ddc54
MD5: ab96e594403ed957ed2ec6c992513abf
Strike ID: M22-M8075
Malware: Locky_cb93d5c8
Platform: Windows
Info: This strike sends a polymorphic malware sample known as Locky. Locky is ransomware for Windows systems which appeared at the beginning of 2016. The malicious code for this particular malware relies on JavaScript attachments to download itself. Like other ransomware, it encrypts local files as well as network shares and renames them to [unique_id][identifier].locky. The victim is requested to pay a ransom to get the files decrypted. The binary file has one more import added to the import table.
External References: https://blog.talosintelligence.com/2022/08/threat-roundup-0812-0819.html
SHA256: 41876efdb225d165ae4746a5d10494199bd399d01c23b257d9ac2d5a2a75f640
https://arxiv.org/abs/1702.05983
PARENTID: M22-M8015
SSDEEP: 12288:sbBxl0y84cD3SLOmpuWYLx3vIRW2X3Ps9qThst17K/Y87MZmcCt:sbXbnpuZS0QkETutYQ8qmbt
SHA1: c42a4c652b6c5ef0a545278b0514e1c0560334c5
MD5: cb93d5c8daa92eb0280f3ff3535b8d93
Strike ID: M22-M8044
Malware: Dorkbot_a42942f2
Platform: Windows
Info: This strike sends a malware sample known as Dorkbot. Dorkbot is a worm that spreads itself through social networking sites and messaging apps. Once installed, the infected computer becomes part of a botnet, allowing the controller to control the machine remotely.
External References: https://blog.talosintelligence.com/2022/08/threat-roundup-0812-0819.html
SHA256: b478d67b97fa15e88d047c643232590d1c6c2d2179e330df5bdc78c4e56036ee
SHA1: ba448f458d7df2f022208098920fad1d4e5c5aae
MD5: a42942f29b7e3084686d9c851ee53999
Strike ID: M22-M8023
Malware: RapperBot_5e10e46c
Platform: Linux
Info: This strike sends a malware sample known as RapperBot. RapperBot is an IoT botnet malware that heavily borrows from Mirai source code. However, unlike Mirai, RapperBot brute-forces vulnerable SSH servers. Upon successfully breaking into the SSH server, the credentials are sent back to the command-and-control server, and then the malware adds its public key to the authorized keys file in an attempt to maintain persistence on the machine. This primes the malware for future DDoS attacks on the target when the attackers are ready.
External References: https://thehackernews.com/2022/08/new-iot-rapperbot-malware-targeting.html
SHA256: 2479932a6690f070fa344e5222e3fbb6ad9c880294d5b822d7a3ec27f1b8b8d5
SHA1: 52489a148462acc8b8633c09f3ba3ce5e9f27063
MD5: 5e10e46ccd75627df169976de506029d
Strike ID: M22-M802e
Malware: RapperBot_75181839
Platform: Linux
Info: This strike sends a malware sample known as RapperBot. RapperBot is an IoT botnet malware that heavily borrows from Mirai source code. However, unlike Mirai, RapperBot brute-forces vulnerable SSH servers. Upon successfully breaking into the SSH server, the credentials are sent back to the command-and-control server, and then the malware adds its public key to the authorized keys file in an attempt to maintain persistence on the machine. This primes the malware for future DDoS attacks on the target when the attackers are ready.
External References: https://thehackernews.com/2022/08/new-iot-rapperbot-malware-targeting.html
SHA256: 8e9f87bb25ff83e4ad970366bba47afb838028f7028ea3a7c73c4d08906ec102
SHA1: e8f05a1c719b0348a490afd6b0c213b53d9835ca
MD5: 75181839d4eca01c095f5976cfe06f71
Strike ID: M22-M800f
Malware: Dorkbot_2cfa385a
Platform: Windows
Info: This strike sends a malware sample known as Dorkbot. Dorkbot is a worm that spreads itself through social networking sites and messaging apps. Once installed, the infected computer becomes part of a botnet, allowing the controller to control the machine remotely.
External References: https://blog.talosintelligence.com/2022/08/threat-roundup-0812-0819.html
SHA256: 4faa3a69a429a598863c9369d0b4d572fa01b5bbf567b0d76f5a42f596430003
SHA1: 0f0b06d64cd6f594ed1ce651afacb26919d6c0bb
MD5: 2cfa385a368304e57a7a3918e53401cc
Strike ID: M22-M8056
Malware: TrickBot_ddf00820
Platform: Windows
Info: This strike sends a malware sample known as TrickBot. TrickBot is a banking trojan targeting sensitive information for select financial institutions. This malware is frequently distributed through malicious spam campaigns. Many of these campaigns rely on downloaders for distribution, such as VB Scripts.
External References: https://blog.talosintelligence.com/2022/08/threat-roundup-0729-0805.html
SHA256: 2d05858c463ea267870ff964d9f9779def1ca711586dcfea58745ebe6675ff1f
SHA1: e690ccd3b88df7f13d2294e0fed8e27f35bd8645
MD5: ddf00820caa8c37f4fc691e6195a3a76
Strike ID: M22-M8070
Malware: Dorkbot_89fecc6d
Platform: Windows
Info: This strike sends a polymorphic malware sample known as Dorkbot. Dorkbot is a worm that spreads itself through social networking sites and messaging apps. Once installed, the infected computer becomes part of a botnet, allowing the controller to control the machine remotely. The binary has random bytes appended at the end of the file.
External References: https://blog.talosintelligence.com/2022/08/threat-roundup-0812-0819.html
SHA256: a0780263595cc6be8e01051e9195c36d54dcb38ff360d5ffcd46b6da0d2ae297
https://attack.mitre.org/techniques/T1009/
PARENTID: M22-M8046
SSDEEP: 6144:Sh/ikWGQrifBkvxVJF3NGwVl8SUKHdwUI:GTJQWfYrJFfzzUGwUI
SHA1: 57bd25129f7a27245c56aadc04ef5d36d94474dd
MD5: 89fecc6df87d3a9ec5efe7deded2560e
Strike ID: M22-M8050
Malware: Dorkbot_c35270cf
Platform: Windows
Info: This strike sends a malware sample known as Dorkbot. Dorkbot is a worm that spreads itself through social networking sites and messaging apps. Once installed, the infected computer becomes part of a botnet, allowing the controller to control the machine remotely.
External References: https://blog.talosintelligence.com/2022/08/threat-roundup-0812-0819.html
SHA256: 1e358ccc5c00767b2d7518ad5b34639c172a33118f691b6e989c0da4a4067781
SHA1: c15f4fcbc753e8ebf689c7112a68371bb4456194
MD5: c35270cfbadd4cff99be4fd906ed4b49
Strike ID: M22-M8026
Malware: TrickBot_66d07e5c
Platform: Windows
Info: This strike sends a malware sample known as TrickBot. TrickBot is a banking trojan targeting sensitive information for select financial institutions. This malware is frequently distributed through malicious spam campaigns. Many of these campaigns rely on downloaders for distribution, such as VB Scripts.
External References: https://blog.talosintelligence.com/2022/08/threat-roundup-0729-0805.html
SHA256: 12eb4eb5dd38c776ec50166596c5e4ffda47108ce709990ae84a33a3a91776ed
SHA1: 3cfe64e7408092dafd5a917563952dbd44d6d740
MD5: 66d07e5c7d5acb931603325b7e064d47
Strike ID: M22-M8006
Malware: RapperBot_1318afe2
Platform: Linux
Info: This strike sends a malware sample known as RapperBot. RapperBot is an IoT botnet malware that heavily borrows from Mirai source code. However, unlike Mirai, RapperBot brute-forces vulnerable SSH servers. Upon successfully breaking into the SSH server, the credentials are sent back to the command-and-control server, and then the malware adds its public key to the authorized keys file in an attempt to maintain persistence on the machine. This primes the malware for future DDoS attacks on the target when the attackers are ready.
External References: https://thehackernews.com/2022/08/new-iot-rapperbot-malware-targeting.html
SHA256: e8d06ac196c7852ff71c150b2081150be9996ff670550717127db8ab855175a8
SHA1: d9c3051c61aedd87c530123ece2fdc5123f04ec8
MD5: 1318afe218cf3a86f71aa6936df33ee7
Strike ID: M22-M8067
Malware: Dorkbot_27d4b49a
Platform: Windows
Info: This strike sends a polymorphic malware sample known as Dorkbot. Dorkbot is a worm that spreads itself through social networking sites and messaging apps. Once installed, the infected computer becomes part of a botnet, allowing the controller to control the machine remotely. The binary file has one more import added to the import table.
External References: https://blog.talosintelligence.com/2022/08/threat-roundup-0812-0819.html
SHA256: 53100100ef19da2ad5acf6384f0ce6211258ba9415bf838f6362ea924898355f
https://arxiv.org/abs/1702.05983
PARENTID: M22-M8046
SSDEEP: 6144:4h/ikWGQrifBkvxVJFLNGwVl8SUKHdwU:UTJQWfYrJFDzzUGwU
SHA1: ae127468e340258a1ba9ae96998aa9082e096cf6
MD5: 27d4b49aa7890f825e97fdafb1c99b2a
Strike ID: M22-M803e
Malware: TrickBot_949e4fdd
Platform: Windows
Info: This strike sends a malware sample known as TrickBot. TrickBot is a banking trojan targeting sensitive information for select financial institutions. This malware is frequently distributed through malicious spam campaigns. Many of these campaigns rely on downloaders for distribution, such as VB Scripts.
External References: https://blog.talosintelligence.com/2022/08/threat-roundup-0729-0805.html
SHA256: 04d4ecf05a7bcc6ca0f318bacaa6087ea1e5badc14ca9eebec52aaff791718bc
SHA1: 60432d41180f42e9d8268150e6be7f67f635c779
MD5: 949e4fddcd7de77db26dcdaf532bf79a
Strike ID: M22-M805e
Malware: RapperBot_ee73067c
Platform: Linux
Info: This strike sends a malware sample known as RapperBot. RapperBot is an IoT botnet malware that heavily borrows from Mirai source code. However, unlike Mirai, RapperBot brute-forces vulnerable SSH servers. Upon successfully breaking into the SSH server, the credentials are sent back to the command-and-control server, and then the malware adds its public key to the authorized keys file in an attempt to maintain persistence on the machine. This primes the malware for future DDoS attacks on the target when the attackers are ready.
External References: https://thehackernews.com/2022/08/new-iot-rapperbot-malware-targeting.html
SHA256: c83f318339e9c4072010b625d876558d14eaa0028339db9edf12bbcafe6828bb
SHA1: bbd8f413be3abe8df87cd2ed6c58e68f4bb505ce
MD5: ee73067c97e7015dc3f805fd3f66f3db
Strike ID: M22-M806c
Malware: DarkTortilla
Platform: Windows
Info: This strike sends a polymorphic malware sample known as DarkTortilla Loader. DarkTortilla is a .NET-based crypter that delivers information stealers and remote access trojans like AgentTesla and RedLine. It has also been observed delivering payloads like Cobalt Strike and Metasploit as well as other malicious documents and executables. This sample is the DarkTortilla initial loader. The binary has a random section name renamed according to the PE format specification.
External References: https://www.secureworks.com/research/darktortilla-malware-analysis
SHA256: a03365c8420c28d02e372ed1dc1d22969bffbe0f70a8083279a31d101a638ed0
https://arxiv.org/abs/1801.08917
PARENTID: M22-M8039
SSDEEP: 24576:oCldODAffhnEeMv+gVDMMgqT8Mw14AIdP/EE9:tjXhnEVv+gVg7qQMwc/E2
SHA1: b6029b975f1e30d0aba4e2cd860f40d5699bede8
MD5: 6312c27d72dfca46e9dc99030ce5e944
Strike ID: M22-M802b
Malware: DarkTortilla
Platform: Windows
Info: This strike sends a malware sample known as DarkTortilla Loader. DarkTortilla is a .NET-based crypter that delivers information stealers and remote access trojans like AgentTesla and RedLine. It has also been observed delivering payloads like Cobalt Strike and Metasploit as well as other malicious documents and executables. This sample is the DarkTortilla initial loader.
External References: https://www.secureworks.com/research/darktortilla-malware-analysis
SHA256: b3754c6ecc445e9a3b37c5ebe68adb9630ca4aa89a8e8515468f39ae8131f141
SHA1: 261d699c3bb1a0042b88a45ed340f2d86149464f
MD5: 6e91ad0972e104a277505104abe39d1e
Strike ID: M22-M8011
Malware: RapperBot_30ce66fa
Platform: Linux
Info: This strike sends a malware sample known as RapperBot. RapperBot is an IoT botnet malware that heavily borrows from Mirai source code. However, unlike Mirai, RapperBot brute-forces vulnerable SSH servers. Upon successfully breaking into the SSH server, the credentials are sent back to the command-and-control server, and then the malware adds its public key to the authorized keys file in an attempt to maintain persistence on the machine. This primes the malware for future DDoS attacks on the target when the attackers are ready.
External References: https://thehackernews.com/2022/08/new-iot-rapperbot-malware-targeting.html
SHA256: dcdeedee4736ec528d1a30a585ec4a1a4f3462d6d25b71f6c1a4fef7f641e7ae
SHA1: 4b6524d0a3f1ffeac80c1251ad63601274896eb0
MD5: 30ce66fa45abddf278dbb3eccf87ddad
Strike ID: M22-M8013
Malware: TrickBot_32dfe14f
Platform: Windows
Info: This strike sends a malware sample known as TrickBot. TrickBot is a banking trojan targeting sensitive information for select financial institutions. This malware is frequently distributed through malicious spam campaigns. Many of these campaigns rely on downloaders for distribution, such as VB Scripts.
External References: https://blog.talosintelligence.com/2022/08/threat-roundup-0729-0805.html
SHA256: 2549d2a70d146340d14d981ecd9c33ce384bc743d4ed258f1eb9740c30792429
SHA1: 1cb4fd30a8abe7db4274d5e781021085628f6c57
MD5: 32dfe14fe473b36a31751b333f82c9e1
M22-M8040 | XtremeRAT_977f45e5 | Windows | This strike sends a malware sample known as XtremeRAT. XtremeRAT is a remote access trojan that allows the attacker to eavesdrop on users and modify the running system. | 977f45e5cb09032ec6b9cb4a357c40a3 | https://blog.talosintelligence.com/2022/08/threat-roundup-0812-0819.html
SHA256: 10f0a0f8b51964b8a3fc497040601a48fe0493a7e4010ee89e61068cc8e2d92d
SHA1: 75aacaf9d2c546cbb902b88da5d2826f60dbceb1
MD5: 977f45e5cb09032ec6b9cb4a357c40a3
M22-M805b | RapperBot_e70f70c9 | Linux | This strike sends a malware sample known as RapperBot. RapperBot is an IoT botnet malware that heavily borrows from Mirai source code. However, unlike Mirai, RapperBot brute forces vulnerable SSH servers. Upon successfully breaking into the SSH server, the credentials are sent back to the command-and-control server, and then the malware adds its public key to the authorized keys file in an attempt to maintain persistence on the machine. This primes the malware for future DDoS attacks on the target when the attackers are ready. | e70f70c91670ac3fc8d3d7963f6fb8a6 | https://thehackernews.com/2022/08/new-iot-rapperbot-malware-targeting.html
SHA256: 9d234e975e4df539a217d1c4386822be1f56cea35f7dd2aa606ae4995894da42
SHA1: 8b9f2892a5fe32fe4ffe65c97b7ba0bb2f58bcf9
MD5: e70f70c91670ac3fc8d3d7963f6fb8a6
M22-M800b | Dorkbot_23788137 | Windows | This strike sends a malware sample known as Dorkbot. Dorkbot is a worm that spreads itself through social networking sites and messaging apps. Once installed, the infected computer becomes part of a botnet, allowing the controller to control the machine remotely. | 237881374e70bbe9f94bbf80a5e78580 | https://blog.talosintelligence.com/2022/08/threat-roundup-0812-0819.html
SHA256: 1d0d652abf31a5b4f9ecf5ee6d201b4d31e977f6fc769a34cd34a5468e362e14
SHA1: 60e8e54544c14eda7b91ca7335faad76e9d0e166
MD5: 237881374e70bbe9f94bbf80a5e78580
M22-M8066 | XtremeRAT_05d580a8 | Windows | This strike sends a polymorphic malware sample known as XtremeRAT. XtremeRAT is a remote access trojan that allows the attacker to eavesdrop on users and modify the running system. The binary has random strings (lorem ipsum) appended at the end of the file. | 05d580a868e5ff141cbf373fbf0bb344 | https://blog.talosintelligence.com/2022/08/threat-roundup-0812-0819.html
SHA256: 168cf1a3755a0291e2f429b0e1ea812a9469a6210b5d701b534f0961f0e0b513
https://attack.mitre.org/techniques/T1009/
PARENTID: M22-M8021
SSDEEP: 384:uWBhtbQs2FrJ6nz0xxuXR3OfN9SG9PESZKisPTdH2gSC+GCgX7RHCyFwb5RmJNtq:tbO6nz0fQZeN9D5wPTCpyrQ0vtBIx2U
SHA1: 6ef35eaad0ad3eb6fcde27e4517a48a4b6a11d76
MD5: 05d580a868e5ff141cbf373fbf0bb344
M22-M8053 | TrickBot_cafe04d2 | Windows | This strike sends a malware sample known as TrickBot. Trickbot is a banking trojan targeting sensitive information for select financial institutions. This malware is frequently distributed through malicious spam campaigns. Many of these campaigns rely on downloaders for distribution, such as VB Scripts. | cafe04d25daaedcb880a433768e0bb96 | https://blog.talosintelligence.com/2022/08/threat-roundup-0729-0805.html
SHA256: 3f32a6229d93292633dc3c9af4dcf7360463cd9fcc72bfc68bfc68afa666316d
SHA1: 5e1549e504c1b7b6324da5b89ed4d5bd05dee13c
MD5: cafe04d25daaedcb880a433768e0bb96
M22-M8068 | Locky_28b5e374 | Windows | This strike sends a polymorphic malware sample known as Locky. Locky is a ransomware for Windows systems which appeared at the beginning of 2016. The malicious code for this particular malware relies on JavaScript attachments to download itself. Like other ransomware, it encrypts local files as well as network shares and renames them to [unique_id][identifier].locky. The victim is requested to pay a ransom to get the files decrypted. The binary has been packed using the UPX packer, with the default options. | 28b5e37490d59e2d5dff1c1a429263bf | https://blog.talosintelligence.com/2022/08/threat-roundup-0812-0819.html
SHA256: a1fb47eb45b37b76fc4acd2a1475dc81e0526489241eb89887a7c3ecd4d6d951
https://attack.mitre.org/techniques/T1045/
PARENTID: M22-M8015
SSDEEP: 12288:NeoRLYW6cph0Zo27laUgc/fMb4PqQ2+4RWXygXCYx70hH4frZoxR:NjBPT0Zo2xa+/fTV2+ukyG7cH4fryR
SHA1: 712ba1621cae1df0e146279a9b08199748a7abb3
MD5: 28b5e37490d59e2d5dff1c1a429263bf
M22-M806a | TrickBot_5d9d5845 | Windows | This strike sends a polymorphic malware sample known as TrickBot. Trickbot is a banking trojan targeting sensitive information for select financial institutions. This malware is frequently distributed through malicious spam campaigns. Many of these campaigns rely on downloaders for distribution, such as VB Scripts. The binary has a random section name renamed according to the PE format specification. | 5d9d5845db1526c160a1cc0791cfa49c | https://blog.talosintelligence.com/2022/08/threat-roundup-0729-0805.html
SHA256: b396284c80bc4b860be00321e710751ed44ba4899a85e85b8e5fe4e7a7ab2bda
https://arxiv.org/abs/1801.08917
PARENTID: M22-M8061
SSDEEP: 384:n5yqVLBSl0/x+fIDD0HEqsiKS6qFbrCEg3WplnXsaNJawcudoD7UzKDgRAF5iFmH:ng8+c+qqsiKS6RWprnbcuyD7UpRAuIG6
SHA1: 55c09a8a54c8f41e8002a0144a5d54d40a46f058
MD5: 5d9d5845db1526c160a1cc0791cfa49c
M22-M801b | Dorkbot_4f2fcaff | Windows | This strike sends a malware sample known as Dorkbot. Dorkbot is a worm that spreads itself through social networking sites and messaging apps. Once installed, the infected computer becomes part of a botnet, allowing the controller to control the machine remotely. | 4f2fcaff3b068ee744b80db7474f8043 | https://blog.talosintelligence.com/2022/08/threat-roundup-0812-0819.html
SHA256: 84055ce5bc4ef2bdf486e82e444e5665c73f4fe627a8734edc463b59f443bfcc
SHA1: 831c5667c28e437d50c6cd687904aaba29a010a5
MD5: 4f2fcaff3b068ee744b80db7474f8043
M22-M8017 | XtremeRAT_44096609 | Windows | This strike sends a malware sample known as XtremeRAT. XtremeRAT is a remote access trojan that allows the attacker to eavesdrop on users and modify the running system. | 44096609059132b91abf2e16adce45c7 | https://blog.talosintelligence.com/2022/08/threat-roundup-0812-0819.html
SHA256: 05316395bee1b9759134e86ecf28413d197c95cc6c25bb96a3fd957adfb767fe
SHA1: 142c859c111cd7dd3bff8ee44ff19f59f723f8b2
MD5: 44096609059132b91abf2e16adce45c7
M22-M803b | RapperBot_927b2162 | Linux | This strike sends a malware sample known as RapperBot. RapperBot is an IoT botnet malware that heavily borrows from Mirai source code. However, unlike Mirai, RapperBot brute forces vulnerable SSH servers. Upon successfully breaking into the SSH server, the credentials are sent back to the command-and-control server, and then the malware adds its public key to the authorized keys file in an attempt to maintain persistence on the machine. This primes the malware for future DDoS attacks on the target when the attackers are ready. | 927b2162032a3a89a6e17f9769155985 | https://thehackernews.com/2022/08/new-iot-rapperbot-malware-targeting.html
SHA256: 1975851c916587e057fa5862884cbac3fa1e80881ddd062392486f5390c86865
SHA1: 40434f00734ccd0d55edd135c50b7595de2bc66b
MD5: 927b2162032a3a89a6e17f9769155985
M22-M8069 | Dorkbot_4e3a397f | Windows | This strike sends a polymorphic malware sample known as Dorkbot. Dorkbot is a worm that spreads itself through social networking sites and messaging apps. Once installed, the infected computer becomes part of a botnet, allowing the controller to control the machine remotely. The binary has the timestamp field updated in the PE file header. | 4e3a397fa3e835cf6bb5ca23268cb11a | https://blog.talosintelligence.com/2022/08/threat-roundup-0812-0819.html
SHA256: b09bcb7658ae1b8a59e1ae7307c7fccfcd5d885e180103206a8f3c86db9dc9fa
https://attack.mitre.org/techniques/T1099/
PARENTID: M22-M8046
SSDEEP: 6144:Qh/ikWGQrifBkvxVJF3NGwVl8SUKHdwUP:MTJQWfYrJFfzzUGwUP
SHA1: cfa0f48aace027fc5b5efb3b004d532631e6b368
MD5: 4e3a397fa3e835cf6bb5ca23268cb11a
M22-M8022 | RapperBot_5d7d2618 | Linux | This strike sends a malware sample known as RapperBot. RapperBot is an IoT botnet malware that heavily borrows from Mirai source code. However, unlike Mirai, RapperBot brute forces vulnerable SSH servers. Upon successfully breaking into the SSH server, the credentials are sent back to the command-and-control server, and then the malware adds its public key to the authorized keys file in an attempt to maintain persistence on the machine. This primes the malware for future DDoS attacks on the target when the attackers are ready. | 5d7d2618e09ea3c84f5a484553e0ea65 | https://thehackernews.com/2022/08/new-iot-rapperbot-malware-targeting.html
SHA256: ff09cf7dfd1dc1466815d4df098065510eec504099ebb02b830309067031fe04
SHA1: 679010f52909c909bde9aa34645c5ac0044df453
MD5: 5d7d2618e09ea3c84f5a484553e0ea65
M22-M8058 | Dorkbot_e2a567c0 | Windows | This strike sends a malware sample known as Dorkbot. Dorkbot is a worm that spreads itself through social networking sites and messaging apps. Once installed, the infected computer becomes part of a botnet, allowing the controller to control the machine remotely. | e2a567c007c4446356a8b4c170eaa73d | https://blog.talosintelligence.com/2022/08/threat-roundup-0812-0819.html
SHA256: 1c21c85c814609bc6db76824eda6333b2d26be11f8736bbb7397e97ad95c9f2e
SHA1: bf0141a7a1a936c7514cb2effce1417c5298283f
MD5: e2a567c007c4446356a8b4c170eaa73d
M22-M806e | Dorkbot_7866127d | Windows | This strike sends a polymorphic malware sample known as Dorkbot. Dorkbot is a worm that spreads itself through social networking sites and messaging apps. Once installed, the infected computer becomes part of a botnet, allowing the controller to control the machine remotely. The binary has random strings (lorem ipsum) appended at the end of the file. | 7866127daac6c9b5be81d2e01cc2f3f5 | https://blog.talosintelligence.com/2022/08/threat-roundup-0812-0819.html
SHA256: 06e2bb61d73fc1881713f8b66d0effebbbd3342e19a74bbf00b4a7d67253658a
https://attack.mitre.org/techniques/T1009/
PARENTID: M22-M8046
SSDEEP: 6144:Sh/ikWGQrifBkvxVJF3NGwVl8SUKHdwUG:GTJQWfYrJFfzzUGwUG
SHA1: 91dd3bc2ae1a63b0550f6e1c6cd155247400a9c9
MD5: 7866127daac6c9b5be81d2e01cc2f3f5
M22-M8012 | TrickBot_31e45c28 | Windows | This strike sends a malware sample known as TrickBot. Trickbot is a banking trojan targeting sensitive information for select financial institutions. This malware is frequently distributed through malicious spam campaigns. Many of these campaigns rely on downloaders for distribution, such as VB Scripts. | 31e45c2854f8b176b718b5393c4e848d | https://blog.talosintelligence.com/2022/08/threat-roundup-0729-0805.html
SHA256: 39d4446bb6b1c8cbf319fe02f1316897f22a6b00633af1b7e6159dbd7b837556
SHA1: 85fddc2389ae28ce51290eb98a3269641853f123
MD5: 31e45c2854f8b176b718b5393c4e848d
M22-M800c | TrickBot_26b8e22f | Windows | This strike sends a malware sample known as TrickBot. Trickbot is a banking trojan targeting sensitive information for select financial institutions. This malware is frequently distributed through malicious spam campaigns. Many of these campaigns rely on downloaders for distribution, such as VB Scripts. | 26b8e22f42fd00707aa625ec383731d9 | https://blog.talosintelligence.com/2022/08/threat-roundup-0729-0805.html
SHA256: 0c25f673e25e8c9bb066ae56c41a83e28ef40a9da8327c9f7cd09f663b9a4614
SHA1: 720a15636ae6b9f970a76e01a1f6c9cfd5bbdca0
MD5: 26b8e22f42fd00707aa625ec383731d9
M22-M801a | BugDrop_4b3c99ae | Mixed | This strike sends a malware sample known as BugDrop. BugDrop is an Android malware that masquerades as a QR code scanner on the Google Play store. Its sole purpose is to bypass security measures used in the Google Play Store and deploy a malicious payload, which is typically an Android Trojan. | 4b3c99ae792e7389c43102060633b4cc | https://www.threatfabric.com/blogs/bugdrop-new-dropper-bypassing-google-security-measures.html
SHA256: 214a576b46241bdf76bb4dbeacc7a456905eacd345fc515e0b38d6976c271168
SHA1: a7a2fbb022e391618f8f62acf07c7d4681f98775
MD5: 4b3c99ae792e7389c43102060633b4cc
M22-M800a | RapperBot_1bdfcca7 | Linux | This strike sends a malware sample known as RapperBot. RapperBot is an IoT botnet malware that heavily borrows from Mirai source code. However, unlike Mirai, RapperBot brute forces vulnerable SSH servers. Upon successfully breaking into the SSH server, the credentials are sent back to the command-and-control server, and then the malware adds its public key to the authorized keys file in an attempt to maintain persistence on the machine. This primes the malware for future DDoS attacks on the target when the attackers are ready. | 1bdfcca7b35ad31a41fba5d6dc88b276 | https://thehackernews.com/2022/08/new-iot-rapperbot-malware-targeting.html
SHA256: 746106403a98aea357b80f17910b641db9c4fedbb3968e75d836e8b1d5712a62
SHA1: 4f00520407a40ef18f144b4ac2c03657bc7a65b6
MD5: 1bdfcca7b35ad31a41fba5d6dc88b276
M22-M8073 | XtremeRAT_9338a39b | Windows | This strike sends a polymorphic malware sample known as XtremeRAT. XtremeRAT is a remote access trojan that allows the attacker to eavesdrop on users and modify the running system. The binary has random bytes appended at the end of the file. | 9338a39bcc5077aa5b3e42d27624c41e | https://blog.talosintelligence.com/2022/08/threat-roundup-0812-0819.html
SHA256: 1c16e57ed04588506a6efb5881cf43b2709097b8ce490f373e35a9c3de2d1f96
https://attack.mitre.org/techniques/T1009/
PARENTID: M22-M8021
SSDEEP: 384:uWBhtbQs2FrJ6nz0xxuXR3OfN9SG9PESZKisPTdH2gSC+GCgX7RHCyFwb5RmJNtn:tbO6nz0fQZeN9D5wPTCpyrQ0vtBIxZC
SHA1: 6280634e6c85a314e6d7000bef7c8be8cc6d3e3d
MD5: 9338a39bcc5077aa5b3e42d27624c41e
M22-M806d | DarkTortilla | Windows | This strike sends a polymorphic malware sample known as DarkTortilla Loader. DarkTortilla is a .NET-based crypter that delivers information stealers and remote access trojans like AgentTesla and RedLine. It has also been observed delivering payloads like Cobalt Strike and Metasploit as well as other malicious documents and executables. This sample is the DarkTortilla initial loader. The binary has the timestamp field updated in the PE file header. | 76d32fe38d0b95c1736133b944b08e56 | https://www.secureworks.com/research/darktortilla-malware-analysis
SHA256: 4b77fca60e7007d606a13fb2407613f99e3645f3bf63f9607b52503a459594b1
https://attack.mitre.org/techniques/T1099/
PARENTID: M22-M8039
SSDEEP: 24576:ECldODAffhnEeMv+gVDMMgqT8Mw14AIdP/EE9:xjXhnEVv+gVg7qQMwc/E2
SHA1: ec1b3eea02ab96855a0be2b441b49dd44d17c147
MD5: 76d32fe38d0b95c1736133b944b08e56
M22-M8015 | Locky_37321e84 | Windows | This strike sends a malware sample known as Locky. Locky is a ransomware for Windows systems which appeared at the beginning of 2016. The malicious code for this particular malware relies on JavaScript attachments to download itself. Like other ransomware, it encrypts local files as well as network shares and renames them to [unique_id][identifier].locky. The victim is requested to pay a ransom to get the files decrypted. | 37321e84039a822ec547de8a9aad48a9 | https://blog.talosintelligence.com/2022/08/threat-roundup-0812-0819.html
SHA256: 9be2a26538acb1111657ab79c6680d7f8bde43f5a6e51f38c674967e21d69627
SHA1: e5c62aa15a3925c9b21cbd6775fabb1447866db2
MD5: 37321e84039a822ec547de8a9aad48a9
M22-M8024 | RapperBot_64e0ddc2 | Linux | This strike sends a malware sample known as RapperBot. RapperBot is an IoT botnet malware that heavily borrows from Mirai source code. However, unlike Mirai, RapperBot brute forces vulnerable SSH servers. Upon successfully breaking into the SSH server, the credentials are sent back to the command-and-control server, and then the malware adds its public key to the authorized keys file in an attempt to maintain persistence on the machine. This primes the malware for future DDoS attacks on the target when the attackers are ready. | 64e0ddc2aa51350b355434ffd1a4d6b6 | https://thehackernews.com/2022/08/new-iot-rapperbot-malware-targeting.html
SHA256: ebb860512a55c1cdc8be1399eec44c4481aedb418f15dbda4612e6d38e9b9010
SHA1: c8e50331f951ea848b36a35751988b9f00336071
MD5: 64e0ddc2aa51350b355434ffd1a4d6b6
M22-M8042 | RapperBot_9d8cd6a7 | Linux | This strike sends a malware sample known as RapperBot. RapperBot is an IoT botnet malware that heavily borrows from Mirai source code. However, unlike Mirai, RapperBot brute forces vulnerable SSH servers. Upon successfully breaking into the SSH server, the credentials are sent back to the command-and-control server, and then the malware adds its public key to the authorized keys file in an attempt to maintain persistence on the machine. This primes the malware for future DDoS attacks on the target when the attackers are ready. | 9d8cd6a75e40c2022abca1e58c88b40f | https://thehackernews.com/2022/08/new-iot-rapperbot-malware-targeting.html
SHA256: 23a415d0ec6d3131f1d537836d3c0449097e98167b18fbdbf2efca789748818a
SHA1: d68e46e4cd4f8fc7af2b82be7e3dea9be3ade56a
MD5: 9d8cd6a75e40c2022abca1e58c88b40f
M22-M8062 | Dorkbot_ff68ff41 | Windows | This strike sends a malware sample known as Dorkbot. Dorkbot is a worm that spreads itself through social networking sites and messaging apps. Once installed, the infected computer becomes part of a botnet, allowing the controller to control the machine remotely. | ff68ff41082fc943576fb8412c620836 | https://blog.talosintelligence.com/2022/08/threat-roundup-0812-0819.html
SHA256: 0ff57cf4b79588ba6c721f78a042e79a8c4e4eb6544dad9147c6918efc0a9bfd
SHA1: e4419ca2992e02f15da075e288e9254661531b4f
MD5: ff68ff41082fc943576fb8412c620836
M22-M8074 | Dorkbot_c8e632b8 | Windows | This strike sends a polymorphic malware sample known as Dorkbot. Dorkbot is a worm that spreads itself through social networking sites and messaging apps. Once installed, the infected computer becomes part of a botnet, allowing the controller to control the machine remotely. The binary has the checksum removed in the PE file format. | c8e632b867a715c2174bb3743d600372 | https://blog.talosintelligence.com/2022/08/threat-roundup-0812-0819.html
SHA256: db362fde2e95a7d7141b9afc04b514b870e3795ad2a7642d4a58d5b3ce3d4902
https://arxiv.org/abs/1801.08917
PARENTID: M22-M8046
SSDEEP: 6144:Sh/ikWGQrifBkvxVJF3NGwVl8SUKHdwU:GTJQWfYrJFfzzUGwU
SHA1: a53acce63610c37f32c08a6b787c72ecde4dc7a3
MD5: c8e632b867a715c2174bb3743d600372
M22-M8001 | TrickBot_01df6398 | Windows | This strike sends a malware sample known as TrickBot. Trickbot is a banking trojan targeting sensitive information for select financial institutions. This malware is frequently distributed through malicious spam campaigns. Many of these campaigns rely on downloaders for distribution, such as VB Scripts. | 01df63985a519b2d6447998cceada56b | https://blog.talosintelligence.com/2022/08/threat-roundup-0729-0805.html
SHA256: 2184130eb8a891000fee1e343a5634531d72e05a7893fbafd6d53e52350bae19
SHA1: 7cfdfb3d1c4e94e8077e71076717ab11a532e693
MD5: 01df63985a519b2d6447998cceada56b
M22-M8027 | TrickBot_6adb52f5 | Windows | This strike sends a malware sample known as TrickBot. Trickbot is a banking trojan targeting sensitive information for select financial institutions. This malware is frequently distributed through malicious spam campaigns. Many of these campaigns rely on downloaders for distribution, such as VB Scripts. | 6adb52f5787df2e229c6f7efa79b2ab8 | https://blog.talosintelligence.com/2022/08/threat-roundup-0729-0805.html
SHA256: 3a0c89d07193ae260ced7a04873117af0213c43407248d2ff7edf95bd3b32421
SHA1: e7cf92476ec514ad24183894ea6fa75506e5fd38
MD5: 6adb52f5787df2e229c6f7efa79b2ab8
M22-M8016 | Dorkbot_3ec31a62 | Windows | This strike sends a malware sample known as Dorkbot. Dorkbot is a worm that spreads itself through social networking sites and messaging apps. Once installed, the infected computer becomes part of a botnet, allowing the controller to control the machine remotely. | 3ec31a620bb155b175f1dca19d7f3abf | https://blog.talosintelligence.com/2022/08/threat-roundup-0812-0819.html
SHA256: adbbf9cf8048f45fce2ad9fb1d681ea9334813a442d6d5b051cd11285fc71154
SHA1: 8110191c59c56341b5a55f6ffdf05d3d3f1c2971
MD5: 3ec31a620bb155b175f1dca19d7f3abf
M22-M8034 | DarkTortilla | Windows | This strike sends a malware sample known as DarkTortilla Loader. DarkTortilla is a .NET-based crypter that delivers information stealers and remote access trojans like AgentTesla and RedLine. It has also been observed delivering payloads like Cobalt Strike and Metasploit as well as other malicious documents and executables. This sample is the DarkTortilla initial loader. | 84872b60072011eab8940f3b49bdb582 | https://www.secureworks.com/research/darktortilla-malware-analysis
SHA256: 5e03556be992d23088a3c49d24c45b1c21cd275bffb4e536348e8128d50374b6
SHA1: 3da0f44d45a1d6676d52ce691d2f6d754eb3097e
MD5: 84872b60072011eab8940f3b49bdb582
M22-M8033 | DarkTortilla | Windows | This strike sends a malware sample known as DarkTortilla Loader. DarkTortilla is a .NET-based crypter that delivers information stealers and remote access trojans like AgentTesla and RedLine. It has also been observed delivering payloads like Cobalt Strike and Metasploit as well as other malicious documents and executables. This sample is the DarkTortilla initial loader. | 827258f907c5087f498c413d28e2203e | https://www.secureworks.com/research/darktortilla-malware-analysis
SHA256: 55d7d9bd9d4a511417033b6c14ce93f962d6a6e6c6414f0cb7e455baee1d3ab7
SHA1: 5e0cb6076002b11a39636e07a217b493835e5bce
MD5: 827258f907c5087f498c413d28e2203e
M22-M8025 | RapperBot_669a8e06 | Linux | This strike sends a malware sample known as RapperBot. RapperBot is an IoT botnet malware that heavily borrows from Mirai source code. However, unlike Mirai, RapperBot brute forces vulnerable SSH servers. Upon successfully breaking into the SSH server, the credentials are sent back to the command-and-control server, and then the malware adds its public key to the authorized keys file in an attempt to maintain persistence on the machine. This primes the malware for future DDoS attacks on the target when the attackers are ready. | 669a8e0683154f594a110d129d96a068 | https://thehackernews.com/2022/08/new-iot-rapperbot-malware-targeting.html
SHA256: e56edaa1e06403757e6e2362383d41db4e4453aafda144bb36080a1f1b899a02
SHA1: 781160ca6c18a0875dc2c3269cfa97398f36f27c
MD5: 669a8e0683154f594a110d129d96a068
M22-M8036 | XtremeRAT_893dfc59 | Windows | This strike sends a malware sample known as XtremeRAT. XtremeRAT is a remote access trojan that allows the attacker to eavesdrop on users and modify the running system. | 893dfc59f925b9b05f1a79617e21b124 | https://blog.talosintelligence.com/2022/08/threat-roundup-0812-0819.html
SHA256: 33ed0e091cc5ccc71d0a9d37c4f82d73f3959ffcd55f9c2f8660e7e13f68393e
SHA1: 0625a0e6dfacc0b641cbb1d19678059c0f1ae938
MD5: 893dfc59f925b9b05f1a79617e21b124
M22-M8014 | Dorkbot_34f8aa91 | Windows | This strike sends a malware sample known as Dorkbot. Dorkbot is a worm that spreads itself through social networking sites and messaging apps. Once installed, the infected computer becomes part of a botnet, allowing the controller to control the machine remotely. | 34f8aa917d5e78b3bbc66682d993e992 | https://blog.talosintelligence.com/2022/08/threat-roundup-0812-0819.html
SHA256: 9bf72ac43dcab3750686c49abbf1b0835505186a37187b6435539ea871dfd829
SHA1: f233c876731ed07fd44025adaaac2ab7f17bce99
MD5: 34f8aa917d5e78b3bbc66682d993e992
M22-M8032 | XtremeRAT_80908cd8 | Windows | This strike sends a malware sample known as XtremeRAT. XtremeRAT is a remote access trojan that allows the attacker to eavesdrop on users and modify the running system. | 80908cd8528f54634517e0de99af18ce | https://blog.talosintelligence.com/2022/08/threat-roundup-0812-0819.html
SHA256: 9906c6c6ce2eb7199023bbfcff346303f08dab61f475da22fe358f0e09d083bd
SHA1: 7be3ebf06bb43aef243189029cc70052ea22a74e
MD5: 80908cd8528f54634517e0de99af18ce
M22-M8046 | Dorkbot_aa108570 | Windows | This strike sends a malware sample known as Dorkbot. Dorkbot is a worm that spreads itself through social networking sites and messaging apps. Once installed, the infected computer becomes part of a botnet, allowing the controller to control the machine remotely. | aa108570154f9c81cc9e2be856f15222 | https://blog.talosintelligence.com/2022/08/threat-roundup-0812-0819.html
SHA256: caf84844a5809c4e1c513299792f95ca26a87c40dc70627e8bddf5b65775206e
SHA1: 8a8aa7c79691690406d3b7a682cc9e5e79876d96
MD5: aa108570154f9c81cc9e2be856f15222
M22-M800e | Dorkbot_2c8b2adb | Windows | This strike sends a malware sample known as Dorkbot. Dorkbot is a worm that spreads itself through social networking sites and messaging apps. Once installed, the infected computer becomes part of a botnet, allowing the controller to control the machine remotely. | 2c8b2adbe648f04b658aa9f3f4ab7ccc | https://blog.talosintelligence.com/2022/08/threat-roundup-0812-0819.html
SHA256: 32ac146ea9c7899e04a57c42d48407468323b46a40462febfb0453e27466ed11
SHA1: b4b5528e51a2460f85192e3246fe8b33a4426289
MD5: 2c8b2adbe648f04b658aa9f3f4ab7ccc
M22-M8010 | RapperBot_2e974038 | Linux | This strike sends a malware sample known as RapperBot. RapperBot is an IoT botnet malware that heavily borrows from Mirai source code. However, unlike Mirai, RapperBot brute forces vulnerable SSH servers. Upon successfully breaking into the SSH server, the credentials are sent back to the command-and-control server, and then the malware adds its public key to the authorized keys file in an attempt to maintain persistence on the machine. This primes the malware for future DDoS attacks on the target when the attackers are ready. | 2e9740382e75ebb7c8f4a0cdf2c36500 | https://thehackernews.com/2022/08/new-iot-rapperbot-malware-targeting.html
SHA256: 8380321c1bd250424a0a167e0f319511611f73b53736895a8d3a2ad58ffcd5d5
SHA1: 3f563eb47e096ff02f43795f8e4964f217c3b8f4
MD5: 2e9740382e75ebb7c8f4a0cdf2c36500
M22-M804c | Dorkbot_b901c4d9 | Windows | This strike sends a malware sample known as Dorkbot. Dorkbot is a worm that spreads itself through social networking sites and messaging apps. Once installed, the infected computer becomes part of a botnet, allowing the controller to control the machine remotely. | b901c4d9c76b378adb8919ae3dfa932c | https://blog.talosintelligence.com/2022/08/threat-roundup-0812-0819.html
SHA256: c254f12058d6367578b877c09bd219abcc583003db8d15d270ab284bad923234
SHA1: 4b45826622f545c6513d78180948dc1a132a488c
MD5: b901c4d9c76b378adb8919ae3dfa932c
M22-M802c | RapperBot_6faeac8f | Linux | This strike sends a malware sample known as RapperBot. RapperBot is an IoT botnet malware that heavily borrows from Mirai source code. However, unlike Mirai, RapperBot brute forces vulnerable SSH servers. Upon successfully breaking into the SSH server, the credentials are sent back to the command-and-control server, and then the malware adds its public key to the authorized keys file in an attempt to maintain persistence on the machine. This primes the malware for future DDoS attacks on the target when the attackers are ready. | 6faeac8f2269c3d86606b34de90607fd | https://thehackernews.com/2022/08/new-iot-rapperbot-malware-targeting.html
SHA256: 1d5e6624a2ce55616ef078a72f25c9d71a3dbc0175522c0d8e07233115824f96
SHA1: 213f50b0bf255e5a309faad55ae81775a10ac949
MD5: 6faeac8f2269c3d86606b34de90607fd
M22-M8077 | Locky_fd28fdf1 | Windows | This strike sends a polymorphic malware sample known as Locky. Locky is a ransomware for Windows systems which appeared at the beginning of 2016. The malicious code for this particular malware relies on JavaScript attachments to download itself. Like other ransomware, it encrypts local files as well as network shares and renames them to [unique_id][identifier].locky. The victim is requested to pay a ransom to get the files decrypted. The binary has random bytes appended at the end of the file. | fd28fdf16988f3400f266cc945b7fa79 | https://blog.talosintelligence.com/2022/08/threat-roundup-0812-0819.html
SHA256: 1f1f8c733edb1393821b3f2743073446b6db29da6e0803423747d7527b9c2d61
https://attack.mitre.org/techniques/T1009/
PARENTID: M22-M8015
SSDEEP: 12288:ZbBxl0y84cD3SLOmpuWYLx3vIRW2X3Ps9qThst17K/Y87MZmcqi:ZbXbnpuZS0QkETutYQ8qmzi
SHA1: ee53a20e29c940da567fa57adb5cd59de5d24476
MD5: fd28fdf16988f3400f266cc945b7fa79
M22-M803d | DarkTortilla | Windows | This strike sends a malware sample known as DarkTortilla Loader. DarkTortilla is a .NET-based crypter that delivers information stealers and remote access trojans like AgentTesla and RedLine. It has also been observed delivering payloads like Cobalt Strike and Metasploit as well as other malicious documents and executables. This sample is the DarkTortilla initial loader. | 93fe6600c51014d7d6c2afedf8398f92 | https://www.secureworks.com/research/darktortilla-malware-analysis
SHA256: 45ef054bca2ae4d67e6623bf28ff75e5d178924602674c654e1b569aa74601cd
SHA1: 8f7340704745f3d53b284c101e93c42f8d4c2adc
MD5: 93fe6600c51014d7d6c2afedf8398f92
M22-M805f | Dorkbot_f42c2687 | Windows | This strike sends a malware sample known as Dorkbot. Dorkbot is a worm that spreads itself through social networking sites and messaging apps. Once installed, the infected computer becomes part of a botnet, allowing the controller to control the machine remotely. | f42c2687a386ea74defec16a76be7b85 | https://blog.talosintelligence.com/2022/08/threat-roundup-0812-0819.html
SHA256: 90b11cecdac4d67db66c36a3f692361425eaf99c3f243c107e884091d209ee8b
SHA1: a259f9b9248e49609a3ed163743a0138c11234ee
MD5: f42c2687a386ea74defec16a76be7b85
M22-M8064 | Locky_0158743f | Windows | This strike sends a polymorphic malware sample known as Locky. Locky is a ransomware for Windows systems which appeared at the beginning of 2016. The malicious code for this particular malware relies on JavaScript attachments to download itself. Like other ransomware, it encrypts local files as well as network shares and renames them to [unique_id][identifier].locky. The victim is requested to pay a ransom to get the files decrypted. The binary has a random section name renamed according to the PE format specification. | 0158743f2c7571a83669159121daed44 | https://blog.talosintelligence.com/2022/08/threat-roundup-0812-0819.html
SHA256: f6702ed5dbfa259d6d6ef564cf7c641967fe33b5b44548f96898baf85464210f
https://arxiv.org/abs/1801.08917
PARENTID: M22-M8015
SSDEEP: 12288:KbBxl0y84cD3SLOmpuWYLx3vIRW2X3Ps9qThst17K/Y87MZmcq:KbXbnpuZS0QkETutYQ8qmz
SHA1: 8ccd09a9f32a778068176ec69fb6e93f9aa96326
MD5: 0158743f2c7571a83669159121daed44
M22-M8071 | TrickBot_8ce80634 | Windows | This strike sends a polymorphic malware sample known as TrickBot. Trickbot is a banking trojan targeting sensitive information for select financial institutions. This malware is frequently distributed through malicious spam campaigns. Many of these campaigns rely on downloaders for distribution, such as VB Scripts. The parent binary was packed using UPX, hence this binary is the unpacked version generated using upx -d. | 8ce80634966cd3e73d24cc48b83cfe0e | https://blog.talosintelligence.com/2022/08/threat-roundup-0729-0805.html
SHA256: 55b67b43bd2796b595edc77ae2e43f22d8e0d819da4058481a185027ef366efc
https://attack.mitre.org/techniques/T1045/
PARENTID: M22-M8061
SSDEEP: 768:wo/AW4Q75gzGhlqHVBpQ/86WsakxWvrQMKHNAGRAjh6:d/AW4Kgz6MrCk1sakxWcMKtAGeh6
SHA1: 0e81dc8ff02019402e01bf9a5c57915bdcded6f5
MD5: 8ce80634966cd3e73d24cc48b83cfe0e
M22-M805c | RapperBot_e94c6fa4 | Linux | This strike sends a malware sample known as RapperBot. RapperBot is an IoT botnet malware that heavily borrows from Mirai source code. However, unlike Mirai, RapperBot brute forces vulnerable SSH servers. Upon successfully breaking into the SSH server, the credentials are sent back to the command-and-control server, and then the malware adds its public key to the authorized keys file in an attempt to maintain persistence on the machine. This primes the malware for future DDoS attacks on the target when the attackers are ready. | e94c6fa46fb3ad76973a221fa75c9557 | https://thehackernews.com/2022/08/new-iot-rapperbot-malware-targeting.html
SHA256: e8f1e8ec6b94ea54488d5f714e71e51d58dcdfe4be3827c55970d6f3b06edf73
SHA1: 05b1fb3ff5f7c9e8f3eac6fb2ba3f974848ca241
MD5: e94c6fa46fb3ad76973a221fa75c9557
M22-M8002 | TrickBot_07c5e05b | Windows | This strike sends a malware sample known as TrickBot. Trickbot is a banking trojan targeting sensitive information for select financial institutions. This malware is frequently distributed through malicious spam campaigns. Many of these campaigns rely on downloaders for distribution, such as VB Scripts. | 07c5e05b52e1bcc7492266b46982f9e5 | https://blog.talosintelligence.com/2022/08/threat-roundup-0729-0805.html
SHA256: 4f47c12806778d27afa43905ebb5b2079a451da93237899167d6420333cfe9a8
SHA1: acded7cdf4101534e49d1a07ac8aa5141fdbd1b9
MD5: 07c5e05b52e1bcc7492266b46982f9e5
Strike ID: M22-M8007
Malware: Dorkbot_14cd9f53
Platform: Windows
Info: This strike sends a malware sample known as Dorkbot. Dorkbot is a worm that spreads itself through social networking sites and messaging apps. Once installed, the infected computer becomes part of a botnet, allowing the controller to control the machine remotely.
External References: https://blog.talosintelligence.com/2022/08/threat-roundup-0812-0819.html
SHA256: 0ce367d545da1ed522fe364fdafc4bf39f1aa9aa326d0413c104132464c4b0f5
SHA1: 0e098fd91a137ec3ceddfad869ee8d3f83c91c11
MD5: 14cd9f533c23959b26089a0f3da47ebe
Strike ID: M22-M8059
Malware: Dorkbot_e2ffab46
Platform: Windows
Info: This strike sends a malware sample known as Dorkbot. Dorkbot is a worm that spreads itself through social networking sites and messaging apps. Once installed, the infected computer becomes part of a botnet, allowing the controller to control the machine remotely.
External References: https://blog.talosintelligence.com/2022/08/threat-roundup-0812-0819.html
SHA256: 1a15e5ebecd8f3025b89a1ee2149311bd0883bc62928092980604cecddf5718f
SHA1: 351f6790a46ac86d9d84f4702aadc6a8e007873e
MD5: e2ffab464f6be4b25d126ff9d1c51449
Strike ID: M22-M802f
Malware: Dorkbot_79ac3809
Platform: Windows
Info: This strike sends a malware sample known as Dorkbot. Dorkbot is a worm that spreads itself through social networking sites and messaging apps. Once installed, the infected computer becomes part of a botnet, allowing the controller to control the machine remotely.
External References: https://blog.talosintelligence.com/2022/08/threat-roundup-0812-0819.html
SHA256: 1487cbb9c1025017bf767b8f9feab2bcdd9f500cd4bed79ca334c4eda4df1d71
SHA1: 2245a329b8e686ce14973f029bbcd39e6c730d22
MD5: 79ac3809d107b030fefa02775bb26cb5
Strike ID: M22-M8005
Malware: XtremeRAT_0df4f4f5
Platform: Windows
Info: This strike sends a malware sample known as XtremeRAT. XtremeRAT is a remote access trojan that allows the attacker to eavesdrop on users and modify the running system.
External References: https://blog.talosintelligence.com/2022/08/threat-roundup-0812-0819.html
SHA256: 62243f0a6f197f167173d12b985b2bbd4a8f98864eb4f99c77e28a9f561f4b0d
SHA1: 864ceb0305d57da302c120a53cc34457bdad8bb1
MD5: 0df4f4f5d006c793efd0cfa500a3e16d
Strike ID: M22-M8076
Malware: Locky_f4b19b8a
Platform: Windows
Info: This strike sends a polymorphic malware sample known as Locky. Locky is a ransomware for Windows systems which appeared at the beginning of 2016. The malicious code for this particular malware relies on JavaScript attachments to download itself. Like other ransomware, it encrypts local files as well as network shares and renames them to [unique_id][identifier].locky. The victim is requested to pay a ransom to get the files decrypted. The binary has random contents appended in one of the existing sections in the PE file format.
External References: https://blog.talosintelligence.com/2022/08/threat-roundup-0812-0819.html
SHA256: 7b10a3318784c4f828d29119270003a3bfe2eb95d925f4d60ac8bf3cf1ca856e
https://arxiv.org/abs/1801.08917
PARENTID: M22-M8015
SSDEEP: 12288:ZbBxl0y84cD3SLOmpuWYLx3vIRW2X3Ps9qThst17K/Y87MZmci:ZbXbnpuZS0QkETutYQ8qmP
SHA1: edaf8f3243e38f90217281beb45bb345468d3b6c
MD5: f4b19b8a9fa2c1a3ac71e0d95acce031
Strike ID: M22-M801e
Malware: RapperBot_5630ee34
Platform: Linux
Info: This strike sends a malware sample known as RapperBot. RapperBot is an IoT botnet malware that heavily borrows from Mirai source code. However, unlike Mirai, RapperBot brute forces vulnerable SSH servers. Upon successfully breaking into the SSH server, the credentials are sent back to the command-and-control server, and then the malware adds its public key to the authorized keys file in an attempt to maintain persistence on the machine. This primes the malware for future DDoS attacks on the target when the attackers are ready.
External References: https://thehackernews.com/2022/08/new-iot-rapperbot-malware-targeting.html
SHA256: d86d158778a90f6633b41a10e169b25e3cb1eb35b369a9168ec64b2d8b3cbeec
SHA1: 4698a9f872bde68f504e875cf02c87cd53a4b445
MD5: 5630ee34393ce22d317c3a11a91b5bb2
Strike ID: M22-M8018
Malware: XtremeRAT_440db648
Platform: Windows
Info: This strike sends a malware sample known as XtremeRAT. XtremeRAT is a remote access trojan that allows the attacker to eavesdrop on users and modify the running system.
External References: https://blog.talosintelligence.com/2022/08/threat-roundup-0812-0819.html
SHA256: d20e8dd51f00f03a0aacfcc4989d86411e2bc6c6f0a91961f420a056a86eef07
SHA1: 80b40f8aa032260deec9538a009f8d20a7b5d822
MD5: 440db648da97e821dd5c124708fea7d1
Strike ID: M22-M8008
Malware: TrickBot_16ceee4b
Platform: Windows
Info: This strike sends a malware sample known as TrickBot. Trickbot is a banking trojan targeting sensitive information for select financial institutions. This malware is frequently distributed through malicious spam campaigns. Many of these campaigns rely on downloaders for distribution, such as VB Scripts.
External References: https://blog.talosintelligence.com/2022/08/threat-roundup-0729-0805.html
SHA256: 04a8a18b801bf158717c49444c3148f56fb1c23b6781b589106b848fad13557f
SHA1: 4bf204c8ab278c172931f299ba352a3c9bdda9af
MD5: 16ceee4be1b477e97fd9046b40d7d65b
Strike ID: M22-M802d
Malware: RapperBot_72c70d37
Platform: Linux
Info: This strike sends a malware sample known as RapperBot. RapperBot is an IoT botnet malware that heavily borrows from Mirai source code. However, unlike Mirai, RapperBot brute forces vulnerable SSH servers. Upon successfully breaking into the SSH server, the credentials are sent back to the command-and-control server, and then the malware adds its public key to the authorized keys file in an attempt to maintain persistence on the machine. This primes the malware for future DDoS attacks on the target when the attackers are ready.
External References: https://thehackernews.com/2022/08/new-iot-rapperbot-malware-targeting.html
SHA256: f5ff9d1261af176d7ff1ef91aa8c892c70b40caa02c17a25de22539e9d0cdd26
SHA1: 887da60a3146abc39b33bdedadbba1e0818e37ba
MD5: 72c70d37a714ecf026cdea998c36a069
Strike ID: M22-M806f
Malware: DarkTortilla
Platform: Windows
Info: This strike sends a polymorphic malware sample known as DarkTortilla Loader. DarkTortilla is a .NET-based crypter that delivers information stealers and remote access trojans like AgentTesla and RedLine. It has also been observed delivering payloads like Cobalt Strike and Metasploit as well as other malicious documents and executables. This sample is the DarkTortilla initial loader. The binary has random strings (lorem ipsum) appended at the end of the file.
External References: https://www.secureworks.com/research/darktortilla-malware-analysis
SHA256: 636baa7d092f454a4b02bf19f51cba1ef29c6b68233236309240d19846961af3
https://attack.mitre.org/techniques/T1009/
PARENTID: M22-M8039
SSDEEP: 24576:1CldODAffhnEeMv+gVDMMgqT8Mw14AIdP/EEc:wjXhnEVv+gVg7qQMwc/EX
SHA1: 9e1c87292a1abe7f1c8e76a6cbc581167a06e87f
MD5: 7b31ea74f3666a5c53683df6b6c98539
Strike ID: M22-M804b
Malware: Dorkbot_b8c9fdf0
Platform: Windows
Info: This strike sends a malware sample known as Dorkbot. Dorkbot is a worm that spreads itself through social networking sites and messaging apps. Once installed, the infected computer becomes part of a botnet, allowing the controller to control the machine remotely.
External References: https://blog.talosintelligence.com/2022/08/threat-roundup-0812-0819.html
SHA256: 57d6deb95dad820da83a96f691230e6927f02bd7dc81fd22117a84ce1ff983b1
SHA1: 920e0805026df4dc0a68c63aed9680ce27b0bc22
MD5: b8c9fdf04315e62badffe4ca393de3b5
Strike ID: M22-M8048
Malware: Dorkbot_ae4bf237
Platform: Windows
Info: This strike sends a malware sample known as Dorkbot. Dorkbot is a worm that spreads itself through social networking sites and messaging apps. Once installed, the infected computer becomes part of a botnet, allowing the controller to control the machine remotely.
External References: https://blog.talosintelligence.com/2022/08/threat-roundup-0812-0819.html
SHA256: 3ab978d7ba8cadbfa40ce0d1b6acb6922d6f7b2d8322f420bf03db0c44d94755
SHA1: 0a8128ab953d6106c15094c7a9b45c8d2b3ff981
MD5: ae4bf237bdcb56fc66d4ab3f7eefc647
Strike ID: M22-M8020
Malware: RapperBot_5ab947f7
Platform: Linux
Info: This strike sends a malware sample known as RapperBot. RapperBot is an IoT botnet malware that heavily borrows from Mirai source code. However, unlike Mirai, RapperBot brute forces vulnerable SSH servers. Upon successfully breaking into the SSH server, the credentials are sent back to the command-and-control server, and then the malware adds its public key to the authorized keys file in an attempt to maintain persistence on the machine. This primes the malware for future DDoS attacks on the target when the attackers are ready.
External References: https://thehackernews.com/2022/08/new-iot-rapperbot-malware-targeting.html
SHA256: ddf5aff0485f395c7e6c3de868b15212129962b4b9c8040bef6679ad880e3f31
SHA1: 5c5066d748f0ef4ef8fe4125434dd20cee566d65
MD5: 5ab947f7cae22fa65398c591e1aed268
Strike ID: M22-M8052
Malware: TrickBot_c7cbc36f
Platform: Windows
Info: This strike sends a malware sample known as TrickBot. Trickbot is a banking trojan targeting sensitive information for select financial institutions. This malware is frequently distributed through malicious spam campaigns. Many of these campaigns rely on downloaders for distribution, such as VB Scripts.
External References: https://blog.talosintelligence.com/2022/08/threat-roundup-0729-0805.html
SHA256: 08a004e94ce71ee0d239e38242283544f530996f4785924f85616040b278bef4
SHA1: a993ce3b83dd3abf6c99245807db38820de25269
MD5: c7cbc36f31fcd55b87796f18cb009606
Strike ID: M22-M8049
Malware: XtremeRAT_aecd2075
Platform: Windows
Info: This strike sends a malware sample known as XtremeRAT. XtremeRAT is a remote access trojan that allows the attacker to eavesdrop on users and modify the running system.
External References: https://blog.talosintelligence.com/2022/08/threat-roundup-0812-0819.html
SHA256: 3e5302bb99e282cd9303eda70e64589529704b3c2edee6637cb040887b02f42f
SHA1: 739c020921a6dbd8ce67f809f50d41d48126500f
MD5: aecd2075262f2e69c38eb9c4fc933c80
Strike ID: M22-M801f
Malware: RapperBot_5a2fe024
Platform: Linux
Info: This strike sends a malware sample known as RapperBot. RapperBot is an IoT botnet malware that heavily borrows from Mirai source code. However, unlike Mirai, RapperBot brute forces vulnerable SSH servers. Upon successfully breaking into the SSH server, the credentials are sent back to the command-and-control server, and then the malware adds its public key to the authorized keys file in an attempt to maintain persistence on the machine. This primes the malware for future DDoS attacks on the target when the attackers are ready.
External References: https://thehackernews.com/2022/08/new-iot-rapperbot-malware-targeting.html
SHA256: 55ff25b090dc1b380d8ca152428ba28ec14e9ef13a48b3fd162e965244b0d39b
SHA1: 564ce63b3939e10fd8ae3df1bc764083582707bc
MD5: 5a2fe024029c7b8894885ded5f08e42e
Strike ID: M22-M8065
Malware: TrickBot_0455b17e
Platform: Windows
Info: This strike sends a polymorphic malware sample known as TrickBot. Trickbot is a banking trojan targeting sensitive information for select financial institutions. This malware is frequently distributed through malicious spam campaigns. Many of these campaigns rely on downloaders for distribution, such as VB Scripts. The binary has random contents appended in one of the existing sections in the PE file format.
External References: https://blog.talosintelligence.com/2022/08/threat-roundup-0729-0805.html
SHA256: d4caa22b1136bb71d7df50ff5682664fd9e4bec78fbe99fd8d8d8bbf7678870a
https://arxiv.org/abs/1801.08917
PARENTID: M22-M8061
SSDEEP: 384:a5yqVLBSl0/x+fIDD0HEqsiKS6qFbrCEg3WplnXsaNJawcudoD7UzKDgRAF5iFmH:ag8+c+qqsiKS6RWprnbcuyD7UpRAuIG6
SHA1: 4b6c97d0e2a3c8481417955bc5e0049ff41a14c9
MD5: 0455b17ef0b235a3c4dcc9a66e5305e2
Strike ID: M22-M8019
Malware: RapperBot_46da0686
Platform: Linux
Info: This strike sends a malware sample known as RapperBot. RapperBot is an IoT botnet malware that heavily borrows from Mirai source code. However, unlike Mirai, RapperBot brute forces vulnerable SSH servers. Upon successfully breaking into the SSH server, the credentials are sent back to the command-and-control server, and then the malware adds its public key to the authorized keys file in an attempt to maintain persistence on the machine. This primes the malware for future DDoS attacks on the target when the attackers are ready.
External References: https://thehackernews.com/2022/08/new-iot-rapperbot-malware-targeting.html
SHA256: 05c78eaf32af9647f178dff981e6e4e43b1579d95ccd4f1c2f1436dbfa0727ad
SHA1: a425cb48d07623849036ae664af9c0c5d39673c6
MD5: 46da0686e0ad65ee44f4cac5f6558ec9
Strike ID: M22-M804e
Malware: RapperBot_bda8d5c2
Platform: Linux
Info: This strike sends a malware sample known as RapperBot. RapperBot is an IoT botnet malware that heavily borrows from Mirai source code. However, unlike Mirai, RapperBot brute forces vulnerable SSH servers. Upon successfully breaking into the SSH server, the credentials are sent back to the command-and-control server, and then the malware adds its public key to the authorized keys file in an attempt to maintain persistence on the machine. This primes the malware for future DDoS attacks on the target when the attackers are ready.
External References: https://thehackernews.com/2022/08/new-iot-rapperbot-malware-targeting.html
SHA256: 77b2e5fb5b72493bde35a6b29a66e6250b6a5a0c9b9c5653957f64a12c793cd5
SHA1: d833bcb845db2ca88e0ae6cb72961b4a1ed6a21a
MD5: bda8d5c2665f47877ab571728f07c65a
Strike ID: M22-M8004
Malware: TrickBot_0b183d62
Platform: Windows
Info: This strike sends a malware sample known as TrickBot. Trickbot is a banking trojan targeting sensitive information for select financial institutions. This malware is frequently distributed through malicious spam campaigns. Many of these campaigns rely on downloaders for distribution, such as VB Scripts.
External References: https://blog.talosintelligence.com/2022/08/threat-roundup-0729-0805.html
SHA256: 2d1e5cc0f414d6cc94ec251605c68c32c442740e129d7af97f8293844aecca6a
SHA1: 125553420253090e13d753b0150a01f8b7f92502
MD5: 0b183d6240d02bb57638033917e11e48
Strike ID: M22-M8021
Malware: XtremeRAT_5d057c13
Platform: Windows
Info: This strike sends a malware sample known as XtremeRAT. XtremeRAT is a remote access trojan that allows the attacker to eavesdrop on users and modify the running system.
External References: https://blog.talosintelligence.com/2022/08/threat-roundup-0812-0819.html
SHA256: d8df5b44e3469d7a7c0ffc4dba88d34bff093cf4453500074a54b837d50d93c6
SHA1: 05dec5b58bce525068893c3689b2f990a89a8429
MD5: 5d057c1380096eefa294ffcec51575c1
Strike ID: M22-M8060
Malware: DarkTortilla
Platform: Windows
Info: This strike sends a malware sample known as DarkTortilla Loader. DarkTortilla is a .NET-based crypter that delivers information stealers and remote access trojans like AgentTesla and RedLine. It has also been observed delivering payloads like Cobalt Strike and Metasploit as well as other malicious documents and executables. This sample is the DarkTortilla initial loader.
External References: https://www.secureworks.com/research/darktortilla-malware-analysis
SHA256: 53b3b37b7d1e40c80fcda2c424cd837379ac2ce93023de6c22ba3e2d94679671
SHA1: 37ec57e5da46dc1990941a1bb3ffab9e74db346a
MD5: f44695a8febb2a35576a59fa984629d2
Strike ID: M22-M8051
Malware: DarkTortilla
Platform: Windows
Info: This strike sends a malware sample known as DarkTortilla Loader. DarkTortilla is a .NET-based crypter that delivers information stealers and remote access trojans like AgentTesla and RedLine. It has also been observed delivering payloads like Cobalt Strike and Metasploit as well as other malicious documents and executables. This sample is the DarkTortilla initial loader.
External References: https://www.secureworks.com/research/darktortilla-malware-analysis
SHA256: a0b96236bfd79d2ebeadb8e3deb9448af3ec8edd1ea9672b7ad4793934bb4c47
SHA1: dde386911b091e894746b0f12d88a1fd18761fb9
MD5: c37aae0ff565a2e44f144f837b750279
Strike ID: M22-M8030
Malware: TrickBot_7c3b350d
Platform: Windows
Info: This strike sends a malware sample known as TrickBot. Trickbot is a banking trojan targeting sensitive information for select financial institutions. This malware is frequently distributed through malicious spam campaigns. Many of these campaigns rely on downloaders for distribution, such as VB Scripts.
External References: https://blog.talosintelligence.com/2022/08/threat-roundup-0729-0805.html
SHA256: 30636b11d051121251b2051971223e6e294dfaf917338239deb5b8edf5bce20b
SHA1: 2b22f40683dd133774c61aff7c42a2e211cff181
MD5: 7c3b350d98f0826e01dcbdf95d123477
Strike ID: M22-M8061
Malware: TrickBot_ff63ddb4
Platform: Windows
Info: This strike sends a malware sample known as TrickBot. Trickbot is a banking trojan targeting sensitive information for select financial institutions. This malware is frequently distributed through malicious spam campaigns. Many of these campaigns rely on downloaders for distribution, such as VB Scripts.
External References: https://blog.talosintelligence.com/2022/08/threat-roundup-0729-0805.html
SHA256: 513125bc77c78f24fc6a29a125c0d5373d5b365f476ba496f90d8dc952fd4441
SHA1: d64624749481ed97632051237d9fb394bcb07295
MD5: ff63ddb40ec2e11d7bd734aa4b6f7191
Strike ID: M22-M804f
Malware: Dorkbot_bec351f6
Platform: Windows
Info: This strike sends a malware sample known as Dorkbot. Dorkbot is a worm that spreads itself through social networking sites and messaging apps. Once installed, the infected computer becomes part of a botnet, allowing the controller to control the machine remotely.
External References: https://blog.talosintelligence.com/2022/08/threat-roundup-0812-0819.html
SHA256: 94b5e03c8c149c8065dcf1a3696ca0c0801f6932e3a6b73985081dd36bb04194
SHA1: 160b248a9856461675b92aedc86ecbf9ce81dfce
MD5: bec351f63f70e048f5319f8f5a386bf0