Malware Monthly Update January - 2023 Release Notes

Malware Monthly Update January - 2023

Malware Strikes

Strike ID	Malware	Platform	Info	MD5	External References
M23-M102b	LokiBot_64af1511	Mixed	This strike sends a malware sample known as LokiBot. Lokibot is an information-stealing malware designed to siphon off sensitive information stored on an infected device. It is modular in nature, supporting the ability to steal sensitive information from a number of popular applications. It is commonly pushed via malicious documents delivered via spam emails.	64af151191f5d60b7ace7a8cb31e7948	https://blog.talosintelligence.com/threat-roundup-0113-0120/ SHA256: 7b34fede01164a6602eccc2e71a58535a8e484562fe634c82fcf87256f951bcd SHA1: 82c8c29ab11837559b42a7565e6fa14668dc9ece MD5: 64af151191f5d60b7ace7a8cb31e7948
M23-M105d	Mimic_db21ed7d	Windows	This strike sends a malware sample known as Mimic. Mimic is a ransomware that abuses the APIs of the Everything tool to query files to be encrypted. It has the ability to delete shadow copies, disable Windows Defender, terminate applications and services and perform a variety of other functions.	db21ed7d19149a615d7432aca9c8f6ca	https://nationalcybersecurity.com/new-mimic-ransomware-abuses-everything-apis-for-its-encryption-process-hacking-cybersecurity-infosec-comptia-pentest-ransomware/ SHA256: 08f8ae7f25949a742c7896cb76e37fb88c6a7a32398693ec6c2b3d9b488114be SHA1: 4137739d48996b0d9efd7bfbb5db50219ac4aeb0 MD5: db21ed7d19149a615d7432aca9c8f6ca
M23-M1068	TrickBot_274eb07e	Windows	This strike sends a polymorphic malware sample known as TrickBot. Trickbot is a banking trojan targeting sensitive information for select financial institutions. This malware is frequently distributed through malicious spam campaigns. Many of these campaigns rely on downloaders for distribution, such as VB Scripts.The binary has the checksum removed in the PE file format.	274eb07e2600acd6a62a508675ab6e09	https://blog.talosintelligence.com/threat-roundup-0106-0113/ SHA256: fbf2ae15b2d031bbdcdd64bab66b816e91a37ebfcd335af4bbc09950aa4877f7 https://arxiv.org/abs/1801.08917 PARENTID: M23-M1022 SSDEEP: 12288:vtkrisgles3JreuHMa+1TSX690cPSAOLuKjdCLS6U10ODk:vORs3JVHs1TSX69TPZguhUO SHA1: 7289424edd7ce4860e0ed42ed3a5faeb9d7fae1c MD5: 274eb07e2600acd6a62a508675ab6e09
M23-M1054	LokiBot_c2d963dd	Mixed	This strike sends a malware sample known as LokiBot. Lokibot is an information-stealing malware designed to siphon off sensitive information stored on an infected device. It is modular in nature, supporting the ability to steal sensitive information from a number of popular applications. It is commonly pushed via malicious documents delivered via spam emails.	c2d963dd959c1634e35bc1ccc1292174	https://blog.talosintelligence.com/threat-roundup-0113-0120/ SHA256: e89082a08c246ba8e4bffb9ddb127a2ee24cef652e4b0a8772ad22d376a82eb7 SHA1: 15f2175cf6d237480b695097822186077fa6c7d2 MD5: c2d963dd959c1634e35bc1ccc1292174
M23-M1025	Hook_54d7ec1e	Mixed	This strike sends a malware sample known as Hook. Hook is an Android RAT malware variant based off of the Ermac malware. Hook has the capability to manipulate files on the device as well as interact with the System's UI. This includes the ability to perform gestures, take screenshots, simulate clicks and keypresses, unlocking the device, scrolling, and clicking ui text elements.	54d7ec1e7d5f8f2884281cdafabae3c0	https://www.threatfabric.com/blogs/hook-a-new-ermac-fork-with-rat-capabilities.html SHA256: 55533397f32e960bdc78d74f76c3b62b57f881c4554dff01e7f9e077653f47b2 SHA1: 2253f3c96dd24d64cd29dccdbf69b26ed84d46d6 MD5: 54d7ec1e7d5f8f2884281cdafabae3c0
M23-M105f	QuasarRAT_e48ac0ab	Windows	This strike sends a malware sample known as QuasarRAT. On Oct 2021 Cisco Talos detected a campaign targeting Afghanistan and India utilizing malicious RTF documents to deliver malware to its victims. This campaign used CVE-2017-11882, a vulnerability in Microsoft Office, to deliver QuasarRAT and dcRAT to Windows and AndroidRAT to mobile devices. This sample is QuasarRAT.	e48ac0ab19c5b5599c45e9846fffb1de	https://blog.talosintelligence.com/threat-roundup-0113-0120/ SHA256: c37ff695876f126cc4f6b627a54f2a0bfd68983243b87d8e078143609c26f6a1 SHA1: cfac2c834e7c28ad2e688464ea9636c96949649f MD5: e48ac0ab19c5b5599c45e9846fffb1de
M23-M1028	QuasarRAT_5d6f4a17	Windows	This strike sends a malware sample known as QuasarRAT. On Oct 2021 Cisco Talos detected a campaign targeting Afghanistan and India utilizing malicious RTF documents to deliver malware to its victims. This campaign used CVE-2017-11882, a vulnerability in Microsoft Office, to deliver QuasarRAT and dcRAT to Windows and AndroidRAT to mobile devices. This sample is QuasarRAT.	5d6f4a17539d84e07f978f808ceb877f	https://blog.talosintelligence.com/threat-roundup-0113-0120/ SHA256: 53b741a52f88d7e0f01dd4f5bcffac6882668922a45ecb1bc2e7275778afd599 SHA1: a186392695be394a1a81e4b8ed2046cfc3333077 MD5: 5d6f4a17539d84e07f978f808ceb877f
M23-M1049	Mimic_ac34ba84	Windows	This strike sends a malware sample known as Mimic. Mimic is a ransomware that abuses the APIs of the Everything tool to query files to be encrypted. It has the ability to delete shadow copies, disable Windows Defender, terminate applications and services and perform a variety of other functions.	ac34ba84a5054cd701efad5dd14645c9	https://nationalcybersecurity.com/new-mimic-ransomware-abuses-everything-apis-for-its-encryption-process-hacking-cybersecurity-infosec-comptia-pentest-ransomware/ SHA256: c576f7f55c4c0304b290b15e70a638b037df15c69577cd6263329c73416e490e SHA1: dc74a9fd5560b7c7a0fc9d183de9d676e92b9e8b MD5: ac34ba84a5054cd701efad5dd14645c9
M23-M1066	RedGoBot_fd1facf3	Linux	This strike sends a malware sample known as RedGoBot. RedGoBot malware has recently been distributed in the wild via the exploitation of CVE 2021-35394. This malware is a DDoS botnet with the ability to execute remote commands on the operating system, terminate the bot client, and execute DDoS attacks on HTTP, ICMP, TCP, UDP, VSE, and OpenVPN protocols.	fd1facf3a3fca0fd6108bbbe98f8d5fd	https://unit42.paloaltonetworks.com/realtek-sdk-vulnerability/ SHA256: 78b55d3f1b34f1154a28ce4fc855252bc3104a07944053facf6acce9195b2e77 SHA1: 2621278450f3eba6f67904f23e05f69b7871b49a MD5: fd1facf3a3fca0fd6108bbbe98f8d5fd
M23-M1067	TrickBot_26b8e67b	Windows	This strike sends a polymorphic malware sample known as TrickBot. Trickbot is a banking trojan targeting sensitive information for select financial institutions. This malware is frequently distributed through malicious spam campaigns. Many of these campaigns rely on downloaders for distribution, such as VB Scripts.The binary has random contents appended in one of the existing sections in the PE file format.	26b8e67bbce94745b87a541c867f9ee8	https://blog.talosintelligence.com/threat-roundup-0106-0113/ SHA256: 93922900eebc3f7e4002209ef5a2843ec6e694ae56763811f9511179cf77e327 https://arxiv.org/abs/1801.08917 PARENTID: M23-M1059 SSDEEP: 24576:mORs3JVHs1TSX69TPZguhU9B69TPZguhUKB69TPZguhUK:5mHs1TSX61PZgXB61PZgEB61PZgE SHA1: 9576226648a4f68d12d7db18bbec22cc42a6d3ab MD5: 26b8e67bbce94745b87a541c867f9ee8
M23-M1027	TrickBot_5d3242c3	Windows	This strike sends a malware sample known as TrickBot. Trickbot is a banking trojan targeting sensitive information for select financial institutions. This malware is frequently distributed through malicious spam campaigns. Many of these campaigns rely on downloaders for distribution, such as VB Scripts.	5d3242c30060c66a18c7760adf582841	https://blog.talosintelligence.com/threat-roundup-0106-0113/ SHA256: 87ff71bee735095c209afefc60cda504cc77acc50fc4ba31d756c9ea4c853a89 SHA1: 1030d57043f93ed3e3a8fa6e0976f52c4b012628 MD5: 5d3242c30060c66a18c7760adf582841
M23-M1021	LokiBot_44fc10c3	Mixed	This strike sends a malware sample known as LokiBot. Lokibot is an information-stealing malware designed to siphon off sensitive information stored on an infected device. It is modular in nature, supporting the ability to steal sensitive information from a number of popular applications. It is commonly pushed via malicious documents delivered via spam emails.	44fc10c3b6cc2f42d2dacd19f9219915	https://blog.talosintelligence.com/threat-roundup-0113-0120/ SHA256: b7062983e7667a1b86c1bd1123bc3aac29b7a8200b079c9bc4b566dd1c7ee44d SHA1: c601f9d1993c4e5b2902571780ec5ff3ac220cfa MD5: 44fc10c3b6cc2f42d2dacd19f9219915
M23-M1057	TrickBot_cad58112	Windows	This strike sends a malware sample known as TrickBot. Trickbot is a banking trojan targeting sensitive information for select financial institutions. This malware is frequently distributed through malicious spam campaigns. Many of these campaigns rely on downloaders for distribution, such as VB Scripts.	cad58112e7a1cd4ea253505762e33199	https://blog.talosintelligence.com/threat-roundup-0106-0113/ SHA256: 4038edea39f0d2c4155b1917759beca2f9fc8150a48d7e06a1b3e7b9b72652ae SHA1: 6865495f55b005df1d58d52afaa428358bf9c850 MD5: cad58112e7a1cd4ea253505762e33199
M23-M1069	Bifrost_31d773b4	Windows	This strike sends a polymorphic malware sample known as Bifrost. Bifrost is a backdoor that allows a remote attacker, who uses the client, to execute arbitrary code on the compromised machine. It contains standard Remote Access Trojan capabilities including taking screenshots, camera monitoring, and keylogging.The binary has random strings (lorem ipsum) appended at the end of the file.	31d773b42bd89af8689182e72170cbf4	https://blog.talosintelligence.com/threat-roundup-0106-0113/ SHA256: 6c04238363290f9ab89cc18659e8c7776429e7c9444abf13353d6a8d8dbf252e https://attack.mitre.org/techniques/T1009/ PARENTID: M23-M1009 SSDEEP: 49152:t7vT4rFBiF1Qgw0YX/80KKAjmPBzLUIE/WFtcm7UAS:tAvnvNP80KKymPBzLxE/WFtc1AS SHA1: a25592c677c80d0f113f68a358153e8687a32082 MD5: 31d773b42bd89af8689182e72170cbf4
M23-M103a	Hook_8e6116cc	Mixed	This strike sends a malware sample known as Hook. Hook is an Android RAT malware variant based off of the Ermac malware. Hook has the capability to manipulate files on the device as well as interact with the System's UI. This includes the ability to perform gestures, take screenshots, simulate clicks and keypresses, unlocking the device, scrolling, and clicking ui text elements.	8e6116cc7b74c87520a340c4de6dd911	https://www.threatfabric.com/blogs/hook-a-new-ermac-fork-with-rat-capabilities.html SHA256: 8d1aabfb6329bf6c03c97f86c690e95723748be9d03ec2ed117376dd9e13faf0 SHA1: d97d8fc638635f6ae61608efa878a43cbea0c51c MD5: 8e6116cc7b74c87520a340c4de6dd911
M23-M101f	Bifrost_401423b3	Windows	This strike sends a malware sample known as Bifrost. Bifrost is a backdoor that allows a remote attacker, who uses the client, to execute arbitrary code on the compromised machine. It contains standard Remote Access Trojan capabilities including taking screenshots, camera monitoring, and keylogging.	401423b33f7e755449450a2badb533be	https://blog.talosintelligence.com/threat-roundup-0106-0113/ SHA256: 2e3cbe941ab655a6d3ea57382028a75794ebd7895dfaba49ac3aad78921f172f SHA1: 9b2737043259463b51d3e37a10e4696dcba221f2 MD5: 401423b33f7e755449450a2badb533be
M23-M104d	LokiBot_b1e0d2ea	Mixed	This strike sends a malware sample known as LokiBot. Lokibot is an information-stealing malware designed to siphon off sensitive information stored on an infected device. It is modular in nature, supporting the ability to steal sensitive information from a number of popular applications. It is commonly pushed via malicious documents delivered via spam emails.	b1e0d2ead352745d57ea43c58f18aadf	https://blog.talosintelligence.com/threat-roundup-0113-0120/ SHA256: 57e5341a8009432af3aa5b4246eabb8774d292db8a245106fc045c4f36e5cddb SHA1: 971c49b4f4b794b7770e09332ec03c1d98557321 MD5: b1e0d2ead352745d57ea43c58f18aadf
M23-M101a	RedGoBot_31be883a	Linux	This strike sends a malware sample known as RedGoBot. RedGoBot malware has recently been distributed in the wild via the exploitation of CVE 2021-35394. This malware is a DDoS botnet with the ability to execute remote commands on the operating system, terminate the bot client, and execute DDoS attacks on HTTP, ICMP, TCP, UDP, VSE, and OpenVPN protocols.	31be883a1346f656df5061bc784060a7	https://unit42.paloaltonetworks.com/realtek-sdk-vulnerability/ SHA256: 5e647d4991f9d339e6e83cee6168915e1e2c9fac0cddc53d3083cbc96a278035 SHA1: 5dc0f6e5da49cced2ff5c8e92b8a5dac47a0ad52 MD5: 31be883a1346f656df5061bc784060a7
M23-M100f	QuasarRAT_1ab83ff9	Windows	This strike sends a malware sample known as QuasarRAT. On Oct 2021 Cisco Talos detected a campaign targeting Afghanistan and India utilizing malicious RTF documents to deliver malware to its victims. This campaign used CVE-2017-11882, a vulnerability in Microsoft Office, to deliver QuasarRAT and dcRAT to Windows and AndroidRAT to mobile devices. This sample is QuasarRAT.	1ab83ff93da4ce0da0fcb706f6bc8228	https://blog.talosintelligence.com/threat-roundup-0113-0120/ SHA256: f707db5c91e9f1e70effecb99ae6d8101cb2343779df3b06eba56311bde64a41 SHA1: dfd7d3159e702772c31618f4da1ec5492f7b6e86 MD5: 1ab83ff93da4ce0da0fcb706f6bc8228
M23-M1011	LokiBot_1ec5e658	Mixed	This strike sends a malware sample known as LokiBot. Lokibot is an information-stealing malware designed to siphon off sensitive information stored on an infected device. It is modular in nature, supporting the ability to steal sensitive information from a number of popular applications. It is commonly pushed via malicious documents delivered via spam emails.	1ec5e6588478d9336f48b25419a9c438	https://blog.talosintelligence.com/threat-roundup-0113-0120/ SHA256: 8126aa90f564c1662d9b42b333a7b0fe7489770c8b5069997b8dc5577ded2bc0 SHA1: 89050c992186a5fef33fb5559565e3872dea879c MD5: 1ec5e6588478d9336f48b25419a9c438
M23-M1055	LokiBot_c8a47262	Mixed	This strike sends a malware sample known as LokiBot. Lokibot is an information-stealing malware designed to siphon off sensitive information stored on an infected device. It is modular in nature, supporting the ability to steal sensitive information from a number of popular applications. It is commonly pushed via malicious documents delivered via spam emails.	c8a472629bb9193b37b9156b91672bc9	https://blog.talosintelligence.com/threat-roundup-0113-0120/ SHA256: cc77dde534b4aa329ecf543351157ca8c9ee43730de6dbef2673d1f63f225f87 SHA1: 3b9c9ad2a30e7503f51bac7aad88783ed309d8b3 MD5: c8a472629bb9193b37b9156b91672bc9
M23-M103b	LokiBot_8fad80b1	Mixed	This strike sends a malware sample known as LokiBot. Lokibot is an information-stealing malware designed to siphon off sensitive information stored on an infected device. It is modular in nature, supporting the ability to steal sensitive information from a number of popular applications. It is commonly pushed via malicious documents delivered via spam emails.	8fad80b104bd3234323be9171aed903f	https://blog.talosintelligence.com/threat-roundup-0113-0120/ SHA256: b66c265b35372a58775ab68db5392014be36b745f4647df6c3da1c0a7aab82fc SHA1: e1190346d14c15788685e77347a827f7086adb2c MD5: 8fad80b104bd3234323be9171aed903f
M23-M1047	LokiBot_a85424f2	Mixed	This strike sends a malware sample known as LokiBot. Lokibot is an information-stealing malware designed to siphon off sensitive information stored on an infected device. It is modular in nature, supporting the ability to steal sensitive information from a number of popular applications. It is commonly pushed via malicious documents delivered via spam emails.	a85424f2fb6f690b5f336928355673d1	https://blog.talosintelligence.com/threat-roundup-0113-0120/ SHA256: a7225665972f421022ded04315aa75f15cda747e12dbd82130b1a8e87c9d062d SHA1: c4521733d1be82583743a0c33b035a527c791d13 MD5: a85424f2fb6f690b5f336928355673d1
M23-M100a	QuasarRAT_1347af31	Windows	This strike sends a malware sample known as QuasarRAT. On Oct 2021 Cisco Talos detected a campaign targeting Afghanistan and India utilizing malicious RTF documents to deliver malware to its victims. This campaign used CVE-2017-11882, a vulnerability in Microsoft Office, to deliver QuasarRAT and dcRAT to Windows and AndroidRAT to mobile devices. This sample is QuasarRAT.	1347af31f1f759cea0164dd26eeab53f	https://blog.talosintelligence.com/threat-roundup-0113-0120/ SHA256: 6a625df2a22684ec5c95df37818afc44ca1d7aca39e8011b7c0287c369588728 SHA1: dfb9ac5849355a0144c8efc7884c7e4b5f56086d MD5: 1347af31f1f759cea0164dd26eeab53f
M23-M1056	Gigabud	Mixed	This strike sends a malware sample known as Gigabud RAT. Gigabud is a Remote Access Trojan Android malware that has been detected in the wild masquerading as government agencies, shopping apps, and banking applications from Thailand, the Philippines and Peru. The malware has many functions like the ability to receive commands from C2 servers, screen recording, and stealing banking credentials.	ca6aa6c5a7910281a899695e61423079	https://blog.cyble.com/2023/01/19/gigabud-rat-new-android-rat-masquerading-as-government-agencies/ SHA256: a940c9c54ff69dacc6771f1ffb3c91ea05f7f08e6aaf46e9802e42f948dfdb66 SHA1: 1012a7627b6b82e3afb87380bbfda515764ce0a6 MD5: ca6aa6c5a7910281a899695e61423079
M23-M1030	TrickBot_747e2dff	Windows	This strike sends a malware sample known as TrickBot. Trickbot is a banking trojan targeting sensitive information for select financial institutions. This malware is frequently distributed through malicious spam campaigns. Many of these campaigns rely on downloaders for distribution, such as VB Scripts.	747e2dff11b08670fbdc1632cfb8d394	https://blog.talosintelligence.com/threat-roundup-0106-0113/ SHA256: 6f48cb7449083ebf82b8507d3d32f30fe8d76f329babe728d8bc94628a878981 SHA1: 326969ea17414d10f271af6b3c04e2b81672e960 MD5: 747e2dff11b08670fbdc1632cfb8d394
M23-M1051	QuasarRAT_be896d1a	Windows	This strike sends a malware sample known as QuasarRAT. On Oct 2021 Cisco Talos detected a campaign targeting Afghanistan and India utilizing malicious RTF documents to deliver malware to its victims. This campaign used CVE-2017-11882, a vulnerability in Microsoft Office, to deliver QuasarRAT and dcRAT to Windows and AndroidRAT to mobile devices. This sample is QuasarRAT.	be896d1a70317c9e457fd3be91e54466	https://blog.talosintelligence.com/threat-roundup-0113-0120/ SHA256: 19efdda9ec1232653d64ad9f6d3d8813904ddd9995df3e697e49ae4f267622b0 SHA1: 1f2213ce01946617df3e24af874ff55e093b4613 MD5: be896d1a70317c9e457fd3be91e54466
M23-M1041	LokiBot_9c3d5fda	Mixed	This strike sends a malware sample known as LokiBot. Lokibot is an information-stealing malware designed to siphon off sensitive information stored on an infected device. It is modular in nature, supporting the ability to steal sensitive information from a number of popular applications. It is commonly pushed via malicious documents delivered via spam emails.	9c3d5fda30d4b32841708d7d7f99c62a	https://blog.talosintelligence.com/threat-roundup-0113-0120/ SHA256: e7582ee773f6857a3f18e76453beefc46912089372f3b12bdd6e5735a3a3536d SHA1: cc621680d91f8bdc5225a5af3fbccc542c588401 MD5: 9c3d5fda30d4b32841708d7d7f99c62a
M23-M1063	Bifrost_f844c72a	Windows	This strike sends a malware sample known as Bifrost. Bifrost is a backdoor that allows a remote attacker, who uses the client, to execute arbitrary code on the compromised machine. It contains standard Remote Access Trojan capabilities including taking screenshots, camera monitoring, and keylogging.	f844c72a7248602fbe0861525cacc8e1	https://blog.talosintelligence.com/threat-roundup-0106-0113/ SHA256: 16d1317d954506fb689c594e0dbea407c5d224882d02ee9c97944ecaf2aa815e SHA1: 8a118a521e48e381f1398e6a1f23e1315a3948e7 MD5: f844c72a7248602fbe0861525cacc8e1
M23-M104a	TrickBot_adc8d3f2	Windows	This strike sends a malware sample known as TrickBot. Trickbot is a banking trojan targeting sensitive information for select financial institutions. This malware is frequently distributed through malicious spam campaigns. Many of these campaigns rely on downloaders for distribution, such as VB Scripts.	adc8d3f293c9fa900655d0550c279c7f	https://blog.talosintelligence.com/threat-roundup-0106-0113/ SHA256: a55543ec1b6966095c16d18874123733518b24859d943412b346bb1c1bc2aa45 SHA1: e098e2d978031ab7d372e744fc676c98cb8a9638 MD5: adc8d3f293c9fa900655d0550c279c7f
M23-M100d	QuasarRAT_18ea6c3f	Windows	This strike sends a malware sample known as QuasarRAT. On Oct 2021 Cisco Talos detected a campaign targeting Afghanistan and India utilizing malicious RTF documents to deliver malware to its victims. This campaign used CVE-2017-11882, a vulnerability in Microsoft Office, to deliver QuasarRAT and dcRAT to Windows and AndroidRAT to mobile devices. This sample is QuasarRAT.	18ea6c3f285a0609de3b4be052d26e99	https://blog.talosintelligence.com/threat-roundup-0113-0120/ SHA256: ceeddc45a3e52e50445abfd568287edf87649fa4e94d75d3a4533a7396ae1604 SHA1: b8450d9f4745ae05cf54eaf1506b3c9fbb34a43f MD5: 18ea6c3f285a0609de3b4be052d26e99
M23-M1010	Mimic_1de4fcc8	Windows	This strike sends a malware sample known as Mimic. Mimic is a ransomware that abuses the APIs of the Everything tool to query files to be encrypted. It has the ability to delete shadow copies, disable Windows Defender, terminate applications and services and perform a variety of other functions.	1de4fcc80167b96285656de16f91c7d1	https://nationalcybersecurity.com/new-mimic-ransomware-abuses-everything-apis-for-its-encryption-process-hacking-cybersecurity-infosec-comptia-pentest-ransomware/ SHA256: e67d3682910cf1e7ece356860179ada8e847637a86c1e5f6898c48c956f04590 SHA1: 51a50bdd10d159bd00218476f86709cb7add4ebb MD5: 1de4fcc80167b96285656de16f91c7d1
M23-M101c	TrickBot_32e3a9c1	Windows	This strike sends a malware sample known as TrickBot. Trickbot is a banking trojan targeting sensitive information for select financial institutions. This malware is frequently distributed through malicious spam campaigns. Many of these campaigns rely on downloaders for distribution, such as VB Scripts.	32e3a9c1efe10cbab7c8f15fd57e54a6	https://blog.talosintelligence.com/threat-roundup-0106-0113/ SHA256: 41892f3328b48749726630a3e75ee0addd7e41060beefcfc9d81d3bfc3ab55fd SHA1: 2201c7d6c11101b6ad37b0818ec3acc328d00713 MD5: 32e3a9c1efe10cbab7c8f15fd57e54a6
M23-M106a	TrickBot_d04b80a9	Windows	This strike sends a polymorphic malware sample known as TrickBot. Trickbot is a banking trojan targeting sensitive information for select financial institutions. This malware is frequently distributed through malicious spam campaigns. Many of these campaigns rely on downloaders for distribution, such as VB Scripts.The binary has random contents appended in one of the existing sections in the PE file format.	d04b80a9abc3ac86c2a6f9251e41211e	https://blog.talosintelligence.com/threat-roundup-0106-0113/ SHA256: f84926beb3c919c5510a1466805ef892ca88e889b78f0a8622706f1249775752 https://arxiv.org/abs/1801.08917 PARENTID: M23-M104a SSDEEP: 24576:eORs3JVHs1TSX69TPZguhUDM69TPZguhU7M69:hmHs1TSX61PZgxM61PZgpM6 SHA1: 774c2241b77f3bb1902cf0062a60709190ac5b05 MD5: d04b80a9abc3ac86c2a6f9251e41211e
M23-M104e	Gigabud	Mixed	This strike sends a malware sample known as Gigabud RAT. Gigabud is a Remote Access Trojan Android malware that has been detected in the wild masquerading as government agencies, shopping apps, and banking applications from Thailand, the Philippines and Peru. The malware has many functions like the ability to receive commands from C2 servers, screen recording, and stealing banking credentials.	b2429371b530d634b2b86c331515904f	https://blog.cyble.com/2023/01/19/gigabud-rat-new-android-rat-masquerading-as-government-agencies/ SHA256: ec1e2ff5c72c233f2b5ad538d44059a06b81b5e5da5e2c82897be1ca4539d490 SHA1: ea5359c8408cdb4ebb7480704fe06a8e3bfa37c3 MD5: b2429371b530d634b2b86c331515904f
M23-M1046	Mimic_a626eaec	Windows	This strike sends a malware sample known as Mimic. Mimic is a ransomware that abuses the APIs of the Everything tool to query files to be encrypted. It has the ability to delete shadow copies, disable Windows Defender, terminate applications and services and perform a variety of other functions.	a626eaec2acc8605825b63e2ca1be83f	https://nationalcybersecurity.com/new-mimic-ransomware-abuses-everything-apis-for-its-encryption-process-hacking-cybersecurity-infosec-comptia-pentest-ransomware/ SHA256: 480fb2f6bcb1f394dc171ecbce88b9fa64df1491ec65859ee108f2e787b26e03 SHA1: 8b101fe4ca4e2ba8c5eae5409c373d9d18586c2a MD5: a626eaec2acc8605825b63e2ca1be83f
M23-M105e	TrickBot_e06fb6f6	Windows	This strike sends a malware sample known as TrickBot. Trickbot is a banking trojan targeting sensitive information for select financial institutions. This malware is frequently distributed through malicious spam campaigns. Many of these campaigns rely on downloaders for distribution, such as VB Scripts.	e06fb6f69932083d67ec4702520b7210	https://blog.talosintelligence.com/threat-roundup-0106-0113/ SHA256: 010f84deb5e78bad41895e882203db172819778c5dfd28c26eb079e8be50d77f SHA1: 93799d81897f9a56c842926a84ebe942f8bbf2ee MD5: e06fb6f69932083d67ec4702520b7210
M23-M1017	Bifrost_2d909a3d	Windows	This strike sends a malware sample known as Bifrost. Bifrost is a backdoor that allows a remote attacker, who uses the client, to execute arbitrary code on the compromised machine. It contains standard Remote Access Trojan capabilities including taking screenshots, camera monitoring, and keylogging.	2d909a3d5efa68b5d8b2553db1c13e7f	https://blog.talosintelligence.com/threat-roundup-0106-0113/ SHA256: 3c39945e576bdfe9a878b8543c925bbd48f03a778c4f4aabb50362aff6340bfa SHA1: 3986d3a33e4788e64afc17babd566b7f562512d4 MD5: 2d909a3d5efa68b5d8b2553db1c13e7f
M23-M101e	RedGoBot_3c404053	Linux	This strike sends a malware sample known as RedGoBot. RedGoBot malware has recently been distributed in the wild via the exploitation of CVE 2021-35394. This malware is a DDoS botnet with the ability to execute remote commands on the operating system, terminate the bot client, and execute DDoS attacks on HTTP, ICMP, TCP, UDP, VSE, and OpenVPN protocols.	3c404053296efd41dae11a0a39be3808	https://unit42.paloaltonetworks.com/realtek-sdk-vulnerability/ SHA256: 6bca8cf5e48e819179f8473e4e600da2c1ef00802bf1744885dcb5ad56618943 SHA1: 4c3c5fc50a29b9ee67aeb4bec39e1635f09bdd93 MD5: 3c404053296efd41dae11a0a39be3808
M23-M1024	Mimic_5120980c	Windows	This strike sends a malware sample known as Mimic. Mimic is a ransomware that abuses the APIs of the Everything tool to query files to be encrypted. It has the ability to delete shadow copies, disable Windows Defender, terminate applications and services and perform a variety of other functions.	5120980c01763759fbc8785899809e6a	https://nationalcybersecurity.com/new-mimic-ransomware-abuses-everything-apis-for-its-encryption-process-hacking-cybersecurity-infosec-comptia-pentest-ransomware/ SHA256: 136d05b5132adafc4c7616cd6902700de59f3f326c6931eb6b2f3b1f458c7457 SHA1: b7581da9c48e1b514664d560f866899745620b82 MD5: 5120980c01763759fbc8785899809e6a
M23-M1001	Pegasus_3910e0	Android	This strike sends an Android malware sample known as Godfather. It is a trojan which affected 400 banking and crypto applications. It is a successor to the Anubis malware which performs its C2 communication over telegram and does malicious activities like screen recording, exfiltrates push notifications for bypassing 2FA, forwards calls etc. The included sample poses as the Google Play Protect app.	3910e0f2fa87ef1ac40098c98709886d	https://www.group-ib.com/blog/godfather-trojan/ https://thehackernews.com/2022/12/godfather-android-banking-trojan.html SHA256: f26c0df227b4e0dcc275146066913cd9f32b51a2ba40258539eab86ef8e03cea PARENTID: M23-M1035 SSDEEP: 196608:KctvSeMIRNlXDAioU3FzwUZHGwj2lO+AUlC567NbEYlbuB4Ti8VHHSBlBYUaX4J3:KuvUoNlsioU3RwUl7j2lOklC56pEYIBh SHA1: ebcccd5d69c6f0cde339dc87848ab5c90105f0a4 MD5: 3910e0f2fa87ef1ac40098c98709886d
M23-M105c	Bifrost_d5f53d7e	Windows	This strike sends a malware sample known as Bifrost. Bifrost is a backdoor that allows a remote attacker, who uses the client, to execute arbitrary code on the compromised machine. It contains standard Remote Access Trojan capabilities including taking screenshots, camera monitoring, and keylogging.	d5f53d7e5d74a981d2f15f3d953b5a90	https://blog.talosintelligence.com/threat-roundup-0106-0113/ SHA256: efc1da346ba66ebd0defb0be5cda235c16116b24778ad2ec386de715bec0bcdb SHA1: 911b2ff382419e9109703b74d986ee6e52face99 MD5: d5f53d7e5d74a981d2f15f3d953b5a90
M23-M102a	LokiBot_63e3bfaa	Mixed	This strike sends a malware sample known as LokiBot. Lokibot is an information-stealing malware designed to siphon off sensitive information stored on an infected device. It is modular in nature, supporting the ability to steal sensitive information from a number of popular applications. It is commonly pushed via malicious documents delivered via spam emails.	63e3bfaaa31cc2014010270ecfbc72be	https://blog.talosintelligence.com/threat-roundup-0113-0120/ SHA256: 2c585eb6a6b3d165c75312f0676e312fc0b1c9dbfd63ab4a060356669f605c90 SHA1: 7d28d8f975934c9b3f341696916e52c6e773c040 MD5: 63e3bfaaa31cc2014010270ecfbc72be
M23-M106c	TrickBot_d813b0f6	Windows	This strike sends a polymorphic malware sample known as TrickBot. Trickbot is a banking trojan targeting sensitive information for select financial institutions. This malware is frequently distributed through malicious spam campaigns. Many of these campaigns rely on downloaders for distribution, such as VB Scripts.The binary has the checksum removed in the PE file format.	d813b0f6505f8b1582beb41d3d55d3ae	https://blog.talosintelligence.com/threat-roundup-0106-0113/ SHA256: 46232164763992ceeba318117a294f1e0bfe1c428c69412645ddcea84f89c414 https://arxiv.org/abs/1801.08917 PARENTID: M23-M1059 SSDEEP: 24576:QORs3JVHs1TSX69TPZguhUyB69TPZguhUKB69TPZguhUK:DmHs1TSX61PZgUB61PZgEB61PZgE SHA1: 2fd20d7d5bdff02fc7cedd8edbd905162772065c MD5: d813b0f6505f8b1582beb41d3d55d3ae
M23-M1003	TrickBot_014be42c	Windows	This strike sends a malware sample known as TrickBot. Trickbot is a banking trojan targeting sensitive information for select financial institutions. This malware is frequently distributed through malicious spam campaigns. Many of these campaigns rely on downloaders for distribution, such as VB Scripts.	014be42cda8eb56cfea80892e736e7c1	https://blog.talosintelligence.com/threat-roundup-0106-0113/ SHA256: 380b798da49861cb0cb551a7b945f8db7e3893402c2423b6f9ebac784c79abf6 SHA1: 0f71f6ae70ee9dea579dcbc4097926dbf84d5f6d MD5: 014be42cda8eb56cfea80892e736e7c1
M23-M102f	TrickBot_741a22e5	Windows	This strike sends a malware sample known as TrickBot. Trickbot is a banking trojan targeting sensitive information for select financial institutions. This malware is frequently distributed through malicious spam campaigns. Many of these campaigns rely on downloaders for distribution, such as VB Scripts.	741a22e524f0c165272d7d5881027253	https://blog.talosintelligence.com/threat-roundup-0106-0113/ SHA256: 0b6a83489612fbac0c8031c717c2ef806d1ab504ee882a4e83700bd277684eca SHA1: 0d0a0692d0d96152db19420a494e41ae5dc4ebd9 MD5: 741a22e524f0c165272d7d5881027253
M23-M1052	RedGoBot_c1492f71	Linux	This strike sends a malware sample known as RedGoBot. RedGoBot malware has recently been distributed in the wild via the exploitation of CVE 2021-35394. This malware is a DDoS botnet with the ability to execute remote commands on the operating system, terminate the bot client, and execute DDoS attacks on HTTP, ICMP, TCP, UDP, VSE, and OpenVPN protocols.	c1492f719a4553bb4280b5a8c8c39095	https://unit42.paloaltonetworks.com/realtek-sdk-vulnerability/ SHA256: 81e581ed06515af959c8477442243f20baa77c0e54a1054542900936c6e81ff5 SHA1: 4825af1a2767c8ab277426e4a1150b6b32d7ecfe MD5: c1492f719a4553bb4280b5a8c8c39095
M23-M1033	TrickBot_7734c98f	Windows	This strike sends a malware sample known as TrickBot. Trickbot is a banking trojan targeting sensitive information for select financial institutions. This malware is frequently distributed through malicious spam campaigns. Many of these campaigns rely on downloaders for distribution, such as VB Scripts.	7734c98fc19d785fb9bb15f160d8edfa	https://blog.talosintelligence.com/threat-roundup-0106-0113/ SHA256: 25473161969a5ce442ced0c778e677792b07fa68fe500734f7fccab735dfc6ac SHA1: ea0439673be19c6096d5725a780c70db1ebef28a MD5: 7734c98fc19d785fb9bb15f160d8edfa
M23-M1043	Mimic_9e9c2fc8	Windows	This strike sends a malware sample known as Mimic. Mimic is a ransomware that abuses the APIs of the Everything tool to query files to be encrypted. It has the ability to delete shadow copies, disable Windows Defender, terminate applications and services and perform a variety of other functions.	9e9c2fc872e905817c5501d07ef946b1	https://nationalcybersecurity.com/new-mimic-ransomware-abuses-everything-apis-for-its-encryption-process-hacking-cybersecurity-infosec-comptia-pentest-ransomware/ SHA256: c71ce482cf50d59c92cfb1eae560711d47600541b2835182d6e46e0de302ca6c SHA1: fae69333d7f41881d1e1de3b5391b9c9d236867e MD5: 9e9c2fc872e905817c5501d07ef946b1
M23-M1008	Mimic_102bd157	Windows	This strike sends a malware sample known as Mimic. Mimic is a ransomware that abuses the APIs of the Everything tool to query files to be encrypted. It has the ability to delete shadow copies, disable Windows Defender, terminate applications and services and perform a variety of other functions.	102bd157676e752d4e9311b5d17f9d5c	https://nationalcybersecurity.com/new-mimic-ransomware-abuses-everything-apis-for-its-encryption-process-hacking-cybersecurity-infosec-comptia-pentest-ransomware/ SHA256: 4a6f8bf2b989fa60daa6c720b2d388651dd8e4c60d0be04aaed4de0c3c064c8f SHA1: ff89ff94c05ffa8acc1ba0588dd59feffc8e5475 MD5: 102bd157676e752d4e9311b5d17f9d5c
M23-M1044	QuasarRAT_a01d7c17	Windows	This strike sends a malware sample known as QuasarRAT. On Oct 2021 Cisco Talos detected a campaign targeting Afghanistan and India utilizing malicious RTF documents to deliver malware to its victims. This campaign used CVE-2017-11882, a vulnerability in Microsoft Office, to deliver QuasarRAT and dcRAT to Windows and AndroidRAT to mobile devices. This sample is QuasarRAT.	a01d7c171ed097992fa5ff6547d8c0fe	https://blog.talosintelligence.com/threat-roundup-0113-0120/ SHA256: 99f9e4ecd9882db1a05327c07481941e8a4ce22dfdef90c15e9d200d9c79cbdd SHA1: a0351a96ce94ede72a4e7fbf56265c823b5a471d MD5: a01d7c171ed097992fa5ff6547d8c0fe
M23-M104b	QuasarRAT_ae2833fc	Windows	This strike sends a malware sample known as QuasarRAT. On Oct 2021 Cisco Talos detected a campaign targeting Afghanistan and India utilizing malicious RTF documents to deliver malware to its victims. This campaign used CVE-2017-11882, a vulnerability in Microsoft Office, to deliver QuasarRAT and dcRAT to Windows and AndroidRAT to mobile devices. This sample is QuasarRAT.	ae2833fc5def4bebab9797e7694f8208	https://blog.talosintelligence.com/threat-roundup-0113-0120/ SHA256: ae8220d48eb72043bdfc4fd965fce63a668cdd281553c6a93aaf574af554881a SHA1: a052e199cb3da3f2f1eea6b25e3562bb3ef33536 MD5: ae2833fc5def4bebab9797e7694f8208
M23-M1064	TrickBot_f9e5b419	Windows	This strike sends a malware sample known as TrickBot. Trickbot is a banking trojan targeting sensitive information for select financial institutions. This malware is frequently distributed through malicious spam campaigns. Many of these campaigns rely on downloaders for distribution, such as VB Scripts.	f9e5b4192366939cbd96afe2d9cfbd41	https://blog.talosintelligence.com/threat-roundup-0106-0113/ SHA256: 06dd24c4205cce7274c8b332e34abdc1cf6064d21bca8fc4407cd6cf075cfd09 SHA1: 4391babd3d30270d6221bd0d47cdef9093df9af1 MD5: f9e5b4192366939cbd96afe2d9cfbd41
M23-M100e	LokiBot_1a3e6d36	Mixed	This strike sends a malware sample known as LokiBot. Lokibot is an information-stealing malware designed to siphon off sensitive information stored on an infected device. It is modular in nature, supporting the ability to steal sensitive information from a number of popular applications. It is commonly pushed via malicious documents delivered via spam emails.	1a3e6d3672c71fd1775411275e9322b7	https://blog.talosintelligence.com/threat-roundup-0113-0120/ SHA256: 93a71008a2294209a986d896b26e8bcff214afc6923323687c9281919c033a91 SHA1: c73b600f2929ec0f7b1600b85d3f596ab9755f6d MD5: 1a3e6d3672c71fd1775411275e9322b7
M23-M1015	Bifrost_28c3852d	Windows	This strike sends a malware sample known as Bifrost. Bifrost is a backdoor that allows a remote attacker, who uses the client, to execute arbitrary code on the compromised machine. It contains standard Remote Access Trojan capabilities including taking screenshots, camera monitoring, and keylogging.	28c3852dadec6b0a094560110dff9d90	https://blog.talosintelligence.com/threat-roundup-0106-0113/ SHA256: b780a6616b56776be514c74c969be3c2b51acd03b81f3ace8d666d5d4b0d1feb SHA1: cc481ceee0738df3d276b6bcc00a97c7c480fd04 MD5: 28c3852dadec6b0a094560110dff9d90
M23-M1029	Bifrost_6255dd50	Windows	This strike sends a malware sample known as Bifrost. Bifrost is a backdoor that allows a remote attacker, who uses the client, to execute arbitrary code on the compromised machine. It contains standard Remote Access Trojan capabilities including taking screenshots, camera monitoring, and keylogging.	6255dd507eaa7098a14fb139562cb060	https://blog.talosintelligence.com/threat-roundup-0106-0113/ SHA256: bf95dc1c0b1b6c234eb8eac2a967c38adbf28bf9aa22558aff970fc92def0813 SHA1: cf0cd7d083fb48d9b5a60c02aff280a56f8c5715 MD5: 6255dd507eaa7098a14fb139562cb060
M23-M100b	LokiBot_16b925b3	Mixed	This strike sends a malware sample known as LokiBot. Lokibot is an information-stealing malware designed to siphon off sensitive information stored on an infected device. It is modular in nature, supporting the ability to steal sensitive information from a number of popular applications. It is commonly pushed via malicious documents delivered via spam emails.	16b925b3b891d0ba91552419b6c9a343	https://blog.talosintelligence.com/threat-roundup-0113-0120/ SHA256: 10cd2aa23f0117fb286aba9f6a6ecbf7c467071881763d18c570574eed5b3dc8 SHA1: 44c430319377079043ec265b83963f7dec1a3a9a MD5: 16b925b3b891d0ba91552419b6c9a343
M23-M103d	LokiBot_90d6eeb7	Mixed	This strike sends a malware sample known as LokiBot. Lokibot is an information-stealing malware designed to siphon off sensitive information stored on an infected device. It is modular in nature, supporting the ability to steal sensitive information from a number of popular applications. It is commonly pushed via malicious documents delivered via spam emails.	90d6eeb774dfc96b215d0ebea5464640	https://blog.talosintelligence.com/threat-roundup-0113-0120/ SHA256: c9ebabe61d9c25500298ac578ba280ebb1b78fd2da07f32a82c44f1c11c3453e SHA1: e831a241bf656d18579326a50f9acc920cd938e7 MD5: 90d6eeb774dfc96b215d0ebea5464640
M23-M103e	TrickBot_938195ae	Windows	This strike sends a malware sample known as TrickBot. Trickbot is a banking trojan targeting sensitive information for select financial institutions. This malware is frequently distributed through malicious spam campaigns. Many of these campaigns rely on downloaders for distribution, such as VB Scripts.	938195ae6a5ea077a43dccac2df43e0d	https://blog.talosintelligence.com/threat-roundup-0106-0113/ SHA256: 2d3ae3b2189a6ad6436f046c4dc4e30509132e0a0ae08175a2299105f26277ca SHA1: 03bc03269cddb0498e7d84ecfbd0a99ceb2b042c MD5: 938195ae6a5ea077a43dccac2df43e0d
M23-M1018	LokiBot_307fee76	Mixed	This strike sends a malware sample known as LokiBot. Lokibot is an information-stealing malware designed to siphon off sensitive information stored on an infected device. It is modular in nature, supporting the ability to steal sensitive information from a number of popular applications. It is commonly pushed via malicious documents delivered via spam emails.	307fee76a6790b07f15db9f78204d0a7	https://blog.talosintelligence.com/threat-roundup-0113-0120/ SHA256: afa915e7174b5c3da177ea2bc6573248a00d173dfe8f2ff8e7667557a3bf699f SHA1: f6876b7d784f9ccebbb4f69b0142d0e35204a0e9 MD5: 307fee76a6790b07f15db9f78204d0a7
M23-M1005	TrickBot_04420a52	Windows	This strike sends a malware sample known as TrickBot. Trickbot is a banking trojan targeting sensitive information for select financial institutions. This malware is frequently distributed through malicious spam campaigns. Many of these campaigns rely on downloaders for distribution, such as VB Scripts.	04420a52469fa8c3dece0126fdeb7e80	https://blog.talosintelligence.com/threat-roundup-0106-0113/ SHA256: 5945310e811930231bf36f6d6d34af46bef97aa4d23e6adc1911772f7b0f8299 SHA1: 098c418b21529f470c2a0bf58e96fd727d8292cf MD5: 04420a52469fa8c3dece0126fdeb7e80
M23-M1062	LokiBot_f3821f00	Mixed	This strike sends a malware sample known as LokiBot. Lokibot is an information-stealing malware designed to siphon off sensitive information stored on an infected device. It is modular in nature, supporting the ability to steal sensitive information from a number of popular applications. It is commonly pushed via malicious documents delivered via spam emails.	f3821f00986bcfeae38622179fc49f5c	https://blog.talosintelligence.com/threat-roundup-0113-0120/ SHA256: 0096e380996a5c8896055aa0543c3f51bbebd5c1ea8178da1d67691a975cdbf7 SHA1: 7670312721cbc16da3655a5a08d62e876dc31aef MD5: f3821f00986bcfeae38622179fc49f5c
M23-M102c	Mimic_6a690a6b	Windows	This strike sends a malware sample known as Mimic. Mimic is a ransomware that abuses the APIs of the Everything tool to query files to be encrypted. It has the ability to delete shadow copies, disable Windows Defender, terminate applications and services and perform a variety of other functions.	6a690a6bf79312af5bebc814e99ea84a	https://nationalcybersecurity.com/new-mimic-ransomware-abuses-everything-apis-for-its-encryption-process-hacking-cybersecurity-infosec-comptia-pentest-ransomware/ SHA256: 9c16211296f88e12538792124b62eb00830d0961e9ab24b825edb61bda8f564f SHA1: c5506f0cd5ee99472e159cc2d0940ea98b8a5194 MD5: 6a690a6bf79312af5bebc814e99ea84a
M23-M1014	QuasarRAT_25e35c28	Windows	This strike sends a malware sample known as QuasarRAT. On Oct 2021 Cisco Talos detected a campaign targeting Afghanistan and India utilizing malicious RTF documents to deliver malware to its victims. This campaign used CVE-2017-11882, a vulnerability in Microsoft Office, to deliver QuasarRAT and dcRAT to Windows and AndroidRAT to mobile devices. This sample is QuasarRAT.	25e35c28e0212a5c1e6c177be4d48b1a	https://blog.talosintelligence.com/threat-roundup-0113-0120/ SHA256: e237afed733f19fb87d226904faa1f6b13a9279db2970aa9821bd7ba03a61487 SHA1: 2d7dce91567c39526f4edbf5ba5e1467c81cbc5e MD5: 25e35c28e0212a5c1e6c177be4d48b1a
M23-M1031	RedGoBot_75ade86d	Linux	This strike sends a malware sample known as RedGoBot. RedGoBot malware has recently been distributed in the wild via the exploitation of CVE 2021-35394. This malware is a DDoS botnet with the ability to execute remote commands on the operating system, terminate the bot client, and execute DDoS attacks on HTTP, ICMP, TCP, UDP, VSE, and OpenVPN protocols.	75ade86d5cb702c76576c587c167c451	https://unit42.paloaltonetworks.com/realtek-sdk-vulnerability/ SHA256: 1967370203138b9324f11c5cb3fd15ac8d2f0c585373486614600b676a4e2641 SHA1: c1700d081795b6770cb71eb79b3b3328253d2afe MD5: 75ade86d5cb702c76576c587c167c451
M23-M100c	Bifrost_188de6b9	Windows	This strike sends a malware sample known as Bifrost. Bifrost is a backdoor that allows a remote attacker, who uses the client, to execute arbitrary code on the compromised machine. It contains standard Remote Access Trojan capabilities including taking screenshots, camera monitoring, and keylogging.	188de6b94cd471e27fb24bae4ffddef1	https://blog.talosintelligence.com/threat-roundup-0106-0113/ SHA256: 7deb18fe91d5c043b06f0d7cb3894176b8eaf26b76f3cec14aae17bd91facb8a SHA1: d49122989aebc3bfb82a8345e939dee8a7ff5be6 MD5: 188de6b94cd471e27fb24bae4ffddef1
M23-M105a	RedGoBot_cd56bea3	Linux	This strike sends a malware sample known as RedGoBot. RedGoBot malware has recently been distributed in the wild via the exploitation of CVE 2021-35394. This malware is a DDoS botnet with the ability to execute remote commands on the operating system, terminate the bot client, and execute DDoS attacks on HTTP, ICMP, TCP, UDP, VSE, and OpenVPN protocols.	cd56bea395c994290ebc71cc1482dfe0	https://unit42.paloaltonetworks.com/realtek-sdk-vulnerability/ SHA256: ab3de77616b4d85f032a226da6c3629de4a8f1c1b4d32674c1bed30afb9419e1 SHA1: 25512b5f90f36e46ed427d6dfd53eca3600c9fb2 MD5: cd56bea395c994290ebc71cc1482dfe0
M23-M106b	Bifrost_d533aa9f	Windows	This strike sends a polymorphic malware sample known as Bifrost. Bifrost is a backdoor that allows a remote attacker, who uses the client, to execute arbitrary code on the compromised machine. It contains standard Remote Access Trojan capabilities including taking screenshots, camera monitoring, and keylogging.The binary has a new section added in the PE file format with random contents.	d533aa9f1d633528df82a69bb8c515ee	https://blog.talosintelligence.com/threat-roundup-0106-0113/ SHA256: a7fec5963c7704a3e802b727ad80e472489f4d4049f58bc095717d4b54a3e6f4 https://arxiv.org/abs/1801.08917 PARENTID: M23-M105c SSDEEP: 49152:pyhXtcUbUOP7XDW2W/QMrJTiovJLB8vrtr0B7dLz11dj:wqUbH7W4MFFBL+r0B7d/1zj SHA1: 47f41a4a8a66e3eff25f1c863b8a760918ce5446 MD5: d533aa9f1d633528df82a69bb8c515ee
M23-M1058	TrickBot_cb2d2ddd	Windows	This strike sends a malware sample known as TrickBot. Trickbot is a banking trojan targeting sensitive information for select financial institutions. This malware is frequently distributed through malicious spam campaigns. Many of these campaigns rely on downloaders for distribution, such as VB Scripts.	cb2d2ddd9ecaa9f1ca67275d244fc15b	https://blog.talosintelligence.com/threat-roundup-0106-0113/ SHA256: 5685ddcb62cd05ed44dd16b1e9004f1c63a5cd8965ccd19089a4fda044a48e81 SHA1: e3788e03d8918b0e7f8aede6b154790ee1c87c8e MD5: cb2d2ddd9ecaa9f1ca67275d244fc15b
M23-M1032	LokiBot_760b6e1b	Mixed	This strike sends a malware sample known as LokiBot. Lokibot is an information-stealing malware designed to siphon off sensitive information stored on an infected device. It is modular in nature, supporting the ability to steal sensitive information from a number of popular applications. It is commonly pushed via malicious documents delivered via spam emails.	760b6e1b06322fbe556f9ddf683b0389	https://blog.talosintelligence.com/threat-roundup-0113-0120/ SHA256: 400e675021818214d2779c38b2d77b457ef9956518cd812b53bc7f41ca228bca SHA1: 924ec928b6a0d1fd10fc2be6b346225cc2daf23f MD5: 760b6e1b06322fbe556f9ddf683b0389
M23-M101d	Bifrost_37c49bbd	Windows	This strike sends a malware sample known as Bifrost. Bifrost is a backdoor that allows a remote attacker, who uses the client, to execute arbitrary code on the compromised machine. It contains standard Remote Access Trojan capabilities including taking screenshots, camera monitoring, and keylogging.	37c49bbd0788943d753638da6ee74b69	https://blog.talosintelligence.com/threat-roundup-0106-0113/ SHA256: 48e01c9d590f702876d78f5c7eb7c6d1473174c062e34aafd496fbccfff530ba SHA1: d0f708f3b41548d6bbf396663bd0ec232575b8f5 MD5: 37c49bbd0788943d753638da6ee74b69
M23-M102d	Hook_6e886c71	Mixed	This strike sends a malware sample known as Hook. Hook is an Android RAT malware variant based off of the Ermac malware. Hook has the capability to manipulate files on the device as well as interact with the System's UI. This includes the ability to perform gestures, take screenshots, simulate clicks and keypresses, unlocking the device, scrolling, and clicking ui text elements.	6e886c71b9663012f6659f347790c979	https://www.threatfabric.com/blogs/hook-a-new-ermac-fork-with-rat-capabilities.html SHA256: c5996e7a701f1154b48f962d01d457f9b7e95d9c3dd9bbd6a8e083865d563622 SHA1: a072280867503e885a530663925b769513305f8c MD5: 6e886c71b9663012f6659f347790c979
M23-M1050	Mimic_bc78159e	Windows	This strike sends a malware sample known as Mimic. Mimic is a ransomware that abuses the APIs of the Everything tool to query files to be encrypted. It has the ability to delete shadow copies, disable Windows Defender, terminate applications and services and perform a variety of other functions.	bc78159e7368ca429fcba29e97fc4da6	https://nationalcybersecurity.com/new-mimic-ransomware-abuses-everything-apis-for-its-encryption-process-hacking-cybersecurity-infosec-comptia-pentest-ransomware/ SHA256: b0c75e92e1fe98715f90b29475de998d0c8c50ca80ce1c141fc09d10a7b8e7ee SHA1: 91a1dde54c98703695ca1eafb98dbc6fdcb88f01 MD5: bc78159e7368ca429fcba29e97fc4da6
M23-M104c	LokiBot_b18fd4de	Mixed	This strike sends a malware sample known as LokiBot. Lokibot is an information-stealing malware designed to siphon off sensitive information stored on an infected device. It is modular in nature, supporting the ability to steal sensitive information from a number of popular applications. It is commonly pushed via malicious documents delivered via spam emails.	b18fd4de724718b8d1fa887d94731da4	https://blog.talosintelligence.com/threat-roundup-0113-0120/ SHA256: 86fdff90584064c135a98f05986da5a03bd67abe414f1d8f5fbdbf4249430019 SHA1: 97377a93c7fe211badd89a8a3f6ac46e85ae1926 MD5: b18fd4de724718b8d1fa887d94731da4
M23-M1060	Bifrost_ed5c7775	Windows	This strike sends a malware sample known as Bifrost. Bifrost is a backdoor that allows a remote attacker, who uses the client, to execute arbitrary code on the compromised machine. It contains standard Remote Access Trojan capabilities including taking screenshots, camera monitoring, and keylogging.	ed5c777571ca660b7d1eaaac12db6e17	https://blog.talosintelligence.com/threat-roundup-0106-0113/ SHA256: c4736cc96c32c48fb86a39d47b5732dc3171f71c0d48033cb1d4c9e62f0b08ea SHA1: ca0251c4fd35d77657785c06bc4f2e910ec72e59 MD5: ed5c777571ca660b7d1eaaac12db6e17
M23-M1019	TrickBot_31990c04	Windows	This strike sends a malware sample known as TrickBot. Trickbot is a banking trojan targeting sensitive information for select financial institutions. This malware is frequently distributed through malicious spam campaigns. Many of these campaigns rely on downloaders for distribution, such as VB Scripts.	31990c046c8824f192b49b2f9738265e	https://blog.talosintelligence.com/threat-roundup-0106-0113/ SHA256: a3c04866cc1b9024efa30842042f2e50337a6cdb7a77776784ad25e322cf93d7 SHA1: 47fd5b432f7cb7c21fc64e1ee5cd3971e793588e MD5: 31990c046c8824f192b49b2f9738265e
M23-M1007	TrickBot_0f28b837	Windows	This strike sends a malware sample known as TrickBot. Trickbot is a banking trojan targeting sensitive information for select financial institutions. This malware is frequently distributed through malicious spam campaigns. Many of these campaigns rely on downloaders for distribution, such as VB Scripts.	0f28b837de3e1ad653052a6c459683a4	https://blog.talosintelligence.com/threat-roundup-0106-0113/ SHA256: 529883d5b3a9935f3863fcf277ed10086645b2c94e0363276358cd2af9dc5dc1 SHA1: a232eabd34e11059d8cb1ede6778a4ca3473a100 MD5: 0f28b837de3e1ad653052a6c459683a4
M23-M102e	Bifrost_70fa85a1	Windows	This strike sends a malware sample known as Bifrost. Bifrost is a backdoor that allows a remote attacker, who uses the client, to execute arbitrary code on the compromised machine. It contains standard Remote Access Trojan capabilities including taking screenshots, camera monitoring, and keylogging.	70fa85a168782ac467530d7d3dbf5cda	https://blog.talosintelligence.com/threat-roundup-0106-0113/ SHA256: 288990debffcd3adb7af4e84c86f83e49f1c3726b95f61bf84fded46fbd74a77 SHA1: 326f6a12e6e8b61e7c62f5f1987022d7d2089dcd MD5: 70fa85a168782ac467530d7d3dbf5cda
M23-M1039	LokiBot_8caa05af	Mixed	This strike sends a malware sample known as LokiBot. Lokibot is an information-stealing malware designed to siphon off sensitive information stored on an infected device. It is modular in nature, supporting the ability to steal sensitive information from a number of popular applications. It is commonly pushed via malicious documents delivered via spam emails.	8caa05af7060f02bab07ccfba6ac42d6	https://blog.talosintelligence.com/threat-roundup-0113-0120/ SHA256: 9d6fcf6155af47fbacddd1f7feb457dc919f1ee29f3d28cc30f3c9c437ee516a SHA1: 76c26e775a07e6e4c08be329e8062a901cff4d76 MD5: 8caa05af7060f02bab07ccfba6ac42d6
M23-M1022	TrickBot_453434b7	Windows	This strike sends a malware sample known as TrickBot. Trickbot is a banking trojan targeting sensitive information for select financial institutions. This malware is frequently distributed through malicious spam campaigns. Many of these campaigns rely on downloaders for distribution, such as VB Scripts.	453434b724aeda596439430b12982cdd	https://blog.talosintelligence.com/threat-roundup-0106-0113/ SHA256: b29afa8695161d81edf54df2f6c36c02bb81fdd109f0000b106cbafe4bcd27a5 SHA1: f07d0fca4d9cc752783814926b0405d5b9a55d3f MD5: 453434b724aeda596439430b12982cdd
M23-M1065	RedGoBot_fad7f107	Linux	This strike sends a malware sample known as RedGoBot. RedGoBot malware has recently been distributed in the wild via the exploitation of CVE 2021-35394. This malware is a DDoS botnet with the ability to execute remote commands on the operating system, terminate the bot client, and execute DDoS attacks on HTTP, ICMP, TCP, UDP, VSE, and OpenVPN protocols.	fad7f1073fe267fca24927b626afaa1f	https://unit42.paloaltonetworks.com/realtek-sdk-vulnerability/ SHA256: a877b4e71c8f2f4ab6915cbe8c57c82ac12331e183f7cbda2de4dc3780a50379 SHA1: 09d59754d02fcbfcc95867f1a40fa526dec1120f MD5: fad7f1073fe267fca24927b626afaa1f
M23-M1037	TrickBot_894c0150	Windows	This strike sends a malware sample known as TrickBot. Trickbot is a banking trojan targeting sensitive information for select financial institutions. This malware is frequently distributed through malicious spam campaigns. Many of these campaigns rely on downloaders for distribution, such as VB Scripts.	894c0150be02cd78f839f56434f1912b	https://blog.talosintelligence.com/threat-roundup-0106-0113/ SHA256: 2ea0fc4ce00afe714122a10fb44e4f8115724e56c88654b2c0bd0dd952db6b1a SHA1: 9679e9b5704e25a8012f870ab4666d8697448d10 MD5: 894c0150be02cd78f839f56434f1912b
M23-M1002	Godfather_87cc15	Android	This strike sends an Android malware sample known as Pegasus. It is a spyware developed by the NSO group which exfiltrates data from installed social media apps, steals stored credentials, takes screenshots, photos and many more malicious activities. NOTE: The APK samples have been signed with custom certificates.	f1a6be3f6129e96331d1e5484bf0a625	https://cybergeeks.tech/a-technical-analysis-of-pegasus-for-android-part-1/ https://info.lookout.com/rs/051-ESQ-475/images/lookout-pegasus-technical-analysis.pdf https://android-developers.googleblog.com/2017/04/an-investigation-of-chrysaor-malware-on.html SHA256: f26c0df227b4e0dcc275146066913cd9f32b51a2ba40258539eab86ef8e03cea PARENTID: M23-M1035 SSDEEP: 6144:le2dp/Ant/PYz9lHNKcE13N356verQ6rKFEslscz5+:l3/EYvtXE13p56v56rMhN+ SHA1: d698a11ecb4d4c716965659db320e2b959c484ac MD5: f1a6be3f6129e96331d1e5484bf0a625
M23-M1020	Bifrost_414a5427	Windows	This strike sends a malware sample known as Bifrost. Bifrost is a backdoor that allows a remote attacker, who uses the client, to execute arbitrary code on the compromised machine. It contains standard Remote Access Trojan capabilities including taking screenshots, camera monitoring, and keylogging.	414a5427b5d510b7f1eaf3c79c95e591	https://blog.talosintelligence.com/threat-roundup-0106-0113/ SHA256: 4ce9d9c4d2bb24b5e1f2c7429f2fcd04096ee3038cf7bf3f1ec33d040a4e37fc SHA1: 9b063137b108dd68b7c25814f7a2ea66424235d0 MD5: 414a5427b5d510b7f1eaf3c79c95e591
M23-M101b	LokiBot_3270fa89	Mixed	This strike sends a malware sample known as LokiBot. Lokibot is an information-stealing malware designed to siphon off sensitive information stored on an infected device. It is modular in nature, supporting the ability to steal sensitive information from a number of popular applications. It is commonly pushed via malicious documents delivered via spam emails.	3270fa8988eb62bdb1c08a04543a6fb9	https://blog.talosintelligence.com/threat-roundup-0113-0120/ SHA256: 07417c9975e6ada913ab62a1338ea1df45800d5eca0c73de33d1f53a72973bc6 SHA1: 249dc09dceee2a03d725d251a490687bfe8934c3 MD5: 3270fa8988eb62bdb1c08a04543a6fb9
M23-M104f	Mimic_b92a2606	Windows	This strike sends a malware sample known as Mimic. Mimic is a ransomware that abuses the APIs of the Everything tool to query files to be encrypted. It has the ability to delete shadow copies, disable Windows Defender, terminate applications and services and perform a variety of other functions.	b92a26068ba3653d8ec491f9702843e7	https://nationalcybersecurity.com/new-mimic-ransomware-abuses-everything-apis-for-its-encryption-process-hacking-cybersecurity-infosec-comptia-pentest-ransomware/ SHA256: a1eeeeae0eb365ff9a00717846c4806785d55ed20f3f5cbf71cf6710d7913c51 SHA1: eab1f025c6034d53466a8a9428d45008282591cc MD5: b92a26068ba3653d8ec491f9702843e7
M23-M105b	TrickBot_d13ec5ad	Windows	This strike sends a malware sample known as TrickBot. Trickbot is a banking trojan targeting sensitive information for select financial institutions. This malware is frequently distributed through malicious spam campaigns. Many of these campaigns rely on downloaders for distribution, such as VB Scripts.	d13ec5adc0dae7eb5a0d6cd4fde38af7	https://blog.talosintelligence.com/threat-roundup-0106-0113/ SHA256: 3fd4e4bc06b0c735ecb690e317fd0954b0b9011e6e32980e04af7611b938ec2c SHA1: 35fe1c3acb11c87edb55ca98c74de164c27b18a2 MD5: d13ec5adc0dae7eb5a0d6cd4fde38af7
M23-M1048	RedGoBot_aaee43e6	Linux	This strike sends a malware sample known as RedGoBot. RedGoBot malware has recently been distributed in the wild via the exploitation of CVE 2021-35394. This malware is a DDoS botnet with the ability to execute remote commands on the operating system, terminate the bot client, and execute DDoS attacks on HTTP, ICMP, TCP, UDP, VSE, and OpenVPN protocols.	aaee43e63d5a3abd70ffa774a16c816e	https://unit42.paloaltonetworks.com/realtek-sdk-vulnerability/ SHA256: 26e96945ee32199536d4c85124a24c28e853b557eb31f3907d19f08b9798dff4 SHA1: 68ec5f83bf5cff8c0af67a175a617b0f577ff557 MD5: aaee43e63d5a3abd70ffa774a16c816e
M23-M1061	TrickBot_ee5900ed	Windows	This strike sends a malware sample known as TrickBot. Trickbot is a banking trojan targeting sensitive information for select financial institutions. This malware is frequently distributed through malicious spam campaigns. Many of these campaigns rely on downloaders for distribution, such as VB Scripts.	ee5900ed3a23bdfe1e47da24b856d1a6	https://blog.talosintelligence.com/threat-roundup-0106-0113/ SHA256: 25e7e21526add1508c644c31cbbffd221068779ed6fb1bae751a9a70c6133fd3 SHA1: 5df0a1fb6d3126ba1648e3da462e7ad198315fb4 MD5: ee5900ed3a23bdfe1e47da24b856d1a6
M23-M1042	RedGoBot_9dcc0ab0	Linux	This strike sends a malware sample known as RedGoBot. RedGoBot malware has recently been distributed in the wild via the exploitation of CVE 2021-35394. This malware is a DDoS botnet with the ability to execute remote commands on the operating system, terminate the bot client, and execute DDoS attacks on HTTP, ICMP, TCP, UDP, VSE, and OpenVPN protocols.	9dcc0ab0ecc5ece11a70d465dcd9b56b	https://unit42.paloaltonetworks.com/realtek-sdk-vulnerability/ SHA256: 78953c71318fb93fa90607039bceb48f2746a8abfa3a9a8914c8fdc48ebf55df SHA1: 99d404d04484d91debae40cf54549af7df51bc35 MD5: 9dcc0ab0ecc5ece11a70d465dcd9b56b
M23-M103f	TrickBot_976b666c	Windows	This strike sends a malware sample known as TrickBot. Trickbot is a banking trojan targeting sensitive information for select financial institutions. This malware is frequently distributed through malicious spam campaigns. Many of these campaigns rely on downloaders for distribution, such as VB Scripts.	976b666c2834842fa07d6ffaddafe98c	https://blog.talosintelligence.com/threat-roundup-0106-0113/ SHA256: 6f5394ad933af9c28c7eefc6c62eead20d8e3ecf5ebe40b10d81f74d96d1dfe1 SHA1: 37d6bf1798cefa54d3deff4ca8cb4f56c75df73d MD5: 976b666c2834842fa07d6ffaddafe98c
M23-M1034	LokiBot_77393a98	Mixed	This strike sends a malware sample known as LokiBot. Lokibot is an information-stealing malware designed to siphon off sensitive information stored on an infected device. It is modular in nature, supporting the ability to steal sensitive information from a number of popular applications. It is commonly pushed via malicious documents delivered via spam emails.	77393a984431fb546e97beb9d0e060b3	https://blog.talosintelligence.com/threat-roundup-0113-0120/ SHA256: c2745c75eefa6867cce4cc61d89d306810370e0958a550d039c5935e7012de71 SHA1: 7df5f02e8ab51b3bbe6de0713b7a84345cdc3370 MD5: 77393a984431fb546e97beb9d0e060b3
M23-M1038	Bifrost_8b220453	Windows	This strike sends a malware sample known as Bifrost. Bifrost is a backdoor that allows a remote attacker, who uses the client, to execute arbitrary code on the compromised machine. It contains standard Remote Access Trojan capabilities including taking screenshots, camera monitoring, and keylogging.	8b220453ce856f3709cd80beeae503b2	https://blog.talosintelligence.com/threat-roundup-0106-0113/ SHA256: 6b11b23dbbc86681e47b0aa7e8406d7782e790ee187020e46762312c4cc8b9a8 SHA1: 8ed550b8c34d38519a0db63db207dcd444dfafbd MD5: 8b220453ce856f3709cd80beeae503b2
M23-M1012	Hook_21d8304c	Mixed	This strike sends a malware sample known as Hook. Hook is an Android RAT malware variant based off of the Ermac malware. Hook has the capability to manipulate files on the device as well as interact with the System's UI. This includes the ability to perform gestures, take screenshots, simulate clicks and keypresses, unlocking the device, scrolling, and clicking ui text elements.	21d8304cb6e169db00d6f19d346e4152	https://www.threatfabric.com/blogs/hook-a-new-ermac-fork-with-rat-capabilities.html SHA256: 768b561d0a9fa3c6078b3199b1ef42272cac6a47ba01999c1f67c9b548a0bc15 SHA1: a3c42b97d23f799ff2237a1326e172f9663ef136 MD5: 21d8304cb6e169db00d6f19d346e4152
M23-M1026	TrickBot_5cc6f3d0	Windows	This strike sends a malware sample known as TrickBot. Trickbot is a banking trojan targeting sensitive information for select financial institutions. This malware is frequently distributed through malicious spam campaigns. Many of these campaigns rely on downloaders for distribution, such as VB Scripts.	5cc6f3d095282971693e9a7c1ea3c1d3	https://blog.talosintelligence.com/threat-roundup-0106-0113/ SHA256: 25f2be22535798e48ea2b92c08da3e62f15569f1f67bc45889d7dc403a2c5bf8 SHA1: 44ee5391a43dc53190a51422405b02326610a7f7 MD5: 5cc6f3d095282971693e9a7c1ea3c1d3
M23-M1059	TrickBot_cce5afd9	Windows	This strike sends a malware sample known as TrickBot. Trickbot is a banking trojan targeting sensitive information for select financial institutions. This malware is frequently distributed through malicious spam campaigns. Many of these campaigns rely on downloaders for distribution, such as VB Scripts.	cce5afd9929ee07858713d32e86253c2	https://blog.talosintelligence.com/threat-roundup-0106-0113/ SHA256: aceca08c357c2da59b3a311c8b3199ac1d7d903c03c14b6f35f84d77b76c4764 SHA1: e8370bdcba7f165eeccc065a072e6e07e3b27d35 MD5: cce5afd9929ee07858713d32e86253c2
M23-M1009	Bifrost_11ac73b0	Windows	This strike sends a malware sample known as Bifrost. Bifrost is a backdoor that allows a remote attacker, who uses the client, to execute arbitrary code on the compromised machine. It contains standard Remote Access Trojan capabilities including taking screenshots, camera monitoring, and keylogging.	11ac73b0ffdf22b9b329bfddf215ed83	https://blog.talosintelligence.com/threat-roundup-0106-0113/ SHA256: e9bf3013a7a3985eb4c658e8973147c70770e96edb70b12faa77ea469312d0bd SHA1: 4a263e53fe484ef7de4da41230432bf5019dd634 MD5: 11ac73b0ffdf22b9b329bfddf215ed83
M23-M1053	LokiBot_c1cb29e7	Mixed	This strike sends a malware sample known as LokiBot. Lokibot is an information-stealing malware designed to siphon off sensitive information stored on an infected device. It is modular in nature, supporting the ability to steal sensitive information from a number of popular applications. It is commonly pushed via malicious documents delivered via spam emails.	c1cb29e7ba19799e20fae14ffa698418	https://blog.talosintelligence.com/threat-roundup-0113-0120/ SHA256: 067c2a2f4c8344f55cae9cc1c6ba03324a4cc99ae5facd672d100c71f64233e0 SHA1: f110beaef6f2e5087e5d5accfa393699aa14fd6a MD5: c1cb29e7ba19799e20fae14ffa698418
M23-M1006	RedGoBot_0c817d83	Linux	This strike sends a malware sample known as RedGoBot. RedGoBot malware has recently been distributed in the wild via the exploitation of CVE 2021-35394. This malware is a DDoS botnet with the ability to execute remote commands on the operating system, terminate the bot client, and execute DDoS attacks on HTTP, ICMP, TCP, UDP, VSE, and OpenVPN protocols.	0c817d839e014ceb4350e6989ac85b08	https://unit42.paloaltonetworks.com/realtek-sdk-vulnerability/ SHA256: 57d39a6a88093c9e1fbc1626105d714be92680bdf666279b7663bcaaf7fa7e6e SHA1: 5d688fdecfced32f3fd903831353211e354074bb MD5: 0c817d839e014ceb4350e6989ac85b08
M23-M1023	TrickBot_4c44ea21	Windows	This strike sends a malware sample known as TrickBot. Trickbot is a banking trojan targeting sensitive information for select financial institutions. This malware is frequently distributed through malicious spam campaigns. Many of these campaigns rely on downloaders for distribution, such as VB Scripts.	4c44ea21b98a995fb9cb39f485a80fea	https://blog.talosintelligence.com/threat-roundup-0106-0113/ SHA256: 723bc475c228b18acec71d248f9b79b189fa8a84d6685ea5b4b42cba55a7c9ab SHA1: 8a3861afd5064917c07e70d9dcc3a4414f7d9fba MD5: 4c44ea21b98a995fb9cb39f485a80fea
M23-M103c	Mimic_8fb35a35	Windows	This strike sends a malware sample known as Mimic. Mimic is a ransomware that abuses the APIs of the Everything tool to query files to be encrypted. It has the ability to delete shadow copies, disable Windows Defender, terminate applications and services and perform a variety of other functions.	8fb35a353978f59bd81e1e605855965e	https://nationalcybersecurity.com/new-mimic-ransomware-abuses-everything-apis-for-its-encryption-process-hacking-cybersecurity-infosec-comptia-pentest-ransomware/ SHA256: b68f469ed8d9deea15af325efc1a56ca8cb5c2b42f2423837a51160456ce0db5 SHA1: 66a1ca952cc666eceea66726191889e55b25b0eb MD5: 8fb35a353978f59bd81e1e605855965e
M23-M1045	Mimic_a16b5846	Windows	This strike sends a malware sample known as Mimic. Mimic is a ransomware that abuses the APIs of the Everything tool to query files to be encrypted. It has the ability to delete shadow copies, disable Windows Defender, terminate applications and services and perform a variety of other functions.	a16b58464d8874f358687c49e5d06806	https://nationalcybersecurity.com/new-mimic-ransomware-abuses-everything-apis-for-its-encryption-process-hacking-cybersecurity-infosec-comptia-pentest-ransomware/ SHA256: 7ae4c5caf6cda7fa8862f64a74bd7f821b50d855d6403bde7bcbd7398b2c7d99 SHA1: 9211f875714e8e0c9ad073eab7e16b9b0e34bf3e MD5: a16b58464d8874f358687c49e5d06806
M23-M1040	LokiBot_9a53b56a	Mixed	This strike sends a malware sample known as LokiBot. Lokibot is an information-stealing malware designed to siphon off sensitive information stored on an infected device. It is modular in nature, supporting the ability to steal sensitive information from a number of popular applications. It is commonly pushed via malicious documents delivered via spam emails.	9a53b56adecec33768f427031a3e068d	https://blog.talosintelligence.com/threat-roundup-0113-0120/ SHA256: 80bfd5671a9013cc4ba919582612f6d16076e0663990572188093e61ae40e2bd SHA1: 4ef5fdf9584ba21a16ddb2dd01aef99b81bf4307 MD5: 9a53b56adecec33768f427031a3e068d
M23-M1013	LokiBot_24b1096d	Mixed	This strike sends a malware sample known as LokiBot. Lokibot is an information-stealing malware designed to siphon off sensitive information stored on an infected device. It is modular in nature, supporting the ability to steal sensitive information from a number of popular applications. It is commonly pushed via malicious documents delivered via spam emails.	24b1096dc92c31d5a7e6328520e108e7	https://blog.talosintelligence.com/threat-roundup-0113-0120/ SHA256: 3e8d8210b9d681c89f5df122c1598d4117b0c1843b706f7525039b5ba37f96af SHA1: cb9ba92dcfe4817606b8af95305d95dd1de604c3 MD5: 24b1096dc92c31d5a7e6328520e108e7
M23-M1036	Bifrost_84932775	Windows	This strike sends a malware sample known as Bifrost. Bifrost is a backdoor that allows a remote attacker, who uses the client, to execute arbitrary code on the compromised machine. It contains standard Remote Access Trojan capabilities including taking screenshots, camera monitoring, and keylogging.	84932775991cc72e5e11f92dd8556fd6	https://blog.talosintelligence.com/threat-roundup-0106-0113/ SHA256: 78684bb61de2e43084294d8e38974d3e5150174fe5f0282c40ef701d5d621ab7 SHA1: 375290f9ebe5695c1869be4d5cadff2962bf3c9d MD5: 84932775991cc72e5e11f92dd8556fd6
M23-M1035	Godfather_7e061e87	Mixed	This strike sends a malware sample known as Godfather. This strike sends an Android malware sample known as Godfather. It is a trojan which affected 400 banking and crypto applications. It is a successor to the Anubis malware which performs its C2 communication over telegram and does malicious activities like screen recording, exfiltrates push notifications for bypassing 2FA, forwards calls etc. The included sample poses as the Google Play Protect app.	7e061e87f9a4c27bfb69980980270720	https://thehackernews.com/2022/12/godfather-android-banking-trojan.html https://www.group-ib.com/blog/godfather-trojan/ SHA256: b6249fa996cb4046bdab37bab5e3b4d43c79ea537f119040c3b3e138149897fd SHA1: 34d37927b35f422e7c28055ea989ef6524a668ef MD5: 7e061e87f9a4c27bfb69980980270720
M23-M1016	QuasarRAT_2aa82aa4	Windows	This strike sends a malware sample known as QuasarRAT. On Oct 2021 Cisco Talos detected a campaign targeting Afghanistan and India utilizing malicious RTF documents to deliver malware to its victims. This campaign used CVE-2017-11882, a vulnerability in Microsoft Office, to deliver QuasarRAT and dcRAT to Windows and AndroidRAT to mobile devices. This sample is QuasarRAT.	2aa82aa4c787c4f6299a22767d2ead47	https://blog.talosintelligence.com/threat-roundup-0113-0120/ SHA256: ceecc1833d5bd98f7377e20514c3574e5e7baa11462fb952be29b2d7d2be10af SHA1: 08ac2ac3c0dd008b7aa31c68f4ededa2a37c7b81 MD5: 2aa82aa4c787c4f6299a22767d2ead47
M23-M1004	Mimic_01ff843b	Windows	This strike sends a malware sample known as Mimic. Mimic is a ransomware that abuses the APIs of the Everything tool to query files to be encrypted. It has the ability to delete shadow copies, disable Windows Defender, terminate applications and services and perform a variety of other functions.	01ff843b385a9e4d58e4a892fda02fd5	https://nationalcybersecurity.com/new-mimic-ransomware-abuses-everything-apis-for-its-encryption-process-hacking-cybersecurity-infosec-comptia-pentest-ransomware/ SHA256: 30f2fe10229863c57d9aab97ec8b7a157ad3ff9ab0b2110bbb4859694b56923f SHA1: 233dae8cdb91e030d792d510eaebadb4a4f5a329 MD5: 01ff843b385a9e4d58e4a892fda02fd5