Malware Monthly Update September - 2022

Malware Strikes

Strike ID Malware Platform Info MD5 External References
Strike ID: M22-M901c
Malware: BlackMatter_6e9a1ea0
Platform: Windows
Info: This strike sends a malware sample known as BlackMatter. BlackMatter is a Ransomware-as-a-Service (RaaS). It has followed in the footsteps of its predecessors DarkSide and REvil with much of the same functionality. It can elevate privileges, kill processes, and even steal the victim's details.
External References: https://blog.talosintelligence.com/2022/09/threat-roundup-0826-0902.html
SHA256: 333f19529de011757c299888e57b8d37801b6adbf7e2d270b71726150aeef90c
SHA1: 4a175c514477d79cd3218b4cfc5d47309e2eabc1
MD5: 6e9a1ea049f79e227503fb5681a58d8e
Strike ID: M22-M9062
Malware: HomeLand
Platform: Windows
Info: This strike sends a polymorphic malware sample known as HomeLand Justice Encryptor. Iranian state cyber actors calling themselves "HomeLand Justice" launched a cyber attack against the Government of Albania. During the attack the attackers conducted lateral movement, network reconnaissance, and credential harvesting against the Albanian Government. This attack also included a ransomware-style file encryptor and disk wiping malware. This sample is the GoXML.exe ransomware encryptor. The binary has a random section name renamed according to the PE format specification.
External References: https://www.cisa.gov/uscert/ncas/alerts/aa22-264a
SHA256: 535a8b8467fd379278d176e718f9eca215a858a5b8d5cc9b697a9f20332f19bf
https://arxiv.org/abs/1801.08917
PARENTID: M22-M9044
SSDEEP: 768:9OFu8Q3w6QzfR5Jni6SQD7qSFDs6P93/q0XIc/UB5EPABWX:IFu8QAFzffJui79f13/AnB5EPAkX
SHA1: 296d399f19cba615671347aa5720a2b034ddb805
MD5: 9adc34da79436d216d6c19f992196f6b
Strike ID: M22-M9029
Malware: DarkKomet_9ff86eff
Platform: Windows
Info: This strike sends a malware sample known as DarkKomet. DarkKomet is a freeware remote access trojan that was released by an independent software developer. It provides the same functionality you would expect from a remote access tool: keylogging, webcam access, microphone access, remote desktop, URL download, program execution, etc.
External References: https://blog.talosintelligence.com/2022/09/threat-roundup-0826-0902.html
SHA256: 0edde1077db95438d2598acd555a39b3c2ac432f98b60d3c77415fd650b13516
SHA1: dd67dc239af783cb850604e7c33a23b7bd4a28d2
MD5: 9ff86eff19a08360ed26733e73e71abd
Strike ID: M22-M9031
Malware: Cerber_a477662e
Platform: Windows
Info: This strike sends a malware sample known as Cerber. Cerber is ransomware that encrypts documents, photos, databases and other important files using the file extension ".cerber".
External References: https://blog.talosintelligence.com/2022/09/threat-roundup-0916-0923.html
SHA256: 5ed48cdf13e9681085390956e25883680a6b1b4600d99608d84c126d57832025
SHA1: 0a4b77a89b9a546fd0ac863dbf0b648a37a139c6
MD5: a477662edef8ab16496caf23a208250f
Strike ID: M22-M9024
Malware: DarkKomet_8ecfcd69
Platform: Windows
Info: This strike sends a malware sample known as DarkKomet. DarkKomet is a freeware remote access trojan that was released by an independent software developer. It provides the same functionality you would expect from a remote access tool: keylogging, webcam access, microphone access, remote desktop, URL download, program execution, etc.
External References: https://blog.talosintelligence.com/2022/09/threat-roundup-0826-0902.html
SHA256: 1a85cf3317d5a030ab87d02649769a6a0bfb1b342ecc46f1bc26e1f651fbb1ed
SHA1: 854dc9818abd7ddd4bc782a178263444d6c84557
MD5: 8ecfcd699de69ff65a3cd3f6b6de329b
Strike ID: M22-M901b
Malware: Shikitega_6e684589
Platform: Linux
Info: This strike sends a malware sample known as Shikitega. Shikitega is malware that targets devices running the Linux OS. It is delivered in a multistage infection chain where each module handles one part of the payload and then downloads and executes the next module. When run, a cryptominer is executed and the attacker is potentially granted full access to the machine.
External References: https://cybersecurity.att.com/blogs/labs-research/shikitega-new-stealthy-malware-targeting-linux
SHA256: d5bd2b6b86ce14fbad5442a0211d4cb1d56b6c75f0b3d78ad8b8dd82483ff4f8
SHA1: 6f89acd56678b4c9b929794334777fd8d93e6cd0
MD5: 6e6845896222ee7d48e76ea2bf11b97d
Strike ID: M22-M9042
Malware: Cerber_b9a116e6
Platform: Windows
Info: This strike sends a malware sample known as Cerber. Cerber is ransomware that encrypts documents, photos, databases and other important files using the file extension ".cerber".
External References: https://blog.talosintelligence.com/2022/09/threat-roundup-0916-0923.html
SHA256: e50306b8c8b4bfd52da321a30e3e28bbef41b333e5803a303791f27798a1299c
SHA1: 11713fc4d027c1dd1b34b3d5673a3c6435ffccc6
MD5: b9a116e602ac51e388b56b5769065af6
Strike ID: M22-M902a
Malware: Cerber_a084f960
Platform: Windows
Info: This strike sends a malware sample known as Cerber. Cerber is ransomware that encrypts documents, photos, databases and other important files using the file extension ".cerber".
External References: https://blog.talosintelligence.com/2022/09/threat-roundup-0916-0923.html
SHA256: 52573c863390fde5244133cc965bf2501f0eb28e7d76a9996bc300070d41941b
SHA1: 4138b3144dcb46be42d3ac033ed9078895624e61
MD5: a084f96088ac607afafa8a41fae13449
Strike ID: M22-M900e
Malware: DarkKomet_472cf260
Platform: Windows
Info: This strike sends a malware sample known as DarkKomet. DarkKomet is a freeware remote access trojan that was released by an independent software developer. It provides the same functionality you would expect from a remote access tool: keylogging, webcam access, microphone access, remote desktop, URL download, program execution, etc.
External References: https://blog.talosintelligence.com/2022/09/threat-roundup-0826-0902.html
SHA256: 4bb436856e6c78ebac6ef0f48a76fad96268add5dc1583a0e20b986d4532bce4
SHA1: 35169b791e2557d93ce03282a66c9ad4053acb71
MD5: 472cf260266980cbbed9d6054ee1d161
Strike ID: M22-M9034
Malware: BlackMatter_a6237d50
Platform: Windows
Info: This strike sends a malware sample known as BlackMatter. BlackMatter is a Ransomware-as-a-Service (RaaS). It has followed in the footsteps of its predecessors DarkSide and REvil with much of the same functionality. It can elevate privileges, kill processes, and even steal the victim's details.
External References: https://blog.talosintelligence.com/2022/09/threat-roundup-0826-0902.html
SHA256: 0400ee8269aba8f79bfd0c65f64689b06febae22a7535c9fda728a7eaa29ae0d
SHA1: 4c6892316a83fe36d1f74e121be09a525821dc39
MD5: a6237d5041d5a178c50bcad6387b405e
Strike ID: M22-M901f
Malware: Deadbolt_76022a94
Platform: Linux
Info: This strike sends a malware sample known as Deadbolt. Deadbolt is ransomware that was first seen targeting QNAP NAS devices in January 2022. It has a multi-tiered payment and extortion scheme, a flexible configuration, and is heavily automated.
External References: https://www.bleepingcomputer.com/news/security/deadbolt-ransomware-now-targets-asustor-devices-asks-50-btc-for-master-key/
SHA256: 14a13534d21d9f85a21763b0e0e86657ed69b230a47e15efc76c8a19631a8d04
SHA1: 9c652d74007890873b8ade8f78b333a4f5e84ebf
MD5: 76022a94288bbb07e22d8509b37eea71
Strike ID: M22-M9016
Malware: DarkKomet_64916b96
Platform: Windows
Info: This strike sends a malware sample known as DarkKomet. DarkKomet is a freeware remote access trojan that was released by an independent software developer. It provides the same functionality you would expect from a remote access tool: keylogging, webcam access, microphone access, remote desktop, URL download, program execution, etc.
External References: https://blog.talosintelligence.com/2022/09/threat-roundup-0826-0902.html
SHA256: 3adb310c1ed97474f55974c05a17c56a89d082eb3069592d5734f91b330a8d96
SHA1: 5ebfadbc37700fc52eb6aaf27b63811ac53edd24
MD5: 64916b96176449c7aec4d0adec055111
Strike ID: M22-M900f
Malware: NetWire_4ca8ed01
Platform: Windows
Info: This strike sends a malware sample known as NetWire. NetWire is a Remote Access Trojan that lets attackers execute commands on the infected host.
External References: https://blog.talosintelligence.com/2022/09/threat-roundup-0916-0923.html
SHA256: 17d3937fb3aceacc0ac99f94a2347b87b22cbc2e7c341830ad9ad0a8f88babee
SHA1: a14e2ac0ca546856baef1d406fbdd31a97c20844
MD5: 4ca8ed01742bee59de7f772cc63485f6
Strike ID: M22-M9023
Malware: DarkKomet_88123242
Platform: Windows
Info: This strike sends a malware sample known as DarkKomet. DarkKomet is a freeware remote access trojan that was released by an independent software developer. It provides the same functionality you would expect from a remote access tool: keylogging, webcam access, microphone access, remote desktop, URL download, program execution, etc.
External References: https://blog.talosintelligence.com/2022/09/threat-roundup-0826-0902.html
SHA256: 1abb5ce77ce286aac491f9363161554eb0894dfb425e4457aee3cd3fc22982e9
SHA1: 5e85511a0537dc66c4d0823829be1a19d50e267f
MD5: 88123242d631fb205b49827cabb3a306
Strike ID: M22-M900a
Malware: DarkKomet_29749cd4
Platform: Windows
Info: This strike sends a malware sample known as DarkKomet. DarkKomet is a freeware remote access trojan that was released by an independent software developer. It provides the same functionality you would expect from a remote access tool: keylogging, webcam access, microphone access, remote desktop, URL download, program execution, etc.
External References: https://blog.talosintelligence.com/2022/09/threat-roundup-0826-0902.html
SHA256: 44317a91b1c813dc8423423cc5a1130e34264f5ab8cc4b35e05da3b7eaacc3f2
SHA1: 31e5b2e3d9de87c070c089a0947c1ae0d5608106
MD5: 29749cd4791f34d76d620d80b833f307
Strike ID: M22-M905b
Malware: DarkKomet_fca9ed0f
Platform: Windows
Info: This strike sends a malware sample known as DarkKomet. DarkKomet is a freeware remote access trojan that was released by an independent software developer. It provides the same functionality you would expect from a remote access tool: keylogging, webcam access, microphone access, remote desktop, URL download, program execution, etc.
External References: https://blog.talosintelligence.com/2022/09/threat-roundup-0826-0902.html
SHA256: 07fb7af6f5ebe683cea86ec012a0a002771d658873ea3428d989f8ecaccc2e0b
SHA1: 0e090ad8c62d5d61f062e563e84be43523d2def7
MD5: fca9ed0f8759e5c71e0911cd6e819273
Strike ID: M22-M901d
Malware: Deadbolt_718ae697
Platform: Linux
Info: This strike sends a malware sample known as Deadbolt. Deadbolt is ransomware that was first seen targeting QNAP NAS devices in January 2022. It has a multi-tiered payment and extortion scheme, a flexible configuration, and is heavily automated.
External References: https://www.bleepingcomputer.com/news/security/deadbolt-ransomware-now-targets-asustor-devices-asks-50-btc-for-master-key/
SHA256: 444e537f86cbeeea5a4fcf94c485cc9d286de0ccd91718362cecf415bf362bcf
SHA1: 338c16a49899ee08b5284b9bb3b2b14d6e5bdfe3
MD5: 718ae69788dc752a8db46b0e43e42f13
Strike ID: M22-M903f
Malware: Cerber_b3923fb7
Platform: Windows
Info: This strike sends a malware sample known as Cerber. Cerber is ransomware that encrypts documents, photos, databases and other important files using the file extension ".cerber".
External References: https://blog.talosintelligence.com/2022/09/threat-roundup-0916-0923.html
SHA256: 74c864c6b31afa1db6c8d6fb2bb8860b655d3554c8d309a91d894fd210351b7e
SHA1: 1c617abd784d40e709d365f6f1f39247452a82a1
MD5: b3923fb72ad8b7ca15ad85d7082a1429
Strike ID: M22-M903d
Malware: Shikitega_b035f858
Platform: Linux
Info: This strike sends a malware sample known as Shikitega. Shikitega is malware that targets devices running the Linux OS. It is delivered in a multistage infection chain where each module handles one part of the payload and then downloads and executes the next module. When run, a cryptominer is executed and the attacker is potentially granted full access to the machine.
External References: https://cybersecurity.att.com/blogs/labs-research/shikitega-new-stealthy-malware-targeting-linux
SHA256: fc97a8992fa2fe3fd98afddcd03f2fc8f1502dd679a32d1348a9ed5b208c4765
SHA1: 029dbe8df57f3d89ee1f1fe7f50fbf4519ee9522
MD5: b035f85870bb17380b25189bd97b8e65
Strike ID: M22-M9011
Malware: DarkKomet_535f56be
Platform: Windows
Info: This strike sends a malware sample known as DarkKomet. DarkKomet is a freeware remote access trojan that was released by an independent software developer. It provides the same functionality you would expect from a remote access tool: keylogging, webcam access, microphone access, remote desktop, URL download, program execution, etc.
External References: https://blog.talosintelligence.com/2022/09/threat-roundup-0826-0902.html
SHA256: 0ce96b476d6d0aeaa983de1cf41c4553f68156d6cbbe9d48ae852ef0e5143de7
SHA1: a9a4755a723a91f062b539df2e2f0738adf9e05c
MD5: 535f56be2c6bd965548864e65e1433c6
Strike ID: M22-M904d
Malware: Cerber_ce478d86
Platform: Windows
Info: This strike sends a malware sample known as Cerber. Cerber is ransomware that encrypts documents, photos, databases and other important files using the file extension ".cerber".
External References: https://blog.talosintelligence.com/2022/09/threat-roundup-0916-0923.html
SHA256: 0fb820719ef10ee032dbb69607c6fc222fa70b64844af4f04f6eecafc08345a7
SHA1: cd2867f31622ac01754cbacfb3f99a09d071530a
MD5: ce478d8638a31fd6593c31ceb29fdad2
Strike ID: M22-M904a
Malware: Cerber_cb6d7b58
Platform: Windows
Info: This strike sends a malware sample known as Cerber. Cerber is ransomware that encrypts documents, photos, databases and other important files using the file extension ".cerber".
External References: https://blog.talosintelligence.com/2022/09/threat-roundup-0916-0923.html
SHA256: 05602feb977139c96c226969997d8bc55bd47b1d142252d3ec4067591dda85f2
SHA1: ab36c7fa9e52c9d2704e2d88336ba5c8d8b98d3c
MD5: cb6d7b58eec5efe3fa44c873529e7db0
Strike ID: M22-M9014
Malware: DarkKomet_602d5277
Platform: Windows
Info: This strike sends a malware sample known as DarkKomet. DarkKomet is a freeware remote access trojan that was released by an independent software developer. It provides the same functionality you would expect from a remote access tool: keylogging, webcam access, microphone access, remote desktop, URL download, program execution, etc.
External References: https://blog.talosintelligence.com/2022/09/threat-roundup-0826-0902.html
SHA256: 01dc08a7611de9ed95addbdc484f028da8c4cc4f2f04bf007955e8e7771af2ad
SHA1: 4ecb9707512bc1845d0f4744fb90f94f7e3e0840
MD5: 602d5277edc95076d58c33dd2dde428e
Strike ID: M22-M9025
Malware: BlackMatter_9200233d
Platform: Windows
Info: This strike sends a malware sample known as BlackMatter. BlackMatter is a Ransomware-as-a-Service (RaaS). It has followed in the footsteps of its predecessors DarkSide and REvil with much of the same functionality. It can elevate privileges, kill processes, and even steal the victim's details.
External References: https://blog.talosintelligence.com/2022/09/threat-roundup-0826-0902.html
SHA256: 2e641dbe994f931adeff6b65fb9db481a42717454a0ea6b1e2222ba24d890fa9
SHA1: 75acfcaed3d1ec23e82b6b70bf8957d4b333b151
MD5: 9200233d9b991b290c16d33a9956bea8
Strike ID: M22-M9050
Malware: NetWire_d5684dac
Platform: Windows
Info: This strike sends a malware sample known as NetWire. NetWire is a Remote Access Trojan that lets attackers execute commands on the infected host.
External References: https://blog.talosintelligence.com/2022/09/threat-roundup-0916-0923.html
SHA256: 4101b1f2efa7e4ac9711140c8e5e724bf5a74ac0b4ab76f0d6c4e23374977627
SHA1: 83c5cbc25f910f43fcdcaec4c9d3fa12b128aea3
MD5: d5684dac5c8e7081056494a1b8c0eb3d
Strike ID: M22-M9038
Malware: Cerber_aa038ee8
Platform: Windows
Info: This strike sends a malware sample known as Cerber. Cerber is ransomware that encrypts documents, photos, databases and other important files using the file extension ".cerber".
External References: https://blog.talosintelligence.com/2022/09/threat-roundup-0916-0923.html
SHA256: f330c988680055316a3aa2bc341e409096517381395469a32aa369a1940e9e5c
SHA1: 0b71aa42733b9d024af60b6488cc98dbb8a567e0
MD5: aa038ee865d3da0373c92a693bcc1459
Strike ID: M22-M902c
Malware: Cerber_a0e22f8b
Platform: Windows
Info: This strike sends a malware sample known as Cerber. Cerber is ransomware that encrypts documents, photos, databases and other important files using the file extension ".cerber".
External References: https://blog.talosintelligence.com/2022/09/threat-roundup-0916-0923.html
SHA256: 09768afcaa8eae74f05841e49ece1ac338318c0d5f0153c2db6cecf169718698
SHA1: fb4960f7df677859f43ec693340aaa2175a2f56b
MD5: a0e22f8b2be97dd7f539209350aabaf5
Strike ID: M22-M9010
Malware: DarkKomet_52db481d
Platform: Windows
Info: This strike sends a malware sample known as DarkKomet. DarkKomet is a freeware remote access trojan that was released by an independent software developer. It provides the same functionality you would expect from a remote access tool: keylogging, webcam access, microphone access, remote desktop, URL download, program execution, etc.
External References: https://blog.talosintelligence.com/2022/09/threat-roundup-0826-0902.html
SHA256: 2ba447c32a9cfa066bbc502772d11c9fb62404c090a9de7c83d9aa4151dbf35c
SHA1: e71d2bea6c848ce1a13dc7ec4dcc4e846aa90284
MD5: 52db481d13883721bdeeec442a293781
Strike ID: M22-M9043
Malware: Cerber_b9a78094
Platform: Windows
Info: This strike sends a malware sample known as Cerber. Cerber is ransomware that encrypts documents, photos, databases and other important files using the file extension ".cerber".
External References: https://blog.talosintelligence.com/2022/09/threat-roundup-0916-0923.html
SHA256: c4698b067e10ecf2ac5a4e318703d46b33cbdcd9803ffabc4a9da147e5d271f1
SHA1: 9b6ddc378ba72b0a280962bcbd0c68faea752935
MD5: b9a78094607d6b3e2b6b46076a954cb5
Strike ID: M22-M9022
Malware: HomeLand
Platform: Windows
Info: This strike sends a malware sample known as HomeLand Justice Wiper. Iranian state cyber actors calling themselves "HomeLand Justice" launched a cyber attack against the Government of Albania. During the attack the attackers conducted lateral movement, network reconnaissance, and credential harvesting against the Albanian Government. This attack also included a ransomware-style file encryptor and disk wiping malware. This sample is the disk wiper.
External References: https://www.cisa.gov/uscert/ncas/alerts/aa22-264a
SHA256: e1204ebbd8f15dbf5f2e41dddc5337e3182fc4daf75b05acc948b8b965480ca0
SHA1: f22a7ec80fbfdc4d8ed796119c76bfac01e0a908
MD5: 7b71764236f244ae971742ee1bc6b098
Strike ID: M22-M9015
Malware: BlackMatter_60f217dd
Platform: Windows
Info: This strike sends a malware sample known as BlackMatter. BlackMatter is a Ransomware-as-a-Service (RaaS). It has followed in the footsteps of its predecessors DarkSide and REvil with much of the same functionality. It can elevate privileges, kill processes, and even steal the victim's details.
External References: https://blog.talosintelligence.com/2022/09/threat-roundup-0826-0902.html
SHA256: 55b45145bf1ed50d1e72c74c0743ce36e279a10e55dada004824f3eb7db5646d
SHA1: fcd9e27651bbfca937d7d6441639b617388bd538
MD5: 60f217dd352109f05550b9473d22dc6b
Strike ID: M22-M905c
Malware: Shikitega_fd3bc823
Platform: Linux
Info: This strike sends a malware sample known as Shikitega. Shikitega is malware that targets devices running the Linux OS. It is delivered in a multistage infection chain where each module handles one part of the payload and then downloads and executes the next module. When run, a cryptominer is executed and the attacker is potentially granted full access to the machine.
External References: https://cybersecurity.att.com/blogs/labs-research/shikitega-new-stealthy-malware-targeting-linux
SHA256: 29aafbfd93c96b37866a89841752f29b55badba386840355b682b1853efafcb8
SHA1: 009639d09c5955ae5fda4a5e1c161579a684b514
MD5: fd3bc823d9e6b1aa0622c36ebd5e69f2
Strike ID: M22-M901e
Malware: DarkKomet_758f1590
Platform: Windows
Info: This strike sends a malware sample known as DarkKomet. DarkKomet is a freeware remote access trojan that was released by an independent software developer. It provides the same functionality you would expect from a remote access tool: keylogging, webcam access, microphone access, remote desktop, URL download, program execution, etc.
External References: https://blog.talosintelligence.com/2022/09/threat-roundup-0826-0902.html
SHA256: 32c9b04c79b44e5c331c6497b9c11ce942b53e9fe6d6b57211e2dac442bb4d8b
SHA1: adb07fd1c79941eeca31d92b318420beab492120
MD5: 758f159012adf559276f74dec143e4f1
Strike ID: M22-M9060
Malware: HomeLand
Platform: Windows
Info: This strike sends a polymorphic malware sample known as HomeLand Justice Encryptor. Iranian state cyber actors calling themselves "HomeLand Justice" launched a cyber attack against the Government of Albania. During the attack the attackers conducted lateral movement, network reconnaissance, and credential harvesting against the Albanian Government. This attack also included a ransomware-style file encryptor and disk wiping malware. This sample is the GoXML.exe ransomware encryptor. The binary has the timestamp field updated in the PE file header.
External References: https://www.cisa.gov/uscert/ncas/alerts/aa22-264a
SHA256: 7d81fa60433f4c50358e52926ed297cdbbca459d9d93af864e09694c433ce91e
https://attack.mitre.org/techniques/T1099/
PARENTID: M22-M9044
SSDEEP: 768:JOFu8Q3w6QzfR5Jni6SQD7qSFDs6P93/q0XIc/UB5EPABWX:sFu8QAFzffJui79f13/AnB5EPAkX
SHA1: 5c78162ce35b518f6f7b9cb5a0054b98cc0d7d29
MD5: 369ddb9e0d94793f0f70dfa3d8d2079f
Strike ID: M22-M9020
Malware: Shikitega_7a34ca9c
Platform: Linux
Info: This strike sends a malware sample known as Shikitega. Shikitega is malware that targets devices running the Linux OS. It is delivered in a multistage infection chain where each module handles one part of the payload and then downloads and executes the next module. When run, a cryptominer is executed and the attacker is potentially granted full access to the machine.
External References: https://cybersecurity.att.com/blogs/labs-research/shikitega-new-stealthy-malware-targeting-linux
SHA256: 6b514e9a30cbb4d6691dd0ebdeec73762a488884eb0f67f8594e07d356e3d275
SHA1: c193d71ab61054ea7b5445a5a7a5745624171cf8
MD5: 7a34ca9c59cde0af620ffa30783348a9
Strike ID: M22-M9054
Malware: DarkKomet_eb6eda8d
Platform: Windows
Info: This strike sends a malware sample known as DarkKomet. DarkKomet is a freeware remote access trojan that was released by an independent software developer. It provides the same functionality you would expect from a remote access tool: keylogging, webcam access, microphone access, remote desktop, URL download, program execution, etc.
External References: https://blog.talosintelligence.com/2022/09/threat-roundup-0826-0902.html
SHA256: 483c61bf01f6404f78a83413bf011e0e86c6adae8cce6e1a622ff1ee6e95c1ee
SHA1: 82e0378464dcbe72a412740433fabf4b86408744
MD5: eb6eda8d9e47e427383fb7a2c33e0591
Strike ID: M22-M9044
Malware: HomeLand
Platform: Windows
Info: This strike sends a malware sample known as HomeLand Justice Encryptor. Iranian state cyber actors calling themselves "HomeLand Justice" launched a cyber attack against the Government of Albania. During the attack the attackers conducted lateral movement, network reconnaissance, and credential harvesting against the Albanian Government. This attack also included a ransomware-style file encryptor and disk wiping malware. This sample is the GoXML.exe ransomware encryptor.
External References: https://www.cisa.gov/uscert/ncas/alerts/aa22-264a
SHA256: f116acc6508843f59e59fb5a8d643370dce82f492a217764521f46a856cc4cb5
SHA1: 5d117d8ef075f3f8ed1d4edcc0771a2a0886a376
MD5: bbe983dba3bf319621b447618548b740
Strike ID: M22-M9048
Malware: NetWire_c687c676
Platform: Windows
Info: This strike sends a malware sample known as NetWire. NetWire is a Remote Access Trojan that lets attackers execute commands on the infected host.
External References: https://blog.talosintelligence.com/2022/09/threat-roundup-0916-0923.html
SHA256: 815132096b824dbe0c8497cfd85f7508eeac3718c147541c791701df09b6f196
SHA1: cb54c10606ebce1a4768e8f426bdfacf8918de1e
MD5: c687c676f0cfa41262d69b051d600609
Strike ID: M22-M904f
Malware: Shikitega_d1cd3293
Platform: Linux
Info: This strike sends a malware sample known as Shikitega. Shikitega is malware that targets devices running the Linux OS. It is delivered in a multistage infection chain where each module handles one part of the payload and then downloads and executes the next module. When run, a cryptominer is executed and the attacker is potentially granted full access to the machine.
External References: https://cybersecurity.att.com/blogs/labs-research/shikitega-new-stealthy-malware-targeting-linux
SHA256: 0233dcf6417ab33b48e7b54878893800d268b9b6e5ca6ad852693174226e3bed
SHA1: c49bd909be55892f75d81b174588b5af15d2a6ff
MD5: d1cd3293ac4b312e0b3218e80376bd88
Strike ID: M22-M900d
Malware: NetWire_44e152bf
Platform: Windows
Info: This strike sends a malware sample known as NetWire. NetWire is a Remote Access Trojan that lets attackers execute commands on the infected host.
External References: https://blog.talosintelligence.com/2022/09/threat-roundup-0916-0923.html
SHA256: a96ccfc5b5b64660b986d22b9bcc96cb5e178d3d506893bd24a959a5338a4a32
SHA1: cbc264cc28e5bb477fbc6675388437309be811f1
MD5: 44e152bf429a978efaacc69aaa15f411
Strike ID: M22-M9032
Malware: NetWire_a482429d
Platform: Windows
Info: This strike sends a malware sample known as NetWire. NetWire is a Remote Access Trojan that lets attackers execute commands on the infected host.
External References: https://blog.talosintelligence.com/2022/09/threat-roundup-0916-0923.html
SHA256: 39ef261dd5ada5c7b29412ca0e95e6950de77ac8ab9f6e096692fd553a6e3ace
SHA1: 17c069f52138457ea210670b831cf21c89c1f0af
MD5: a482429d1a13c6d0f3a879a6673391c5
Strike ID: M22-M9003
Malware: DarkKomet_0e5bc969
Platform: Windows
Info: This strike sends a malware sample known as DarkKomet. DarkKomet is a freeware remote access trojan that was released by an independent software developer. It provides the same functionality you would expect from a remote access tool: keylogging, webcam access, microphone access, remote desktop, URL download, program execution, etc.
External References: https://blog.talosintelligence.com/2022/09/threat-roundup-0826-0902.html
SHA256: 4326fb1eabf2fd7bde99777bc0283746791e7398cacdf575affe537ab33cf16f
SHA1: 6739d2aca9fcd305564d40c840ef2a8cad617fb2
MD5: 0e5bc9695442dcabb77be26c203708e3
Strike ID: M22-M905a
Malware: NetWire_f6be0865
Platform: Windows
Info: This strike sends a malware sample known as NetWire. NetWire is a Remote Access Trojan that lets attackers execute commands on the infected host.
External References: https://blog.talosintelligence.com/2022/09/threat-roundup-0916-0923.html
SHA256: e2ad52e5cc9b5e5a51811e13daeed3f6d61e239a079ec3617f2c1a4400f6dcaf
SHA1: 4f08649ea8b75da6fd1cc90c327e676e1ca6b100
MD5: f6be08653b37cc6bf40b589ccc712b97
Strike ID: M22-M9006
Malware: DarkKomet_16b1b477
Platform: Windows
Info: This strike sends a malware sample known as DarkKomet. DarkKomet is a freeware remote access trojan that was released by an independent software developer. It provides the same functionality you would expect from a remote access tool: keylogging, webcam access, microphone access, remote desktop, URL download, program execution, etc.
External References: https://blog.talosintelligence.com/2022/09/threat-roundup-0826-0902.html
SHA256: 234eb8f2d2c1a731eb5672006b5c449761e8536b2f6d4b40d20f54e74d631807
SHA1: 0eb2eab77451f868beba7a3a21e213b7b96ed6b3
MD5: 16b1b477b093a551a88d1e62a340cd94
Strike ID: M22-M903c
Malware: Cerber_af77aefb
Platform: Windows
Info: This strike sends a malware sample known as Cerber. Cerber is ransomware that encrypts documents, photos, databases and other important files using the file extension ".cerber".
External References: https://blog.talosintelligence.com/2022/09/threat-roundup-0916-0923.html
SHA256: 8642a1c54c99774f7ffc1ade073f2ccc90b6e2fcacb0118f1eca20b20018d590
SHA1: 18375fabd9b92a3bb6592801c2b499a7f91cbbfd
MD5: af77aefb38535197e5551c0549beeb7c
Strike ID: M22-M9039
Malware: BlackMatter_ad291818
Platform: Windows
Info: This strike sends a malware sample known as BlackMatter. BlackMatter is a Ransomware-as-a-Service (RaaS). It has followed in the footsteps of its predecessors DarkSide and REvil with much of the same functionality. It can elevate privileges, kill processes, and even steal the victim's details.
External References: https://blog.talosintelligence.com/2022/09/threat-roundup-0826-0902.html
SHA256: 95ddbeacd79ad7d944e75f55ca323a13076b756c4accefd28e206a76b3ea268b
SHA1: 76d2207b8d2494016c2b2ab2a9ac9796b2564906
MD5: ad2918181f609861ccb7bda8ebcb10e5
Strike ID: M22-M9026
Malware: Shikitega_932df67e
Platform: Linux
Info: This strike sends a malware sample known as Shikitega. Shikitega is malware that targets devices running the Linux OS. It is delivered in a multistage infection chain where each module handles one part of the payload and then downloads and executes the next module. When run, a cryptominer is executed and the attacker is potentially granted full access to the machine.
External References: https://cybersecurity.att.com/blogs/labs-research/shikitega-new-stealthy-malware-targeting-linux
SHA256: e4a58509fea52a4917007b1cd1a87050b0109b50210c5d00e08ece1871af084d
SHA1: d6b7c2388a75c2c3b71d5ad7130f1d3dfeb7fd83
MD5: 932df67ea6b8900a30249e311195a58f
Strike ID: M22-M902b
Malware: Cerber_a0a620a9
Platform: Windows
Info: This strike sends a malware sample known as Cerber. Cerber is ransomware that encrypts documents, photos, databases and other important files using the file extension ".cerber".
External References: https://blog.talosintelligence.com/2022/09/threat-roundup-0916-0923.html
SHA256: 3eb0b591eb274fa052c4a7cdfcb6c943361c9a199ca33679678791399e8b8988
SHA1: 34198f85fb314458d9c253c72e331511256247f1
MD5: a0a620a900c4a3fc42db9c2632f55a96
Strike ID: M22-M9033
Malware: Cerber_a5741d01
Platform: Windows
Info: This strike sends a malware sample known as Cerber. Cerber is ransomware that encrypts documents, photos, databases and other important files using the file extension ".cerber".
External References: https://blog.talosintelligence.com/2022/09/threat-roundup-0916-0923.html
SHA256: 2738e1df3421ba011f912c22e19bdae3b29d1fb1092be51174da6dbbbc72df8d
SHA1: 217cd381c6c395af34f8a9efd3cf61b46d56909f
MD5: a5741d01be4d0cc52fc4988a6337a834
Strike ID: M22-M9018
Malware: Shikitega_6b13e69c
Platform: Linux
Info: This strike sends a malware sample known as Shikitega. Shikitega is malware that targets devices running the Linux OS. It is delivered in a multistage infection chain where each module handles one part of the payload and then downloads and executes the next module. When run, a cryptominer is executed and the attacker is potentially granted full access to the machine.
External References: https://cybersecurity.att.com/blogs/labs-research/shikitega-new-stealthy-malware-targeting-linux
SHA256: d318e9f2086c3cf2a258e275f9c63929b4560744a504ced68622b2e0b3f56374
SHA1: 01364dc40e5f1005fd7cd6e087368d64b35896f7
MD5: 6b13e69cc37757b1f2dbc2a1c8f806f1
Strike ID: M22-M904b
Malware: BlackMatter_cd2d2003
Platform: Windows
Info: This strike sends a malware sample known as BlackMatter. BlackMatter is a Ransomware-as-a-Service (RaaS). It has followed in the footsteps of its predecessors DarkSide and REvil with much of the same functionality. It can elevate privileges, kill processes, and even steal the victim's details.
External References: https://blog.talosintelligence.com/2022/09/threat-roundup-0826-0902.html
SHA256: fe20b163358d90a39f3afc632dedd029231428474dd42c71a333b2a6d514f1e8
SHA1: 9e265782d4ece0551c0bf4d21d535bd8bf54a744
MD5: cd2d2003cc0c59535a090f015ed629b7
Strike ID: M22-M9052
Malware: Shikitega_da193f6b
Platform: Linux
Info: This strike sends a malware sample known as Shikitega. Shikitega is malware that targets devices running the Linux OS. It is delivered in a multistage infection chain where each module handles one part of the payload and then downloads and executes the next module. When run, a cryptominer is executed and the attacker is potentially granted full access to the machine.
External References: https://cybersecurity.att.com/blogs/labs-research/shikitega-new-stealthy-malware-targeting-linux
SHA256: 7c70716a66db674e56f6e791fb73f6ce62ca1ddd8b8a51c74fc7a4ae6ad1b3ad
SHA1: 9eeef2f22ae1f96b49e45989a8e935c825be92ad
MD5: da193f6bf387f9884d88ace9c04278a0
Strike ID: M22-M9030
Malware: Cerber_a42c9151
Platform: Windows
Info: This strike sends a malware sample known as Cerber. Cerber is ransomware that encrypts documents, photos, databases and other important files using the file extension ".cerber".
External References: https://blog.talosintelligence.com/2022/09/threat-roundup-0916-0923.html
SHA256: 4505a343015d3ef0ad624e61ecfc61e2fc499a11fc5a52911c424de5ccd99d9e
SHA1: d9a81ee032b3e6003f697492283d54b3fd7886e3
MD5: a42c91514cbd1eb343e69c1ce2aa0f81
Strike ID: M22-M902f
Malware: Cerber_a2656455
Platform: Windows
Info: This strike sends a malware sample known as Cerber. Cerber is ransomware that encrypts documents, photos, databases and other important files using the file extension ".cerber".
External References: https://blog.talosintelligence.com/2022/09/threat-roundup-0916-0923.html
SHA256: 61a051fabbf66383709e43bf77fb49c6a645f2f479eaddffa6769010cb690eea
SHA1: dba65d631a363d3e72e36bed62496e48f753301a
MD5: a26564559325bccd013c7db518e2f4d6
M22-M9009 DarkKomet_296477f4 Windows This strike sends a malware sample known as DarkKomet. DarkKomet is a freeware remote access trojan that was released by an independent software developer. It provides the same functionality you would expect from a remote access tool: keylogging, webcam access, microphone access, remote desktop, URL download, program execution, etc. 296477f4a6ee0696f492ab955578f1a2 https://blog.talosintelligence.com/2022/09/threat-roundup-0826-0902.html
SHA256: 2f6fa4f49fb85c80342285a08bd5fc0b9e3f3198f4854973824567fb131b07e0
SHA1: d4fba062ae468a899c583e31df5d0d4835b46b92
MD5: 296477f4a6ee0696f492ab955578f1a2
M22-M903b Cerber_af26a65a Windows This strike sends a malware sample known as Cerber. Cerber is ransomware that encrypts documents, photos, databases and other important files using the file extension ".cerber". af26a65adeef251c7ee04c4457d2135d https://blog.talosintelligence.com/2022/09/threat-roundup-0916-0923.html
SHA256: dee4d4d3b765fc0ad7ba88d69104b5cf90a448eaf1623445033a0f671e44ffd1
SHA1: 75114a3d99da6e379fa391f11b153fabc270fd6f
MD5: af26a65adeef251c7ee04c4457d2135d
M22-M9002 DarkKomet_07cd9307 Windows This strike sends a malware sample known as DarkKomet. DarkKomet is a freeware remote access trojan that was released by an independent software developer. It provides the same functionality you would expect from a remote access tool: keylogging, webcam access, microphone access, remote desktop, URL download, program execution, etc. 07cd93078bf5a5a28360fce833ac75a3 https://blog.talosintelligence.com/2022/09/threat-roundup-0826-0902.html
SHA256: 259941e22122288262ef81fd0d0412a9b2725a9a0d77f7c6442020b0733ebbed
SHA1: af60a63a6eef76b4195a51f6d1f565c1304f90d2
MD5: 07cd93078bf5a5a28360fce833ac75a3
M22-M9017 Deadbolt_6821f568 Linux This strike sends a malware sample known as Deadbolt. Deadbolt is ransomware that was first seen targeting QNAP NAS devices in January 2022. It has a multi-tiered payment and extortion scheme, a flexible configuration, and is heavily automated. 6821f568afd50383f31ceac886a99ab7 https://www.bleepingcomputer.com/news/security/deadbolt-ransomware-now-targets-asustor-devices-asks-50-btc-for-master-key/
SHA256: acb3522feccc666e620a642cadd4657fdb4e9f0f8f32462933e6c447376c2178
SHA1: e61603823104865cb633d8f5a6aae7c74c68e98b
MD5: 6821f568afd50383f31ceac886a99ab7
M22-M9007 Deadbolt_1b5d415e Linux This strike sends a malware sample known as Deadbolt. Deadbolt is ransomware that was first seen targeting QNAP NAS devices in January 2022. It has a multi-tiered payment and extortion scheme, a flexible configuration, and is heavily automated. 1b5d415eeb8d926fcaaec6e345c5d0c1 https://www.bleepingcomputer.com/news/security/deadbolt-ransomware-now-targets-asustor-devices-asks-50-btc-for-master-key/
SHA256: 3c4af1963fc96856a77dbaba94e6fd5e13c938e2de3e97bdd76e1fca6a7ccb24
SHA1: e236d0736875ab3a29b9ef5714d0ff9adf1d53aa
MD5: 1b5d415eeb8d926fcaaec6e345c5d0c1
M22-M9051 DarkKomet_d67857bf Windows This strike sends a malware sample known as DarkKomet. DarkKomet is a freeware remote access trojan that was released by an independent software developer. It provides the same functionality you would expect from a remote access tool: keylogging, webcam access, microphone access, remote desktop, URL download, program execution, etc. d67857bf55235d7bd2af03785e61073f https://blog.talosintelligence.com/2022/09/threat-roundup-0826-0902.html
SHA256: 433bedd8a7ee7e1585a93cc9076941d3d31c33c602f116e407da8bddd9db9ea6
SHA1: 246e8608a5b4a9703bd6fd8a59d75394c7cef50e
MD5: d67857bf55235d7bd2af03785e61073f
M22-M9049 NetWire_c69a5fdc Windows This strike sends a malware sample known as NetWire. NetWire is a Remote Access Trojan that lets attackers execute commands on the infected host. c69a5fdc28d64c93f41e8944d88ebd1c https://blog.talosintelligence.com/2022/09/threat-roundup-0916-0923.html
SHA256: f7a74e6284a41f39cba3f0c186c61ad96fac8a3099b88e04071fdd8e1eabe9bf
SHA1: ee6ec5ff0a45b890d088af5ada8e957182f0ad13
MD5: c69a5fdc28d64c93f41e8944d88ebd1c
M22-M9004 Shikitega_0f1f2d4a Linux This strike sends a malware sample known as Shikitega. Shikitega is malware that targets devices running the Linux OS. It is delivered in a multistage infection chain where each module responds to a part of the payload and then proceeds to download and execute the next module. When run, a cryptominer is executed and the attacker is potentially granted full access to the machine. 0f1f2d4a6fc26df7cf5d5a8c65ac8578 https://cybersecurity.att.com/blogs/labs-research/shikitega-new-stealthy-malware-targeting-linux
SHA256: 8462d0d14c4186978715ad5fa90cbb679c8ff7995bcefa6f9e11b16e5ad63732
SHA1: 6acba32a32d4d0dd01ad17db719d0d0bc26b551d
MD5: 0f1f2d4a6fc26df7cf5d5a8c65ac8578
M22-M9046 DarkKomet_c311aa40 Windows This strike sends a malware sample known as DarkKomet. DarkKomet is a freeware remote access trojan that was released by an independent software developer. It provides the same functionality you would expect from a remote access tool: keylogging, webcam access, microphone access, remote desktop, URL download, program execution, etc. c311aa4054689cce23a9d3daa0188312 https://blog.talosintelligence.com/2022/09/threat-roundup-0826-0902.html
SHA256: 0521c25b0e73636633fc888ecb616c71e37cc63cdef64d531938fb41cb5190c3
SHA1: 83a446e68474bcafc2a0f3227f14f660a40b9543
MD5: c311aa4054689cce23a9d3daa0188312
M22-M901a DarkKomet_6c7bb741 Windows This strike sends a malware sample known as DarkKomet. DarkKomet is a freeware remote access trojan that was released by an independent software developer. It provides the same functionality you would expect from a remote access tool: keylogging, webcam access, microphone access, remote desktop, URL download, program execution, etc. 6c7bb74133fa4462f030de13415108d1 https://blog.talosintelligence.com/2022/09/threat-roundup-0826-0902.html
SHA256: 0b8d380e9ff7c2cdd17b4e95d6663d1b21db1c955b0c933d68bd66c9c8b1b74b
SHA1: 61f2bc88935451f0525ccd9e2dba7ff00a3f641b
MD5: 6c7bb74133fa4462f030de13415108d1
M22-M9053 NetWire_e124339f Windows This strike sends a malware sample known as NetWire. NetWire is a Remote Access Trojan that lets attackers execute commands on the infected host. e124339f08506d6b5bab4d071784a65e https://blog.talosintelligence.com/2022/09/threat-roundup-0916-0923.html
SHA256: 8f8813e3ed0cdb3ac92de8e6003bc83c0ec859fc717748cab6a45f56a98a9201
SHA1: bcac9d8f2919ed3e57ad78f4a5c999b3b9faf88f
MD5: e124339f08506d6b5bab4d071784a65e
M22-M905f HomeLand Windows This strike sends a polymorphic malware sample known as HomeLand Justice Encryptor. Iranian state cyber actors calling themselves "HomeLand Justice" launched a cyber attack against the Government of Albania. During the attack the attackers conducted lateral movement, network reconnaissance, and credential harvesting against the Albanian Government. This attack also included a ransomware-style file encryptor and disk wiping malware. This sample is the GoXML.exe ransomware encryptor. The binary has random strings (lorem ipsum) appended at the end of the file. 2fc18ad9d19c40895dfa3aa743188082 https://www.cisa.gov/uscert/ncas/alerts/aa22-264a
SHA256: a2ac771515d37a4c7fced4d0b2c691feaff021596ebdd16ed1cd1e18e12c4188
https://attack.mitre.org/techniques/T1009/
PARENTID: M22-M9044
SSDEEP: 768:+OFu8Q3w6QzfR5Jni6SQD7qSFDs6P93/q0XIc/UB5EPABWhU:RFu8QAFzffJui79f13/AnB5EPAk+
SHA1: 971f059d73486eb88e3488a497751b0b7dcca4d0
MD5: 2fc18ad9d19c40895dfa3aa743188082
M22-M9056 NetWire_ee8b2b97 Windows This strike sends a malware sample known as NetWire. NetWire is a Remote Access Trojan that lets attackers execute commands on the infected host. ee8b2b973977faff498e0ab45b01251c https://blog.talosintelligence.com/2022/09/threat-roundup-0916-0923.html
SHA256: 49f2bb5892eda8223f4709f6b84366911b000652eb19085b09dc5998fe8c8259
SHA1: c064c5f7d6af57c6211231e463e68de132b81440
MD5: ee8b2b973977faff498e0ab45b01251c
M22-M9036 Cerber_a8aa7411 Windows This strike sends a malware sample known as Cerber. Cerber is ransomware that encrypts documents, photos, databases and other important files using the file extension ".cerber". a8aa7411837c2341c9c281d60c18a934 https://blog.talosintelligence.com/2022/09/threat-roundup-0916-0923.html
SHA256: b86d1564a606793a4427d5795a37825eeb11296b01cae339da01ab64feb73922
SHA1: a921a2dddd3eadaebf277e3a61557c273952cf81
MD5: a8aa7411837c2341c9c281d60c18a934
M22-M9021 Shikitega_7b229d73 Linux This strike sends a malware sample known as Shikitega. Shikitega is malware that targets devices running the Linux OS. It is delivered in a multistage infection chain where each module responds to a part of the payload and then proceeds to download and execute the next module. When run, a cryptominer is executed and the attacker is potentially granted full access to the machine. 7b229d73b7c5c55fda0e1f57ceaaf118 https://cybersecurity.att.com/blogs/labs-research/shikitega-new-stealthy-malware-targeting-linux
SHA256: f7f105c0c669771daa6b469de9f99596647759d9dd16d0620be90005992128eb
SHA1: a046a2ddb1d4baa6cbc6611a3d072a28ff893e1f
MD5: 7b229d73b7c5c55fda0e1f57ceaaf118
M22-M9012 Shikitega_557bdc56 Linux This strike sends a malware sample known as Shikitega. Shikitega is malware that targets devices running the Linux OS. It is delivered in a multistage infection chain where each module responds to a part of the payload and then proceeds to download and execute the next module. When run, a cryptominer is executed and the attacker is potentially granted full access to the machine. 557bdc5602b301d5584a34b27328b019 https://cybersecurity.att.com/blogs/labs-research/shikitega-new-stealthy-malware-targeting-linux
SHA256: b9db845097bbf1d2e3b2c0a4a7ca93b0dc80a8c9e8dbbc3d09ef77590c13d331
SHA1: 74d584862b851fbf54605c205f447fc5cfb517ee
MD5: 557bdc5602b301d5584a34b27328b019
M22-M9045 BlackMatter_c06b8cb2 Windows This strike sends a malware sample known as BlackMatter. BlackMatter is a Ransomware-as-a-Service (RaaS). It has followed in the footsteps of its predecessors DarkSide and REvil with much of the same functionality. It can elevate privileges, kill processes, and even steal the victim's details. c06b8cb2c5e3e282c7cc26836ce83f9b https://blog.talosintelligence.com/2022/09/threat-roundup-0826-0902.html
SHA256: 00d3f19ff84cddc5b0cfc9d9b053a99b493add5a9bf8ec74659ef9b3d9298de6
SHA1: 19c82b4e28245d30e7002d52ec1385886412a14f
MD5: c06b8cb2c5e3e282c7cc26836ce83f9b
M22-M9019 NetWire_6c7173b5 Windows This strike sends a malware sample known as NetWire. NetWire is a Remote Access Trojan that lets attackers execute commands on the infected host. 6c7173b5cb3cc73798312015cca492b7 https://blog.talosintelligence.com/2022/09/threat-roundup-0916-0923.html
SHA256: 27288965d55cf7459cfa35b7a37ab9298f34e6e7734f6d6609527d573e5db71e
SHA1: e4792eb9aa651f0e03df2c9819e1d13b754093a3
MD5: 6c7173b5cb3cc73798312015cca492b7
M22-M902d Cerber_a1456115 Windows This strike sends a malware sample known as Cerber. Cerber is ransomware that encrypts documents, photos, databases and other important files using the file extension ".cerber". a1456115c9688f5792bdcd2723764f9c https://blog.talosintelligence.com/2022/09/threat-roundup-0916-0923.html
SHA256: ff2c3f6c56786af4fea96c55bb7877094ea482a162050721397dda1d82246ea0
SHA1: 85c1bb03535fc78749bae6ea616d094f4490770c
MD5: a1456115c9688f5792bdcd2723764f9c
M22-M905e HomeLand Windows This strike sends a polymorphic malware sample known as HomeLand Justice Encryptor. Iranian state cyber actors calling themselves "HomeLand Justice" launched a cyber attack against the Government of Albania. During the attack the attackers conducted lateral movement, network reconnaissance, and credential harvesting against the Albanian Government. This attack also included a ransomware-style file encryptor and disk wiping malware. This sample is the GoXML.exe ransomware encryptor. The binary has the checksum removed in the PE file format. 2e3f4d0c18c040e8ff0b8d8da1cbcc84 https://www.cisa.gov/uscert/ncas/alerts/aa22-264a
SHA256: 3f22dfd09ede9be350bd9b73e693e99450b993cb1080411ef5a772a56dc7103a
https://arxiv.org/abs/1801.08917
PARENTID: M22-M9044
SSDEEP: 768:7OFu8Q3w6QzfR5Jni6SQD7qSFDs6P93/q0XIc/UB5EPABWX:qFu8QAFzffJui79f13/AnB5EPAkX
SHA1: 60b266557b64485d31e6fe358fac03617cbfa9f9
MD5: 2e3f4d0c18c040e8ff0b8d8da1cbcc84
M22-M9037 Cerber_a916a0a7 Windows This strike sends a malware sample known as Cerber. Cerber is ransomware that encrypts documents, photos, databases and other important files using the file extension ".cerber". a916a0a7a6efbc763d8f3e7efbcfb631 https://blog.talosintelligence.com/2022/09/threat-roundup-0916-0923.html
SHA256: 5ce6f26a04a5bf871018eecafb8e9f8f7284ebbd134230574da1574830d4646e
SHA1: 3d4357870352209092989ff47d0e394e02235c7f
MD5: a916a0a7a6efbc763d8f3e7efbcfb631
M22-M9040 Cerber_b54b348b Windows This strike sends a malware sample known as Cerber. Cerber is ransomware that encrypts documents, photos, databases and other important files using the file extension ".cerber". b54b348b1d7081f03c73e4b6ddc647bd https://blog.talosintelligence.com/2022/09/threat-roundup-0916-0923.html
SHA256: 9d14c9d7fca8e623607986ac1c27a149dfa9a82ac267475bed080636a5870269
SHA1: cd38a694037b9082258c8c48b427db2cbef1ca7c
MD5: b54b348b1d7081f03c73e4b6ddc647bd
M22-M903a Cerber_aed47450 Windows This strike sends a malware sample known as Cerber. Cerber is ransomware that encrypts documents, photos, databases and other important files using the file extension ".cerber". aed474509baebe1b716d5c65d21a2cfc https://blog.talosintelligence.com/2022/09/threat-roundup-0916-0923.html
SHA256: e5af2faef6688bf5e5889e78357bf993e13a1d21086dfb8a4ae268ae2004068f
SHA1: b21625c56a0393b54fecafa92879c75e4202f89b
MD5: aed474509baebe1b716d5c65d21a2cfc
M22-M9035 Cerber_a7b5ca0a Windows This strike sends a malware sample known as Cerber. Cerber is ransomware that encrypts documents, photos, databases and other important files using the file extension ".cerber". a7b5ca0afd68452ccfa9f037936f06f5 https://blog.talosintelligence.com/2022/09/threat-roundup-0916-0923.html
SHA256: 06cba247d80b0c6c4f5865e34ad3c33fc1ef5ffd0a285f3009d64109b0ee3d22
SHA1: a6e705c1ed0425f4ab778b841e26309072601fcd
MD5: a7b5ca0afd68452ccfa9f037936f06f5
M22-M902e Cerber_a1652735 Windows This strike sends a malware sample known as Cerber. Cerber is ransomware that encrypts documents, photos, databases and other important files using the file extension ".cerber". a16527350f21508630e955fc6efab7d8 https://blog.talosintelligence.com/2022/09/threat-roundup-0916-0923.html
SHA256: 3c6776dd10054cad73b50c96d62e3b7a1e807ef1f8e6355d097cac12ddccb8c8
SHA1: 3d0e4aea6eac68fd1f2150f4a69d515b0bb612c5
MD5: a16527350f21508630e955fc6efab7d8
M22-M9013 Deadbolt_5e185a8b Linux This strike sends a malware sample known as Deadbolt. Deadbolt is ransomware that was first seen targeting QNAP NAS devices in January 2022. It has a multi-tiered payment and extortion scheme, a flexible configuration, and is heavily automated. 5e185a8b4077a9149fa5cc6ae2bea12c https://www.bleepingcomputer.com/news/security/deadbolt-ransomware-now-targets-asustor-devices-asks-50-btc-for-master-key/
SHA256: 80986541450b55c0352beb13b760bbd7f561886379096cf0ad09381c9e09fe5c
SHA1: e70114e0bcf764c8bffbe740158535302880ef0f
MD5: 5e185a8b4077a9149fa5cc6ae2bea12c
M22-M9047 DarkKomet_c633939e Windows This strike sends a malware sample known as DarkKomet. DarkKomet is a freeware remote access trojan that was released by an independent software developer. It provides the same functionality you would expect from a remote access tool: keylogging, webcam access, microphone access, remote desktop, URL download, program execution, etc. c633939e77b5cad28435cd6d1992f733 https://blog.talosintelligence.com/2022/09/threat-roundup-0826-0902.html
SHA256: 34e3b029473a25d0eed41532071b5fd8f217e24e31642985324e48e0cd832313
SHA1: beb9eb6895f973e8652f93ec792ce899653e07f2
MD5: c633939e77b5cad28435cd6d1992f733
M22-M9059 Deadbolt_f2bf3c75 Linux This strike sends a malware sample known as Deadbolt. Deadbolt is ransomware that was first seen targeting QNAP NAS devices in January 2022. It has a multi-tiered payment and extortion scheme, a flexible configuration, and is heavily automated. f2bf3c75b172112d492d985917064f0b https://www.bleepingcomputer.com/news/security/deadbolt-ransomware-now-targets-asustor-devices-asks-50-btc-for-master-key/
SHA256: e16dc8f02d6106c012f8fef2df8674907556427d43caf5b8531e750cf3aeed77
SHA1: 9d408f9c17575bfe09c1adb5830bfcdd6c3ee061
MD5: f2bf3c75b172112d492d985917064f0b
M22-M904c NetWire_cdc526f8 Windows This strike sends a malware sample known as NetWire. NetWire is a Remote Access Trojan that lets attackers execute commands on the infected host. cdc526f81bb9883a6027caf1befea29f https://blog.talosintelligence.com/2022/09/threat-roundup-0916-0923.html
SHA256: 3788fc76ea84b87735527d224d39b4672b970c6bbcdd59b60978945b76d0fb1b
SHA1: bf9b7bc7823baf60787f8270eb3ff3782fb19087
MD5: cdc526f81bb9883a6027caf1befea29f
M22-M905d HomeLand Windows This strike sends a polymorphic malware sample known as HomeLand Justice Encryptor. Iranian state cyber actors calling themselves "HomeLand Justice" launched a cyber attack against the Government of Albania. During the attack the attackers conducted lateral movement, network reconnaissance, and credential harvesting against the Albanian Government. This attack also included a ransomware-style file encryptor and disk wiping malware. This sample is the GoXML.exe ransomware encryptor. The binary has random bytes appended at the end of the file. 11e534e8f9f6d2068a97d07e6b2e95d4 https://www.cisa.gov/uscert/ncas/alerts/aa22-264a
SHA256: 420625daf0e68ba1a82713137c7b9c3bb025633485a6c07dc9f585b474f8b564
https://attack.mitre.org/techniques/T1009/
PARENTID: M22-M9044
SSDEEP: 768:+OFu8Q3w6QzfR5Jni6SQD7qSFDs6P93/q0XIc/UB5EPABW6:RFu8QAFzffJui79f13/AnB5EPAk6
SHA1: a5260618d78045609fea3b4e374f3a8f7dbe97c8
MD5: 11e534e8f9f6d2068a97d07e6b2e95d4
M22-M9001 Shikitega_04ad59ff Linux This strike sends a malware sample known as Shikitega. Shikitega is malware that targets devices running the Linux OS. It is delivered in a multistage infection chain where each module responds to a part of the payload and then proceeds to download and execute the next module. When run, a cryptominer is executed and the attacker is potentially granted full access to the machine. 04ad59ff2b2b8461a6d990af16bc5ca7 https://cybersecurity.att.com/blogs/labs-research/shikitega-new-stealthy-malware-targeting-linux
SHA256: 130888cb6930500cf65fc43522e2836d21529cab9291c8073873ad7a90c1fbc5
SHA1: f437d04482e90d459c4bb6722cbec928f7317871
MD5: 04ad59ff2b2b8461a6d990af16bc5ca7
M22-M904e BlackMatter_d19ab335 Windows This strike sends a malware sample known as BlackMatter. BlackMatter is a Ransomware-as-a-Service (RaaS). It has followed in the footsteps of its predecessors DarkSide and REvil with much of the same functionality. It can elevate privileges, kill processes, and even steal the victim's details. d19ab33523d0d070451213c05ed55eba https://blog.talosintelligence.com/2022/09/threat-roundup-0826-0902.html
SHA256: a6f7f973e63f3c2ef886a98663bd4aa08deb3ec9a4a8c60ead43ce5a9b9787f5
SHA1: 1a80b6374e8062b44cbfd88dd7aef4265e6e7d69
MD5: d19ab33523d0d070451213c05ed55eba
M22-M9055 BlackMatter_ec17046c Windows This strike sends a malware sample known as BlackMatter. BlackMatter is a Ransomware-as-a-Service (RaaS). It has followed in the footsteps of its predecessors DarkSide and REvil with much of the same functionality. It can elevate privileges, kill processes, and even steal the victim's details. ec17046c66d51485a7d029acffa1599e https://blog.talosintelligence.com/2022/09/threat-roundup-0826-0902.html
SHA256: e5bb89bea6c854818b9b5884bf9e46e51873ccba73e73ef61ff2e63def151ce0
SHA1: 22964faa014445538f55af6e09091476e5f64b40
MD5: ec17046c66d51485a7d029acffa1599e
M22-M9058 BlackMatter_f263c8c7 Windows This strike sends a malware sample known as BlackMatter. BlackMatter is a Ransomware-as-a-Service (RaaS). It has followed in the footsteps of its predecessors DarkSide and REvil with much of the same functionality. It can elevate privileges, kill processes, and even steal the victim's details. f263c8c7872ff7f565fa1c6af55b97ca https://blog.talosintelligence.com/2022/09/threat-roundup-0826-0902.html
SHA256: e4eda1e494929b5bf8a5affbbe56d8fa89e4868042cf844c9124d58c9094d77b
SHA1: 5caf8eed546d5792f8668b54111d3c024d019af2
MD5: f263c8c7872ff7f565fa1c6af55b97ca
M22-M900b Shikitega_2f56a330 Linux This strike sends a malware sample known as Shikitega. Shikitega is malware that targets devices running the Linux OS. It is delivered in a multistage infection chain where each module responds to a part of the payload and then proceeds to download and execute the next module. When run, a cryptominer is executed and the attacker is potentially granted full access to the machine. 2f56a330fb253a1520e00668c6f94e47 https://cybersecurity.att.com/blogs/labs-research/shikitega-new-stealthy-malware-targeting-linux
SHA256: 4ed78c4e90ca692f05189b80ce150f6337d237aaa846e0adf7d8097fcebacfe7
SHA1: 8ef509c2b25e6475dbdc92f14117c7592af70b88
MD5: 2f56a330fb253a1520e00668c6f94e47
M22-M9028 DarkKomet_9d801556 Windows This strike sends a malware sample known as DarkKomet. DarkKomet is a freeware remote access trojan that was released by an independent software developer. It provides the same functionality you would expect from a remote access tool: keylogging, webcam access, microphone access, remote desktop, URL download, program execution, etc. 9d801556b05b156c65a6fcc06157ec47 https://blog.talosintelligence.com/2022/09/threat-roundup-0826-0902.html
SHA256: 1dc5ac655a745dc442a017eb4fe0d86a0877726d4c84a026e8eb3dbe528953f9
SHA1: 64c0732df1411bfe15d4323301db82d5e1d63229
MD5: 9d801556b05b156c65a6fcc06157ec47
M22-M9041 BlackMatter_b786eef4 Windows This strike sends a malware sample known as BlackMatter. BlackMatter is a Ransomware-as-a-Service (RaaS). It has followed in the footsteps of its predecessors DarkSide and REvil with much of the same functionality. It can elevate privileges, kill processes, and even steal the victim's details. b786eef4adf086e8dbccc1c1f8d4d164 https://blog.talosintelligence.com/2022/09/threat-roundup-0826-0902.html
SHA256: 4707b114756307df755bbe231a468d02503d82947d32f9037d011075d826445e
SHA1: ad42462fdc02d5ee27716eb9b348794108ca458e
MD5: b786eef4adf086e8dbccc1c1f8d4d164
M22-M900c DarkKomet_31f421d6 Windows This strike sends a malware sample known as DarkKomet. DarkKomet is a freeware remote access trojan that was released by an independent software developer. It provides the same functionality you would expect from a remote access tool: keylogging, webcam access, microphone access, remote desktop, URL download, program execution, etc. 31f421d6f9684d27cbf27bf9f50049ee https://blog.talosintelligence.com/2022/09/threat-roundup-0826-0902.html
SHA256: 2bc2fc0088f069fb5bb5e448b106a6dc91e5177e00c443571baecac8b8afd8f9
SHA1: 26a8731d067b666383200bce59252dcd4ff09d1c
MD5: 31f421d6f9684d27cbf27bf9f50049ee
M22-M9057 BlackMatter_f13669a4 Windows This strike sends a malware sample known as BlackMatter. BlackMatter is a Ransomware-as-a-Service (RaaS). It has followed in the footsteps of its predecessors DarkSide and REvil with much of the same functionality. It can elevate privileges, kill processes, and even steal the victim's details. f13669a48189b6b982ca2ec90c596d39 https://blog.talosintelligence.com/2022/09/threat-roundup-0826-0902.html
SHA256: a24db7475958186ec57258d44edd465b1a060b52aff714e7f261cce41d052deb
SHA1: 620ec93124854065384f30977a2c21c3f0ff0383
MD5: f13669a48189b6b982ca2ec90c596d39
M22-M9005 BlackMatter_1060dca3 Windows This strike sends a malware sample known as BlackMatter. BlackMatter is a Ransomware-as-a-Service (RaaS). It has followed in the footsteps of its predecessors DarkSide and REvil with much of the same functionality. It can elevate privileges, kill processes, and even steal the victim's details. 1060dca3875b4c027b247807b0a46ef9 https://blog.talosintelligence.com/2022/09/threat-roundup-0826-0902.html
SHA256: 060bd55768e0edc037651bf50c54248e9451d57d4da795b9d8ea03829085cea1
SHA1: 0f6361044459498f35a811601189488d87da5dae
MD5: 1060dca3875b4c027b247807b0a46ef9
M22-M9008 DarkKomet_1c4705bc Windows This strike sends a malware sample known as DarkKomet. DarkKomet is a freeware remote access trojan that was released by an independent software developer. It provides the same functionality you would expect from a remote access tool: keylogging, webcam access, microphone access, remote desktop, URL download, program execution, etc. 1c4705bccd3a8c4992eeab0daeb63a49 https://blog.talosintelligence.com/2022/09/threat-roundup-0826-0902.html
SHA256: 01d99de8be5d399beb94238ded93f68cecce9b05010ec2095fb88dfea30be905
SHA1: dd3cd49ee4558c23aa278bf15d4896c0eb39570b
MD5: 1c4705bccd3a8c4992eeab0daeb63a49
M22-M9027 DarkKomet_95b89858 Windows This strike sends a malware sample known as DarkKomet. DarkKomet is a freeware remote access trojan that was released by an independent software developer. It provides the same functionality you would expect from a remote access tool: keylogging, webcam access, microphone access, remote desktop, URL download, program execution, etc. 95b8985804bcb843b80594617f027c52 https://blog.talosintelligence.com/2022/09/threat-roundup-0826-0902.html
SHA256: 35a047096848277ecedf71875652c55466a6d1a167bb82e810591951d991c0ff
SHA1: 4eeda95eb4f1120b68f1f3e9a30e5e7a3f8d6a4c
MD5: 95b8985804bcb843b80594617f027c52
M22-M903e NetWire_b1c25ebd Windows This strike sends a malware sample known as NetWire. NetWire is a Remote Access Trojan that lets attackers execute commands on the infected host. b1c25ebd733fcfa1c80420ddd3dad995 https://blog.talosintelligence.com/2022/09/threat-roundup-0916-0923.html
SHA256: d22989a65a91ee78b6af2fd2a9cadf2656637959cc07cd1b92baeb8c5950b45d
SHA1: 082f36859980d945b406bdafb49c4d132fa63ed8
MD5: b1c25ebd733fcfa1c80420ddd3dad995
M22-M9061 HomeLand Windows This strike sends a polymorphic malware sample known as HomeLand Justice Encryptor. Iranian state cyber actors calling themselves "HomeLand Justice" launched a cyber attack against the Government of Albania. During the attack the attackers conducted lateral movement, network reconnaissance, and credential harvesting against the Albanian Government. This attack also included a ransomware-style file encryptor and disk wiping malware. This sample is the GoXML.exe ransomware encryptor. The binary has random contents appended to one of the existing sections in the PE file format. 64035692b7c55caf9fd4d2535a5face3 https://www.cisa.gov/uscert/ncas/alerts/aa22-264a
SHA256: 99eb6c0a6f1960dae2d79f5513ab82715531dc5014425bad282336205e316671
https://arxiv.org/abs/1801.08917
PARENTID: M22-M9044
SSDEEP: 768:+OFu8Q3w6QzfR5Jni6SQD7qSFDs6P93/q0XIc/UB5EPAcWX:RFu8QAFzffJui79f13/AnB5EPAtX
SHA1: ce51fb7dd3e10545fa32cfb0e940d7f0f4483bfc
MD5: 64035692b7c55caf9fd4d2535a5face3