M23-M102b | LokiBot_64af1511 | Mixed |
This strike sends a malware sample known as LokiBot. LokiBot is an information-stealing malware designed to siphon off sensitive information stored on an infected device. It is modular in nature, supporting the ability to steal sensitive information from a number of popular applications. It is commonly pushed via malicious documents delivered in spam emails. | 64af151191f5d60b7ace7a8cb31e7948 | https://blog.talosintelligence.com/threat-roundup-0113-0120/ | SHA256: 7b34fede01164a6602eccc2e71a58535a8e484562fe634c82fcf87256f951bcd | SHA1: 82c8c29ab11837559b42a7565e6fa14668dc9ece | MD5: 64af151191f5d60b7ace7a8cb31e7948 |
M23-M105d | Mimic_db21ed7d | Windows |
This strike sends a malware sample known as Mimic. Mimic is a ransomware that abuses the APIs of the Everything file-search tool to query for files to encrypt. It has the ability to delete shadow copies, disable Windows Defender, terminate applications and services, and perform a variety of other functions. | db21ed7d19149a615d7432aca9c8f6ca | https://nationalcybersecurity.com/new-mimic-ransomware-abuses-everything-apis-for-its-encryption-process-hacking-cybersecurity-infosec-comptia-pentest-ransomware/ | SHA256: 08f8ae7f25949a742c7896cb76e37fb88c6a7a32398693ec6c2b3d9b488114be | SHA1: 4137739d48996b0d9efd7bfbb5db50219ac4aeb0 | MD5: db21ed7d19149a615d7432aca9c8f6ca |
M23-M1068 | TrickBot_274eb07e | Windows |
This strike sends a polymorphic malware sample known as TrickBot. TrickBot is a banking trojan targeting sensitive information for select financial institutions. This malware is frequently distributed through malicious spam campaigns. Many of these campaigns rely on downloaders, such as VB scripts, for distribution. The binary has the checksum removed in the PE file format. | 274eb07e2600acd6a62a508675ab6e09 | https://blog.talosintelligence.com/threat-roundup-0106-0113/ | https://arxiv.org/abs/1801.08917 | SHA256: fbf2ae15b2d031bbdcdd64bab66b816e91a37ebfcd335af4bbc09950aa4877f7 | PARENTID: M23-M1022 | SSDEEP: 12288:vtkrisgles3JreuHMa+1TSX690cPSAOLuKjdCLS6U10ODk:vORs3JVHs1TSX69TPZguhUO | SHA1: 7289424edd7ce4860e0ed42ed3a5faeb9d7fae1c | MD5: 274eb07e2600acd6a62a508675ab6e09 |
M23-M1054 | LokiBot_c2d963dd | Mixed |
This strike sends a malware sample known as LokiBot. LokiBot is an information-stealing malware designed to siphon off sensitive information stored on an infected device. It is modular in nature, supporting the ability to steal sensitive information from a number of popular applications. It is commonly pushed via malicious documents delivered in spam emails. | c2d963dd959c1634e35bc1ccc1292174 | https://blog.talosintelligence.com/threat-roundup-0113-0120/ | SHA256: e89082a08c246ba8e4bffb9ddb127a2ee24cef652e4b0a8772ad22d376a82eb7 | SHA1: 15f2175cf6d237480b695097822186077fa6c7d2 | MD5: c2d963dd959c1634e35bc1ccc1292174 |
M23-M1025 | Hook_54d7ec1e | Mixed |
This strike sends a malware sample known as Hook. Hook is an Android RAT variant based on the Ermac malware. Hook has the capability to manipulate files on the device as well as interact with the system's UI. This includes the ability to perform gestures, take screenshots, simulate clicks and keypresses, unlock the device, scroll, and click UI text elements. | 54d7ec1e7d5f8f2884281cdafabae3c0 | https://www.threatfabric.com/blogs/hook-a-new-ermac-fork-with-rat-capabilities.html | SHA256: 55533397f32e960bdc78d74f76c3b62b57f881c4554dff01e7f9e077653f47b2 | SHA1: 2253f3c96dd24d64cd29dccdbf69b26ed84d46d6 | MD5: 54d7ec1e7d5f8f2884281cdafabae3c0 |
M23-M105f | QuasarRAT_e48ac0ab | Windows |
This strike sends a malware sample known as QuasarRAT. In October 2021 Cisco Talos detected a campaign targeting Afghanistan and India that used malicious RTF documents to deliver malware to its victims. This campaign used CVE-2017-11882, a vulnerability in Microsoft Office, to deliver QuasarRAT and dcRAT to Windows systems and AndroidRAT to mobile devices. This sample is QuasarRAT. | e48ac0ab19c5b5599c45e9846fffb1de | https://blog.talosintelligence.com/threat-roundup-0113-0120/ | SHA256: c37ff695876f126cc4f6b627a54f2a0bfd68983243b87d8e078143609c26f6a1 | SHA1: cfac2c834e7c28ad2e688464ea9636c96949649f | MD5: e48ac0ab19c5b5599c45e9846fffb1de |
M23-M1028 | QuasarRAT_5d6f4a17 | Windows |
This strike sends a malware sample known as QuasarRAT. In October 2021 Cisco Talos detected a campaign targeting Afghanistan and India that used malicious RTF documents to deliver malware to its victims. This campaign used CVE-2017-11882, a vulnerability in Microsoft Office, to deliver QuasarRAT and dcRAT to Windows systems and AndroidRAT to mobile devices. This sample is QuasarRAT. | 5d6f4a17539d84e07f978f808ceb877f | https://blog.talosintelligence.com/threat-roundup-0113-0120/ | SHA256: 53b741a52f88d7e0f01dd4f5bcffac6882668922a45ecb1bc2e7275778afd599 | SHA1: a186392695be394a1a81e4b8ed2046cfc3333077 | MD5: 5d6f4a17539d84e07f978f808ceb877f |
M23-M1049 | Mimic_ac34ba84 | Windows |
This strike sends a malware sample known as Mimic. Mimic is a ransomware that abuses the APIs of the Everything file-search tool to query for files to encrypt. It has the ability to delete shadow copies, disable Windows Defender, terminate applications and services, and perform a variety of other functions. | ac34ba84a5054cd701efad5dd14645c9 | https://nationalcybersecurity.com/new-mimic-ransomware-abuses-everything-apis-for-its-encryption-process-hacking-cybersecurity-infosec-comptia-pentest-ransomware/ | SHA256: c576f7f55c4c0304b290b15e70a638b037df15c69577cd6263329c73416e490e | SHA1: dc74a9fd5560b7c7a0fc9d183de9d676e92b9e8b | MD5: ac34ba84a5054cd701efad5dd14645c9 |
M23-M1066 | RedGoBot_fd1facf3 | Linux |
This strike sends a malware sample known as RedGoBot. RedGoBot has recently been distributed in the wild via exploitation of CVE-2021-35394. This malware is a DDoS botnet with the ability to execute remote commands on the operating system, terminate the bot client, and launch DDoS attacks over the HTTP, ICMP, TCP, UDP, VSE, and OpenVPN protocols. | fd1facf3a3fca0fd6108bbbe98f8d5fd | https://unit42.paloaltonetworks.com/realtek-sdk-vulnerability/ | SHA256: 78b55d3f1b34f1154a28ce4fc855252bc3104a07944053facf6acce9195b2e77 | SHA1: 2621278450f3eba6f67904f23e05f69b7871b49a | MD5: fd1facf3a3fca0fd6108bbbe98f8d5fd |
M23-M1067 | TrickBot_26b8e67b | Windows |
This strike sends a polymorphic malware sample known as TrickBot. TrickBot is a banking trojan targeting sensitive information for select financial institutions. This malware is frequently distributed through malicious spam campaigns. Many of these campaigns rely on downloaders, such as VB scripts, for distribution. The binary has random contents appended to one of the existing sections in the PE file format. | 26b8e67bbce94745b87a541c867f9ee8 | https://blog.talosintelligence.com/threat-roundup-0106-0113/ | https://arxiv.org/abs/1801.08917 | SHA256: 93922900eebc3f7e4002209ef5a2843ec6e694ae56763811f9511179cf77e327 | PARENTID: M23-M1059 | SSDEEP: 24576:mORs3JVHs1TSX69TPZguhU9B69TPZguhUKB69TPZguhUK:5mHs1TSX61PZgXB61PZgEB61PZgE | SHA1: 9576226648a4f68d12d7db18bbec22cc42a6d3ab | MD5: 26b8e67bbce94745b87a541c867f9ee8 |
M23-M1027 | TrickBot_5d3242c3 | Windows |
This strike sends a malware sample known as TrickBot. TrickBot is a banking trojan targeting sensitive information for select financial institutions. This malware is frequently distributed through malicious spam campaigns. Many of these campaigns rely on downloaders, such as VB scripts, for distribution. | 5d3242c30060c66a18c7760adf582841 | https://blog.talosintelligence.com/threat-roundup-0106-0113/ | SHA256: 87ff71bee735095c209afefc60cda504cc77acc50fc4ba31d756c9ea4c853a89 | SHA1: 1030d57043f93ed3e3a8fa6e0976f52c4b012628 | MD5: 5d3242c30060c66a18c7760adf582841 |
M23-M1021 | LokiBot_44fc10c3 | Mixed |
This strike sends a malware sample known as LokiBot. LokiBot is an information-stealing malware designed to siphon off sensitive information stored on an infected device. It is modular in nature, supporting the ability to steal sensitive information from a number of popular applications. It is commonly pushed via malicious documents delivered in spam emails. | 44fc10c3b6cc2f42d2dacd19f9219915 | https://blog.talosintelligence.com/threat-roundup-0113-0120/ | SHA256: b7062983e7667a1b86c1bd1123bc3aac29b7a8200b079c9bc4b566dd1c7ee44d | SHA1: c601f9d1993c4e5b2902571780ec5ff3ac220cfa | MD5: 44fc10c3b6cc2f42d2dacd19f9219915 |
M23-M1057 | TrickBot_cad58112 | Windows |
This strike sends a malware sample known as TrickBot. TrickBot is a banking trojan targeting sensitive information for select financial institutions. This malware is frequently distributed through malicious spam campaigns. Many of these campaigns rely on downloaders, such as VB scripts, for distribution. | cad58112e7a1cd4ea253505762e33199 | https://blog.talosintelligence.com/threat-roundup-0106-0113/ | SHA256: 4038edea39f0d2c4155b1917759beca2f9fc8150a48d7e06a1b3e7b9b72652ae | SHA1: 6865495f55b005df1d58d52afaa428358bf9c850 | MD5: cad58112e7a1cd4ea253505762e33199 |
M23-M1069 | Bifrost_31d773b4 | Windows |
This strike sends a polymorphic malware sample known as Bifrost. Bifrost is a backdoor that allows a remote attacker, using the client, to execute arbitrary code on the compromised machine. It contains standard Remote Access Trojan capabilities including taking screenshots, camera monitoring, and keylogging. The binary has random strings (lorem ipsum) appended at the end of the file. | 31d773b42bd89af8689182e72170cbf4 | https://blog.talosintelligence.com/threat-roundup-0106-0113/ | https://attack.mitre.org/techniques/T1009/ | SHA256: 6c04238363290f9ab89cc18659e8c7776429e7c9444abf13353d6a8d8dbf252e | PARENTID: M23-M1009 | SSDEEP: 49152:t7vT4rFBiF1Qgw0YX/80KKAjmPBzLUIE/WFtcm7UAS:tAvnvNP80KKymPBzLxE/WFtc1AS | SHA1: a25592c677c80d0f113f68a358153e8687a32082 | MD5: 31d773b42bd89af8689182e72170cbf4 |
M23-M103a | Hook_8e6116cc | Mixed |
This strike sends a malware sample known as Hook. Hook is an Android RAT variant based on the Ermac malware. Hook has the capability to manipulate files on the device as well as interact with the system's UI. This includes the ability to perform gestures, take screenshots, simulate clicks and keypresses, unlock the device, scroll, and click UI text elements. | 8e6116cc7b74c87520a340c4de6dd911 | https://www.threatfabric.com/blogs/hook-a-new-ermac-fork-with-rat-capabilities.html | SHA256: 8d1aabfb6329bf6c03c97f86c690e95723748be9d03ec2ed117376dd9e13faf0 | SHA1: d97d8fc638635f6ae61608efa878a43cbea0c51c | MD5: 8e6116cc7b74c87520a340c4de6dd911 |
M23-M101f | Bifrost_401423b3 | Windows |
This strike sends a malware sample known as Bifrost. Bifrost is a backdoor that allows a remote attacker, using the client, to execute arbitrary code on the compromised machine. It contains standard Remote Access Trojan capabilities including taking screenshots, camera monitoring, and keylogging. | 401423b33f7e755449450a2badb533be | https://blog.talosintelligence.com/threat-roundup-0106-0113/ | SHA256: 2e3cbe941ab655a6d3ea57382028a75794ebd7895dfaba49ac3aad78921f172f | SHA1: 9b2737043259463b51d3e37a10e4696dcba221f2 | MD5: 401423b33f7e755449450a2badb533be |
M23-M104d | LokiBot_b1e0d2ea | Mixed |
This strike sends a malware sample known as LokiBot. LokiBot is an information-stealing malware designed to siphon off sensitive information stored on an infected device. It is modular in nature, supporting the ability to steal sensitive information from a number of popular applications. It is commonly pushed via malicious documents delivered in spam emails. | b1e0d2ead352745d57ea43c58f18aadf | https://blog.talosintelligence.com/threat-roundup-0113-0120/ | SHA256: 57e5341a8009432af3aa5b4246eabb8774d292db8a245106fc045c4f36e5cddb | SHA1: 971c49b4f4b794b7770e09332ec03c1d98557321 | MD5: b1e0d2ead352745d57ea43c58f18aadf |
M23-M101a | RedGoBot_31be883a | Linux |
This strike sends a malware sample known as RedGoBot. RedGoBot has recently been distributed in the wild via exploitation of CVE-2021-35394. This malware is a DDoS botnet with the ability to execute remote commands on the operating system, terminate the bot client, and launch DDoS attacks over the HTTP, ICMP, TCP, UDP, VSE, and OpenVPN protocols. | 31be883a1346f656df5061bc784060a7 | https://unit42.paloaltonetworks.com/realtek-sdk-vulnerability/ | SHA256: 5e647d4991f9d339e6e83cee6168915e1e2c9fac0cddc53d3083cbc96a278035 | SHA1: 5dc0f6e5da49cced2ff5c8e92b8a5dac47a0ad52 | MD5: 31be883a1346f656df5061bc784060a7 |
M23-M100f | QuasarRAT_1ab83ff9 | Windows |
This strike sends a malware sample known as QuasarRAT. In October 2021 Cisco Talos detected a campaign targeting Afghanistan and India that used malicious RTF documents to deliver malware to its victims. This campaign used CVE-2017-11882, a vulnerability in Microsoft Office, to deliver QuasarRAT and dcRAT to Windows systems and AndroidRAT to mobile devices. This sample is QuasarRAT. | 1ab83ff93da4ce0da0fcb706f6bc8228 | https://blog.talosintelligence.com/threat-roundup-0113-0120/ | SHA256: f707db5c91e9f1e70effecb99ae6d8101cb2343779df3b06eba56311bde64a41 | SHA1: dfd7d3159e702772c31618f4da1ec5492f7b6e86 | MD5: 1ab83ff93da4ce0da0fcb706f6bc8228 |
M23-M1011 | LokiBot_1ec5e658 | Mixed |
This strike sends a malware sample known as LokiBot. LokiBot is an information-stealing malware designed to siphon off sensitive information stored on an infected device. It is modular in nature, supporting the ability to steal sensitive information from a number of popular applications. It is commonly pushed via malicious documents delivered in spam emails. | 1ec5e6588478d9336f48b25419a9c438 | https://blog.talosintelligence.com/threat-roundup-0113-0120/ | SHA256: 8126aa90f564c1662d9b42b333a7b0fe7489770c8b5069997b8dc5577ded2bc0 | SHA1: 89050c992186a5fef33fb5559565e3872dea879c | MD5: 1ec5e6588478d9336f48b25419a9c438 |
M23-M1055 | LokiBot_c8a47262 | Mixed |
This strike sends a malware sample known as LokiBot. LokiBot is an information-stealing malware designed to siphon off sensitive information stored on an infected device. It is modular in nature, supporting the ability to steal sensitive information from a number of popular applications. It is commonly pushed via malicious documents delivered in spam emails. | c8a472629bb9193b37b9156b91672bc9 | https://blog.talosintelligence.com/threat-roundup-0113-0120/ | SHA256: cc77dde534b4aa329ecf543351157ca8c9ee43730de6dbef2673d1f63f225f87 | SHA1: 3b9c9ad2a30e7503f51bac7aad88783ed309d8b3 | MD5: c8a472629bb9193b37b9156b91672bc9 |
M23-M103b | LokiBot_8fad80b1 | Mixed |
This strike sends a malware sample known as LokiBot. LokiBot is an information-stealing malware designed to siphon off sensitive information stored on an infected device. It is modular in nature, supporting the ability to steal sensitive information from a number of popular applications. It is commonly pushed via malicious documents delivered in spam emails. | 8fad80b104bd3234323be9171aed903f | https://blog.talosintelligence.com/threat-roundup-0113-0120/ | SHA256: b66c265b35372a58775ab68db5392014be36b745f4647df6c3da1c0a7aab82fc | SHA1: e1190346d14c15788685e77347a827f7086adb2c | MD5: 8fad80b104bd3234323be9171aed903f |
M23-M1047 | LokiBot_a85424f2 | Mixed |
This strike sends a malware sample known as LokiBot. LokiBot is an information-stealing malware designed to siphon off sensitive information stored on an infected device. It is modular in nature, supporting the ability to steal sensitive information from a number of popular applications. It is commonly pushed via malicious documents delivered in spam emails. | a85424f2fb6f690b5f336928355673d1 | https://blog.talosintelligence.com/threat-roundup-0113-0120/ | SHA256: a7225665972f421022ded04315aa75f15cda747e12dbd82130b1a8e87c9d062d | SHA1: c4521733d1be82583743a0c33b035a527c791d13 | MD5: a85424f2fb6f690b5f336928355673d1 |
M23-M100a | QuasarRAT_1347af31 | Windows |
This strike sends a malware sample known as QuasarRAT. In October 2021 Cisco Talos detected a campaign targeting Afghanistan and India that used malicious RTF documents to deliver malware to its victims. This campaign used CVE-2017-11882, a vulnerability in Microsoft Office, to deliver QuasarRAT and dcRAT to Windows systems and AndroidRAT to mobile devices. This sample is QuasarRAT. | 1347af31f1f759cea0164dd26eeab53f | https://blog.talosintelligence.com/threat-roundup-0113-0120/ | SHA256: 6a625df2a22684ec5c95df37818afc44ca1d7aca39e8011b7c0287c369588728 | SHA1: dfb9ac5849355a0144c8efc7884c7e4b5f56086d | MD5: 1347af31f1f759cea0164dd26eeab53f |
M23-M1056 | Gigabud | Mixed |
This strike sends a malware sample known as Gigabud RAT. Gigabud is an Android Remote Access Trojan that has been detected in the wild masquerading as government agency, shopping, and banking applications from Thailand, the Philippines, and Peru. The malware has many functions, including receiving commands from C2 servers, screen recording, and stealing banking credentials. | ca6aa6c5a7910281a899695e61423079 | https://blog.cyble.com/2023/01/19/gigabud-rat-new-android-rat-masquerading-as-government-agencies/ | SHA256: a940c9c54ff69dacc6771f1ffb3c91ea05f7f08e6aaf46e9802e42f948dfdb66 | SHA1: 1012a7627b6b82e3afb87380bbfda515764ce0a6 | MD5: ca6aa6c5a7910281a899695e61423079 |
M23-M1030 | TrickBot_747e2dff | Windows |
This strike sends a malware sample known as TrickBot. TrickBot is a banking trojan targeting sensitive information for select financial institutions. This malware is frequently distributed through malicious spam campaigns. Many of these campaigns rely on downloaders, such as VB scripts, for distribution. | 747e2dff11b08670fbdc1632cfb8d394 | https://blog.talosintelligence.com/threat-roundup-0106-0113/ | SHA256: 6f48cb7449083ebf82b8507d3d32f30fe8d76f329babe728d8bc94628a878981 | SHA1: 326969ea17414d10f271af6b3c04e2b81672e960 | MD5: 747e2dff11b08670fbdc1632cfb8d394 |
M23-M1051 | QuasarRAT_be896d1a | Windows |
This strike sends a malware sample known as QuasarRAT. In October 2021 Cisco Talos detected a campaign targeting Afghanistan and India that used malicious RTF documents to deliver malware to its victims. This campaign used CVE-2017-11882, a vulnerability in Microsoft Office, to deliver QuasarRAT and dcRAT to Windows systems and AndroidRAT to mobile devices. This sample is QuasarRAT. | be896d1a70317c9e457fd3be91e54466 | https://blog.talosintelligence.com/threat-roundup-0113-0120/ | SHA256: 19efdda9ec1232653d64ad9f6d3d8813904ddd9995df3e697e49ae4f267622b0 | SHA1: 1f2213ce01946617df3e24af874ff55e093b4613 | MD5: be896d1a70317c9e457fd3be91e54466 |
M23-M1041 | LokiBot_9c3d5fda | Mixed |
This strike sends a malware sample known as LokiBot. LokiBot is an information-stealing malware designed to siphon off sensitive information stored on an infected device. It is modular in nature, supporting the ability to steal sensitive information from a number of popular applications. It is commonly pushed via malicious documents delivered in spam emails. | 9c3d5fda30d4b32841708d7d7f99c62a | https://blog.talosintelligence.com/threat-roundup-0113-0120/ | SHA256: e7582ee773f6857a3f18e76453beefc46912089372f3b12bdd6e5735a3a3536d | SHA1: cc621680d91f8bdc5225a5af3fbccc542c588401 | MD5: 9c3d5fda30d4b32841708d7d7f99c62a |
M23-M1063 | Bifrost_f844c72a | Windows |
This strike sends a malware sample known as Bifrost. Bifrost is a backdoor that allows a remote attacker, using the client, to execute arbitrary code on the compromised machine. It contains standard Remote Access Trojan capabilities including taking screenshots, camera monitoring, and keylogging. | f844c72a7248602fbe0861525cacc8e1 | https://blog.talosintelligence.com/threat-roundup-0106-0113/ | SHA256: 16d1317d954506fb689c594e0dbea407c5d224882d02ee9c97944ecaf2aa815e | SHA1: 8a118a521e48e381f1398e6a1f23e1315a3948e7 | MD5: f844c72a7248602fbe0861525cacc8e1 |
M23-M104a | TrickBot_adc8d3f2 | Windows |
This strike sends a malware sample known as TrickBot. TrickBot is a banking trojan targeting sensitive information for select financial institutions. This malware is frequently distributed through malicious spam campaigns. Many of these campaigns rely on downloaders, such as VB scripts, for distribution. | adc8d3f293c9fa900655d0550c279c7f | https://blog.talosintelligence.com/threat-roundup-0106-0113/ | SHA256: a55543ec1b6966095c16d18874123733518b24859d943412b346bb1c1bc2aa45 | SHA1: e098e2d978031ab7d372e744fc676c98cb8a9638 | MD5: adc8d3f293c9fa900655d0550c279c7f |
M23-M100d | QuasarRAT_18ea6c3f | Windows |
This strike sends a malware sample known as QuasarRAT. In October 2021 Cisco Talos detected a campaign targeting Afghanistan and India that used malicious RTF documents to deliver malware to its victims. This campaign used CVE-2017-11882, a vulnerability in Microsoft Office, to deliver QuasarRAT and dcRAT to Windows systems and AndroidRAT to mobile devices. This sample is QuasarRAT. | 18ea6c3f285a0609de3b4be052d26e99 | https://blog.talosintelligence.com/threat-roundup-0113-0120/ | SHA256: ceeddc45a3e52e50445abfd568287edf87649fa4e94d75d3a4533a7396ae1604 | SHA1: b8450d9f4745ae05cf54eaf1506b3c9fbb34a43f | MD5: 18ea6c3f285a0609de3b4be052d26e99 |
M23-M1010 | Mimic_1de4fcc8 | Windows |
This strike sends a malware sample known as Mimic. Mimic is a ransomware that abuses the APIs of the Everything file-search tool to query for files to encrypt. It has the ability to delete shadow copies, disable Windows Defender, terminate applications and services, and perform a variety of other functions. | 1de4fcc80167b96285656de16f91c7d1 | https://nationalcybersecurity.com/new-mimic-ransomware-abuses-everything-apis-for-its-encryption-process-hacking-cybersecurity-infosec-comptia-pentest-ransomware/ | SHA256: e67d3682910cf1e7ece356860179ada8e847637a86c1e5f6898c48c956f04590 | SHA1: 51a50bdd10d159bd00218476f86709cb7add4ebb | MD5: 1de4fcc80167b96285656de16f91c7d1 |
M23-M101c | TrickBot_32e3a9c1 | Windows |
This strike sends a malware sample known as TrickBot. TrickBot is a banking trojan targeting sensitive information for select financial institutions. This malware is frequently distributed through malicious spam campaigns. Many of these campaigns rely on downloaders, such as VB scripts, for distribution. | 32e3a9c1efe10cbab7c8f15fd57e54a6 | https://blog.talosintelligence.com/threat-roundup-0106-0113/ | SHA256: 41892f3328b48749726630a3e75ee0addd7e41060beefcfc9d81d3bfc3ab55fd | SHA1: 2201c7d6c11101b6ad37b0818ec3acc328d00713 | MD5: 32e3a9c1efe10cbab7c8f15fd57e54a6 |
M23-M106a | TrickBot_d04b80a9 | Windows |
This strike sends a polymorphic malware sample known as TrickBot. TrickBot is a banking trojan targeting sensitive information for select financial institutions. This malware is frequently distributed through malicious spam campaigns. Many of these campaigns rely on downloaders, such as VB scripts, for distribution. The binary has random contents appended to one of the existing sections in the PE file format. | d04b80a9abc3ac86c2a6f9251e41211e | https://blog.talosintelligence.com/threat-roundup-0106-0113/ | https://arxiv.org/abs/1801.08917 | SHA256: f84926beb3c919c5510a1466805ef892ca88e889b78f0a8622706f1249775752 | PARENTID: M23-M104a | SSDEEP: 24576:eORs3JVHs1TSX69TPZguhUDM69TPZguhU7M69:hmHs1TSX61PZgxM61PZgpM6 | SHA1: 774c2241b77f3bb1902cf0062a60709190ac5b05 | MD5: d04b80a9abc3ac86c2a6f9251e41211e |
M23-M104e | Gigabud | Mixed |
This strike sends a malware sample known as Gigabud RAT. Gigabud is an Android Remote Access Trojan that has been detected in the wild masquerading as government agency, shopping, and banking applications from Thailand, the Philippines, and Peru. The malware has many functions, including receiving commands from C2 servers, screen recording, and stealing banking credentials. | b2429371b530d634b2b86c331515904f | https://blog.cyble.com/2023/01/19/gigabud-rat-new-android-rat-masquerading-as-government-agencies/ | SHA256: ec1e2ff5c72c233f2b5ad538d44059a06b81b5e5da5e2c82897be1ca4539d490 | SHA1: ea5359c8408cdb4ebb7480704fe06a8e3bfa37c3 | MD5: b2429371b530d634b2b86c331515904f |
M23-M1046 | Mimic_a626eaec | Windows |
This strike sends a malware sample known as Mimic. Mimic is a ransomware that abuses the APIs of the Everything file-search tool to query for files to encrypt. It has the ability to delete shadow copies, disable Windows Defender, terminate applications and services, and perform a variety of other functions. | a626eaec2acc8605825b63e2ca1be83f | https://nationalcybersecurity.com/new-mimic-ransomware-abuses-everything-apis-for-its-encryption-process-hacking-cybersecurity-infosec-comptia-pentest-ransomware/ | SHA256: 480fb2f6bcb1f394dc171ecbce88b9fa64df1491ec65859ee108f2e787b26e03 | SHA1: 8b101fe4ca4e2ba8c5eae5409c373d9d18586c2a | MD5: a626eaec2acc8605825b63e2ca1be83f |
M23-M105e | TrickBot_e06fb6f6 | Windows |
This strike sends a malware sample known as TrickBot. TrickBot is a banking trojan targeting sensitive information for select financial institutions. This malware is frequently distributed through malicious spam campaigns. Many of these campaigns rely on downloaders, such as VB scripts, for distribution. | e06fb6f69932083d67ec4702520b7210 | https://blog.talosintelligence.com/threat-roundup-0106-0113/ | SHA256: 010f84deb5e78bad41895e882203db172819778c5dfd28c26eb079e8be50d77f | SHA1: 93799d81897f9a56c842926a84ebe942f8bbf2ee | MD5: e06fb6f69932083d67ec4702520b7210 |
M23-M1017 | Bifrost_2d909a3d | Windows |
This strike sends a malware sample known as Bifrost. Bifrost is a backdoor that allows a remote attacker, using the client, to execute arbitrary code on the compromised machine. It contains standard Remote Access Trojan capabilities including taking screenshots, camera monitoring, and keylogging. | 2d909a3d5efa68b5d8b2553db1c13e7f | https://blog.talosintelligence.com/threat-roundup-0106-0113/ | SHA256: 3c39945e576bdfe9a878b8543c925bbd48f03a778c4f4aabb50362aff6340bfa | SHA1: 3986d3a33e4788e64afc17babd566b7f562512d4 | MD5: 2d909a3d5efa68b5d8b2553db1c13e7f |
M23-M101e | RedGoBot_3c404053 | Linux |
This strike sends a malware sample known as RedGoBot. RedGoBot has recently been distributed in the wild via exploitation of CVE-2021-35394. This malware is a DDoS botnet with the ability to execute remote commands on the operating system, terminate the bot client, and launch DDoS attacks over the HTTP, ICMP, TCP, UDP, VSE, and OpenVPN protocols. | 3c404053296efd41dae11a0a39be3808 | https://unit42.paloaltonetworks.com/realtek-sdk-vulnerability/ | SHA256: 6bca8cf5e48e819179f8473e4e600da2c1ef00802bf1744885dcb5ad56618943 | SHA1: 4c3c5fc50a29b9ee67aeb4bec39e1635f09bdd93 | MD5: 3c404053296efd41dae11a0a39be3808 |
M23-M1024 | Mimic_5120980c | Windows |
This strike sends a malware sample known as Mimic. Mimic is a ransomware that abuses the APIs of the Everything file-search tool to query for files to encrypt. It has the ability to delete shadow copies, disable Windows Defender, terminate applications and services, and perform a variety of other functions. | 5120980c01763759fbc8785899809e6a | https://nationalcybersecurity.com/new-mimic-ransomware-abuses-everything-apis-for-its-encryption-process-hacking-cybersecurity-infosec-comptia-pentest-ransomware/ | SHA256: 136d05b5132adafc4c7616cd6902700de59f3f326c6931eb6b2f3b1f458c7457 | SHA1: b7581da9c48e1b514664d560f866899745620b82 | MD5: 5120980c01763759fbc8785899809e6a |
M23-M1001 | Pegasus_3910e0 | Android |
This strike sends an Android malware sample known as Godfather. It is a trojan that has affected 400 banking and crypto applications. It is a successor to the Anubis malware; it performs its C2 communication over Telegram and carries out malicious activities such as screen recording, exfiltrating push notifications to bypass 2FA, and forwarding calls. The included sample poses as the Google Play Protect app. | 3910e0f2fa87ef1ac40098c98709886d | https://www.group-ib.com/blog/godfather-trojan/ | https://thehackernews.com/2022/12/godfather-android-banking-trojan.html | SHA256: f26c0df227b4e0dcc275146066913cd9f32b51a2ba40258539eab86ef8e03cea | PARENTID: M23-M1035 | SSDEEP: 196608:KctvSeMIRNlXDAioU3FzwUZHGwj2lO+AUlC567NbEYlbuB4Ti8VHHSBlBYUaX4J3:KuvUoNlsioU3RwUl7j2lOklC56pEYIBh | SHA1: ebcccd5d69c6f0cde339dc87848ab5c90105f0a4 | MD5: 3910e0f2fa87ef1ac40098c98709886d |
M23-M105c | Bifrost_d5f53d7e | Windows |
This strike sends a malware sample known as Bifrost. Bifrost is a backdoor that allows a remote attacker, using the client, to execute arbitrary code on the compromised machine. It contains standard Remote Access Trojan capabilities including taking screenshots, camera monitoring, and keylogging. | d5f53d7e5d74a981d2f15f3d953b5a90 | https://blog.talosintelligence.com/threat-roundup-0106-0113/ | SHA256: efc1da346ba66ebd0defb0be5cda235c16116b24778ad2ec386de715bec0bcdb | SHA1: 911b2ff382419e9109703b74d986ee6e52face99 | MD5: d5f53d7e5d74a981d2f15f3d953b5a90 |
M23-M102a | LokiBot_63e3bfaa | Mixed |
This strike sends a malware sample known as LokiBot. LokiBot is an information-stealing malware designed to siphon off sensitive information stored on an infected device. It is modular in nature, supporting the ability to steal sensitive information from a number of popular applications. It is commonly pushed via malicious documents delivered in spam emails. | 63e3bfaaa31cc2014010270ecfbc72be | https://blog.talosintelligence.com/threat-roundup-0113-0120/ | SHA256: 2c585eb6a6b3d165c75312f0676e312fc0b1c9dbfd63ab4a060356669f605c90 | SHA1: 7d28d8f975934c9b3f341696916e52c6e773c040 | MD5: 63e3bfaaa31cc2014010270ecfbc72be |
M23-M106c | TrickBot_d813b0f6 | Windows |
This strike sends a polymorphic malware sample known as TrickBot. TrickBot is a banking trojan targeting sensitive information for select financial institutions. This malware is frequently distributed through malicious spam campaigns. Many of these campaigns rely on downloaders, such as VB scripts, for distribution. The binary has the checksum removed in the PE file format. | d813b0f6505f8b1582beb41d3d55d3ae | https://blog.talosintelligence.com/threat-roundup-0106-0113/ | https://arxiv.org/abs/1801.08917 | SHA256: 46232164763992ceeba318117a294f1e0bfe1c428c69412645ddcea84f89c414 | PARENTID: M23-M1059 | SSDEEP: 24576:QORs3JVHs1TSX69TPZguhUyB69TPZguhUKB69TPZguhUK:DmHs1TSX61PZgUB61PZgEB61PZgE | SHA1: 2fd20d7d5bdff02fc7cedd8edbd905162772065c | MD5: d813b0f6505f8b1582beb41d3d55d3ae |
M23-M1003 | TrickBot_014be42c | Windows |
This strike sends a malware sample known as TrickBot. TrickBot is a banking trojan targeting sensitive information for select financial institutions. This malware is frequently distributed through malicious spam campaigns. Many of these campaigns rely on downloaders, such as VB scripts, for distribution. | 014be42cda8eb56cfea80892e736e7c1 | https://blog.talosintelligence.com/threat-roundup-0106-0113/ | SHA256: 380b798da49861cb0cb551a7b945f8db7e3893402c2423b6f9ebac784c79abf6 | SHA1: 0f71f6ae70ee9dea579dcbc4097926dbf84d5f6d | MD5: 014be42cda8eb56cfea80892e736e7c1 |
M23-M102f | TrickBot_741a22e5 | Windows |
This strike sends a malware sample known as TrickBot. TrickBot is a banking trojan targeting sensitive information for select financial institutions. This malware is frequently distributed through malicious spam campaigns. Many of these campaigns rely on downloaders, such as VB scripts, for distribution. | 741a22e524f0c165272d7d5881027253 | https://blog.talosintelligence.com/threat-roundup-0106-0113/ | SHA256: 0b6a83489612fbac0c8031c717c2ef806d1ab504ee882a4e83700bd277684eca | SHA1: 0d0a0692d0d96152db19420a494e41ae5dc4ebd9 | MD5: 741a22e524f0c165272d7d5881027253 |
M23-M1052 | RedGoBot_c1492f71 | Linux |
This strike sends a malware sample known as RedGoBot. RedGoBot has recently been distributed in the wild via exploitation of CVE-2021-35394. This malware is a DDoS botnet with the ability to execute remote commands on the operating system, terminate the bot client, and launch DDoS attacks over the HTTP, ICMP, TCP, UDP, VSE, and OpenVPN protocols. | c1492f719a4553bb4280b5a8c8c39095 | https://unit42.paloaltonetworks.com/realtek-sdk-vulnerability/ | SHA256: 81e581ed06515af959c8477442243f20baa77c0e54a1054542900936c6e81ff5 | SHA1: 4825af1a2767c8ab277426e4a1150b6b32d7ecfe | MD5: c1492f719a4553bb4280b5a8c8c39095 |
M23-M1033 | TrickBot_7734c98f | Windows |
This strike sends a malware sample known as TrickBot. TrickBot is a banking trojan targeting sensitive information for select financial institutions. This malware is frequently distributed through malicious spam campaigns. Many of these campaigns rely on downloaders, such as VB scripts, for distribution. | 7734c98fc19d785fb9bb15f160d8edfa | https://blog.talosintelligence.com/threat-roundup-0106-0113/ | SHA256: 25473161969a5ce442ced0c778e677792b07fa68fe500734f7fccab735dfc6ac | SHA1: ea0439673be19c6096d5725a780c70db1ebef28a | MD5: 7734c98fc19d785fb9bb15f160d8edfa |
M23-M1043 | Mimic_9e9c2fc8 | Windows |
This strike sends a malware sample known as Mimic. Mimic is a ransomware that abuses the APIs of the Everything tool to query files to be encrypted. It has the ability to delete shadow copies, disable Windows Defender, terminate applications and services and perform a variety of other functions. | 9e9c2fc872e905817c5501d07ef946b1 | https://nationalcybersecurity.com/new-mimic-ransomware-abuses-everything-apis-for-its-encryption-process-hacking-cybersecurity-infosec-comptia-pentest-ransomware/SHA256: c71ce482cf50d59c92cfb1eae560711d47600541b2835182d6e46e0de302ca6cSHA1: fae69333d7f41881d1e1de3b5391b9c9d236867eMD5: 9e9c2fc872e905817c5501d07ef946b1 |
M23-M1008 | Mimic_102bd157 | Windows |
This strike sends a malware sample known as Mimic. Mimic is ransomware that abuses the search APIs of the Everything file-indexing tool to enumerate the files it will encrypt. It can also delete shadow copies, disable Windows Defender, terminate applications and services, and perform a variety of other functions. | 102bd157676e752d4e9311b5d17f9d5c | https://nationalcybersecurity.com/new-mimic-ransomware-abuses-everything-apis-for-its-encryption-process-hacking-cybersecurity-infosec-comptia-pentest-ransomware/ ; SHA256: 4a6f8bf2b989fa60daa6c720b2d388651dd8e4c60d0be04aaed4de0c3c064c8f ; SHA1: ff89ff94c05ffa8acc1ba0588dd59feffc8e5475 ; MD5: 102bd157676e752d4e9311b5d17f9d5c |
M23-M1044 | QuasarRAT_a01d7c17 | Windows |
This strike sends a malware sample known as QuasarRAT. In October 2021, Cisco Talos detected a campaign targeting Afghanistan and India that used malicious RTF documents to deliver malware to its victims. The campaign exploited CVE-2017-11882, a memory-corruption vulnerability in the Microsoft Office Equation Editor, to deliver QuasarRAT and DcRAT to Windows hosts and AndroidRAT to mobile devices. This sample is QuasarRAT. | a01d7c171ed097992fa5ff6547d8c0fe | https://blog.talosintelligence.com/threat-roundup-0113-0120/ ; SHA256: 99f9e4ecd9882db1a05327c07481941e8a4ce22dfdef90c15e9d200d9c79cbdd ; SHA1: a0351a96ce94ede72a4e7fbf56265c823b5a471d ; MD5: a01d7c171ed097992fa5ff6547d8c0fe |
M23-M104b | QuasarRAT_ae2833fc | Windows |
This strike sends a malware sample known as QuasarRAT. In October 2021, Cisco Talos detected a campaign targeting Afghanistan and India that used malicious RTF documents to deliver malware to its victims. The campaign exploited CVE-2017-11882, a memory-corruption vulnerability in the Microsoft Office Equation Editor, to deliver QuasarRAT and DcRAT to Windows hosts and AndroidRAT to mobile devices. This sample is QuasarRAT. | ae2833fc5def4bebab9797e7694f8208 | https://blog.talosintelligence.com/threat-roundup-0113-0120/ ; SHA256: ae8220d48eb72043bdfc4fd965fce63a668cdd281553c6a93aaf574af554881a ; SHA1: a052e199cb3da3f2f1eea6b25e3562bb3ef33536 ; MD5: ae2833fc5def4bebab9797e7694f8208 |
M23-M1064 | TrickBot_f9e5b419 | Windows |
This strike sends a malware sample known as TrickBot. TrickBot is a banking trojan that targets sensitive information for select financial institutions. It is frequently distributed through malicious spam campaigns, many of which rely on downloaders such as VBScript files for distribution. | f9e5b4192366939cbd96afe2d9cfbd41 | https://blog.talosintelligence.com/threat-roundup-0106-0113/ ; SHA256: 06dd24c4205cce7274c8b332e34abdc1cf6064d21bca8fc4407cd6cf075cfd09 ; SHA1: 4391babd3d30270d6221bd0d47cdef9093df9af1 ; MD5: f9e5b4192366939cbd96afe2d9cfbd41 |
M23-M100e | LokiBot_1a3e6d36 | Mixed |
This strike sends a malware sample known as LokiBot. LokiBot is an information stealer designed to siphon sensitive data stored on an infected device. It is modular, able to steal sensitive information from a number of popular applications, and is commonly pushed via malicious documents delivered in spam email. | 1a3e6d3672c71fd1775411275e9322b7 | https://blog.talosintelligence.com/threat-roundup-0113-0120/ ; SHA256: 93a71008a2294209a986d896b26e8bcff214afc6923323687c9281919c033a91 ; SHA1: c73b600f2929ec0f7b1600b85d3f596ab9755f6d ; MD5: 1a3e6d3672c71fd1775411275e9322b7 |
M23-M1015 | Bifrost_28c3852d | Windows |
This strike sends a malware sample known as Bifrost. Bifrost is a backdoor that lets a remote attacker operating its client component execute arbitrary code on the compromised machine. It has standard Remote Access Trojan capabilities, including screenshot capture, camera monitoring and keylogging. | 28c3852dadec6b0a094560110dff9d90 | https://blog.talosintelligence.com/threat-roundup-0106-0113/ ; SHA256: b780a6616b56776be514c74c969be3c2b51acd03b81f3ace8d666d5d4b0d1feb ; SHA1: cc481ceee0738df3d276b6bcc00a97c7c480fd04 ; MD5: 28c3852dadec6b0a094560110dff9d90 |
M23-M1029 | Bifrost_6255dd50 | Windows |
This strike sends a malware sample known as Bifrost. Bifrost is a backdoor that lets a remote attacker operating its client component execute arbitrary code on the compromised machine. It has standard Remote Access Trojan capabilities, including screenshot capture, camera monitoring and keylogging. | 6255dd507eaa7098a14fb139562cb060 | https://blog.talosintelligence.com/threat-roundup-0106-0113/ ; SHA256: bf95dc1c0b1b6c234eb8eac2a967c38adbf28bf9aa22558aff970fc92def0813 ; SHA1: cf0cd7d083fb48d9b5a60c02aff280a56f8c5715 ; MD5: 6255dd507eaa7098a14fb139562cb060 |
M23-M100b | LokiBot_16b925b3 | Mixed |
This strike sends a malware sample known as LokiBot. LokiBot is an information stealer designed to siphon sensitive data stored on an infected device. It is modular, able to steal sensitive information from a number of popular applications, and is commonly pushed via malicious documents delivered in spam email. | 16b925b3b891d0ba91552419b6c9a343 | https://blog.talosintelligence.com/threat-roundup-0113-0120/ ; SHA256: 10cd2aa23f0117fb286aba9f6a6ecbf7c467071881763d18c570574eed5b3dc8 ; SHA1: 44c430319377079043ec265b83963f7dec1a3a9a ; MD5: 16b925b3b891d0ba91552419b6c9a343 |
M23-M103d | LokiBot_90d6eeb7 | Mixed |
This strike sends a malware sample known as LokiBot. LokiBot is an information stealer designed to siphon sensitive data stored on an infected device. It is modular, able to steal sensitive information from a number of popular applications, and is commonly pushed via malicious documents delivered in spam email. | 90d6eeb774dfc96b215d0ebea5464640 | https://blog.talosintelligence.com/threat-roundup-0113-0120/ ; SHA256: c9ebabe61d9c25500298ac578ba280ebb1b78fd2da07f32a82c44f1c11c3453e ; SHA1: e831a241bf656d18579326a50f9acc920cd938e7 ; MD5: 90d6eeb774dfc96b215d0ebea5464640 |
M23-M103e | TrickBot_938195ae | Windows |
This strike sends a malware sample known as TrickBot. TrickBot is a banking trojan that targets sensitive information for select financial institutions. It is frequently distributed through malicious spam campaigns, many of which rely on downloaders such as VBScript files for distribution. | 938195ae6a5ea077a43dccac2df43e0d | https://blog.talosintelligence.com/threat-roundup-0106-0113/ ; SHA256: 2d3ae3b2189a6ad6436f046c4dc4e30509132e0a0ae08175a2299105f26277ca ; SHA1: 03bc03269cddb0498e7d84ecfbd0a99ceb2b042c ; MD5: 938195ae6a5ea077a43dccac2df43e0d |
M23-M1018 | LokiBot_307fee76 | Mixed |
This strike sends a malware sample known as LokiBot. LokiBot is an information stealer designed to siphon sensitive data stored on an infected device. It is modular, able to steal sensitive information from a number of popular applications, and is commonly pushed via malicious documents delivered in spam email. | 307fee76a6790b07f15db9f78204d0a7 | https://blog.talosintelligence.com/threat-roundup-0113-0120/ ; SHA256: afa915e7174b5c3da177ea2bc6573248a00d173dfe8f2ff8e7667557a3bf699f ; SHA1: f6876b7d784f9ccebbb4f69b0142d0e35204a0e9 ; MD5: 307fee76a6790b07f15db9f78204d0a7 |
M23-M1005 | TrickBot_04420a52 | Windows |
This strike sends a malware sample known as TrickBot. TrickBot is a banking trojan that targets sensitive information for select financial institutions. It is frequently distributed through malicious spam campaigns, many of which rely on downloaders such as VBScript files for distribution. | 04420a52469fa8c3dece0126fdeb7e80 | https://blog.talosintelligence.com/threat-roundup-0106-0113/ ; SHA256: 5945310e811930231bf36f6d6d34af46bef97aa4d23e6adc1911772f7b0f8299 ; SHA1: 098c418b21529f470c2a0bf58e96fd727d8292cf ; MD5: 04420a52469fa8c3dece0126fdeb7e80 |
M23-M1062 | LokiBot_f3821f00 | Mixed |
This strike sends a malware sample known as LokiBot. LokiBot is an information stealer designed to siphon sensitive data stored on an infected device. It is modular, able to steal sensitive information from a number of popular applications, and is commonly pushed via malicious documents delivered in spam email. | f3821f00986bcfeae38622179fc49f5c | https://blog.talosintelligence.com/threat-roundup-0113-0120/ ; SHA256: 0096e380996a5c8896055aa0543c3f51bbebd5c1ea8178da1d67691a975cdbf7 ; SHA1: 7670312721cbc16da3655a5a08d62e876dc31aef ; MD5: f3821f00986bcfeae38622179fc49f5c |
M23-M102c | Mimic_6a690a6b | Windows |
This strike sends a malware sample known as Mimic. Mimic is ransomware that abuses the search APIs of the Everything file-indexing tool to enumerate the files it will encrypt. It can also delete shadow copies, disable Windows Defender, terminate applications and services, and perform a variety of other functions. | 6a690a6bf79312af5bebc814e99ea84a | https://nationalcybersecurity.com/new-mimic-ransomware-abuses-everything-apis-for-its-encryption-process-hacking-cybersecurity-infosec-comptia-pentest-ransomware/ ; SHA256: 9c16211296f88e12538792124b62eb00830d0961e9ab24b825edb61bda8f564f ; SHA1: c5506f0cd5ee99472e159cc2d0940ea98b8a5194 ; MD5: 6a690a6bf79312af5bebc814e99ea84a |
M23-M1014 | QuasarRAT_25e35c28 | Windows |
This strike sends a malware sample known as QuasarRAT. In October 2021, Cisco Talos detected a campaign targeting Afghanistan and India that used malicious RTF documents to deliver malware to its victims. The campaign exploited CVE-2017-11882, a memory-corruption vulnerability in the Microsoft Office Equation Editor, to deliver QuasarRAT and DcRAT to Windows hosts and AndroidRAT to mobile devices. This sample is QuasarRAT. | 25e35c28e0212a5c1e6c177be4d48b1a | https://blog.talosintelligence.com/threat-roundup-0113-0120/ ; SHA256: e237afed733f19fb87d226904faa1f6b13a9279db2970aa9821bd7ba03a61487 ; SHA1: 2d7dce91567c39526f4edbf5ba5e1467c81cbc5e ; MD5: 25e35c28e0212a5c1e6c177be4d48b1a |
M23-M1031 | RedGoBot_75ade86d | Linux |
This strike sends a malware sample known as RedGoBot. RedGoBot has recently been distributed in the wild through exploitation of CVE-2021-35394 in the Realtek Jungle SDK. It is a DDoS bot that can execute remote commands on the operating system, terminate the bot client, and launch DDoS attacks over the HTTP, ICMP, TCP, UDP, VSE and OpenVPN protocols. | 75ade86d5cb702c76576c587c167c451 | https://unit42.paloaltonetworks.com/realtek-sdk-vulnerability/ ; SHA256: 1967370203138b9324f11c5cb3fd15ac8d2f0c585373486614600b676a4e2641 ; SHA1: c1700d081795b6770cb71eb79b3b3328253d2afe ; MD5: 75ade86d5cb702c76576c587c167c451 |
M23-M100c | Bifrost_188de6b9 | Windows |
This strike sends a malware sample known as Bifrost. Bifrost is a backdoor that lets a remote attacker operating its client component execute arbitrary code on the compromised machine. It has standard Remote Access Trojan capabilities, including screenshot capture, camera monitoring and keylogging. | 188de6b94cd471e27fb24bae4ffddef1 | https://blog.talosintelligence.com/threat-roundup-0106-0113/ ; SHA256: 7deb18fe91d5c043b06f0d7cb3894176b8eaf26b76f3cec14aae17bd91facb8a ; SHA1: d49122989aebc3bfb82a8345e939dee8a7ff5be6 ; MD5: 188de6b94cd471e27fb24bae4ffddef1 |
M23-M105a | RedGoBot_cd56bea3 | Linux |
This strike sends a malware sample known as RedGoBot. RedGoBot has recently been distributed in the wild through exploitation of CVE-2021-35394 in the Realtek Jungle SDK. It is a DDoS bot that can execute remote commands on the operating system, terminate the bot client, and launch DDoS attacks over the HTTP, ICMP, TCP, UDP, VSE and OpenVPN protocols. | cd56bea395c994290ebc71cc1482dfe0 | https://unit42.paloaltonetworks.com/realtek-sdk-vulnerability/ ; SHA256: ab3de77616b4d85f032a226da6c3629de4a8f1c1b4d32674c1bed30afb9419e1 ; SHA1: 25512b5f90f36e46ed427d6dfd53eca3600c9fb2 ; MD5: cd56bea395c994290ebc71cc1482dfe0 |
M23-M106b | Bifrost_d533aa9f | Windows |
This strike sends a polymorphic malware sample known as Bifrost. Bifrost is a backdoor that lets a remote attacker operating its client component execute arbitrary code on the compromised machine. It has standard Remote Access Trojan capabilities, including screenshot capture, camera monitoring and keylogging. The binary has a new section added in the PE file format with random contents. | d533aa9f1d633528df82a69bb8c515ee | https://blog.talosintelligence.com/threat-roundup-0106-0113/ ; https://arxiv.org/abs/1801.08917 ; SHA256: a7fec5963c7704a3e802b727ad80e472489f4d4049f58bc095717d4b54a3e6f4 ; PARENTID: M23-M105c ; SSDEEP: 49152:pyhXtcUbUOP7XDW2W/QMrJTiovJLB8vrtr0B7dLz11dj:wqUbH7W4MFFBL+r0B7d/1zj ; SHA1: 47f41a4a8a66e3eff25f1c863b8a760918ce5446 ; MD5: d533aa9f1d633528df82a69bb8c515ee |
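The polymorphic variant above is its parent (PARENTID M23-M105c) with one extra PE section full of random bytes, which is why the cryptographic hashes differ while the SSDEEP fuzzy hash still matches the parent. As an added example, not part of the strike list or the vendor's tooling, the Python below builds a small constructed PE32 image, applies that transform, and shows the two cheap checks a triage script can run against such a pair: per-section Shannon entropy, which exposes an appended random section, and the PE CheckSum, which any byte-level rewrite leaves stale unless the mutation engine re-stamps it. The section name `.rnd`, the 7.0 bits/byte threshold, the fixed PRNG seed and the toy sections are assumptions made for the demonstration, and the constructed image is parseable but not executable.

```python
import math
import random
import struct

FILE_ALIGN, SECT_ALIGN = 0x200, 0x1000
OPT_HDR_SIZE = 224                      # PE32 optional header incl. 16 data directories
SIZEOFIMAGE_OFF, SIZEOFHEADERS_OFF, CHECKSUM_OFF = 56, 60, 64   # optional-header field offsets
SECT_HDR = "<8sIIIIIIHHI"               # IMAGE_SECTION_HEADER, 40 bytes


def _align(v, a):
    return (v + a - 1) // a * a


def _entropy(buf):
    """Shannon entropy in bits per byte; uniformly random data approaches 8.0."""
    counts = [buf.count(b) for b in range(256)]
    return -sum(c / len(buf) * math.log2(c / len(buf)) for c in counts if c) if buf else 0.0


def pe_checksum(data, checksum_off):
    """PE CheckSum as ImageHlp computes it: 32-bit words summed with end-around
    carry, skipping the CheckSum field, folded to 16 bits, plus the file length."""
    padded = data + b"\0" * (-len(data) % 4)
    total = 0
    for off in range(0, len(padded), 4):
        if off != checksum_off:
            total += struct.unpack_from("<I", padded, off)[0]
            total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    total += total >> 16
    return (total & 0xFFFF) + len(data)


def _layout(pe):
    """(optional header offset, section table offset, section count)."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    nsec = struct.unpack_from("<H", pe, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]
    return e_lfanew + 24, e_lfanew + 24 + opt_size, nsec


def _stamp_checksum(out):
    opt = _layout(out)[0]
    struct.pack_into("<I", out, opt + CHECKSUM_OFF, pe_checksum(bytes(out), opt + CHECKSUM_OFF))
    return bytes(out)


def build_pe(sections):
    """Constructed minimal PE32 from (name, raw bytes) pairs: a parseable test
    input with a correct CheckSum, not a real sample and not executable."""
    n = len(sections)
    size_of_headers = _align(0x40 + 4 + 20 + OPT_HDR_SIZE + 40 * n, FILE_ALIGN)
    hdr = bytearray(b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40))              # e_lfanew = 0x40
    hdr += b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, n, 0, 0, 0, OPT_HDR_SIZE, 0x102)
    opt = bytearray(OPT_HDR_SIZE)
    struct.pack_into("<H", opt, 0, 0x10B)                                        # PE32 magic
    struct.pack_into("<III", opt, 28, 0x400000, SECT_ALIGN, FILE_ALIGN)          # ImageBase, alignments
    struct.pack_into("<I", opt, SIZEOFHEADERS_OFF, size_of_headers)
    struct.pack_into("<H", opt, 68, 2)                                           # Subsystem: Windows GUI
    struct.pack_into("<I", opt, 92, 16)                                          # NumberOfRvaAndSizes
    table, body, rva, raw_ptr = bytearray(), bytearray(), SECT_ALIGN, size_of_headers
    for name, data in sections:
        raw_size = _align(len(data), FILE_ALIGN)
        table += struct.pack(SECT_HDR, name.ljust(8, b"\0"), len(data), rva, raw_size, raw_ptr, 0, 0, 0, 0, 0x60000020)
        body += data.ljust(raw_size, b"\0")
        rva, raw_ptr = rva + _align(len(data), SECT_ALIGN), raw_ptr + raw_size
    struct.pack_into("<I", opt, SIZEOFIMAGE_OFF, rva)
    return _stamp_checksum((hdr + opt + table).ljust(size_of_headers, b"\0") + body)


def append_random_section(pe, name=b".rnd", size=0x1000, restamp=True, seed=2023):
    """The transform in the strike above: append a section of random bytes. A
    careful mutation engine re-stamps the CheckSum (restamp=True); a careless
    one leaves it stale, which is a second, cheaper tell. The seed is fixed only
    so the example is reproducible; a real engine would use fresh randomness."""
    opt, table, nsec = _layout(pe)
    if table + 40 * (nsec + 1) > struct.unpack_from("<I", pe, opt + SIZEOFHEADERS_OFF)[0]:
        raise ValueError("no slack in the header area for another section header")
    rva = struct.unpack_from("<I", pe, opt + SIZEOFIMAGE_OFF)[0]                 # first free RVA
    raw_size = _align(size, FILE_ALIGN)
    out = bytearray(pe)
    struct.pack_into(SECT_HDR, out, table + 40 * nsec, name.ljust(8, b"\0"), size, rva, raw_size, len(pe), 0, 0, 0, 0, 0x60000020)
    struct.pack_into("<H", out, struct.unpack_from("<I", pe, 0x3C)[0] + 6, nsec + 1)   # NumberOfSections
    struct.pack_into("<I", out, opt + SIZEOFIMAGE_OFF, rva + _align(size, SECT_ALIGN))
    rng = random.Random(seed)
    out += bytes(rng.getrandbits(8) for _ in range(size)).ljust(raw_size, b"\0")  # the random contents
    return _stamp_checksum(out) if restamp else bytes(out)


def section_names(pe):
    _, table, nsec = _layout(pe)
    return [struct.unpack_from("<8s", pe, table + 40 * i)[0].rstrip(b"\0").decode() for i in range(nsec)]


def inspect_pe(pe, entropy_threshold=7.0):
    """Triage checks: CheckSum zeroed or stale, and any section whose raw bytes
    look random (the threshold is an assumption; packed code scores high too)."""
    opt, table, nsec = _layout(pe)
    stored = struct.unpack_from("<I", pe, opt + CHECKSUM_OFF)[0]
    findings = []
    if stored == 0:
        findings.append("checksum field is zero")
    elif stored != pe_checksum(pe, opt + CHECKSUM_OFF):
        findings.append("checksum does not match file contents")
    for i in range(nsec):
        name, _, _, raw_size, raw_ptr = struct.unpack_from("<8sIIII", pe, table + 40 * i)
        ent = _entropy(pe[raw_ptr:raw_ptr + raw_size])
        if ent > entropy_threshold:
            sname = name.rstrip(b"\0").decode()
            findings.append(f"high-entropy section {sname} ({ent:.2f} bits/byte)")
    return findings


if __name__ == "__main__":
    parent = build_pe([(b".text", b"\x90" * 64 + b"\xc3"), (b".data", b"constructed sample data")])
    variant = append_random_section(parent)
    print(section_names(variant), inspect_pe(parent), inspect_pe(variant))
```

Entropy alone is not proof: a UPX-packed or compressed section scores just as high, so judge the variant against its parent (that is what PARENTID is for) rather than in isolation, and a zero CheckSum is routine in non-driver binaries, so treat it as a change indicator relative to the parent, not as evidence of malice. Running both checks over a parent/variant pair and diffing the section tables is usually enough to confirm that the two rows are the same code.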
M23-M1058 | TrickBot_cb2d2ddd | Windows |
This strike sends a malware sample known as TrickBot. TrickBot is a banking trojan that targets sensitive information for select financial institutions. It is frequently distributed through malicious spam campaigns, many of which rely on downloaders such as VBScript files for distribution. | cb2d2ddd9ecaa9f1ca67275d244fc15b | https://blog.talosintelligence.com/threat-roundup-0106-0113/ ; SHA256: 5685ddcb62cd05ed44dd16b1e9004f1c63a5cd8965ccd19089a4fda044a48e81 ; SHA1: e3788e03d8918b0e7f8aede6b154790ee1c87c8e ; MD5: cb2d2ddd9ecaa9f1ca67275d244fc15b |
M23-M1032 | LokiBot_760b6e1b | Mixed |
This strike sends a malware sample known as LokiBot. LokiBot is an information stealer designed to siphon sensitive data stored on an infected device. It is modular, able to steal sensitive information from a number of popular applications, and is commonly pushed via malicious documents delivered in spam email. | 760b6e1b06322fbe556f9ddf683b0389 | https://blog.talosintelligence.com/threat-roundup-0113-0120/ ; SHA256: 400e675021818214d2779c38b2d77b457ef9956518cd812b53bc7f41ca228bca ; SHA1: 924ec928b6a0d1fd10fc2be6b346225cc2daf23f ; MD5: 760b6e1b06322fbe556f9ddf683b0389 |
M23-M101d | Bifrost_37c49bbd | Windows |
This strike sends a malware sample known as Bifrost. Bifrost is a backdoor that lets a remote attacker operating its client component execute arbitrary code on the compromised machine. It has standard Remote Access Trojan capabilities, including screenshot capture, camera monitoring and keylogging. | 37c49bbd0788943d753638da6ee74b69 | https://blog.talosintelligence.com/threat-roundup-0106-0113/ ; SHA256: 48e01c9d590f702876d78f5c7eb7c6d1473174c062e34aafd496fbccfff530ba ; SHA1: d0f708f3b41548d6bbf396663bd0ec232575b8f5 ; MD5: 37c49bbd0788943d753638da6ee74b69 |
M23-M102d | Hook_6e886c71 | Mixed |
This strike sends a malware sample known as Hook. Hook is an Android RAT derived from the Ermac malware. It can manipulate files on the device and interact with the system UI, including performing gestures, taking screenshots, simulating clicks and key presses, unlocking the device, scrolling, and clicking UI text elements. | 6e886c71b9663012f6659f347790c979 | https://www.threatfabric.com/blogs/hook-a-new-ermac-fork-with-rat-capabilities.html ; SHA256: c5996e7a701f1154b48f962d01d457f9b7e95d9c3dd9bbd6a8e083865d563622 ; SHA1: a072280867503e885a530663925b769513305f8c ; MD5: 6e886c71b9663012f6659f347790c979 |
M23-M1050 | Mimic_bc78159e | Windows |
This strike sends a malware sample known as Mimic. Mimic is ransomware that abuses the search APIs of the Everything file-indexing tool to enumerate the files it will encrypt. It can also delete shadow copies, disable Windows Defender, terminate applications and services, and perform a variety of other functions. | bc78159e7368ca429fcba29e97fc4da6 | https://nationalcybersecurity.com/new-mimic-ransomware-abuses-everything-apis-for-its-encryption-process-hacking-cybersecurity-infosec-comptia-pentest-ransomware/ ; SHA256: b0c75e92e1fe98715f90b29475de998d0c8c50ca80ce1c141fc09d10a7b8e7ee ; SHA1: 91a1dde54c98703695ca1eafb98dbc6fdcb88f01 ; MD5: bc78159e7368ca429fcba29e97fc4da6 |
M23-M104c | LokiBot_b18fd4de | Mixed |
This strike sends a malware sample known as LokiBot. LokiBot is an information stealer designed to siphon sensitive data stored on an infected device. It is modular, able to steal sensitive information from a number of popular applications, and is commonly pushed via malicious documents delivered in spam email. | b18fd4de724718b8d1fa887d94731da4 | https://blog.talosintelligence.com/threat-roundup-0113-0120/ ; SHA256: 86fdff90584064c135a98f05986da5a03bd67abe414f1d8f5fbdbf4249430019 ; SHA1: 97377a93c7fe211badd89a8a3f6ac46e85ae1926 ; MD5: b18fd4de724718b8d1fa887d94731da4 |
M23-M1060 | Bifrost_ed5c7775 | Windows |
This strike sends a malware sample known as Bifrost. Bifrost is a backdoor that lets a remote attacker operating its client component execute arbitrary code on the compromised machine. It has standard Remote Access Trojan capabilities, including screenshot capture, camera monitoring and keylogging. | ed5c777571ca660b7d1eaaac12db6e17 | https://blog.talosintelligence.com/threat-roundup-0106-0113/ ; SHA256: c4736cc96c32c48fb86a39d47b5732dc3171f71c0d48033cb1d4c9e62f0b08ea ; SHA1: ca0251c4fd35d77657785c06bc4f2e910ec72e59 ; MD5: ed5c777571ca660b7d1eaaac12db6e17 |
M23-M1019 | TrickBot_31990c04 | Windows |
This strike sends a malware sample known as TrickBot. TrickBot is a banking trojan that targets sensitive information for select financial institutions. It is frequently distributed through malicious spam campaigns, many of which rely on downloaders such as VBScript files for distribution. | 31990c046c8824f192b49b2f9738265e | https://blog.talosintelligence.com/threat-roundup-0106-0113/ ; SHA256: a3c04866cc1b9024efa30842042f2e50337a6cdb7a77776784ad25e322cf93d7 ; SHA1: 47fd5b432f7cb7c21fc64e1ee5cd3971e793588e ; MD5: 31990c046c8824f192b49b2f9738265e |
M23-M1007 | TrickBot_0f28b837 | Windows |
This strike sends a malware sample known as TrickBot. TrickBot is a banking trojan that targets sensitive information for select financial institutions. It is frequently distributed through malicious spam campaigns, many of which rely on downloaders such as VBScript files for distribution. | 0f28b837de3e1ad653052a6c459683a4 | https://blog.talosintelligence.com/threat-roundup-0106-0113/ ; SHA256: 529883d5b3a9935f3863fcf277ed10086645b2c94e0363276358cd2af9dc5dc1 ; SHA1: a232eabd34e11059d8cb1ede6778a4ca3473a100 ; MD5: 0f28b837de3e1ad653052a6c459683a4 |
M23-M102e | Bifrost_70fa85a1 | Windows |
This strike sends a malware sample known as Bifrost. Bifrost is a backdoor that lets a remote attacker operating its client component execute arbitrary code on the compromised machine. It has standard Remote Access Trojan capabilities, including screenshot capture, camera monitoring and keylogging. | 70fa85a168782ac467530d7d3dbf5cda | https://blog.talosintelligence.com/threat-roundup-0106-0113/ ; SHA256: 288990debffcd3adb7af4e84c86f83e49f1c3726b95f61bf84fded46fbd74a77 ; SHA1: 326f6a12e6e8b61e7c62f5f1987022d7d2089dcd ; MD5: 70fa85a168782ac467530d7d3dbf5cda |
M23-M1039 | LokiBot_8caa05af | Mixed |
This strike sends a malware sample known as LokiBot. LokiBot is an information stealer designed to siphon sensitive data stored on an infected device. It is modular, able to steal sensitive information from a number of popular applications, and is commonly pushed via malicious documents delivered in spam email. | 8caa05af7060f02bab07ccfba6ac42d6 | https://blog.talosintelligence.com/threat-roundup-0113-0120/ ; SHA256: 9d6fcf6155af47fbacddd1f7feb457dc919f1ee29f3d28cc30f3c9c437ee516a ; SHA1: 76c26e775a07e6e4c08be329e8062a901cff4d76 ; MD5: 8caa05af7060f02bab07ccfba6ac42d6 |
M23-M1022 | TrickBot_453434b7 | Windows |
This strike sends a malware sample known as TrickBot. TrickBot is a banking trojan that targets sensitive information for select financial institutions. It is frequently distributed through malicious spam campaigns, many of which rely on downloaders such as VBScript files for distribution. | 453434b724aeda596439430b12982cdd | https://blog.talosintelligence.com/threat-roundup-0106-0113/ ; SHA256: b29afa8695161d81edf54df2f6c36c02bb81fdd109f0000b106cbafe4bcd27a5 ; SHA1: f07d0fca4d9cc752783814926b0405d5b9a55d3f ; MD5: 453434b724aeda596439430b12982cdd |
M23-M1065 | RedGoBot_fad7f107 | Linux |
This strike sends a malware sample known as RedGoBot. RedGoBot has recently been distributed in the wild through exploitation of CVE-2021-35394 in the Realtek Jungle SDK. It is a DDoS bot that can execute remote commands on the operating system, terminate the bot client, and launch DDoS attacks over the HTTP, ICMP, TCP, UDP, VSE and OpenVPN protocols. | fad7f1073fe267fca24927b626afaa1f | https://unit42.paloaltonetworks.com/realtek-sdk-vulnerability/ ; SHA256: a877b4e71c8f2f4ab6915cbe8c57c82ac12331e183f7cbda2de4dc3780a50379 ; SHA1: 09d59754d02fcbfcc95867f1a40fa526dec1120f ; MD5: fad7f1073fe267fca24927b626afaa1f |
M23-M1037 | TrickBot_894c0150 | Windows |
This strike sends a malware sample known as TrickBot. TrickBot is a banking trojan that targets sensitive information for select financial institutions. It is frequently distributed through malicious spam campaigns, many of which rely on downloaders such as VBScript files for distribution. | 894c0150be02cd78f839f56434f1912b | https://blog.talosintelligence.com/threat-roundup-0106-0113/ ; SHA256: 2ea0fc4ce00afe714122a10fb44e4f8115724e56c88654b2c0bd0dd952db6b1a ; SHA1: 9679e9b5704e25a8012f870ab4666d8697448d10 ; MD5: 894c0150be02cd78f839f56434f1912b |
M23-M1002 | Godfather_87cc15 | Android |
This strike sends an Android malware sample known as Pegasus. Pegasus is spyware developed by the NSO Group that exfiltrates data from installed social-media apps, steals stored credentials, takes screenshots and photos, and performs many other malicious actions. NOTE: The APK samples have been signed with custom certificates. | f1a6be3f6129e96331d1e5484bf0a625 | https://cybergeeks.tech/a-technical-analysis-of-pegasus-for-android-part-1/ ; https://info.lookout.com/rs/051-ESQ-475/images/lookout-pegasus-technical-analysis.pdf ; https://android-developers.googleblog.com/2017/04/an-investigation-of-chrysaor-malware-on.html ; SHA256: f26c0df227b4e0dcc275146066913cd9f32b51a2ba40258539eab86ef8e03cea ; PARENTID: M23-M1035 ; SSDEEP: 6144:le2dp/Ant/PYz9lHNKcE13N356verQ6rKFEslscz5+:l3/EYvtXE13p56v56rMhN+ ; SHA1: d698a11ecb4d4c716965659db320e2b959c484ac ; MD5: f1a6be3f6129e96331d1e5484bf0a625 |
M23-M1020 | Bifrost_414a5427 | Windows |
This strike sends a malware sample known as Bifrost. Bifrost is a backdoor that lets a remote attacker operating its client component execute arbitrary code on the compromised machine. It has standard Remote Access Trojan capabilities, including screenshot capture, camera monitoring and keylogging. | 414a5427b5d510b7f1eaf3c79c95e591 | https://blog.talosintelligence.com/threat-roundup-0106-0113/ ; SHA256: 4ce9d9c4d2bb24b5e1f2c7429f2fcd04096ee3038cf7bf3f1ec33d040a4e37fc ; SHA1: 9b063137b108dd68b7c25814f7a2ea66424235d0 ; MD5: 414a5427b5d510b7f1eaf3c79c95e591 |
M23-M101b | LokiBot_3270fa89 | Mixed |
This strike sends a malware sample known as LokiBot. LokiBot is an information stealer designed to siphon sensitive data stored on an infected device. It is modular, able to steal sensitive information from a number of popular applications, and is commonly pushed via malicious documents delivered in spam email. | 3270fa8988eb62bdb1c08a04543a6fb9 | https://blog.talosintelligence.com/threat-roundup-0113-0120/ ; SHA256: 07417c9975e6ada913ab62a1338ea1df45800d5eca0c73de33d1f53a72973bc6 ; SHA1: 249dc09dceee2a03d725d251a490687bfe8934c3 ; MD5: 3270fa8988eb62bdb1c08a04543a6fb9 |
M23-M104f | Mimic_b92a2606 | Windows |
This strike sends a malware sample known as Mimic. Mimic is ransomware that abuses the search APIs of the Everything file-indexing tool to enumerate the files it will encrypt. It can also delete shadow copies, disable Windows Defender, terminate applications and services, and perform a variety of other functions. | b92a26068ba3653d8ec491f9702843e7 | https://nationalcybersecurity.com/new-mimic-ransomware-abuses-everything-apis-for-its-encryption-process-hacking-cybersecurity-infosec-comptia-pentest-ransomware/ ; SHA256: a1eeeeae0eb365ff9a00717846c4806785d55ed20f3f5cbf71cf6710d7913c51 ; SHA1: eab1f025c6034d53466a8a9428d45008282591cc ; MD5: b92a26068ba3653d8ec491f9702843e7 |
M23-M105b | TrickBot_d13ec5ad | Windows |
This strike sends a malware sample known as TrickBot. TrickBot is a banking trojan that targets sensitive information for select financial institutions. It is frequently distributed through malicious spam campaigns, many of which rely on downloaders such as VBScript files for distribution. | d13ec5adc0dae7eb5a0d6cd4fde38af7 | https://blog.talosintelligence.com/threat-roundup-0106-0113/ ; SHA256: 3fd4e4bc06b0c735ecb690e317fd0954b0b9011e6e32980e04af7611b938ec2c ; SHA1: 35fe1c3acb11c87edb55ca98c74de164c27b18a2 ; MD5: d13ec5adc0dae7eb5a0d6cd4fde38af7 |
M23-M1048 | RedGoBot_aaee43e6 | Linux |
This strike sends a malware sample known as RedGoBot. RedGoBot has recently been distributed in the wild through exploitation of CVE-2021-35394 in the Realtek Jungle SDK. It is a DDoS bot that can execute remote commands on the operating system, terminate the bot client, and launch DDoS attacks over the HTTP, ICMP, TCP, UDP, VSE and OpenVPN protocols. | aaee43e63d5a3abd70ffa774a16c816e | https://unit42.paloaltonetworks.com/realtek-sdk-vulnerability/ ; SHA256: 26e96945ee32199536d4c85124a24c28e853b557eb31f3907d19f08b9798dff4 ; SHA1: 68ec5f83bf5cff8c0af67a175a617b0f577ff557 ; MD5: aaee43e63d5a3abd70ffa774a16c816e |
M23-M1061 | TrickBot_ee5900ed | Windows |
This strike sends a malware sample known as TrickBot. TrickBot is a banking trojan that targets sensitive information for select financial institutions. It is frequently distributed through malicious spam campaigns, many of which rely on downloaders such as VBScript files for distribution. | ee5900ed3a23bdfe1e47da24b856d1a6 | https://blog.talosintelligence.com/threat-roundup-0106-0113/ ; SHA256: 25e7e21526add1508c644c31cbbffd221068779ed6fb1bae751a9a70c6133fd3 ; SHA1: 5df0a1fb6d3126ba1648e3da462e7ad198315fb4 ; MD5: ee5900ed3a23bdfe1e47da24b856d1a6 |
M23-M1042 | RedGoBot_9dcc0ab0 | Linux |
This strike sends a malware sample known as RedGoBot. RedGoBot has recently been distributed in the wild through exploitation of CVE-2021-35394 in the Realtek Jungle SDK. It is a DDoS bot that can execute remote commands on the operating system, terminate the bot client, and launch DDoS attacks over the HTTP, ICMP, TCP, UDP, VSE and OpenVPN protocols. | 9dcc0ab0ecc5ece11a70d465dcd9b56b | https://unit42.paloaltonetworks.com/realtek-sdk-vulnerability/ ; SHA256: 78953c71318fb93fa90607039bceb48f2746a8abfa3a9a8914c8fdc48ebf55df ; SHA1: 99d404d04484d91debae40cf54549af7df51bc35 ; MD5: 9dcc0ab0ecc5ece11a70d465dcd9b56b |
M23-M103f | TrickBot_976b666c | Windows |
This strike sends a malware sample known as TrickBot. TrickBot is a banking trojan that targets sensitive information for select financial institutions. It is frequently distributed through malicious spam campaigns, many of which rely on downloaders such as VBScript files for distribution. | 976b666c2834842fa07d6ffaddafe98c | https://blog.talosintelligence.com/threat-roundup-0106-0113/ ; SHA256: 6f5394ad933af9c28c7eefc6c62eead20d8e3ecf5ebe40b10d81f74d96d1dfe1 ; SHA1: 37d6bf1798cefa54d3deff4ca8cb4f56c75df73d ; MD5: 976b666c2834842fa07d6ffaddafe98c |
M23-M1034 | LokiBot_77393a98 | Mixed |
This strike sends a malware sample known as LokiBot. LokiBot is an information stealer designed to siphon sensitive data stored on an infected device. It is modular, able to steal sensitive information from a number of popular applications, and is commonly pushed via malicious documents delivered in spam email. | 77393a984431fb546e97beb9d0e060b3 | https://blog.talosintelligence.com/threat-roundup-0113-0120/ ; SHA256: c2745c75eefa6867cce4cc61d89d306810370e0958a550d039c5935e7012de71 ; SHA1: 7df5f02e8ab51b3bbe6de0713b7a84345cdc3370 ; MD5: 77393a984431fb546e97beb9d0e060b3 |
M23-M1038 | Bifrost_8b220453 | Windows |
This strike sends a malware sample known as Bifrost. Bifrost is a backdoor that lets a remote attacker operating its client component execute arbitrary code on the compromised machine. It has standard Remote Access Trojan capabilities, including screenshot capture, camera monitoring and keylogging. | 8b220453ce856f3709cd80beeae503b2 | https://blog.talosintelligence.com/threat-roundup-0106-0113/ ; SHA256: 6b11b23dbbc86681e47b0aa7e8406d7782e790ee187020e46762312c4cc8b9a8 ; SHA1: 8ed550b8c34d38519a0db63db207dcd444dfafbd ; MD5: 8b220453ce856f3709cd80beeae503b2 |
M23-M1012 | Hook_21d8304c | Mixed |
This strike sends a malware sample known as Hook. Hook is an Android RAT derived from the Ermac malware. It can manipulate files on the device and interact with the system UI, including performing gestures, taking screenshots, simulating clicks and key presses, unlocking the device, scrolling, and clicking UI text elements. | 21d8304cb6e169db00d6f19d346e4152 | https://www.threatfabric.com/blogs/hook-a-new-ermac-fork-with-rat-capabilities.html ; SHA256: 768b561d0a9fa3c6078b3199b1ef42272cac6a47ba01999c1f67c9b548a0bc15 ; SHA1: a3c42b97d23f799ff2237a1326e172f9663ef136 ; MD5: 21d8304cb6e169db00d6f19d346e4152 |
M23-M1026 | TrickBot_5cc6f3d0 | Windows |
This strike sends a malware sample known as TrickBot. TrickBot is a banking trojan that targets sensitive information for select financial institutions. It is frequently distributed through malicious spam campaigns, many of which rely on downloaders such as VBScript files for distribution. | 5cc6f3d095282971693e9a7c1ea3c1d3 | https://blog.talosintelligence.com/threat-roundup-0106-0113/ ; SHA256: 25f2be22535798e48ea2b92c08da3e62f15569f1f67bc45889d7dc403a2c5bf8 ; SHA1: 44ee5391a43dc53190a51422405b02326610a7f7 ; MD5: 5cc6f3d095282971693e9a7c1ea3c1d3 |
M23-M1059 | TrickBot_cce5afd9 | Windows |
This strike sends a malware sample known as TrickBot. TrickBot is a banking trojan that targets sensitive information for select financial institutions. It is frequently distributed through malicious spam campaigns, many of which rely on downloaders such as VBScript files for distribution. | cce5afd9929ee07858713d32e86253c2 | https://blog.talosintelligence.com/threat-roundup-0106-0113/ ; SHA256: aceca08c357c2da59b3a311c8b3199ac1d7d903c03c14b6f35f84d77b76c4764 ; SHA1: e8370bdcba7f165eeccc065a072e6e07e3b27d35 ; MD5: cce5afd9929ee07858713d32e86253c2 |
M23-M1009 | Bifrost_11ac73b0 | Windows |
This strike sends a malware sample known as Bifrost. Bifrost is a backdoor that lets a remote attacker operating its client component execute arbitrary code on the compromised machine. It has standard Remote Access Trojan capabilities, including screenshot capture, camera monitoring and keylogging. | 11ac73b0ffdf22b9b329bfddf215ed83 | https://blog.talosintelligence.com/threat-roundup-0106-0113/ ; SHA256: e9bf3013a7a3985eb4c658e8973147c70770e96edb70b12faa77ea469312d0bd ; SHA1: 4a263e53fe484ef7de4da41230432bf5019dd634 ; MD5: 11ac73b0ffdf22b9b329bfddf215ed83 |
M23-M1053 | LokiBot_c1cb29e7 | Mixed |
This strike sends a malware sample known as LokiBot. LokiBot is an information stealer designed to siphon sensitive data stored on an infected device. It is modular, able to steal sensitive information from a number of popular applications, and is commonly pushed via malicious documents delivered in spam email. | c1cb29e7ba19799e20fae14ffa698418 | https://blog.talosintelligence.com/threat-roundup-0113-0120/ ; SHA256: 067c2a2f4c8344f55cae9cc1c6ba03324a4cc99ae5facd672d100c71f64233e0 ; SHA1: f110beaef6f2e5087e5d5accfa393699aa14fd6a ; MD5: c1cb29e7ba19799e20fae14ffa698418 |
M23-M1006 | RedGoBot_0c817d83 | Linux |
This strike sends a malware sample known as RedGoBot. RedGoBot malware has recently been distributed in the wild via the exploitation of CVE-2021-35394. This malware is a DDoS botnet with the ability to execute remote commands on the operating system, terminate the bot client, and launch DDoS attacks over the HTTP, ICMP, TCP, UDP, VSE, and OpenVPN protocols. | 0c817d839e014ceb4350e6989ac85b08 | https://unit42.paloaltonetworks.com/realtek-sdk-vulnerability/ SHA256: 57d39a6a88093c9e1fbc1626105d714be92680bdf666279b7663bcaaf7fa7e6e SHA1: 5d688fdecfced32f3fd903831353211e354074bb MD5: 0c817d839e014ceb4350e6989ac85b08 |
M23-M1023 | TrickBot_4c44ea21 | Windows |
This strike sends a malware sample known as TrickBot. TrickBot is a banking trojan targeting sensitive information for select financial institutions. This malware is frequently distributed through malicious spam campaigns. Many of these campaigns rely on downloaders for distribution, such as VB scripts. | 4c44ea21b98a995fb9cb39f485a80fea | https://blog.talosintelligence.com/threat-roundup-0106-0113/ SHA256: 723bc475c228b18acec71d248f9b79b189fa8a84d6685ea5b4b42cba55a7c9ab SHA1: 8a3861afd5064917c07e70d9dcc3a4414f7d9fba MD5: 4c44ea21b98a995fb9cb39f485a80fea |
M23-M103c | Mimic_8fb35a35 | Windows |
This strike sends a malware sample known as Mimic. Mimic is a ransomware that abuses the APIs of the Everything search tool to query for files to be encrypted. It has the ability to delete shadow copies, disable Windows Defender, terminate applications and services, and perform a variety of other functions. | 8fb35a353978f59bd81e1e605855965e | https://nationalcybersecurity.com/new-mimic-ransomware-abuses-everything-apis-for-its-encryption-process-hacking-cybersecurity-infosec-comptia-pentest-ransomware/ SHA256: b68f469ed8d9deea15af325efc1a56ca8cb5c2b42f2423837a51160456ce0db5 SHA1: 66a1ca952cc666eceea66726191889e55b25b0eb MD5: 8fb35a353978f59bd81e1e605855965e |
M23-M1045 | Mimic_a16b5846 | Windows |
This strike sends a malware sample known as Mimic. Mimic is a ransomware that abuses the APIs of the Everything search tool to query for files to be encrypted. It has the ability to delete shadow copies, disable Windows Defender, terminate applications and services, and perform a variety of other functions. | a16b58464d8874f358687c49e5d06806 | https://nationalcybersecurity.com/new-mimic-ransomware-abuses-everything-apis-for-its-encryption-process-hacking-cybersecurity-infosec-comptia-pentest-ransomware/ SHA256: 7ae4c5caf6cda7fa8862f64a74bd7f821b50d855d6403bde7bcbd7398b2c7d99 SHA1: 9211f875714e8e0c9ad073eab7e16b9b0e34bf3e MD5: a16b58464d8874f358687c49e5d06806 |
M23-M1040 | LokiBot_9a53b56a | Mixed |
This strike sends a malware sample known as LokiBot. LokiBot is an information-stealing malware designed to siphon off sensitive information stored on an infected device. It is modular in nature, supporting the ability to steal sensitive information from a number of popular applications. It is commonly pushed via malicious documents delivered through spam emails. | 9a53b56adecec33768f427031a3e068d | https://blog.talosintelligence.com/threat-roundup-0113-0120/ SHA256: 80bfd5671a9013cc4ba919582612f6d16076e0663990572188093e61ae40e2bd SHA1: 4ef5fdf9584ba21a16ddb2dd01aef99b81bf4307 MD5: 9a53b56adecec33768f427031a3e068d |
M23-M1013 | LokiBot_24b1096d | Mixed |
This strike sends a malware sample known as LokiBot. LokiBot is an information-stealing malware designed to siphon off sensitive information stored on an infected device. It is modular in nature, supporting the ability to steal sensitive information from a number of popular applications. It is commonly pushed via malicious documents delivered through spam emails. | 24b1096dc92c31d5a7e6328520e108e7 | https://blog.talosintelligence.com/threat-roundup-0113-0120/ SHA256: 3e8d8210b9d681c89f5df122c1598d4117b0c1843b706f7525039b5ba37f96af SHA1: cb9ba92dcfe4817606b8af95305d95dd1de604c3 MD5: 24b1096dc92c31d5a7e6328520e108e7 |
M23-M1036 | Bifrost_84932775 | Windows |
This strike sends a malware sample known as Bifrost. Bifrost is a backdoor that allows a remote attacker, operating the client component, to execute arbitrary code on the compromised machine. It contains standard Remote Access Trojan capabilities, including taking screenshots, camera monitoring, and keylogging. | 84932775991cc72e5e11f92dd8556fd6 | https://blog.talosintelligence.com/threat-roundup-0106-0113/ SHA256: 78684bb61de2e43084294d8e38974d3e5150174fe5f0282c40ef701d5d621ab7 SHA1: 375290f9ebe5695c1869be4d5cadff2962bf3c9d MD5: 84932775991cc72e5e11f92dd8556fd6 |
M23-M1035 | Godfather_7e061e87 | Mixed |
This strike sends an Android malware sample known as Godfather. It is a trojan which affected 400 banking and crypto applications. It is a successor to the Anubis malware; it performs its C2 communication over Telegram and carries out malicious activities such as screen recording, exfiltrating push notifications to bypass 2FA, and forwarding calls. The included sample poses as the Google Play Protect app. | 7e061e87f9a4c27bfb69980980270720 | https://thehackernews.com/2022/12/godfather-android-banking-trojan.html https://www.group-ib.com/blog/godfather-trojan/ SHA256: b6249fa996cb4046bdab37bab5e3b4d43c79ea537f119040c3b3e138149897fd SHA1: 34d37927b35f422e7c28055ea989ef6524a668ef MD5: 7e061e87f9a4c27bfb69980980270720 |
M23-M1016 | QuasarRAT_2aa82aa4 | Windows |
This strike sends a malware sample known as QuasarRAT. In October 2021, Cisco Talos detected a campaign targeting Afghanistan and India that used malicious RTF documents to deliver malware to its victims. This campaign exploited CVE-2017-11882, a vulnerability in Microsoft Office, to deliver QuasarRAT and dcRAT to Windows hosts and AndroidRAT to mobile devices. This sample is QuasarRAT. | 2aa82aa4c787c4f6299a22767d2ead47 | https://blog.talosintelligence.com/threat-roundup-0113-0120/ SHA256: ceecc1833d5bd98f7377e20514c3574e5e7baa11462fb952be29b2d7d2be10af SHA1: 08ac2ac3c0dd008b7aa31c68f4ededa2a37c7b81 MD5: 2aa82aa4c787c4f6299a22767d2ead47 |
M23-M1004 | Mimic_01ff843b | Windows |
This strike sends a malware sample known as Mimic. Mimic is a ransomware that abuses the APIs of the Everything search tool to query for files to be encrypted. It has the ability to delete shadow copies, disable Windows Defender, terminate applications and services, and perform a variety of other functions. | 01ff843b385a9e4d58e4a892fda02fd5 | https://nationalcybersecurity.com/new-mimic-ransomware-abuses-everything-apis-for-its-encryption-process-hacking-cybersecurity-infosec-comptia-pentest-ransomware/ SHA256: 30f2fe10229863c57d9aab97ec8b7a157ad3ff9ab0b2110bbb4859694b56923f SHA1: 233dae8cdb91e030d792d510eaebadb4a4f5a329 MD5: 01ff843b385a9e4d58e4a892fda02fd5 |