M22-M8035 | DarkTortilla | Windows |
This strike sends a malware sample known as DarkTortilla Loader. DarkTortilla is a .NET-based crypter that delivers information stealers and remote access trojans such as AgentTesla and RedLine. It has also been observed delivering payloads such as Cobalt Strike and Metasploit, as well as other malicious documents and executables. This sample is the DarkTortilla initial loader. | 851816aa8cf45ba769f0d9420acfb3e5 | https://www.secureworks.com/research/darktortilla-malware-analysis ; SHA256: 083acce46cb8cf35e37c778d1f4aee6814bca72d2874b793a47f9823f51df0fe ; SHA1: 4178d5efa388caf2d0ffd4539cf285b1de5ffab6 ; MD5: 851816aa8cf45ba769f0d9420acfb3e5 |
M22-M8072 | Locky_8ea1078a | Windows |
This strike sends a polymorphic malware sample known as Locky. Locky is ransomware for Windows systems that first appeared at the beginning of 2016. This variant is delivered by JavaScript attachments that download the binary. Like other ransomware, it encrypts local files as well as files on network shares and renames them to [unique_id][identifier].locky. The victim is then asked to pay a ransom to have the files decrypted. The binary has random strings (lorem ipsum text) appended at the end of the file. | 8ea1078ae6f7500c9c1f245d69a8ce30 | https://blog.talosintelligence.com/2022/08/threat-roundup-0812-0819.html ; SHA256: cd12ae4ce6635643aa838c6cc4dac9df5f530bd198cb9199fd876e1a2959baa7 ; https://attack.mitre.org/techniques/T1009/ ; PARENTID: M22-M8015 ; SSDEEP: 12288:ZbBxl0y84cD3SLOmpuWYLx3vIRW2X3Ps9qThst17K/Y87MZmcqi:ZbXbnpuZS0QkETutYQ8qmzi ; SHA1: db58b2dd8b708c6d715f946134b41de149cde99e ; MD5: 8ea1078ae6f7500c9c1f245d69a8ce30 |
M22-M8054 | DarkTortilla | Windows |
This strike sends a malware sample known as DarkTortilla Loader. DarkTortilla is a .NET-based crypter that delivers information stealers and remote access trojans such as AgentTesla and RedLine. It has also been observed delivering payloads such as Cobalt Strike and Metasploit, as well as other malicious documents and executables. This sample is the DarkTortilla initial loader. | cd49f7c3c4e82dee128eedea9879bc33 | https://www.secureworks.com/research/darktortilla-malware-analysis ; SHA256: 0a5dc3b6669cf31e8536c59fe1315918eb4ecfd87998445e2eeb8fed64bd2f2c ; SHA1: 619bf90a8ea219e34bf57dda1a322914b9fa1c81 ; MD5: cd49f7c3c4e82dee128eedea9879bc33 |
M22-M8039 | DarkTortilla | Windows |
This strike sends a malware sample known as DarkTortilla Loader. DarkTortilla is a .NET-based crypter that delivers information stealers and remote access trojans such as AgentTesla and RedLine. It has also been observed delivering payloads such as Cobalt Strike and Metasploit, as well as other malicious documents and executables. This sample is the DarkTortilla initial loader. | 8d8c551dd572a1dc158de239b37eaa9a | https://www.secureworks.com/research/darktortilla-malware-analysis ; SHA256: 5be86cfca25e295f88b5aab42a6f604d2f1bb97f3c73b01df664c137908e2ec4 ; SHA1: 6d4b4bcd107b09af37996c73a6448379a31aaac4 ; MD5: 8d8c551dd572a1dc158de239b37eaa9a |
M22-M8057 | XtremeRAT_de66d12d | Windows |
This strike sends a malware sample known as XtremeRAT. XtremeRAT is a remote access trojan that allows the attacker to eavesdrop on users and modify the running system. | de66d12d576a1df764e09f4f51ba1388 | https://blog.talosintelligence.com/2022/08/threat-roundup-0812-0819.html ; SHA256: 6798aa4e8218c8783acab06e700b519eb31856ac0e46c6c82f5dfbf22e13ddb5 ; SHA1: 6748795727d076ea5093f17fc60639006ec45d45 ; MD5: de66d12d576a1df764e09f4f51ba1388 |
M22-M801c | XtremeRAT_524e7e63 | Windows |
This strike sends a malware sample known as XtremeRAT. XtremeRAT is a remote access trojan that allows the attacker to eavesdrop on users and modify the running system. | 524e7e63d3431e870c08968410412996 | https://blog.talosintelligence.com/2022/08/threat-roundup-0812-0819.html ; SHA256: 593d60c61df90a5de77d5ee31815eafd3c2657f1581cdd7fe36e74f72956a7e3 ; SHA1: 08c75b21e44b7eb781e5500b1253d408a896fedf ; MD5: 524e7e63d3431e870c08968410412996 |
M22-M8055 | RapperBot_ce1a9802 | Linux |
This strike sends a malware sample known as RapperBot. RapperBot is IoT botnet malware that borrows heavily from the Mirai source code. Unlike Mirai, however, RapperBot brute-forces SSH servers with weak credentials. After breaking into an SSH server, it sends the working credentials back to the command-and-control server and then appends an attacker-controlled public key to the account's authorized_keys file to maintain persistence on the machine. This keeps the compromised host available for DDoS attacks once the operators are ready to launch them. | ce1a980265811fd257b36a449b987702 | https://thehackernews.com/2022/08/new-iot-rapperbot-malware-targeting.html ; SHA256: 92ae77e9dd22e7680123bb230ce43ef602998e6a1c6756d9e2ce5822a09b37b4 ; SHA1: 335dadffad009212e3bc868ebe094b227e26407a ; MD5: ce1a980265811fd257b36a449b987702 |
M22-M8003 | TrickBot_0a5281c9 | Windows |
This strike sends a malware sample known as TrickBot. TrickBot is a banking trojan that targets sensitive information for selected financial institutions. This malware is frequently distributed through malicious spam campaigns, many of which rely on downloaders such as VBScript files for distribution. | 0a5281c935c5791663b702895803719e | https://blog.talosintelligence.com/2022/08/threat-roundup-0729-0805.html ; SHA256: 28d1f82ea2f237ae643e442adae17449dadb8ad93397bf2299b0b53abeee45cb ; SHA1: 69f95f11c8fac96bcc86e568842fe701a3259dfc ; MD5: 0a5281c935c5791663b702895803719e |
M22-M803a | XtremeRAT_90a7c094 | Windows |
This strike sends a malware sample known as XtremeRAT. XtremeRAT is a remote access trojan that allows the attacker to eavesdrop on users and modify the running system. | 90a7c094e1541e288df6fe17d8af2201 | https://blog.talosintelligence.com/2022/08/threat-roundup-0812-0819.html ; SHA256: c11cd59cb06cf9e1a9f95e3d78300a2aa8edf94ed7964b73ccb7135a5b23a7d6 ; SHA1: 87f52cc51e4b24929585b549a5e58148a66dc7d5 ; MD5: 90a7c094e1541e288df6fe17d8af2201 |
M22-M800d | XtremeRAT_277609ed | Windows |
This strike sends a malware sample known as XtremeRAT. XtremeRAT is a remote access trojan that allows the attacker to eavesdrop on users and modify the running system. | 277609eded83e6f042e185c3d5740feb | https://blog.talosintelligence.com/2022/08/threat-roundup-0812-0819.html ; SHA256: 00c5b7cc78f982e42062c84a8a5c1c5aaeea7276b0f00635d61e4bfdcf6ed4b2 ; SHA1: bb563b04b626e6c62cd79758097c12ea7b1a19ba ; MD5: 277609eded83e6f042e185c3d5740feb |
M22-M8078 | Dorkbot_fd964c0b | Windows |
This strike sends a polymorphic malware sample known as Dorkbot. Dorkbot is a worm that spreads through social networking sites and messaging apps. Once installed, the infected computer becomes part of a botnet, allowing the botnet operator to control the machine remotely. Random content has been appended to one of the existing sections of the PE file. | fd964c0b89402a947716fdaddf0bf800 | https://blog.talosintelligence.com/2022/08/threat-roundup-0812-0819.html ; SHA256: c8beacbb624c1ad136f0350d6841f9a4d11b9ce447997f8074174c1f029840c4 ; https://arxiv.org/abs/1801.08917 ; PARENTID: M22-M8046 ; SSDEEP: 6144:Sh/ikWGQrifBkvxVJF3NGwVl8SUKHdwU:GTJQWfYrJFfzzUGwU ; SHA1: c1950ea4b1b94abfeb7e26a32dd9dc20ab984a58 ; MD5: fd964c0b89402a947716fdaddf0bf800 |
M22-M8038 | TrickBot_8cc0021e | Windows |
This strike sends a malware sample known as TrickBot. TrickBot is a banking trojan that targets sensitive information for selected financial institutions. This malware is frequently distributed through malicious spam campaigns, many of which rely on downloaders such as VBScript files for distribution. | 8cc0021e091932f84851a0bf9c02860b | https://blog.talosintelligence.com/2022/08/threat-roundup-0729-0805.html ; SHA256: 01a4f86457a252ffc23117ba653a2093902d0160140a3fda03e3cb9595f6d652 ; SHA1: a7d3deea4daabbac5bc0209ed854d1224120a688 ; MD5: 8cc0021e091932f84851a0bf9c02860b |
M22-M8037 | Dorkbot_8c5d180d | Windows |
This strike sends a malware sample known as Dorkbot. Dorkbot is a worm that spreads through social networking sites and messaging apps. Once installed, the infected computer becomes part of a botnet, allowing the botnet operator to control the machine remotely. | 8c5d180d78d43ec8c0754273f13f13d2 | https://blog.talosintelligence.com/2022/08/threat-roundup-0812-0819.html ; SHA256: 29e771b03f40a6cd492b49826238364933a37c65bee5bf7990d711ff14d3511e ; SHA1: 9681ad391c416840d35a40c5943b11eb9e66772a ; MD5: 8c5d180d78d43ec8c0754273f13f13d2 |
M22-M805d | TrickBot_ec58d221 | Windows |
This strike sends a malware sample known as TrickBot. TrickBot is a banking trojan that targets sensitive information for selected financial institutions. This malware is frequently distributed through malicious spam campaigns, many of which rely on downloaders such as VBScript files for distribution. | ec58d22179604219c554c56e5551a33a | https://blog.talosintelligence.com/2022/08/threat-roundup-0729-0805.html ; SHA256: 23d19c57bacf51421505125da6917c815a1aa0d5c7346cf42c47f6667df0599d ; SHA1: 8ea59a29d0cfd0abe0eca11f06b9239e311bfa58 ; MD5: ec58d22179604219c554c56e5551a33a |
M22-M8031 | Locky_8048aa32 | Windows |
This strike sends a malware sample known as Locky. Locky is ransomware for Windows systems that first appeared at the beginning of 2016. This variant is delivered by JavaScript attachments that download the binary. Like other ransomware, it encrypts local files as well as files on network shares and renames them to [unique_id][identifier].locky. The victim is then asked to pay a ransom to have the files decrypted. | 8048aa3289909b0f544bf7819a150a48 | https://blog.talosintelligence.com/2022/08/threat-roundup-0812-0819.html ; SHA256: 8d62a963beb4ac49096277d54d3d6bc78c1142ff30b600b0373256eaa6b7a73c ; SHA1: f7ad9416669ee5185c2cfc129de0c04cb0feb26b ; MD5: 8048aa3289909b0f544bf7819a150a48 |
M22-M806b | Dorkbot_617acc95 | Windows |
This strike sends a polymorphic malware sample known as Dorkbot. Dorkbot is a worm that spreads through social networking sites and messaging apps. Once installed, the infected computer becomes part of a botnet, allowing the botnet operator to control the machine remotely. One section in the binary has been renamed to a random name that still conforms to the PE format specification. | 617acc95c26c60ef3b90df8f612f4da4 | https://blog.talosintelligence.com/2022/08/threat-roundup-0812-0819.html ; SHA256: ca534b389a16c011aa2ca978d297c247e69888047ae3fa944602f3f0b2ecf2a2 ; https://arxiv.org/abs/1801.08917 ; PARENTID: M22-M8046 ; SSDEEP: 6144:0h/ikWGQrifBkvxVJF3NGwVl8SUKHdwUP:ATJQWfYrJFfzzUGwUP ; SHA1: d0aee802f57a38cd87d9f27f6d60083af192f01f ; MD5: 617acc95c26c60ef3b90df8f612f4da4 |
M22-M8029 | TrickBot_6c16b771 | Windows |
This strike sends a malware sample known as TrickBot. TrickBot is a banking trojan that targets sensitive information for selected financial institutions. This malware is frequently distributed through malicious spam campaigns, many of which rely on downloaders such as VBScript files for distribution. | 6c16b7715556744d54996256b431668a | https://blog.talosintelligence.com/2022/08/threat-roundup-0729-0805.html ; SHA256: 50543f06717e0d022a4b58043861f0a38ab82e068f07414adc5be142a66c6cec ; SHA1: 9bc4cb7f8dbc3d81d8e6e4001288db662df143b6 ; MD5: 6c16b7715556744d54996256b431668a |
M22-M8028 | TrickBot_6b553df5 | Windows |
This strike sends a malware sample known as TrickBot. TrickBot is a banking trojan that targets sensitive information for selected financial institutions. This malware is frequently distributed through malicious spam campaigns, many of which rely on downloaders such as VBScript files for distribution. | 6b553df50e52d6a374ca16adb25d2a53 | https://blog.talosintelligence.com/2022/08/threat-roundup-0729-0805.html ; SHA256: 1f14d617fd53588a36cd26c19e6f306fad28bac24140e9083986bb0cac607bc5 ; SHA1: d742d0cf7fa62e75b32f391a40995c52d87bc3ff ; MD5: 6b553df50e52d6a374ca16adb25d2a53 |
M22-M804a | Locky_b73d624c | Windows |
This strike sends a malware sample known as Locky. Locky is ransomware for Windows systems that first appeared at the beginning of 2016. This variant is delivered by JavaScript attachments that download the binary. Like other ransomware, it encrypts local files as well as files on network shares and renames them to [unique_id][identifier].locky. The victim is then asked to pay a ransom to have the files decrypted. | b73d624c91955ec6780053f5c6c1e552 | https://blog.talosintelligence.com/2022/08/threat-roundup-0812-0819.html ; SHA256: 1cdcb07c8a79bdb3faad6feae4b2720cec8dc8de0cfb1431502f91e8c9152e94 ; SHA1: 0a56f8d095ba7a347dffb02d18dd32ea69d1a6cc ; MD5: b73d624c91955ec6780053f5c6c1e552 |
M22-M803c | TrickBot_93d1113f | Windows |
This strike sends a malware sample known as TrickBot. TrickBot is a banking trojan that targets sensitive information for selected financial institutions. This malware is frequently distributed through malicious spam campaigns, many of which rely on downloaders such as VBScript files for distribution. | 93d1113fa5b123b5cc537f1c74c81412 | https://blog.talosintelligence.com/2022/08/threat-roundup-0729-0805.html ; SHA256: 26851fc35426f83e70d1542cc4f00a3dd16222de418d2e0727a4ab9d5218c22b ; SHA1: 1502e86be0fbb1cb8b735cb76f8baa954cc16456 ; MD5: 93d1113fa5b123b5cc537f1c74c81412 |
M22-M804d | TrickBot_bc47b3ab | Windows |
This strike sends a malware sample known as TrickBot. TrickBot is a banking trojan that targets sensitive information for selected financial institutions. This malware is frequently distributed through malicious spam campaigns, many of which rely on downloaders such as VBScript files for distribution. | bc47b3ab044ca04355bec9db0649606d | https://blog.talosintelligence.com/2022/08/threat-roundup-0729-0805.html ; SHA256: 0ef6c2cc035d61abd0f221d2bb8d6c0f5fc1e2e87cd5001f47861435fded326b ; SHA1: 4577410c05509cacdf235ef79afa3454311e7363 ; MD5: bc47b3ab044ca04355bec9db0649606d |
M22-M805a | RapperBot_e4b3a9f9 | Linux |
This strike sends a malware sample known as RapperBot. RapperBot is IoT botnet malware that borrows heavily from the Mirai source code. Unlike Mirai, however, RapperBot brute-forces SSH servers with weak credentials. After breaking into an SSH server, it sends the working credentials back to the command-and-control server and then appends an attacker-controlled public key to the account's authorized_keys file to maintain persistence on the machine. This keeps the compromised host available for DDoS attacks once the operators are ready to launch them. | e4b3a9f9e5e90ce3912665ffb7e0f6f8 | https://thehackernews.com/2022/08/new-iot-rapperbot-malware-targeting.html ; SHA256: 88bbb772b8731296822646735aacbfb53014fbb7f90227b44523d7577e0a7ce6 ; SHA1: 33cf1b18c99a43ea76c4b87c92b73a769acd24ad ; MD5: e4b3a9f9e5e90ce3912665ffb7e0f6f8 |
M22-M8041 | Dorkbot_9d763334 | Windows |
This strike sends a malware sample known as Dorkbot. Dorkbot is a worm that spreads through social networking sites and messaging apps. Once installed, the infected computer becomes part of a botnet, allowing the botnet operator to control the machine remotely. | 9d763334a69c0c9ffcae3f99b4a3337d | https://blog.talosintelligence.com/2022/08/threat-roundup-0812-0819.html ; SHA256: 90853a92441d02881129621868f5a83d4fda693e6602a043dae622186b654a0d ; SHA1: 3ba06121809b5059d28186691e980bc92ed00f07 ; MD5: 9d763334a69c0c9ffcae3f99b4a3337d |
M22-M8063 | BugDrop_ffd517d2 | Mixed |
This strike sends a malware sample known as BugDrop. BugDrop is Android malware that masquerades as a QR code scanner on the Google Play store. Its sole purpose is to bypass the security measures used in the Google Play Store and deploy a malicious payload, typically an Android trojan. | ffd517d24a3d09082159493d859d4767 | https://www.threatfabric.com/blogs/bugdrop-new-dropper-bypassing-google-security-measures.html ; SHA256: 367ae87d74c4d45aec595bdccee83a2d38b8ceb71956c902716141f163987c8a ; SHA1: e4c47125daa305c49bbd4ae1f945714b2685e94c ; MD5: ffd517d24a3d09082159493d859d4767 |
M22-M802a | Dorkbot_6ce9013f | Windows |
This strike sends a malware sample known as Dorkbot. Dorkbot is a worm that spreads through social networking sites and messaging apps. Once installed, the infected computer becomes part of a botnet, allowing the botnet operator to control the machine remotely. | 6ce9013ff2917fc2cb26fadf22df6bb9 | https://blog.talosintelligence.com/2022/08/threat-roundup-0812-0819.html ; SHA256: af69bafe28d0df36ddba5768583cf25bd5cae24b312e17f607c77294b731f0dd ; SHA1: 302705510231d77fd7a4d442f85e88db1920aad8 ; MD5: 6ce9013ff2917fc2cb26fadf22df6bb9 |
M22-M8045 | Dorkbot_a60ea31c | Windows |
This strike sends a malware sample known as Dorkbot. Dorkbot is a worm that spreads through social networking sites and messaging apps. Once installed, the infected computer becomes part of a botnet, allowing the botnet operator to control the machine remotely. | a60ea31cff0dbe199cbf6fbea03cc77d | https://blog.talosintelligence.com/2022/08/threat-roundup-0812-0819.html ; SHA256: 2bbac09df0fbb667c042f25c8d4810a08d6a3129a57ec70363debad39f917bd2 ; SHA1: 291d37d22feef1fa484c7b1859f284b91c62f033 ; MD5: a60ea31cff0dbe199cbf6fbea03cc77d |
M22-M8009 | TrickBot_186d3ddb | Windows |
This strike sends a malware sample known as TrickBot. TrickBot is a banking trojan that targets sensitive information for selected financial institutions. This malware is frequently distributed through malicious spam campaigns, many of which rely on downloaders such as VBScript files for distribution. | 186d3ddb5df74784da23a841ad7ae2da | https://blog.talosintelligence.com/2022/08/threat-roundup-0729-0805.html ; SHA256: 094f5c76889cd9f3f9357d72eda49a962eedc8457a77d586459dbd5968f85aef ; SHA1: 9babd78342a45ab27c527ffcd546251c82092e47 ; MD5: 186d3ddb5df74784da23a841ad7ae2da |
M22-M803f | RapperBot_94c9ae3a | Linux |
This strike sends a malware sample known as RapperBot. RapperBot is IoT botnet malware that borrows heavily from the Mirai source code. Unlike Mirai, however, RapperBot brute-forces SSH servers with weak credentials. After breaking into an SSH server, it sends the working credentials back to the command-and-control server and then appends an attacker-controlled public key to the account's authorized_keys file to maintain persistence on the machine. This keeps the compromised host available for DDoS attacks once the operators are ready to launch them. | 94c9ae3ab4319954a302d819e8a608ec | https://thehackernews.com/2022/08/new-iot-rapperbot-malware-targeting.html ; SHA256: 23256f231f3d91b0136b44d649b924552607a29b43a195024dbe6cde5b4a28ad ; SHA1: 94d51c338af676e51cb22f8d169a5aa867259118 ; MD5: 94c9ae3ab4319954a302d819e8a608ec |
M22-M8043 | TrickBot_a13af228 | Windows |
This strike sends a malware sample known as TrickBot. TrickBot is a banking trojan that targets sensitive information for selected financial institutions. This malware is frequently distributed through malicious spam campaigns, many of which rely on downloaders such as VBScript files for distribution. | a13af2286cd59a8963df5feb0a06412e | https://blog.talosintelligence.com/2022/08/threat-roundup-0729-0805.html ; SHA256: 3b5e722ae23b3656cfb17fcb9fd218b92c5e4f24c241c3f1c37bded99d92c035 ; SHA1: 4618b4ef94b069b870c8dd2604cba10ec81c6113 ; MD5: a13af2286cd59a8963df5feb0a06412e |
M22-M801d | Dorkbot_535fb4c2 | Windows |
This strike sends a malware sample known as Dorkbot. Dorkbot is a worm that spreads through social networking sites and messaging apps. Once installed, the infected computer becomes part of a botnet, allowing the botnet operator to control the machine remotely. | 535fb4c2c630fc80bdcbc56895528027 | https://blog.talosintelligence.com/2022/08/threat-roundup-0812-0819.html ; SHA256: b7d2ff1e59e0d30e46adf03d7a90dcc0ed83f2ff1e9b35702a70486954f1d3dd ; SHA1: 1057ea5a9bf3b79438f1a2035c8a6c037bb198f5 ; MD5: 535fb4c2c630fc80bdcbc56895528027 |
M22-M8047 | RapperBot_ab96e594 | Linux |
This strike sends a malware sample known as RapperBot. RapperBot is IoT botnet malware that borrows heavily from the Mirai source code. Unlike Mirai, however, RapperBot brute-forces SSH servers with weak credentials. After breaking into an SSH server, it sends the working credentials back to the command-and-control server and then appends an attacker-controlled public key to the account's authorized_keys file to maintain persistence on the machine. This keeps the compromised host available for DDoS attacks once the operators are ready to launch them. | ab96e594403ed957ed2ec6c992513abf | https://thehackernews.com/2022/08/new-iot-rapperbot-malware-targeting.html ; SHA256: a31f4caa0be9e588056c92fd69c8ac970ebc7e85a68615b1d9407a954d4df45d ; SHA1: 5aa801ffe8d362bcb64a0575aea778082a4ddc54 ; MD5: ab96e594403ed957ed2ec6c992513abf |
M22-M8075 | Locky_cb93d5c8 | Windows |
This strike sends a polymorphic malware sample known as Locky. Locky is ransomware for Windows systems that first appeared at the beginning of 2016. This variant is delivered by JavaScript attachments that download the binary. Like other ransomware, it encrypts local files as well as files on network shares and renames them to [unique_id][identifier].locky. The victim is then asked to pay a ransom to have the files decrypted. The binary has one additional import added to its import table. | cb93d5c8daa92eb0280f3ff3535b8d93 | https://blog.talosintelligence.com/2022/08/threat-roundup-0812-0819.html ; SHA256: 41876efdb225d165ae4746a5d10494199bd399d01c23b257d9ac2d5a2a75f640 ; https://arxiv.org/abs/1702.05983 ; PARENTID: M22-M8015 ; SSDEEP: 12288:sbBxl0y84cD3SLOmpuWYLx3vIRW2X3Ps9qThst17K/Y87MZmcCt:sbXbnpuZS0QkETutYQ8qmbt ; SHA1: c42a4c652b6c5ef0a545278b0514e1c0560334c5 ; MD5: cb93d5c8daa92eb0280f3ff3535b8d93 |
M22-M8044 | Dorkbot_a42942f2 | Windows |
This strike sends a malware sample known as Dorkbot. Dorkbot is a worm that spreads through social networking sites and messaging apps. Once installed, the infected computer becomes part of a botnet, allowing the botnet operator to control the machine remotely. | a42942f29b7e3084686d9c851ee53999 | https://blog.talosintelligence.com/2022/08/threat-roundup-0812-0819.html ; SHA256: b478d67b97fa15e88d047c643232590d1c6c2d2179e330df5bdc78c4e56036ee ; SHA1: ba448f458d7df2f022208098920fad1d4e5c5aae ; MD5: a42942f29b7e3084686d9c851ee53999 |
M22-M8023 | RapperBot_5e10e46c | Linux |
This strike sends a malware sample known as RapperBot. RapperBot is IoT botnet malware that borrows heavily from the Mirai source code. Unlike Mirai, however, RapperBot brute-forces SSH servers with weak credentials. After breaking into an SSH server, it sends the working credentials back to the command-and-control server and then appends an attacker-controlled public key to the account's authorized_keys file to maintain persistence on the machine. This keeps the compromised host available for DDoS attacks once the operators are ready to launch them. | 5e10e46ccd75627df169976de506029d | https://thehackernews.com/2022/08/new-iot-rapperbot-malware-targeting.html ; SHA256: 2479932a6690f070fa344e5222e3fbb6ad9c880294d5b822d7a3ec27f1b8b8d5 ; SHA1: 52489a148462acc8b8633c09f3ba3ce5e9f27063 ; MD5: 5e10e46ccd75627df169976de506029d |
M22-M802e | RapperBot_75181839 | Linux |
This strike sends a malware sample known as RapperBot. RapperBot is IoT botnet malware that borrows heavily from the Mirai source code. Unlike Mirai, however, RapperBot brute-forces SSH servers with weak credentials. After breaking into an SSH server, it sends the working credentials back to the command-and-control server and then appends an attacker-controlled public key to the account's authorized_keys file to maintain persistence on the machine. This keeps the compromised host available for DDoS attacks once the operators are ready to launch them. | 75181839d4eca01c095f5976cfe06f71 | https://thehackernews.com/2022/08/new-iot-rapperbot-malware-targeting.html ; SHA256: 8e9f87bb25ff83e4ad970366bba47afb838028f7028ea3a7c73c4d08906ec102 ; SHA1: e8f05a1c719b0348a490afd6b0c213b53d9835ca ; MD5: 75181839d4eca01c095f5976cfe06f71 |
M22-M800f | Dorkbot_2cfa385a | Windows |
This strike sends a malware sample known as Dorkbot. Dorkbot is a worm that spreads through social networking sites and messaging apps. Once installed, the infected computer becomes part of a botnet, allowing the botnet operator to control the machine remotely. | 2cfa385a368304e57a7a3918e53401cc | https://blog.talosintelligence.com/2022/08/threat-roundup-0812-0819.html ; SHA256: 4faa3a69a429a598863c9369d0b4d572fa01b5bbf567b0d76f5a42f596430003 ; SHA1: 0f0b06d64cd6f594ed1ce651afacb26919d6c0bb ; MD5: 2cfa385a368304e57a7a3918e53401cc |
M22-M8056 | TrickBot_ddf00820 | Windows |
This strike sends a malware sample known as TrickBot. TrickBot is a banking trojan that targets sensitive information for selected financial institutions. This malware is frequently distributed through malicious spam campaigns, many of which rely on downloaders such as VBScript files for distribution. | ddf00820caa8c37f4fc691e6195a3a76 | https://blog.talosintelligence.com/2022/08/threat-roundup-0729-0805.html ; SHA256: 2d05858c463ea267870ff964d9f9779def1ca711586dcfea58745ebe6675ff1f ; SHA1: e690ccd3b88df7f13d2294e0fed8e27f35bd8645 ; MD5: ddf00820caa8c37f4fc691e6195a3a76 |
M22-M8070 | Dorkbot_89fecc6d | Windows |
This strike sends a polymorphic malware sample known as Dorkbot. Dorkbot is a worm that spreads through social networking sites and messaging apps. Once installed, the infected computer becomes part of a botnet, allowing the botnet operator to control the machine remotely. The binary has random bytes appended at the end of the file. | 89fecc6df87d3a9ec5efe7deded2560e | https://blog.talosintelligence.com/2022/08/threat-roundup-0812-0819.html ; SHA256: a0780263595cc6be8e01051e9195c36d54dcb38ff360d5ffcd46b6da0d2ae297 ; https://attack.mitre.org/techniques/T1009/ ; PARENTID: M22-M8046 ; SSDEEP: 6144:Sh/ikWGQrifBkvxVJF3NGwVl8SUKHdwUI:GTJQWfYrJFfzzUGwUI ; SHA1: 57bd25129f7a27245c56aadc04ef5d36d94474dd ; MD5: 89fecc6df87d3a9ec5efe7deded2560e |
M22-M8050 | Dorkbot_c35270cf | Windows |
This strike sends a malware sample known as Dorkbot. Dorkbot is a worm that spreads through social networking sites and messaging apps. Once installed, the infected computer becomes part of a botnet, allowing the botnet operator to control the machine remotely. | c35270cfbadd4cff99be4fd906ed4b49 | https://blog.talosintelligence.com/2022/08/threat-roundup-0812-0819.html ; SHA256: 1e358ccc5c00767b2d7518ad5b34639c172a33118f691b6e989c0da4a4067781 ; SHA1: c15f4fcbc753e8ebf689c7112a68371bb4456194 ; MD5: c35270cfbadd4cff99be4fd906ed4b49 |
M22-M8026 | TrickBot_66d07e5c | Windows |
This strike sends a malware sample known as TrickBot. TrickBot is a banking trojan that targets sensitive information for selected financial institutions. This malware is frequently distributed through malicious spam campaigns, many of which rely on downloaders such as VBScript files for distribution. | 66d07e5c7d5acb931603325b7e064d47 | https://blog.talosintelligence.com/2022/08/threat-roundup-0729-0805.html ; SHA256: 12eb4eb5dd38c776ec50166596c5e4ffda47108ce709990ae84a33a3a91776ed ; SHA1: 3cfe64e7408092dafd5a917563952dbd44d6d740 ; MD5: 66d07e5c7d5acb931603325b7e064d47 |
M22-M8006 | RapperBot_1318afe2 | Linux |
This strike sends a malware sample known as RapperBot. RapperBot is IoT botnet malware that borrows heavily from the Mirai source code. Unlike Mirai, however, RapperBot brute-forces SSH servers with weak credentials. After breaking into an SSH server, it sends the working credentials back to the command-and-control server and then appends an attacker-controlled public key to the account's authorized_keys file to maintain persistence on the machine. This keeps the compromised host available for DDoS attacks once the operators are ready to launch them. | 1318afe218cf3a86f71aa6936df33ee7 | https://thehackernews.com/2022/08/new-iot-rapperbot-malware-targeting.html ; SHA256: e8d06ac196c7852ff71c150b2081150be9996ff670550717127db8ab855175a8 ; SHA1: d9c3051c61aedd87c530123ece2fdc5123f04ec8 ; MD5: 1318afe218cf3a86f71aa6936df33ee7 |
M22-M8067 | Dorkbot_27d4b49a | Windows |
This strike sends a polymorphic malware sample known as Dorkbot. Dorkbot is a worm that spreads through social networking sites and messaging apps. Once installed, the infected computer becomes part of a botnet, allowing the botnet operator to control the machine remotely. The binary has one additional import added to its import table. | 27d4b49aa7890f825e97fdafb1c99b2a | https://blog.talosintelligence.com/2022/08/threat-roundup-0812-0819.html ; SHA256: 53100100ef19da2ad5acf6384f0ce6211258ba9415bf838f6362ea924898355f ; https://arxiv.org/abs/1702.05983 ; PARENTID: M22-M8046 ; SSDEEP: 6144:4h/ikWGQrifBkvxVJFLNGwVl8SUKHdwU:UTJQWfYrJFDzzUGwU ; SHA1: ae127468e340258a1ba9ae96998aa9082e096cf6 ; MD5: 27d4b49aa7890f825e97fdafb1c99b2a |
M22-M803e | TrickBot_949e4fdd | Windows |
This strike sends a malware sample known as TrickBot. TrickBot is a banking trojan that targets sensitive information for selected financial institutions. This malware is frequently distributed through malicious spam campaigns, many of which rely on downloaders such as VBScript files for distribution. | 949e4fddcd7de77db26dcdaf532bf79a | https://blog.talosintelligence.com/2022/08/threat-roundup-0729-0805.html ; SHA256: 04d4ecf05a7bcc6ca0f318bacaa6087ea1e5badc14ca9eebec52aaff791718bc ; SHA1: 60432d41180f42e9d8268150e6be7f67f635c779 ; MD5: 949e4fddcd7de77db26dcdaf532bf79a |
M22-M805e | RapperBot_ee73067c | Linux |
This strike sends a malware sample known as RapperBot. RapperBot is IoT botnet malware that borrows heavily from the Mirai source code. Unlike Mirai, however, RapperBot brute-forces SSH servers with weak credentials. After breaking into an SSH server, it sends the working credentials back to the command-and-control server and then appends an attacker-controlled public key to the account's authorized_keys file to maintain persistence on the machine. This keeps the compromised host available for DDoS attacks once the operators are ready to launch them. | ee73067c97e7015dc3f805fd3f66f3db | https://thehackernews.com/2022/08/new-iot-rapperbot-malware-targeting.html ; SHA256: c83f318339e9c4072010b625d876558d14eaa0028339db9edf12bbcafe6828bb ; SHA1: bbd8f413be3abe8df87cd2ed6c58e68f4bb505ce ; MD5: ee73067c97e7015dc3f805fd3f66f3db |
M22-M806c | DarkTortilla | Windows |
This strike sends a polymorphic malware sample known as DarkTortilla Loader. DarkTortilla is a .NET-based crypter that delivers information stealers and remote access trojans such as AgentTesla and RedLine. It has also been observed delivering payloads such as Cobalt Strike and Metasploit, as well as other malicious documents and executables. This sample is the DarkTortilla initial loader. One section in the binary has been renamed to a random name that still conforms to the PE format specification. | 6312c27d72dfca46e9dc99030ce5e944 | https://www.secureworks.com/research/darktortilla-malware-analysis ; SHA256: a03365c8420c28d02e372ed1dc1d22969bffbe0f70a8083279a31d101a638ed0 ; https://arxiv.org/abs/1801.08917 ; PARENTID: M22-M8039 ; SSDEEP: 24576:oCldODAffhnEeMv+gVDMMgqT8Mw14AIdP/EE9:tjXhnEVv+gVg7qQMwc/E2 ; SHA1: b6029b975f1e30d0aba4e2cd860f40d5699bede8 ; MD5: 6312c27d72dfca46e9dc99030ce5e944 |
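The polymorphic entries in this listing (the Locky, Dorkbot and DarkTortilla variants above) are derived from a parent strike by one of four PE mutations: random bytes or strings appended after end-of-file, random content appended inside an existing section, a section renamed, or an extra import added. Each mutation changes the SHA-256/SHA-1/MD5, which is why those rows also carry a PARENTID and an SSDEEP fuzzy hash that stays close to the parent's. The script below is an added example, not code from the strike list or from any of the referenced vendors: it assembles a constructed, non-runnable PE32 image, applies two of the mutations (end-of-file padding and a section rename) and shows which checks still tie the variant to its parent. The `KNOWN_SECTION_NAMES` allowlist and the `build_minimal_pe` helper are assumptions made for the example.

```python
import hashlib
import struct

# Section names commonly emitted by MSVC/GCC/LLVM linkers. This allowlist is an
# assumption for the example; tune it to the binaries you actually see.
KNOWN_SECTION_NAMES = {
    ".text", ".rdata", ".data", ".idata", ".edata", ".rsrc", ".reloc", ".pdata",
    ".tls", ".bss", ".CRT", ".xdata", ".debug", "CODE", "DATA", "BSS", ".textbss",
}
FILE_ALIGN = 0x200


def build_minimal_pe(sections):
    """Assemble a constructed, non-runnable PE32 image from [(name, bytes), ...].
    Only the header fields the section-table parser needs are populated."""
    num = len(sections)
    size_opt = 0xE0                                      # PE32 optional header size
    hdr_end = 0x40 + 4 + 20 + size_opt + 40 * num         # DOS + "PE\0\0" + COFF + opt + table
    hdr_end = (hdr_end + FILE_ALIGN - 1) // FILE_ALIGN * FILE_ALIGN
    dos = bytearray(0x40)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)              # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, num, 0, 0, 0, size_opt, 0x0102)
    opt = bytearray(size_opt)
    struct.pack_into("<H", opt, 0, 0x10B)                # PE32 magic
    struct.pack_into("<II", opt, 32, 0x1000, FILE_ALIGN)  # SectionAlignment, FileAlignment
    struct.pack_into("<I", opt, 60, hdr_end)             # SizeOfHeaders
    table, body, raw_ptr, va = bytearray(), bytearray(), hdr_end, 0x1000
    for name, data in sections:
        raw_size = (len(data) + FILE_ALIGN - 1) // FILE_ALIGN * FILE_ALIGN
        table += struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"), len(data),
                             va, raw_size, raw_ptr, 0, 0, 0, 0, 0x60000020)
        body += data.ljust(raw_size, b"\0")
        raw_ptr, va = raw_ptr + raw_size, va + 0x1000
    return bytes((dos + b"PE\0\0" + coff + opt + table).ljust(hdr_end, b"\0") + body)


def _section_table_offset(pe):
    """DOS header -> e_lfanew -> PE signature -> COFF header -> start of section table."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    num = struct.unpack_from("<H", pe, e_lfanew + 6)[0]        # COFF NumberOfSections
    size_opt = struct.unpack_from("<H", pe, e_lfanew + 20)[0]  # COFF SizeOfOptionalHeader
    return e_lfanew + 24 + size_opt, num


def parse_sections(pe):
    table_off, num = _section_table_offset(pe)
    out = []
    for i in range(num):
        name, _vsize, _va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", pe, table_off + 40 * i)
        out.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                    "raw_ptr": raw_ptr, "raw_size": raw_size})
    return out


def overlay_size(pe):
    """Bytes past the end of the last section's raw data: where EOF padding lands."""
    end = max((s["raw_ptr"] + s["raw_size"] for s in parse_sections(pe)), default=0)
    return max(len(pe) - end, 0)


def unknown_section_names(pe):
    return [s["name"] for s in parse_sections(pe) if s["name"] not in KNOWN_SECTION_NAMES]


def section_content_digest(pe):
    """SHA-256 over section raw data only: headers, names and overlay are excluded."""
    h = hashlib.sha256()
    for s in parse_sections(pe):
        h.update(pe[s["raw_ptr"]:s["raw_ptr"] + s["raw_size"]])
    return h.hexdigest()


def file_sha256(pe):
    return hashlib.sha256(pe).hexdigest()


def append_padding(pe, padding):
    """Binary padding (ATT&CK T1009): bytes after EOF, headers untouched."""
    return pe + padding


def rename_section(pe, index, new_name):
    """Overwrite the 8-byte name of one section header in place."""
    table_off, _ = _section_table_offset(pe)
    out = bytearray(pe)
    off = table_off + 40 * index
    out[off:off + 8] = new_name.encode().ljust(8, b"\0")
    return bytes(out)


# Constructed parent and two mutated children mirroring the listing's variants.
BASE = build_minimal_pe([(".text", b"\x55\x8b\xec\x90" * 30), (".data", b"config" * 16)])
PADDED = append_padding(BASE, b"Lorem ipsum dolor sit amet " * 8)   # lorem-ipsum EOF padding
RENAMED = rename_section(BASE, 0, "qzx8k")                        # random section name

if __name__ == "__main__":
    for label, sample in (("parent", BASE), ("padded", PADDED), ("renamed", RENAMED)):
        print(label, file_sha256(sample)[:16], section_content_digest(sample)[:16],
              "overlay=%d" % overlay_size(sample), unknown_section_names(sample))
```

The file hash differs for all three samples, while the section-content digest matches across the parent, the padded child and the renamed child; the overlay measurement points straight at the appended bytes and the name check at the renamed section. The other two mutations in the listing (content appended inside a section, an extra import) alter section data, so the content digest no longer matches; there a fuzzy hash such as the SSDEEP value recorded above, or a digest restricted to the sections that were not touched, is the right pivot back to the parent.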
M22-M802b | DarkTortilla | Windows |
This strike sends a malware sample known as DarkTortilla Loader. DarkTortilla is a .NET-based crypter that delivers information stealers and remote access trojans such as AgentTesla and RedLine. It has also been observed delivering payloads such as Cobalt Strike and Metasploit, as well as other malicious documents and executables. This sample is the DarkTortilla initial loader. | 6e91ad0972e104a277505104abe39d1e | https://www.secureworks.com/research/darktortilla-malware-analysis ; SHA256: b3754c6ecc445e9a3b37c5ebe68adb9630ca4aa89a8e8515468f39ae8131f141 ; SHA1: 261d699c3bb1a0042b88a45ed340f2d86149464f ; MD5: 6e91ad0972e104a277505104abe39d1e |
M22-M8011 | RapperBot_30ce66fa | Linux |
This strike sends a malware sample known as RapperBot. RapperBot is IoT botnet malware that borrows heavily from the Mirai source code. Unlike Mirai, however, RapperBot brute-forces SSH servers with weak credentials. After breaking into an SSH server, it sends the working credentials back to the command-and-control server and then appends an attacker-controlled public key to the account's authorized_keys file to maintain persistence on the machine. This keeps the compromised host available for DDoS attacks once the operators are ready to launch them. | 30ce66fa45abddf278dbb3eccf87ddad | https://thehackernews.com/2022/08/new-iot-rapperbot-malware-targeting.html ; SHA256: dcdeedee4736ec528d1a30a585ec4a1a4f3462d6d25b71f6c1a4fef7f641e7ae ; SHA1: 4b6524d0a3f1ffeac80c1251ad63601274896eb0 ; MD5: 30ce66fa45abddf278dbb3eccf87ddad |
M22-M8013 | TrickBot_32dfe14f | Windows |
This strike sends a malware sample known as TrickBot. TrickBot is a banking trojan that targets sensitive information for select financial institutions. It is frequently distributed through malicious spam campaigns, many of which rely on downloaders such as VBScript files for distribution. | 32dfe14fe473b36a31751b333f82c9e1 | https://blog.talosintelligence.com/2022/08/threat-roundup-0729-0805.html; SHA256: 2549d2a70d146340d14d981ecd9c33ce384bc743d4ed258f1eb9740c30792429; SHA1: 1cb4fd30a8abe7db4274d5e781021085628f6c57; MD5: 32dfe14fe473b36a31751b333f82c9e1 |
M22-M8040 | XtremeRAT_977f45e5 | Windows |
This strike sends a malware sample known as XtremeRAT. XtremeRAT is a remote access trojan that allows the attacker to eavesdrop on users and modify the running system. | 977f45e5cb09032ec6b9cb4a357c40a3 | https://blog.talosintelligence.com/2022/08/threat-roundup-0812-0819.html; SHA256: 10f0a0f8b51964b8a3fc497040601a48fe0493a7e4010ee89e61068cc8e2d92d; SHA1: 75aacaf9d2c546cbb902b88da5d2826f60dbceb1; MD5: 977f45e5cb09032ec6b9cb4a357c40a3 |
M22-M805b | RapperBot_e70f70c9 | Linux |
This strike sends a malware sample known as RapperBot. RapperBot is an IoT botnet malware that borrows heavily from the Mirai source code. Unlike Mirai, however, RapperBot brute-forces SSH server logins. Once it breaks into an SSH server, it sends the working credentials back to its command-and-control server and appends its own SSH public key to the authorized_keys file in an attempt to maintain persistence on the machine. This positions the compromised host for use in future DDoS attacks when the attackers are ready. | e70f70c91670ac3fc8d3d7963f6fb8a6 | https://thehackernews.com/2022/08/new-iot-rapperbot-malware-targeting.html; SHA256: 9d234e975e4df539a217d1c4386822be1f56cea35f7dd2aa606ae4995894da42; SHA1: 8b9f2892a5fe32fe4ffe65c97b7ba0bb2f58bcf9; MD5: e70f70c91670ac3fc8d3d7963f6fb8a6 |
M22-M800b | Dorkbot_23788137 | Windows |
This strike sends a malware sample known as Dorkbot. Dorkbot is a worm that spreads through social networking sites and messaging apps. Once installed, the infected computer becomes part of a botnet, allowing the botnet operator to control the machine remotely. | 237881374e70bbe9f94bbf80a5e78580 | https://blog.talosintelligence.com/2022/08/threat-roundup-0812-0819.html; SHA256: 1d0d652abf31a5b4f9ecf5ee6d201b4d31e977f6fc769a34cd34a5468e362e14; SHA1: 60e8e54544c14eda7b91ca7335faad76e9d0e166; MD5: 237881374e70bbe9f94bbf80a5e78580 |
M22-M8066 | XtremeRAT_05d580a8 | Windows |
This strike sends a polymorphic malware sample known as XtremeRAT. XtremeRAT is a remote access trojan that allows the attacker to eavesdrop on users and modify the running system. The binary has random strings (lorem ipsum text) appended at the end of the file. | 05d580a868e5ff141cbf373fbf0bb344 | https://blog.talosintelligence.com/2022/08/threat-roundup-0812-0819.html; SHA256: 168cf1a3755a0291e2f429b0e1ea812a9469a6210b5d701b534f0961f0e0b513; https://attack.mitre.org/techniques/T1009/; PARENTID: M22-M8021; SSDEEP: 384:uWBhtbQs2FrJ6nz0xxuXR3OfN9SG9PESZKisPTdH2gSC+GCgX7RHCyFwb5RmJNtq:tbO6nz0fQZeN9D5wPTCpyrQ0vtBIx2U; SHA1: 6ef35eaad0ad3eb6fcde27e4517a48a4b6a11d76; MD5: 05d580a868e5ff141cbf373fbf0bb344 |
M22-M8053 | TrickBot_cafe04d2 | Windows |
This strike sends a malware sample known as TrickBot. TrickBot is a banking trojan that targets sensitive information for select financial institutions. It is frequently distributed through malicious spam campaigns, many of which rely on downloaders such as VBScript files for distribution. | cafe04d25daaedcb880a433768e0bb96 | https://blog.talosintelligence.com/2022/08/threat-roundup-0729-0805.html; SHA256: 3f32a6229d93292633dc3c9af4dcf7360463cd9fcc72bfc68bfc68afa666316d; SHA1: 5e1549e504c1b7b6324da5b89ed4d5bd05dee13c; MD5: cafe04d25daaedcb880a433768e0bb96 |
M22-M8068 | Locky_28b5e374 | Windows |
This strike sends a polymorphic malware sample known as Locky. Locky is ransomware for Windows systems that first appeared at the beginning of 2016. This variant is delivered by malicious JavaScript attachments that download the ransomware payload. Like other ransomware, it encrypts local files as well as files on network shares and renames them to [unique_id][identifier].locky. The victim is then asked to pay a ransom to have the files decrypted. The binary has been packed with UPX using the default options. | 28b5e37490d59e2d5dff1c1a429263bf | https://blog.talosintelligence.com/2022/08/threat-roundup-0812-0819.html; SHA256: a1fb47eb45b37b76fc4acd2a1475dc81e0526489241eb89887a7c3ecd4d6d951; https://attack.mitre.org/techniques/T1045/; PARENTID: M22-M8015; SSDEEP: 12288:NeoRLYW6cph0Zo27laUgc/fMb4PqQ2+4RWXygXCYx70hH4frZoxR:NjBPT0Zo2xa+/fTV2+ukyG7cH4fryR; SHA1: 712ba1621cae1df0e146279a9b08199748a7abb3; MD5: 28b5e37490d59e2d5dff1c1a429263bf |
M22-M806a | TrickBot_5d9d5845 | Windows |
This strike sends a polymorphic malware sample known as TrickBot. TrickBot is a banking trojan that targets sensitive information for select financial institutions. It is frequently distributed through malicious spam campaigns, many of which rely on downloaders such as VBScript files for distribution. One of the binary's PE section names has been replaced with a random name that still conforms to the PE format specification. | 5d9d5845db1526c160a1cc0791cfa49c | https://blog.talosintelligence.com/2022/08/threat-roundup-0729-0805.html; SHA256: b396284c80bc4b860be00321e710751ed44ba4899a85e85b8e5fe4e7a7ab2bda; https://arxiv.org/abs/1801.08917; PARENTID: M22-M8061; SSDEEP: 384:n5yqVLBSl0/x+fIDD0HEqsiKS6qFbrCEg3WplnXsaNJawcudoD7UzKDgRAF5iFmH:ng8+c+qqsiKS6RWprnbcuyD7UpRAuIG6; SHA1: 55c09a8a54c8f41e8002a0144a5d54d40a46f058; MD5: 5d9d5845db1526c160a1cc0791cfa49c |
M22-M801b | Dorkbot_4f2fcaff | Windows |
This strike sends a malware sample known as Dorkbot. Dorkbot is a worm that spreads through social networking sites and messaging apps. Once installed, the infected computer becomes part of a botnet, allowing the botnet operator to control the machine remotely. | 4f2fcaff3b068ee744b80db7474f8043 | https://blog.talosintelligence.com/2022/08/threat-roundup-0812-0819.html; SHA256: 84055ce5bc4ef2bdf486e82e444e5665c73f4fe627a8734edc463b59f443bfcc; SHA1: 831c5667c28e437d50c6cd687904aaba29a010a5; MD5: 4f2fcaff3b068ee744b80db7474f8043 |
M22-M8017 | XtremeRAT_44096609 | Windows |
This strike sends a malware sample known as XtremeRAT. XtremeRAT is a remote access trojan that allows the attacker to eavesdrop on users and modify the running system. | 44096609059132b91abf2e16adce45c7 | https://blog.talosintelligence.com/2022/08/threat-roundup-0812-0819.html; SHA256: 05316395bee1b9759134e86ecf28413d197c95cc6c25bb96a3fd957adfb767fe; SHA1: 142c859c111cd7dd3bff8ee44ff19f59f723f8b2; MD5: 44096609059132b91abf2e16adce45c7 |
M22-M803b | RapperBot_927b2162 | Linux |
This strike sends a malware sample known as RapperBot. RapperBot is an IoT botnet malware that borrows heavily from the Mirai source code. Unlike Mirai, however, RapperBot brute-forces SSH server logins. Once it breaks into an SSH server, it sends the working credentials back to its command-and-control server and appends its own SSH public key to the authorized_keys file in an attempt to maintain persistence on the machine. This positions the compromised host for use in future DDoS attacks when the attackers are ready. | 927b2162032a3a89a6e17f9769155985 | https://thehackernews.com/2022/08/new-iot-rapperbot-malware-targeting.html; SHA256: 1975851c916587e057fa5862884cbac3fa1e80881ddd062392486f5390c86865; SHA1: 40434f00734ccd0d55edd135c50b7595de2bc66b; MD5: 927b2162032a3a89a6e17f9769155985 |
M22-M8069 | Dorkbot_4e3a397f | Windows |
This strike sends a polymorphic malware sample known as Dorkbot. Dorkbot is a worm that spreads through social networking sites and messaging apps. Once installed, the infected computer becomes part of a botnet, allowing the botnet operator to control the machine remotely. The TimeDateStamp field in the binary's PE file header has been changed. | 4e3a397fa3e835cf6bb5ca23268cb11a | https://blog.talosintelligence.com/2022/08/threat-roundup-0812-0819.html; SHA256: b09bcb7658ae1b8a59e1ae7307c7fccfcd5d885e180103206a8f3c86db9dc9fa; https://attack.mitre.org/techniques/T1099/; PARENTID: M22-M8046; SSDEEP: 6144:Qh/ikWGQrifBkvxVJF3NGwVl8SUKHdwUP:MTJQWfYrJFfzzUGwUP; SHA1: cfa0f48aace027fc5b5efb3b004d532631e6b368; MD5: 4e3a397fa3e835cf6bb5ca23268cb11a |
M22-M8022 | RapperBot_5d7d2618 | Linux |
This strike sends a malware sample known as RapperBot. RapperBot is an IoT botnet malware that borrows heavily from the Mirai source code. Unlike Mirai, however, RapperBot brute-forces SSH server logins. Once it breaks into an SSH server, it sends the working credentials back to its command-and-control server and appends its own SSH public key to the authorized_keys file in an attempt to maintain persistence on the machine. This positions the compromised host for use in future DDoS attacks when the attackers are ready. | 5d7d2618e09ea3c84f5a484553e0ea65 | https://thehackernews.com/2022/08/new-iot-rapperbot-malware-targeting.html; SHA256: ff09cf7dfd1dc1466815d4df098065510eec504099ebb02b830309067031fe04; SHA1: 679010f52909c909bde9aa34645c5ac0044df453; MD5: 5d7d2618e09ea3c84f5a484553e0ea65 |
M22-M8058 | Dorkbot_e2a567c0 | Windows |
This strike sends a malware sample known as Dorkbot. Dorkbot is a worm that spreads through social networking sites and messaging apps. Once installed, the infected computer becomes part of a botnet, allowing the botnet operator to control the machine remotely. | e2a567c007c4446356a8b4c170eaa73d | https://blog.talosintelligence.com/2022/08/threat-roundup-0812-0819.html; SHA256: 1c21c85c814609bc6db76824eda6333b2d26be11f8736bbb7397e97ad95c9f2e; SHA1: bf0141a7a1a936c7514cb2effce1417c5298283f; MD5: e2a567c007c4446356a8b4c170eaa73d |
M22-M806e | Dorkbot_7866127d | Windows |
This strike sends a polymorphic malware sample known as Dorkbot. Dorkbot is a worm that spreads through social networking sites and messaging apps. Once installed, the infected computer becomes part of a botnet, allowing the botnet operator to control the machine remotely. The binary has random strings (lorem ipsum text) appended at the end of the file. | 7866127daac6c9b5be81d2e01cc2f3f5 | https://blog.talosintelligence.com/2022/08/threat-roundup-0812-0819.html; SHA256: 06e2bb61d73fc1881713f8b66d0effebbbd3342e19a74bbf00b4a7d67253658a; https://attack.mitre.org/techniques/T1009/; PARENTID: M22-M8046; SSDEEP: 6144:Sh/ikWGQrifBkvxVJF3NGwVl8SUKHdwUG:GTJQWfYrJFfzzUGwUG; SHA1: 91dd3bc2ae1a63b0550f6e1c6cd155247400a9c9; MD5: 7866127daac6c9b5be81d2e01cc2f3f5 |
M22-M8012 | TrickBot_31e45c28 | Windows |
This strike sends a malware sample known as TrickBot. TrickBot is a banking trojan that targets sensitive information for select financial institutions. It is frequently distributed through malicious spam campaigns, many of which rely on downloaders such as VBScript files for distribution. | 31e45c2854f8b176b718b5393c4e848d | https://blog.talosintelligence.com/2022/08/threat-roundup-0729-0805.html; SHA256: 39d4446bb6b1c8cbf319fe02f1316897f22a6b00633af1b7e6159dbd7b837556; SHA1: 85fddc2389ae28ce51290eb98a3269641853f123; MD5: 31e45c2854f8b176b718b5393c4e848d |
M22-M800c | TrickBot_26b8e22f | Windows |
This strike sends a malware sample known as TrickBot. TrickBot is a banking trojan that targets sensitive information for select financial institutions. It is frequently distributed through malicious spam campaigns, many of which rely on downloaders such as VBScript files for distribution. | 26b8e22f42fd00707aa625ec383731d9 | https://blog.talosintelligence.com/2022/08/threat-roundup-0729-0805.html; SHA256: 0c25f673e25e8c9bb066ae56c41a83e28ef40a9da8327c9f7cd09f663b9a4614; SHA1: 720a15636ae6b9f970a76e01a1f6c9cfd5bbdca0; MD5: 26b8e22f42fd00707aa625ec383731d9 |
M22-M801a | BugDrop_4b3c99ae | Mixed |
This strike sends a malware sample known as BugDrop. BugDrop is an Android dropper that masquerades as a QR code scanner app on the Google Play store. Its purpose is to bypass Google's security measures and deploy a malicious payload, which is typically an Android trojan. | 4b3c99ae792e7389c43102060633b4cc | https://www.threatfabric.com/blogs/bugdrop-new-dropper-bypassing-google-security-measures.html; SHA256: 214a576b46241bdf76bb4dbeacc7a456905eacd345fc515e0b38d6976c271168; SHA1: a7a2fbb022e391618f8f62acf07c7d4681f98775; MD5: 4b3c99ae792e7389c43102060633b4cc |
M22-M800a | RapperBot_1bdfcca7 | Linux |
This strike sends a malware sample known as RapperBot. RapperBot is an IoT botnet malware that borrows heavily from the Mirai source code. Unlike Mirai, however, RapperBot brute-forces SSH server logins. Once it breaks into an SSH server, it sends the working credentials back to its command-and-control server and appends its own SSH public key to the authorized_keys file in an attempt to maintain persistence on the machine. This positions the compromised host for use in future DDoS attacks when the attackers are ready. | 1bdfcca7b35ad31a41fba5d6dc88b276 | https://thehackernews.com/2022/08/new-iot-rapperbot-malware-targeting.html; SHA256: 746106403a98aea357b80f17910b641db9c4fedbb3968e75d836e8b1d5712a62; SHA1: 4f00520407a40ef18f144b4ac2c03657bc7a65b6; MD5: 1bdfcca7b35ad31a41fba5d6dc88b276 |
M22-M8073 | XtremeRAT_9338a39b | Windows |
This strike sends a polymorphic malware sample known as XtremeRAT. XtremeRAT is a remote access trojan that allows the attacker to eavesdrop on users and modify the running system. The binary has random bytes appended at the end of the file. | 9338a39bcc5077aa5b3e42d27624c41e | https://blog.talosintelligence.com/2022/08/threat-roundup-0812-0819.html; SHA256: 1c16e57ed04588506a6efb5881cf43b2709097b8ce490f373e35a9c3de2d1f96; https://attack.mitre.org/techniques/T1009/; PARENTID: M22-M8021; SSDEEP: 384:uWBhtbQs2FrJ6nz0xxuXR3OfN9SG9PESZKisPTdH2gSC+GCgX7RHCyFwb5RmJNtn:tbO6nz0fQZeN9D5wPTCpyrQ0vtBIxZC; SHA1: 6280634e6c85a314e6d7000bef7c8be8cc6d3e3d; MD5: 9338a39bcc5077aa5b3e42d27624c41e |
M22-M806d | DarkTortilla | Windows |
This strike sends a polymorphic malware sample known as DarkTortilla Loader. DarkTortilla is a .NET-based crypter that delivers information stealers and remote access trojans like AgentTesla and RedLine. It has also been observed delivering payloads like Cobalt Strike and Metasploit as well as other malicious documents and executables. This sample is the DarkTortilla initial loader. The TimeDateStamp field in the binary's PE file header has been changed. | 76d32fe38d0b95c1736133b944b08e56 | https://www.secureworks.com/research/darktortilla-malware-analysis; SHA256: 4b77fca60e7007d606a13fb2407613f99e3645f3bf63f9607b52503a459594b1; https://attack.mitre.org/techniques/T1099/; PARENTID: M22-M8039; SSDEEP: 24576:ECldODAffhnEeMv+gVDMMgqT8Mw14AIdP/EE9:xjXhnEVv+gVg7qQMwc/E2; SHA1: ec1b3eea02ab96855a0be2b441b49dd44d17c147; MD5: 76d32fe38d0b95c1736133b944b08e56 |
M22-M8015 | Locky_37321e84 | Windows |
This strike sends a malware sample known as Locky. Locky is ransomware for Windows systems that first appeared at the beginning of 2016. This variant is delivered by malicious JavaScript attachments that download the ransomware payload. Like other ransomware, it encrypts local files as well as files on network shares and renames them to [unique_id][identifier].locky. The victim is then asked to pay a ransom to have the files decrypted. | 37321e84039a822ec547de8a9aad48a9 | https://blog.talosintelligence.com/2022/08/threat-roundup-0812-0819.html; SHA256: 9be2a26538acb1111657ab79c6680d7f8bde43f5a6e51f38c674967e21d69627; SHA1: e5c62aa15a3925c9b21cbd6775fabb1447866db2; MD5: 37321e84039a822ec547de8a9aad48a9 |
M22-M8024 | RapperBot_64e0ddc2 | Linux |
This strike sends a malware sample known as RapperBot. RapperBot is an IoT botnet malware that borrows heavily from the Mirai source code. Unlike Mirai, however, RapperBot brute-forces SSH server logins. Once it breaks into an SSH server, it sends the working credentials back to its command-and-control server and appends its own SSH public key to the authorized_keys file in an attempt to maintain persistence on the machine. This positions the compromised host for use in future DDoS attacks when the attackers are ready. | 64e0ddc2aa51350b355434ffd1a4d6b6 | https://thehackernews.com/2022/08/new-iot-rapperbot-malware-targeting.html; SHA256: ebb860512a55c1cdc8be1399eec44c4481aedb418f15dbda4612e6d38e9b9010; SHA1: c8e50331f951ea848b36a35751988b9f00336071; MD5: 64e0ddc2aa51350b355434ffd1a4d6b6 |
M22-M8042 | RapperBot_9d8cd6a7 | Linux |
This strike sends a malware sample known as RapperBot. RapperBot is an IoT botnet malware that borrows heavily from the Mirai source code. Unlike Mirai, however, RapperBot brute-forces SSH server logins. Once it breaks into an SSH server, it sends the working credentials back to its command-and-control server and appends its own SSH public key to the authorized_keys file in an attempt to maintain persistence on the machine. This positions the compromised host for use in future DDoS attacks when the attackers are ready. | 9d8cd6a75e40c2022abca1e58c88b40f | https://thehackernews.com/2022/08/new-iot-rapperbot-malware-targeting.html; SHA256: 23a415d0ec6d3131f1d537836d3c0449097e98167b18fbdbf2efca789748818a; SHA1: d68e46e4cd4f8fc7af2b82be7e3dea9be3ade56a; MD5: 9d8cd6a75e40c2022abca1e58c88b40f |
M22-M8062 | Dorkbot_ff68ff41 | Windows |
This strike sends a malware sample known as Dorkbot. Dorkbot is a worm that spreads through social networking sites and messaging apps. Once installed, the infected computer becomes part of a botnet, allowing the botnet operator to control the machine remotely. | ff68ff41082fc943576fb8412c620836 | https://blog.talosintelligence.com/2022/08/threat-roundup-0812-0819.html; SHA256: 0ff57cf4b79588ba6c721f78a042e79a8c4e4eb6544dad9147c6918efc0a9bfd; SHA1: e4419ca2992e02f15da075e288e9254661531b4f; MD5: ff68ff41082fc943576fb8412c620836 |
M22-M8074 | Dorkbot_c8e632b8 | Windows |
This strike sends a polymorphic malware sample known as Dorkbot. Dorkbot is a worm that spreads through social networking sites and messaging apps. Once installed, the infected computer becomes part of a botnet, allowing the botnet operator to control the machine remotely. The CheckSum field in the binary's PE optional header has been cleared. | c8e632b867a715c2174bb3743d600372 | https://blog.talosintelligence.com/2022/08/threat-roundup-0812-0819.html; SHA256: db362fde2e95a7d7141b9afc04b514b870e3795ad2a7642d4a58d5b3ce3d4902; https://arxiv.org/abs/1801.08917; PARENTID: M22-M8046; SSDEEP: 6144:Sh/ikWGQrifBkvxVJF3NGwVl8SUKHdwU:GTJQWfYrJFfzzUGwU; SHA1: a53acce63610c37f32c08a6b787c72ecde4dc7a3; MD5: c8e632b867a715c2174bb3743d600372 |
M22-M8001 | TrickBot_01df6398 | Windows |
This strike sends a malware sample known as TrickBot. TrickBot is a banking trojan that targets sensitive information for select financial institutions. It is frequently distributed through malicious spam campaigns, many of which rely on downloaders such as VBScript files for distribution. | 01df63985a519b2d6447998cceada56b | https://blog.talosintelligence.com/2022/08/threat-roundup-0729-0805.html; SHA256: 2184130eb8a891000fee1e343a5634531d72e05a7893fbafd6d53e52350bae19; SHA1: 7cfdfb3d1c4e94e8077e71076717ab11a532e693; MD5: 01df63985a519b2d6447998cceada56b |
M22-M8027 | TrickBot_6adb52f5 | Windows |
This strike sends a malware sample known as TrickBot. TrickBot is a banking trojan that targets sensitive information for select financial institutions. It is frequently distributed through malicious spam campaigns, many of which rely on downloaders such as VBScript files for distribution. | 6adb52f5787df2e229c6f7efa79b2ab8 | https://blog.talosintelligence.com/2022/08/threat-roundup-0729-0805.html; SHA256: 3a0c89d07193ae260ced7a04873117af0213c43407248d2ff7edf95bd3b32421; SHA1: e7cf92476ec514ad24183894ea6fa75506e5fd38; MD5: 6adb52f5787df2e229c6f7efa79b2ab8 |
M22-M8016 | Dorkbot_3ec31a62 | Windows |
This strike sends a malware sample known as Dorkbot. Dorkbot is a worm that spreads through social networking sites and messaging apps. Once installed, the infected computer becomes part of a botnet, allowing the botnet operator to control the machine remotely. | 3ec31a620bb155b175f1dca19d7f3abf | https://blog.talosintelligence.com/2022/08/threat-roundup-0812-0819.html; SHA256: adbbf9cf8048f45fce2ad9fb1d681ea9334813a442d6d5b051cd11285fc71154; SHA1: 8110191c59c56341b5a55f6ffdf05d3d3f1c2971; MD5: 3ec31a620bb155b175f1dca19d7f3abf |
M22-M8034 | DarkTortilla | Windows |
This strike sends a malware sample known as DarkTortilla Loader. DarkTortilla is a .NET-based crypter that delivers information stealers and remote access trojans like AgentTesla and RedLine. It has also been observed delivering payloads like Cobalt Strike and Metasploit as well as other malicious documents and executables. This sample is the DarkTortilla initial loader. | 84872b60072011eab8940f3b49bdb582 | https://www.secureworks.com/research/darktortilla-malware-analysis; SHA256: 5e03556be992d23088a3c49d24c45b1c21cd275bffb4e536348e8128d50374b6; SHA1: 3da0f44d45a1d6676d52ce691d2f6d754eb3097e; MD5: 84872b60072011eab8940f3b49bdb582 |
M22-M8033 | DarkTortilla | Windows |
This strike sends a malware sample known as DarkTortilla Loader. DarkTortilla is a .NET-based crypter that delivers information stealers and remote access trojans like AgentTesla and RedLine. It has also been observed delivering payloads like Cobalt Strike and Metasploit as well as other malicious documents and executables. This sample is the DarkTortilla initial loader. | 827258f907c5087f498c413d28e2203e | https://www.secureworks.com/research/darktortilla-malware-analysis; SHA256: 55d7d9bd9d4a511417033b6c14ce93f962d6a6e6c6414f0cb7e455baee1d3ab7; SHA1: 5e0cb6076002b11a39636e07a217b493835e5bce; MD5: 827258f907c5087f498c413d28e2203e |
M22-M8025 | RapperBot_669a8e06 | Linux |
This strike sends a malware sample known as RapperBot. RapperBot is an IoT botnet malware that borrows heavily from the Mirai source code. Unlike Mirai, however, RapperBot brute-forces SSH server logins. Once it breaks into an SSH server, it sends the working credentials back to its command-and-control server and appends its own SSH public key to the authorized_keys file in an attempt to maintain persistence on the machine. This positions the compromised host for use in future DDoS attacks when the attackers are ready. | 669a8e0683154f594a110d129d96a068 | https://thehackernews.com/2022/08/new-iot-rapperbot-malware-targeting.html; SHA256: e56edaa1e06403757e6e2362383d41db4e4453aafda144bb36080a1f1b899a02; SHA1: 781160ca6c18a0875dc2c3269cfa97398f36f27c; MD5: 669a8e0683154f594a110d129d96a068 |
M22-M8036 | XtremeRAT_893dfc59 | Windows |
This strike sends a malware sample known as XtremeRAT. XtremeRAT is a remote access trojan that allows the attacker to eavesdrop on users and modify the running system. | 893dfc59f925b9b05f1a79617e21b124 | https://blog.talosintelligence.com/2022/08/threat-roundup-0812-0819.html; SHA256: 33ed0e091cc5ccc71d0a9d37c4f82d73f3959ffcd55f9c2f8660e7e13f68393e; SHA1: 0625a0e6dfacc0b641cbb1d19678059c0f1ae938; MD5: 893dfc59f925b9b05f1a79617e21b124 |
M22-M8014 | Dorkbot_34f8aa91 | Windows |
This strike sends a malware sample known as Dorkbot. Dorkbot is a worm that spreads through social networking sites and messaging apps. Once installed, the infected computer becomes part of a botnet, allowing the botnet operator to control the machine remotely. | 34f8aa917d5e78b3bbc66682d993e992 | https://blog.talosintelligence.com/2022/08/threat-roundup-0812-0819.html; SHA256: 9bf72ac43dcab3750686c49abbf1b0835505186a37187b6435539ea871dfd829; SHA1: f233c876731ed07fd44025adaaac2ab7f17bce99; MD5: 34f8aa917d5e78b3bbc66682d993e992 |
M22-M8032 | XtremeRAT_80908cd8 | Windows |
This strike sends a malware sample known as XtremeRAT. XtremeRAT is a remote access trojan that allows the attacker to eavesdrop on users and modify the running system. | 80908cd8528f54634517e0de99af18ce | https://blog.talosintelligence.com/2022/08/threat-roundup-0812-0819.html; SHA256: 9906c6c6ce2eb7199023bbfcff346303f08dab61f475da22fe358f0e09d083bd; SHA1: 7be3ebf06bb43aef243189029cc70052ea22a74e; MD5: 80908cd8528f54634517e0de99af18ce |
M22-M8046 | Dorkbot_aa108570 | Windows |
This strike sends a malware sample known as Dorkbot. Dorkbot is a worm that spreads through social networking sites and messaging apps. Once installed, the infected computer becomes part of a botnet, allowing the botnet operator to control the machine remotely. | aa108570154f9c81cc9e2be856f15222 | https://blog.talosintelligence.com/2022/08/threat-roundup-0812-0819.html; SHA256: caf84844a5809c4e1c513299792f95ca26a87c40dc70627e8bddf5b65775206e; SHA1: 8a8aa7c79691690406d3b7a682cc9e5e79876d96; MD5: aa108570154f9c81cc9e2be856f15222 |
M22-M800e | Dorkbot_2c8b2adb | Windows |
This strike sends a malware sample known as Dorkbot. Dorkbot is a worm that spreads through social networking sites and messaging apps. Once installed, the infected computer becomes part of a botnet, allowing the botnet operator to control the machine remotely. | 2c8b2adbe648f04b658aa9f3f4ab7ccc | https://blog.talosintelligence.com/2022/08/threat-roundup-0812-0819.html; SHA256: 32ac146ea9c7899e04a57c42d48407468323b46a40462febfb0453e27466ed11; SHA1: b4b5528e51a2460f85192e3246fe8b33a4426289; MD5: 2c8b2adbe648f04b658aa9f3f4ab7ccc |
M22-M8010 | RapperBot_2e974038 | Linux |
This strike sends a malware sample known as RapperBot. RapperBot is an IoT botnet malware that borrows heavily from the Mirai source code. Unlike Mirai, however, RapperBot brute-forces SSH server logins. Once it breaks into an SSH server, it sends the working credentials back to its command-and-control server and appends its own SSH public key to the authorized_keys file in an attempt to maintain persistence on the machine. This positions the compromised host for use in future DDoS attacks when the attackers are ready. | 2e9740382e75ebb7c8f4a0cdf2c36500 | https://thehackernews.com/2022/08/new-iot-rapperbot-malware-targeting.html; SHA256: 8380321c1bd250424a0a167e0f319511611f73b53736895a8d3a2ad58ffcd5d5; SHA1: 3f563eb47e096ff02f43795f8e4964f217c3b8f4; MD5: 2e9740382e75ebb7c8f4a0cdf2c36500 |
M22-M804c | Dorkbot_b901c4d9 | Windows |
This strike sends a malware sample known as Dorkbot. Dorkbot is a worm that spreads through social networking sites and messaging apps. Once installed, the infected computer becomes part of a botnet, allowing the botnet operator to control the machine remotely. | b901c4d9c76b378adb8919ae3dfa932c | https://blog.talosintelligence.com/2022/08/threat-roundup-0812-0819.html; SHA256: c254f12058d6367578b877c09bd219abcc583003db8d15d270ab284bad923234; SHA1: 4b45826622f545c6513d78180948dc1a132a488c; MD5: b901c4d9c76b378adb8919ae3dfa932c |
M22-M802c | RapperBot_6faeac8f | Linux |
This strike sends a malware sample known as RapperBot. RapperBot is an IoT botnet malware that borrows heavily from the Mirai source code. Unlike Mirai, however, RapperBot brute-forces SSH server logins. Once it breaks into an SSH server, it sends the working credentials back to its command-and-control server and appends its own SSH public key to the authorized_keys file in an attempt to maintain persistence on the machine. This positions the compromised host for use in future DDoS attacks when the attackers are ready. | 6faeac8f2269c3d86606b34de90607fd | https://thehackernews.com/2022/08/new-iot-rapperbot-malware-targeting.html; SHA256: 1d5e6624a2ce55616ef078a72f25c9d71a3dbc0175522c0d8e07233115824f96; SHA1: 213f50b0bf255e5a309faad55ae81775a10ac949; MD5: 6faeac8f2269c3d86606b34de90607fd |
M22-M8077 | Locky_fd28fdf1 | Windows |
This strike sends a polymorphic malware sample known as Locky. Locky is ransomware for Windows systems that first appeared at the beginning of 2016. This variant is delivered by malicious JavaScript attachments that download the ransomware payload. Like other ransomware, it encrypts local files as well as files on network shares and renames them to [unique_id][identifier].locky. The victim is then asked to pay a ransom to have the files decrypted. The binary has random bytes appended at the end of the file. | fd28fdf16988f3400f266cc945b7fa79 | https://blog.talosintelligence.com/2022/08/threat-roundup-0812-0819.html; SHA256: 1f1f8c733edb1393821b3f2743073446b6db29da6e0803423747d7527b9c2d61; https://attack.mitre.org/techniques/T1009/; PARENTID: M22-M8015; SSDEEP: 12288:ZbBxl0y84cD3SLOmpuWYLx3vIRW2X3Ps9qThst17K/Y87MZmcqi:ZbXbnpuZS0QkETutYQ8qmzi; SHA1: ee53a20e29c940da567fa57adb5cd59de5d24476; MD5: fd28fdf16988f3400f266cc945b7fa79 |
M22-M803d | DarkTortilla | Windows |
This strike sends a malware sample known as DarkTortilla Loader. DarkTortilla is a .NET-based crypter that delivers information stealers and remote access trojans like AgentTesla and RedLine. It has also been observed delivering payloads like Cobalt Strike and Metasploit as well as other malicious documents and executables. This sample is the DarkTortilla initial loader. | 93fe6600c51014d7d6c2afedf8398f92 | https://www.secureworks.com/research/darktortilla-malware-analysis; SHA256: 45ef054bca2ae4d67e6623bf28ff75e5d178924602674c654e1b569aa74601cd; SHA1: 8f7340704745f3d53b284c101e93c42f8d4c2adc; MD5: 93fe6600c51014d7d6c2afedf8398f92 |
M22-M805f | Dorkbot_f42c2687 | Windows |
This strike sends a malware sample known as Dorkbot. Dorkbot is a worm that spreads through social networking sites and messaging apps. Once installed, the infected computer becomes part of a botnet, allowing the botnet operator to control the machine remotely. | f42c2687a386ea74defec16a76be7b85 | https://blog.talosintelligence.com/2022/08/threat-roundup-0812-0819.html; SHA256: 90b11cecdac4d67db66c36a3f692361425eaf99c3f243c107e884091d209ee8b; SHA1: a259f9b9248e49609a3ed163743a0138c11234ee; MD5: f42c2687a386ea74defec16a76be7b85 |
M22-M8064 | Locky_0158743f | Windows |
This strike sends a polymorphic malware sample known as Locky. Locky is ransomware for Windows systems that first appeared at the beginning of 2016. This variant is delivered by malicious JavaScript attachments that download the ransomware payload. Like other ransomware, it encrypts local files as well as files on network shares and renames them to [unique_id][identifier].locky. The victim is then asked to pay a ransom to have the files decrypted. One of the binary's PE section names has been replaced with a random name that still conforms to the PE format specification. | 0158743f2c7571a83669159121daed44 | https://blog.talosintelligence.com/2022/08/threat-roundup-0812-0819.html; SHA256: f6702ed5dbfa259d6d6ef564cf7c641967fe33b5b44548f96898baf85464210f; https://arxiv.org/abs/1801.08917; PARENTID: M22-M8015; SSDEEP: 12288:KbBxl0y84cD3SLOmpuWYLx3vIRW2X3Ps9qThst17K/Y87MZmcq:KbXbnpuZS0QkETutYQ8qmz; SHA1: 8ccd09a9f32a778068176ec69fb6e93f9aa96326; MD5: 0158743f2c7571a83669159121daed44 |
M22-M8071 | TrickBot_8ce80634 | Windows |
This strike sends a polymorphic malware sample known as TrickBot. TrickBot is a banking trojan that targets sensitive information for select financial institutions. It is frequently distributed through malicious spam campaigns, many of which rely on downloaders such as VBScript files for distribution. The parent binary was packed with UPX; this binary is the unpacked version produced with upx -d. | 8ce80634966cd3e73d24cc48b83cfe0e | https://blog.talosintelligence.com/2022/08/threat-roundup-0729-0805.html; SHA256: 55b67b43bd2796b595edc77ae2e43f22d8e0d819da4058481a185027ef366efc; https://attack.mitre.org/techniques/T1045/; PARENTID: M22-M8061; SSDEEP: 768:wo/AW4Q75gzGhlqHVBpQ/86WsakxWvrQMKHNAGRAjh6:d/AW4Kgz6MrCk1sakxWcMKtAGeh6; SHA1: 0e81dc8ff02019402e01bf9a5c57915bdcded6f5; MD5: 8ce80634966cd3e73d24cc48b83cfe0e |
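The polymorphic entries in this list are all derived from their PARENTID sample by one of a handful of PE-level mutations: bytes or lorem-ipsum text appended after the last section, a section renamed, the TimeDateStamp rewritten, the CheckSum cleared, or UPX packing. The following added example (written for this edit; it is not code from the strike list, from Keysight, or from any of the referenced vendors) reads the few PE header fields those mutations touch with nothing but the Python standard library and diffs a variant against its parent to report which mutation was applied, covering all five classes in one tool. The `KNOWN_SECTIONS` list is this example's own heuristic, and `build_minimal_pe` constructs a tiny synthetic, non-executable PE32 image as test input; it is not one of the samples above.

```python
import struct
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple

# Section names a normal toolchain (or UPX) emits; anything else is worth a look. Heuristic, not exhaustive.
KNOWN_SECTIONS = {".text", ".rdata", ".data", ".idata", ".edata", ".pdata", ".rsrc",
                  ".reloc", ".bss", ".tls", ".CRT", ".textbss", "UPX0", "UPX1", "UPX2"}


def parse_pe(data: bytes) -> Dict[str, object]:
    """Read the header fields the polymorphic mutations change: COFF timestamp, CheckSum, section table, overlay."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    _machine, nsec, tstamp, _symptr, _nsym, opt_size, _chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (0x10B, 0x20B):                          # PE32 / PE32+
        raise ValueError("unknown optional header magic 0x%x" % magic)
    checksum = struct.unpack_from("<I", data, opt + 64)[0]   # CheckSum sits at +64 in both PE32 and PE32+
    sections: List[Tuple[str, int, int]] = []
    end_of_image = 0
    for i in range(nsec):
        off = opt + opt_size + 40 * i
        name, _vsize, _vaddr, raw_size, raw_ptr = struct.unpack_from("<8sIIII", data, off)
        sections.append((name.rstrip(b"\0").decode("latin-1"), raw_ptr, raw_size))
        end_of_image = max(end_of_image, raw_ptr + raw_size)
    return {
        "timestamp": tstamp,
        "timestamp_utc": datetime.fromtimestamp(tstamp, tz=timezone.utc).isoformat(),
        "checksum": checksum,
        "section_names": [s[0] for s in sections],
        "overlay": data[end_of_image:],                      # anything after the last section's raw data
    }


def triage(sample: bytes, parent: Optional[bytes] = None) -> Dict[str, object]:
    """Flag the mutation classes used in this strike list; the parent comparison pins down the exact one."""
    s = parse_pe(sample)
    names = s["section_names"]
    overlay = s["overlay"]
    findings: Dict[str, object] = {
        "overlay_bytes": len(overlay),
        "overlay_is_text": bool(overlay) and all(32 <= b < 127 or b in (9, 10, 13) for b in overlay),
        "zero_checksum": s["checksum"] == 0,
        "nonstandard_sections": [n for n in names if n not in KNOWN_SECTIONS],
        "upx_sections": [n for n in names if n.startswith("UPX")],
    }
    if parent is not None:
        p = parse_pe(parent)
        findings["timestamp_changed"] = s["timestamp"] != p["timestamp"]
        findings["checksum_cleared"] = p["checksum"] != 0 and s["checksum"] == 0
        findings["sections_renamed"] = [(a, b) for a, b in zip(p["section_names"], names) if a != b]
        findings["bytes_appended"] = len(overlay) - len(p["overlay"])
    return findings


def build_minimal_pe(section_names=(".text", ".data"), timestamp=0x5F000000,
                     checksum=0x1234, body=b"\x90" * 0x200) -> bytes:
    """Constructed test input: a tiny, non-runnable PE32 image with the given header values."""
    nsec = len(section_names)
    opt_size = 224                                                        # PE32 optional header size
    hdr_len = (0x40 + 4 + 20 + opt_size + 40 * nsec + 0x1FF) & ~0x1FF    # round up to 0x200 file alignment
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                               # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, nsec, timestamp, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)                                 # PE32 magic
    struct.pack_into("<I", opt, 64, checksum)                             # CheckSum
    sects = b""
    raw_ptr = hdr_len
    for name in section_names:
        sects += struct.pack("<8sIIIIIIHHI", name.encode(), len(body), raw_ptr, len(body),
                             raw_ptr, 0, 0, 0, 0, 0x60000020)
        raw_ptr += len(body)
    header = (bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sects).ljust(hdr_len, b"\0")
    return header + body * nsec


if __name__ == "__main__":
    parent = build_minimal_pe()
    padded = parent + b"Lorem ipsum dolor sit amet " * 4   # mimics the lorem-ipsum variants above
    for key, value in triage(padded, parent).items():
        print(f"{key}: {value}")
```

Overlay data and a zero CheckSum are weak signals on their own: installers and Authenticode-signed binaries legitimately carry an overlay, and the linker leaves CheckSum at zero for most user-mode executables. Comparing against the PARENTID sample is what turns them into a precise statement of which mutation produced the variant. The near-identical SSDEEP values listed for sibling variants of the same parent (compare the two Locky variants derived from M22-M8015) show why fuzzy hashing survives these mutations while MD5 and SHA hashes do not.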
M22-M805c | RapperBot_e94c6fa4 | Linux |
This strike sends a malware sample known as RapperBot. RapperBot is an IoT botnet malware that borrows heavily from the Mirai source code. Unlike Mirai, however, RapperBot brute-forces SSH server logins. Once it breaks into an SSH server, it sends the working credentials back to its command-and-control server and appends its own SSH public key to the authorized_keys file in an attempt to maintain persistence on the machine. This positions the compromised host for use in future DDoS attacks when the attackers are ready. | e94c6fa46fb3ad76973a221fa75c9557 | https://thehackernews.com/2022/08/new-iot-rapperbot-malware-targeting.html; SHA256: e8f1e8ec6b94ea54488d5f714e71e51d58dcdfe4be3827c55970d6f3b06edf73; SHA1: 05b1fb3ff5f7c9e8f3eac6fb2ba3f974848ca241; MD5: e94c6fa46fb3ad76973a221fa75c9557 |
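The persistence step described in the RapperBot entries leaves the most durable host artefact of the whole infection: an attacker-controlled key in authorized_keys. The following added example (written for this edit; it is not code from the strike list or from the linked article) parses authorized_keys entries in OpenSSH's format, computes the same SHA256 fingerprint that `ssh-keygen -lf` prints, and reports any key whose fingerprint is not on an allowlist, together with malformed entries and entries whose declared key type does not match the encoded blob. The sample file and the key material in it are constructed for the example (dummy bytes, not real keys), and the allowlist is assumed to come from configuration management.

```python
import base64
import binascii
import hashlib
import struct
from dataclasses import dataclass
from typing import List, Set

KEY_TYPES = ("ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384",
             "ecdsa-sha2-nistp521", "sk-ssh-ed25519@openssh.com", "sk-ecdsa-sha2-nistp256@openssh.com")


@dataclass
class KeyEntry:
    line_no: int
    options: str        # e.g. command="...",no-pty (empty when absent)
    key_type: str       # declared type, or "<malformed>" when the blob does not decode
    blob: bytes         # decoded key blob, which is what ssh-keygen fingerprints
    comment: str
    type_matches: bool  # True when the first string inside the blob equals the declared key_type

    @property
    def fingerprint(self) -> str:
        """OpenSSH-style fingerprint: 'SHA256:' plus unpadded base64 of sha256(blob)."""
        return "SHA256:" + base64.b64encode(hashlib.sha256(self.blob).digest()).decode().rstrip("=")


def _ssh_string(b: bytes) -> bytes:
    return struct.pack(">I", len(b)) + b


def _first_ssh_string(blob: bytes) -> bytes:
    if len(blob) < 4:
        return b""
    n = struct.unpack(">I", blob[:4])[0]
    return blob[4:4 + n]


def make_key_line(key_type: str, raw_key: bytes, comment: str = "", options: str = "") -> str:
    """Build an authorized_keys line from constructed key bytes (demo input only; not a usable key)."""
    blob = _ssh_string(key_type.encode()) + _ssh_string(raw_key)
    return " ".join(p for p in (options, key_type, base64.b64encode(blob).decode(), comment) if p)


def parse_authorized_keys(text: str) -> List[KeyEntry]:
    entries: List[KeyEntry] = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = line.split()
        # The key-type token may be preceded by an options field (command=, from=, no-pty, ...).
        idx = next((i for i, t in enumerate(tokens) if t in KEY_TYPES), None)
        if idx is None or idx + 1 >= len(tokens):
            entries.append(KeyEntry(line_no, "", "<malformed>", b"", line, False))
            continue
        try:
            blob = base64.b64decode(tokens[idx + 1], validate=True)
        except binascii.Error:
            entries.append(KeyEntry(line_no, " ".join(tokens[:idx]), "<malformed>", b"", line, False))
            continue
        entries.append(KeyEntry(
            line_no=line_no,
            options=" ".join(tokens[:idx]),
            key_type=tokens[idx],
            blob=blob,
            comment=" ".join(tokens[idx + 2:]),
            type_matches=_first_ssh_string(blob) == tokens[idx].encode(),
        ))
    return entries


def find_unexpected_keys(text: str, allowed_fingerprints: Set[str]) -> List[KeyEntry]:
    """Everything that is not a well-formed key on the allowlist is a finding."""
    return [e for e in parse_authorized_keys(text)
            if e.key_type == "<malformed>" or not e.type_matches
            or e.fingerprint not in allowed_fingerprints]


# Constructed sample: two keys provisioned by the organisation plus one that nobody provisioned.
ADMIN_KEY = make_key_line("ssh-ed25519", bytes(range(32)), "admin@bastion")
BACKUP_KEY = make_key_line("ssh-ed25519", bytes(range(32, 64)), "backup@nas",
                           options='command="/usr/bin/rrsync /srv",no-pty,no-port-forwarding')
INTRUDER_KEY = make_key_line("ssh-ed25519", b"\xaa" * 32)   # no comment, as a dropped key often has
SAMPLE_AUTHORIZED_KEYS = ("# managed by config management\n" + ADMIN_KEY + "\n"
                          + BACKUP_KEY + "\n\n" + INTRUDER_KEY + "\n")
ALLOWED_FINGERPRINTS = {e.fingerprint for e in parse_authorized_keys(ADMIN_KEY + "\n" + BACKUP_KEY)}


if __name__ == "__main__":
    for entry in find_unexpected_keys(SAMPLE_AUTHORIZED_KEYS, ALLOWED_FINGERPRINTS):
        print(f"line {entry.line_no}: {entry.key_type} {entry.fingerprint} comment={entry.comment!r}")
```

On a live host, feed it the contents of each user's ~/.ssh/authorized_keys, root's first, and build the allowlist from the fingerprints `ssh-keygen -lf` reports for the keys you actually issued. Matching on fingerprints rather than comments catches both an appended key and a replaced file, since a comment is free text the attacker chooses.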
M22-M8002 | TrickBot_07c5e05b | Windows |
This strike sends a malware sample known as TrickBot. TrickBot is a banking trojan that targets sensitive information for select financial institutions. It is frequently distributed through malicious spam campaigns, many of which rely on downloaders such as VB scripts. | 07c5e05b52e1bcc7492266b46982f9e5 | https://blog.talosintelligence.com/2022/08/threat-roundup-0729-0805.html; SHA256: 4f47c12806778d27afa43905ebb5b2079a451da93237899167d6420333cfe9a8; SHA1: acded7cdf4101534e49d1a07ac8aa5141fdbd1b9; MD5: 07c5e05b52e1bcc7492266b46982f9e5 |
M22-M8007 | Dorkbot_14cd9f53 | Windows |
This strike sends a malware sample known as Dorkbot. Dorkbot is a worm that spreads through social networking sites and messaging apps. Once installed, the infected computer becomes part of a botnet, allowing the operator to control the machine remotely. | 14cd9f533c23959b26089a0f3da47ebe | https://blog.talosintelligence.com/2022/08/threat-roundup-0812-0819.html; SHA256: 0ce367d545da1ed522fe364fdafc4bf39f1aa9aa326d0413c104132464c4b0f5; SHA1: 0e098fd91a137ec3ceddfad869ee8d3f83c91c11; MD5: 14cd9f533c23959b26089a0f3da47ebe |
M22-M8059 | Dorkbot_e2ffab46 | Windows |
This strike sends a malware sample known as Dorkbot. Dorkbot is a worm that spreads through social networking sites and messaging apps. Once installed, the infected computer becomes part of a botnet, allowing the operator to control the machine remotely. | e2ffab464f6be4b25d126ff9d1c51449 | https://blog.talosintelligence.com/2022/08/threat-roundup-0812-0819.html; SHA256: 1a15e5ebecd8f3025b89a1ee2149311bd0883bc62928092980604cecddf5718f; SHA1: 351f6790a46ac86d9d84f4702aadc6a8e007873e; MD5: e2ffab464f6be4b25d126ff9d1c51449 |
M22-M802f | Dorkbot_79ac3809 | Windows |
This strike sends a malware sample known as Dorkbot. Dorkbot is a worm that spreads through social networking sites and messaging apps. Once installed, the infected computer becomes part of a botnet, allowing the operator to control the machine remotely. | 79ac3809d107b030fefa02775bb26cb5 | https://blog.talosintelligence.com/2022/08/threat-roundup-0812-0819.html; SHA256: 1487cbb9c1025017bf767b8f9feab2bcdd9f500cd4bed79ca334c4eda4df1d71; SHA1: 2245a329b8e686ce14973f029bbcd39e6c730d22; MD5: 79ac3809d107b030fefa02775bb26cb5 |
M22-M8005 | XtremeRAT_0df4f4f5 | Windows |
This strike sends a malware sample known as XtremeRAT. XtremeRAT is a remote access trojan that allows the attacker to eavesdrop on users and modify the running system. | 0df4f4f5d006c793efd0cfa500a3e16d | https://blog.talosintelligence.com/2022/08/threat-roundup-0812-0819.html; SHA256: 62243f0a6f197f167173d12b985b2bbd4a8f98864eb4f99c77e28a9f561f4b0d; SHA1: 864ceb0305d57da302c120a53cc34457bdad8bb1; MD5: 0df4f4f5d006c793efd0cfa500a3e16d |
M22-M8076 | Locky_f4b19b8a | Windows |
This strike sends a polymorphic malware sample known as Locky. Locky is ransomware for Windows systems that appeared at the beginning of 2016. The malicious code for this particular malware relies on JavaScript attachments to download itself. Like other ransomware, it encrypts local files as well as network shares and renames them to [unique_id][identifier].locky. The victim is requested to pay a ransom to get the files decrypted. In this variant random content has been appended inside one of the existing sections of the PE file. | f4b19b8a9fa2c1a3ac71e0d95acce031 | https://blog.talosintelligence.com/2022/08/threat-roundup-0812-0819.html; https://arxiv.org/abs/1801.08917; PARENTID: M22-M8015; SSDEEP: 12288:ZbBxl0y84cD3SLOmpuWYLx3vIRW2X3Ps9qThst17K/Y87MZmci:ZbXbnpuZS0QkETutYQ8qmP; SHA256: 7b10a3318784c4f828d29119270003a3bfe2eb95d925f4d60ac8bf3cf1ca856e; SHA1: edaf8f3243e38f90217281beb45bb345468d3b6c; MD5: f4b19b8a9fa2c1a3ac71e0d95acce031 |
M22-M801e | RapperBot_5630ee34 | Linux |
This strike sends a malware sample known as RapperBot. RapperBot is an IoT botnet malware that heavily borrows from Mirai source code. Unlike Mirai, however, RapperBot brute forces SSH servers with weak credentials. Upon successfully breaking into an SSH server, it sends the credentials back to the command-and-control server and adds its own public key to the authorized keys file in an attempt to maintain persistence on the machine. This keeps the compromised host available for future DDoS attacks when the attackers are ready. | 5630ee34393ce22d317c3a11a91b5bb2 | https://thehackernews.com/2022/08/new-iot-rapperbot-malware-targeting.html; SHA256: d86d158778a90f6633b41a10e169b25e3cb1eb35b369a9168ec64b2d8b3cbeec; SHA1: 4698a9f872bde68f504e875cf02c87cd53a4b445; MD5: 5630ee34393ce22d317c3a11a91b5bb2 |
M22-M8018 | XtremeRAT_440db648 | Windows |
This strike sends a malware sample known as XtremeRAT. XtremeRAT is a remote access trojan that allows the attacker to eavesdrop on users and modify the running system. | 440db648da97e821dd5c124708fea7d1 | https://blog.talosintelligence.com/2022/08/threat-roundup-0812-0819.html; SHA256: d20e8dd51f00f03a0aacfcc4989d86411e2bc6c6f0a91961f420a056a86eef07; SHA1: 80b40f8aa032260deec9538a009f8d20a7b5d822; MD5: 440db648da97e821dd5c124708fea7d1 |
M22-M8008 | TrickBot_16ceee4b | Windows |
This strike sends a malware sample known as TrickBot. TrickBot is a banking trojan that targets sensitive information for select financial institutions. It is frequently distributed through malicious spam campaigns, many of which rely on downloaders such as VB scripts. | 16ceee4be1b477e97fd9046b40d7d65b | https://blog.talosintelligence.com/2022/08/threat-roundup-0729-0805.html; SHA256: 04a8a18b801bf158717c49444c3148f56fb1c23b6781b589106b848fad13557f; SHA1: 4bf204c8ab278c172931f299ba352a3c9bdda9af; MD5: 16ceee4be1b477e97fd9046b40d7d65b |
M22-M802d | RapperBot_72c70d37 | Linux |
This strike sends a malware sample known as RapperBot. RapperBot is an IoT botnet malware that heavily borrows from Mirai source code. Unlike Mirai, however, RapperBot brute forces SSH servers with weak credentials. Upon successfully breaking into an SSH server, it sends the credentials back to the command-and-control server and adds its own public key to the authorized keys file in an attempt to maintain persistence on the machine. This keeps the compromised host available for future DDoS attacks when the attackers are ready. | 72c70d37a714ecf026cdea998c36a069 | https://thehackernews.com/2022/08/new-iot-rapperbot-malware-targeting.html; SHA256: f5ff9d1261af176d7ff1ef91aa8c892c70b40caa02c17a25de22539e9d0cdd26; SHA1: 887da60a3146abc39b33bdedadbba1e0818e37ba; MD5: 72c70d37a714ecf026cdea998c36a069 |
M22-M806f | DarkTortilla | Windows |
This strike sends a polymorphic malware sample known as DarkTortilla Loader. DarkTortilla is a .NET-based crypter that delivers information stealers and remote access trojans like AgentTesla and RedLine. It has also been observed delivering payloads like Cobalt Strike and Metasploit as well as other malicious documents and executables. This sample is the DarkTortilla initial loader. In this variant random strings (lorem ipsum) have been appended at the end of the file. | 7b31ea74f3666a5c53683df6b6c98539 | https://www.secureworks.com/research/darktortilla-malware-analysis; https://attack.mitre.org/techniques/T1009/; PARENTID: M22-M8039; SSDEEP: 24576:1CldODAffhnEeMv+gVDMMgqT8Mw14AIdP/EEc:wjXhnEVv+gVg7qQMwc/EX; SHA256: 636baa7d092f454a4b02bf19f51cba1ef29c6b68233236309240d19846961af3; SHA1: 9e1c87292a1abe7f1c8e76a6cbc581167a06e87f; MD5: 7b31ea74f3666a5c53683df6b6c98539 |
M22-M804b | Dorkbot_b8c9fdf0 | Windows |
This strike sends a malware sample known as Dorkbot. Dorkbot is a worm that spreads through social networking sites and messaging apps. Once installed, the infected computer becomes part of a botnet, allowing the operator to control the machine remotely. | b8c9fdf04315e62badffe4ca393de3b5 | https://blog.talosintelligence.com/2022/08/threat-roundup-0812-0819.html; SHA256: 57d6deb95dad820da83a96f691230e6927f02bd7dc81fd22117a84ce1ff983b1; SHA1: 920e0805026df4dc0a68c63aed9680ce27b0bc22; MD5: b8c9fdf04315e62badffe4ca393de3b5 |
M22-M8048 | Dorkbot_ae4bf237 | Windows |
This strike sends a malware sample known as Dorkbot. Dorkbot is a worm that spreads through social networking sites and messaging apps. Once installed, the infected computer becomes part of a botnet, allowing the operator to control the machine remotely. | ae4bf237bdcb56fc66d4ab3f7eefc647 | https://blog.talosintelligence.com/2022/08/threat-roundup-0812-0819.html; SHA256: 3ab978d7ba8cadbfa40ce0d1b6acb6922d6f7b2d8322f420bf03db0c44d94755; SHA1: 0a8128ab953d6106c15094c7a9b45c8d2b3ff981; MD5: ae4bf237bdcb56fc66d4ab3f7eefc647 |
M22-M8020 | RapperBot_5ab947f7 | Linux |
This strike sends a malware sample known as RapperBot. RapperBot is an IoT botnet malware that heavily borrows from Mirai source code. Unlike Mirai, however, RapperBot brute forces SSH servers with weak credentials. Upon successfully breaking into an SSH server, it sends the credentials back to the command-and-control server and adds its own public key to the authorized keys file in an attempt to maintain persistence on the machine. This keeps the compromised host available for future DDoS attacks when the attackers are ready. | 5ab947f7cae22fa65398c591e1aed268 | https://thehackernews.com/2022/08/new-iot-rapperbot-malware-targeting.html; SHA256: ddf5aff0485f395c7e6c3de868b15212129962b4b9c8040bef6679ad880e3f31; SHA1: 5c5066d748f0ef4ef8fe4125434dd20cee566d65; MD5: 5ab947f7cae22fa65398c591e1aed268 |
M22-M8052 | TrickBot_c7cbc36f | Windows |
This strike sends a malware sample known as TrickBot. TrickBot is a banking trojan that targets sensitive information for select financial institutions. It is frequently distributed through malicious spam campaigns, many of which rely on downloaders such as VB scripts. | c7cbc36f31fcd55b87796f18cb009606 | https://blog.talosintelligence.com/2022/08/threat-roundup-0729-0805.html; SHA256: 08a004e94ce71ee0d239e38242283544f530996f4785924f85616040b278bef4; SHA1: a993ce3b83dd3abf6c99245807db38820de25269; MD5: c7cbc36f31fcd55b87796f18cb009606 |
M22-M8049 | XtremeRAT_aecd2075 | Windows |
This strike sends a malware sample known as XtremeRAT. XtremeRAT is a remote access trojan that allows the attacker to eavesdrop on users and modify the running system. | aecd2075262f2e69c38eb9c4fc933c80 | https://blog.talosintelligence.com/2022/08/threat-roundup-0812-0819.html; SHA256: 3e5302bb99e282cd9303eda70e64589529704b3c2edee6637cb040887b02f42f; SHA1: 739c020921a6dbd8ce67f809f50d41d48126500f; MD5: aecd2075262f2e69c38eb9c4fc933c80 |
M22-M801f | RapperBot_5a2fe024 | Linux |
This strike sends a malware sample known as RapperBot. RapperBot is an IoT botnet malware that heavily borrows from Mirai source code. Unlike Mirai, however, RapperBot brute forces SSH servers with weak credentials. Upon successfully breaking into an SSH server, it sends the credentials back to the command-and-control server and adds its own public key to the authorized keys file in an attempt to maintain persistence on the machine. This keeps the compromised host available for future DDoS attacks when the attackers are ready. | 5a2fe024029c7b8894885ded5f08e42e | https://thehackernews.com/2022/08/new-iot-rapperbot-malware-targeting.html; SHA256: 55ff25b090dc1b380d8ca152428ba28ec14e9ef13a48b3fd162e965244b0d39b; SHA1: 564ce63b3939e10fd8ae3df1bc764083582707bc; MD5: 5a2fe024029c7b8894885ded5f08e42e |
M22-M8065 | TrickBot_0455b17e | Windows |
This strike sends a polymorphic malware sample known as TrickBot. TrickBot is a banking trojan that targets sensitive information for select financial institutions. It is frequently distributed through malicious spam campaigns, many of which rely on downloaders such as VB scripts. In this variant random content has been appended inside one of the existing sections of the PE file. | 0455b17ef0b235a3c4dcc9a66e5305e2 | https://blog.talosintelligence.com/2022/08/threat-roundup-0729-0805.html; https://arxiv.org/abs/1801.08917; PARENTID: M22-M8061; SSDEEP: 384:a5yqVLBSl0/x+fIDD0HEqsiKS6qFbrCEg3WplnXsaNJawcudoD7UzKDgRAF5iFmH:ag8+c+qqsiKS6RWprnbcuyD7UpRAuIG6; SHA256: d4caa22b1136bb71d7df50ff5682664fd9e4bec78fbe99fd8d8d8bbf7678870a; SHA1: 4b6c97d0e2a3c8481417955bc5e0049ff41a14c9; MD5: 0455b17ef0b235a3c4dcc9a66e5305e2 |
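The polymorphic Locky, TrickBot and DarkTortilla rows above each describe one byte-level mutation of a parent sample (junk appended after the last section, a section renamed, junk appended inside an existing section), and the TrickBot_8ce80634 row describes a UPX-packed parent unpacked with upx -d. The Python below is an added example, not code from this catalog, from Talos or from the cited paper: it builds a small synthetic PE32 image, applies the three mutations, and shows what a triage check can still match across them. The synthetic image, its .text and .data sections, the FileAlignment of 0x200 and the UPX0/UPX1 section-name heuristic are assumptions of the example.

```python
# Added example (not the catalog's, Talos's or the cited paper's code): the three PE
# mutations the polymorphic rows describe, applied to a synthetic PE32 image, and the
# checks that tie a variant back to its parent.
import hashlib
import struct

SECTION_FMT = "<8sIIIIIIHHI"   # IMAGE_SECTION_HEADER: 40 bytes
FILE_ALIGN = 0x200

def build_synthetic_pe():
    """Minimal PE32 image constructed for this example: not a real sample, not executable."""
    hdr = bytearray(FILE_ALIGN)                       # all headers fit in the first 0x200 bytes
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 64)             # e_lfanew
    hdr[64:68] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", hdr, 68, 0x14C, 2, 0, 0, 0, 224, 0x102)  # COFF header
    struct.pack_into("<H", hdr, 88, 0x10B)            # optional header magic: PE32
    struct.pack_into("<II", hdr, 120, 0x1000, FILE_ALIGN)  # SectionAlignment, FileAlignment
    secs = [(b".text", 0x200, 0x1000, 0x200, 0x200, 0x60000020),   # name, vsize, vaddr,
            (b".data", 0x200, 0x2000, 0x200, 0x400, 0xC0000040)]   # rawsize, rawptr, flags
    for i, (name, vsize, vaddr, rawsize, rawptr, chars) in enumerate(secs):
        struct.pack_into(SECTION_FMT, hdr, 312 + i * 40,
                         name, vsize, vaddr, rawsize, rawptr, 0, 0, 0, 0, chars)
    return bytes(hdr) + bytes(range(256)) * 2 + b"\xDA" * 0x200   # fake .text, fake .data

def parse_sections(pe):
    """Return (section table offset, [section dicts]) read from the PE headers."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    nsec = struct.unpack_from("<H", pe, e_lfanew + 6)[0]
    table = e_lfanew + 24 + struct.unpack_from("<H", pe, e_lfanew + 20)[0]
    secs = []
    for i in range(nsec):
        f = list(struct.unpack_from(SECTION_FMT, pe, table + i * 40))
        secs.append({"name": f[0].rstrip(b"\0").decode("latin-1"), "vsize": f[1],
                     "rawsize": f[3], "rawptr": f[4], "fields": f})
    return table, secs

def overlay(pe):
    """Bytes past the last section's raw data: never mapped, so junk can live here."""
    _, secs = parse_sections(pe)
    return bytes(pe[max(s["rawptr"] + s["rawsize"] for s in secs):])

def append_overlay(pe, blob):
    """Mutation 1 (T1009 binary padding): append junk such as lorem ipsum text."""
    return bytes(pe) + blob

def rename_section(pe, index, new_name):
    """Mutation 2: rewrite one 8-byte section name. The loader does not use it."""
    pe = bytearray(pe)
    table, secs = parse_sections(pe)
    f = secs[index]["fields"]
    f[0] = new_name.encode("latin-1")[:8].ljust(8, b"\0")
    struct.pack_into(SECTION_FMT, pe, table + index * 40, *f)
    return bytes(pe)

def pad_section(pe, index, blob):
    """Mutation 3: grow one section's raw data with junk (rounded to FileAlignment) and
    shift every later section's PointerToRawData. VirtualSize is untouched."""
    pe = bytearray(pe)
    table, secs = parse_sections(pe)
    s = secs[index]
    old_end = s["rawptr"] + s["rawsize"]
    new_size = -(-(s["rawsize"] + len(blob)) // FILE_ALIGN) * FILE_ALIGN
    delta = new_size - s["rawsize"]
    pe[old_end:old_end] = blob.ljust(delta, b"\0")
    for j, t in enumerate(secs):
        f = t["fields"]
        if j == index:
            f[3] = new_size
        elif t["rawptr"] >= old_end:
            f[4] += delta
        struct.pack_into(SECTION_FMT, pe, table + j * 40, *f)
    return bytes(pe)

def mapped_hash(pe):
    """SHA-256 over the first VirtualSize bytes of each section: unchanged by all three mutations."""
    _, secs = parse_sections(pe)
    h = hashlib.sha256()
    for s in secs:
        h.update(bytes(pe[s["rawptr"]:s["rawptr"] + min(s["vsize"], s["rawsize"])]))
    return h.hexdigest()

def looks_upx_packed(pe):
    """Heuristic only: UPX's default section names. A repacker can rename them."""
    return any(s["name"].startswith("UPX") for s in parse_sections(pe)[1])

def compare(parent, child):
    """What triage wants to know about a suspected polymorphic variant of a known parent."""
    pn = [s["name"] for s in parse_sections(parent)[1]]
    cn = [s["name"] for s in parse_sections(child)[1]]
    return {
        "sha256_equal": hashlib.sha256(parent).digest() == hashlib.sha256(child).digest(),
        "mapped_hash_equal": mapped_hash(parent) == mapped_hash(child),
        "renamed_sections": [(a, b) for a, b in zip(pn, cn) if a != b],
        "overlay_bytes_added": len(overlay(child)) - len(overlay(parent)),
    }

if __name__ == "__main__":
    parent = build_synthetic_pe()
    for label, v in [("overlay appended", append_overlay(parent, b"Lorem ipsum dolor sit amet " * 8)),
                     ("section renamed", rename_section(parent, 0, ".x7q")),
                     ("section padded", pad_section(parent, 0, b"\x90" * 0x100))]:
        print(label, compare(parent, v))
```

The file hash changes for every variant, which is why each one carries its own MD5 and SSDEEP here, but a hash over the first VirtualSize bytes of each section does not, and a changed section name or a grown overlay points straight at the mutation that was used. The UPX check is a name heuristic only; the real test for the unpacked TrickBot row is whether upx -d on the parent reproduces a binary whose section hashes match it.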
M22-M8019 | RapperBot_46da0686 | Linux |
This strike sends a malware sample known as RapperBot. RapperBot is an IoT botnet malware that heavily borrows from Mirai source code. Unlike Mirai, however, RapperBot brute forces SSH servers with weak credentials. Upon successfully breaking into an SSH server, it sends the credentials back to the command-and-control server and adds its own public key to the authorized keys file in an attempt to maintain persistence on the machine. This keeps the compromised host available for future DDoS attacks when the attackers are ready. | 46da0686e0ad65ee44f4cac5f6558ec9 | https://thehackernews.com/2022/08/new-iot-rapperbot-malware-targeting.html; SHA256: 05c78eaf32af9647f178dff981e6e4e43b1579d95ccd4f1c2f1436dbfa0727ad; SHA1: a425cb48d07623849036ae664af9c0c5d39673c6; MD5: 46da0686e0ad65ee44f4cac5f6558ec9 |
M22-M804e | RapperBot_bda8d5c2 | Linux |
This strike sends a malware sample known as RapperBot. RapperBot is an IoT botnet malware that heavily borrows from Mirai source code. Unlike Mirai, however, RapperBot brute forces SSH servers with weak credentials. Upon successfully breaking into an SSH server, it sends the credentials back to the command-and-control server and adds its own public key to the authorized keys file in an attempt to maintain persistence on the machine. This keeps the compromised host available for future DDoS attacks when the attackers are ready. | bda8d5c2665f47877ab571728f07c65a | https://thehackernews.com/2022/08/new-iot-rapperbot-malware-targeting.html; SHA256: 77b2e5fb5b72493bde35a6b29a66e6250b6a5a0c9b9c5653957f64a12c793cd5; SHA1: d833bcb845db2ca88e0ae6cb72961b4a1ed6a21a; MD5: bda8d5c2665f47877ab571728f07c65a |
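The RapperBot rows describe persistence through a public key added to the authorized keys file. The Python below is an added example, not RapperBot's code or anything from the cited article: it parses authorized_keys content, computes OpenSSH-style SHA256 fingerprints, checks that the declared key type matches the type embedded in the key blob, and reports every key that is not on an allowlist. The sample file content and the three ed25519 key blobs are constructed for the example (well-formed SSH wire-format blobs, not real key pairs), and the allowlist is assumed to come from your configuration management.

```python
# Added example (not RapperBot's code nor the cited article's): audit authorized_keys
# content against an allowlist of key fingerprints. All keys below are constructed.
import base64
import hashlib
import re
import struct

# Key type, base64 blob, optional comment; anything before the key type is the options field.
# Limitation: a quoted option value that itself contains a key-type token is not handled.
KEY_RE = re.compile(
    r"(?:^|\s)((?:sk-)?(?:ssh-(?:rsa|dss|ed25519)|ecdsa-sha2-nistp(?:256|384|521))"
    r"(?:@openssh\.com)?)\s+([A-Za-z0-9+/=]+)(?:\s+(.*))?$")

def _ssh_string(b):
    return struct.pack(">I", len(b)) + b

def fake_ed25519_blob(seed):
    """Constructed ed25519 public-key blob in SSH wire format; the 32-byte 'point' is a hash."""
    return _ssh_string(b"ssh-ed25519") + _ssh_string(hashlib.sha256(seed).digest())

def fingerprint(blob):
    """OpenSSH SHA256 fingerprint: base64 of SHA-256 over the raw blob, '=' padding stripped."""
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")

def blob_key_type(blob):
    """Key type embedded in the blob (its first SSH string); must match the declared type."""
    if len(blob) < 4:
        return ""
    n = struct.unpack(">I", blob[:4])[0]
    return blob[4:4 + n].decode("ascii", "replace")

def parse_authorized_keys(text):
    """One dict per key line; blank lines and comments are skipped, bad lines get a 'problem'."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        s = line.strip()
        if not s or s.startswith("#"):
            continue
        m = KEY_RE.search(s)
        if not m:
            entries.append({"line": lineno, "problem": "unparseable line"})
            continue
        try:
            blob = base64.b64decode(m.group(2), validate=True)
        except ValueError:
            entries.append({"line": lineno, "problem": "invalid base64"})
            continue
        entry = {"line": lineno, "options": s[:m.start()].strip(), "type": m.group(1),
                 "fingerprint": fingerprint(blob), "comment": (m.group(3) or "").strip()}
        if blob_key_type(blob) != m.group(1):
            entry["problem"] = "declared type does not match blob"
        entries.append(entry)
    return entries

def audit(text, allowed_fingerprints):
    """Return every entry that is not on the allowlist or could not be validated."""
    return [e for e in parse_authorized_keys(text)
            if "problem" in e or e["fingerprint"] not in allowed_fingerprints]

# Constructed keys: two provisioned by the operator, one that was not.
OPS_KEY = fake_ed25519_blob(b"ops@bastion")
DEPLOY_KEY = fake_ed25519_blob(b"deploy@ci")
ROGUE_KEY = fake_ed25519_blob(b"dropped by the bot")
KNOWN_FINGERPRINTS = {fingerprint(OPS_KEY), fingerprint(DEPLOY_KEY)}   # assumed to come from CM

def _b64(b):
    return base64.b64encode(b).decode()

# Constructed authorized_keys content for the example.
SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# managed by configuration management",
    f"ssh-ed25519 {_b64(OPS_KEY)} ops@bastion",
    f'from="10.0.0.0/8",no-pty ssh-ed25519 {_b64(DEPLOY_KEY)} deploy@ci',
    "",
    f"ssh-ed25519 {_b64(ROGUE_KEY)} root@localhost",
])

if __name__ == "__main__":
    for finding in audit(SAMPLE_AUTHORIZED_KEYS, KNOWN_FINGERPRINTS):
        print(finding)
```

Run it over every authorized_keys file on the host (root's and each user's, plus any path set by AuthorizedKeysFile in sshd_config), reading the files from a trusted host or read-only media rather than through the possibly compromised system, since the page describes the malware writing to that file. An unparseable line is reported as a finding rather than skipped, because a line sshd cannot read and a line the auditor cannot read are not the same thing.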
M22-M8004 | TrickBot_0b183d62 | Windows |
This strike sends a malware sample known as TrickBot. TrickBot is a banking trojan that targets sensitive information for select financial institutions. It is frequently distributed through malicious spam campaigns, many of which rely on downloaders such as VB scripts. | 0b183d6240d02bb57638033917e11e48 | https://blog.talosintelligence.com/2022/08/threat-roundup-0729-0805.html; SHA256: 2d1e5cc0f414d6cc94ec251605c68c32c442740e129d7af97f8293844aecca6a; SHA1: 125553420253090e13d753b0150a01f8b7f92502; MD5: 0b183d6240d02bb57638033917e11e48 |
M22-M8021 | XtremeRAT_5d057c13 | Windows |
This strike sends a malware sample known as XtremeRAT. XtremeRAT is a remote access trojan that allows the attacker to eavesdrop on users and modify the running system. | 5d057c1380096eefa294ffcec51575c1 | https://blog.talosintelligence.com/2022/08/threat-roundup-0812-0819.html; SHA256: d8df5b44e3469d7a7c0ffc4dba88d34bff093cf4453500074a54b837d50d93c6; SHA1: 05dec5b58bce525068893c3689b2f990a89a8429; MD5: 5d057c1380096eefa294ffcec51575c1 |
M22-M8060 | DarkTortilla | Windows |
This strike sends a malware sample known as DarkTortilla Loader. DarkTortilla is a .NET-based crypter that delivers information stealers and remote access trojans like AgentTesla and RedLine. It has also been observed delivering payloads like Cobalt Strike and Metasploit as well as other malicious documents and executables. This sample is the DarkTortilla initial loader. | f44695a8febb2a35576a59fa984629d2 | https://www.secureworks.com/research/darktortilla-malware-analysis; SHA256: 53b3b37b7d1e40c80fcda2c424cd837379ac2ce93023de6c22ba3e2d94679671; SHA1: 37ec57e5da46dc1990941a1bb3ffab9e74db346a; MD5: f44695a8febb2a35576a59fa984629d2 |
M22-M8051 | DarkTortilla | Windows |
This strike sends a malware sample known as DarkTortilla Loader. DarkTortilla is a .NET-based crypter that delivers information stealers and remote access trojans like AgentTesla and RedLine. It has also been observed delivering payloads like Cobalt Strike and Metasploit as well as other malicious documents and executables. This sample is the DarkTortilla initial loader. | c37aae0ff565a2e44f144f837b750279 | https://www.secureworks.com/research/darktortilla-malware-analysis; SHA256: a0b96236bfd79d2ebeadb8e3deb9448af3ec8edd1ea9672b7ad4793934bb4c47; SHA1: dde386911b091e894746b0f12d88a1fd18761fb9; MD5: c37aae0ff565a2e44f144f837b750279 |
M22-M8030 | TrickBot_7c3b350d | Windows |
This strike sends a malware sample known as TrickBot. TrickBot is a banking trojan that targets sensitive information for select financial institutions. It is frequently distributed through malicious spam campaigns, many of which rely on downloaders such as VB scripts. | 7c3b350d98f0826e01dcbdf95d123477 | https://blog.talosintelligence.com/2022/08/threat-roundup-0729-0805.html; SHA256: 30636b11d051121251b2051971223e6e294dfaf917338239deb5b8edf5bce20b; SHA1: 2b22f40683dd133774c61aff7c42a2e211cff181; MD5: 7c3b350d98f0826e01dcbdf95d123477 |
M22-M8061 | TrickBot_ff63ddb4 | Windows |
This strike sends a malware sample known as TrickBot. TrickBot is a banking trojan that targets sensitive information for select financial institutions. It is frequently distributed through malicious spam campaigns, many of which rely on downloaders such as VB scripts. | ff63ddb40ec2e11d7bd734aa4b6f7191 | https://blog.talosintelligence.com/2022/08/threat-roundup-0729-0805.html; SHA256: 513125bc77c78f24fc6a29a125c0d5373d5b365f476ba496f90d8dc952fd4441; SHA1: d64624749481ed97632051237d9fb394bcb07295; MD5: ff63ddb40ec2e11d7bd734aa4b6f7191 |
M22-M804f | Dorkbot_bec351f6 | Windows |
This strike sends a malware sample known as Dorkbot. Dorkbot is a worm that spreads through social networking sites and messaging apps. Once installed, the infected computer becomes part of a botnet, allowing the operator to control the machine remotely. | bec351f63f70e048f5319f8f5a386bf0 | https://blog.talosintelligence.com/2022/08/threat-roundup-0812-0819.html; SHA256: 94b5e03c8c149c8065dcf1a3696ca0c0801f6932e3a6b73985081dd36bb04194; SHA1: 160b248a9856461675b92aedc86ecbf9ce81dfce; MD5: bec351f63f70e048f5319f8f5a386bf0 |