Threat Roundup for Nov. 9 to Nov. 16

TalosIntelligence

Security / TalosIntelligence 70 Views 0


Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Nov. 09 and Nov. 16. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

You can find an additional JSON file here that includes the IOCs in this post, as well as all hashes associated with the cluster. That list is limited to 25 hashes in this blog post. As always, please remember that all IOCs contained in this document are indicators, and one single IOC does not indicated maliciousness.

The most prevalent threats highlighted in this roundup are:

  • Win.Ransomware.Gandcrab-6748603-0
    Ransomware
    Gandcrab is ransomware that encrypts documents, photos, databases and other important files using the file extension ".GDCB", ".CRAB" or ".KRAB." It's spread through traditional spam campaigns, as well as multiple exploit kits, including Rig and Grandsoft.
    &
  • Win.Virus.Parite-6748128-0
    Virus
    Parite is a polymorphic file infector. It infects executable files on the local machine and on network drives.
    &
  • Win.Malware.Dijo-6748031-0
    Malware
    Win.Malware.DIJO, also known as Ursnif, is used to steal sensitive information from an infected host and can also act as a malware downloader. It is commonly spread through malicious emails or exploit kits.
    &
  • Win.Malware.Vobfus-6747720-0
    Malware
    Vobfus is a worm that copies itself to external drives and attempts to gain automatic code execution via autorun.inf files. It also modifies the registry so that it will run when the system is booted. Once installed, it attempts to download follow-on malware from its command and control (C2) servers.
    &
  • Win.Downloader.Upatre-6746951-0
    Downloader
    Upatre is a malicious downloader often used by exploit kits and phishing campaigns. Upatre downloads and executes malicious executables, such as banking malware.
    &
  • Win.Malware.Emotet-6745295-0
    Malware
    Emotet is a banking trojan that has remained relevant due to its continual evolution to bypass antivirus products. It is commonly spread via malicious emails.
    &

Threats

Win.Ransomware.Gandcrab-6748603-0


Indicators of Compromise


Registry Keys
  • N/A
Mutexes
  • Global\pc_group=WORKGROUP&ransom_id=4a6a799098b68e3c
  • \BaseNamedObjects\Global\pc_group=WORKGROUP&ransom_id=ab8e4b3e3c28b0e4
  • Global\7bf1bf81-e78a-11e8-a007-00501e3ae7b5
IP Addresses contacted by malware. Does not indicate maliciousness
  • 66[.]171[.]248[.]178
Domain Names contacted by malware. Does not indicate maliciousness
  • ipv4bot[.]whatismyipaddress[.]com
Files and or directories created
  • %AllUsersProfile%\Microsoft\Crypto\RSA\S-1-5-18\6d14e4b1d8ca773bab785d1be032546e_d19ab989-a35f-4710-83df-7b2db7efe7c5
  • %AppData%\Microsoft\umitoa.exe
  • %AppData%\Microsoft\hhbbvc.exe
  • \Win32Pipes.000006c8.00000045
  • \Win32Pipes.000006c8.00000047
  • \Win32Pipes.000006c8.00000049
File Hashes
  • 008e2453c3bba10629ae8f7f32c6377d91bd17326da52295f038d7badd53cf4f
  • 00f07cc799aabac7449a324ff47161a6a34ad02ba4b2074ddb382152d383ed14
  • 02edf037074ebd2445625737108f7337715a6af17ec161429fa0392894e479bd
  • 04196939eee8a21a4480a5e5bcf34f70b20f1dad9c3038bc632a415130ac47e8
  • 043f30bd958e54d6947631c10d70ddec772ababd8a3852ceb0e646e87d670a92
  • 051f4d57fc51e1491eb9121cb6ecdd036e140103f1afbc73fe9cef9a4fd67a84
  • 06cafb061ce341647e48d4113eb71bed76290d30d54ce6d98169fcfe8bbe83c5
  • 0799d33c49bceeeeb9c92077d448d5823ab8e71a04b71c6b8afa7f386fb5aa92
  • 08d56fc6c0622c2e931f04eb8c68a25fa431ac4833b1cbd7e44847d55f7f26e1
  • 09abf839c42200b000d3065d2cda41d858be415a521a5cb2b77b6e62503ae460
  • 0a48f61677791bca8d2553662ec6bce8acfdb3249cfcabac2802ba216ac54262
  • 0acc350e791e4201a7dd17e389ba8e03264343020432389d3e1b9d08874005af
  • 0b3e086550e4baaa05c69777d484b9b20773b01d5c6da124197eff423b798b04
  • 0dd771fecae00517f9297e21a42956d2ee113f6f0bc4d3ee277f887721efc19a
  • 0f2784bc6fb959eace7e44fd19fd08fbfa39af04b4f793241c3eddd4183dbe71
  • 0f50d6433d2a79f30c2417fc434098d029eceedf3acd405901d3951208be2ae7
  • 10b5897f820d7ae3fe0194b8969c42c5c5de6cc658baf95699f8a781e18237ff
  • 130f32c65f3f2e67bdc228f125bc07c049f40fae04114b0de920e9fd0b00bccf
  • 13ab0a6dcd3cfd5136b54d11739169917df37a5681189baf92c4c6b0a2df0bc9
  • 13ccda5af78a1dea028d076418db880ab3734c745f068d2c4df5de4d4968b478
  • 14094b6a6ba1af401829963ce991e02c0eb9da885eb3837cec88f1559e2007c6
  • 166627c9ad4fb0acb0bec8e09e1d4ceedc3110e7cdbaa709322d0dbe41a2f70f
  • 17b78d2828794c9612cc87b09b7254c32c810134e5d06742058c55ec55ddb746
  • 19b4d752b0be5e81c835bd3b87f3c1124c208ba6adb2150f7b85a1b76222350f
  • 1ac89466a2668afd8d06d0f9345d48151dc2978b81985070bb23e30a767bd71c

Coverage


Screenshots of Detection

AMP




ThreatGrid



Win.Virus.Parite-6748128-0


Indicators of Compromise


Registry Keys
  • N/A
Mutexes
  • Residented
IP Addresses contacted by malware. Does not indicate maliciousness
  • N/A
Domain Names contacted by malware. Does not indicate maliciousness
  • N/A
Files and or directories created
  • %AppData%\Wplugin.dll
  • %WinDir%\Wplugin.dll
  • %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\yma1.tmp
  • %LocalAppData%\Temp\neb2886.tmp
File Hashes
  • 00ad96301d29476dba58c071ef5bc4cf5eb265e9181a1d866bcacfe847199f64
  • 01edcc04020177e2f31b13d9f6a46db2e058028011151850b0802394ccda8d77
  • 05f816442e9d1d18a80233674af70d0ce6e17d10768d8f0e77973566b07aba8e
  • 0e70c57c577078b1c9cab7d6bd1215372330548ae0c20ff2b80f0cb86cde2074
  • 115995a5dc32df9da2f214cf9f4f81341daf7bc101c1b9346bead99428acb15e
  • 145c7866de76f33e571f19a1a40c2e12c900a6a1ad9bac30b46dcdc28be6feec
  • 14ac990a0affb831e4dccee45cff19e8a7c28dc5b93f731131ffa1c319e43823
  • 15c7b9a2c4688af296b57ac418f01347c8fbbd74ac5fbcae17c90f9bcdfb8e26
  • 16ee4360c7d1b78da48d06889177668120dfcaf62745bbc8c88d7864d28ba43d
  • 1817a467dba009e325a1c8bbaa5c274ec80856f8936321980fee86a0e33a34cd
  • 181dd25663e2628e56410e65b57677f5f3346866ccb737aa2eab8dd7376a11af
  • 1c8698e1bd9fa33f8f664a0a12e90db53e91e31414cd307c21575a5d039b0d32
  • 1eece81891ab4f4836931f8b1bc630e044d08ed659797dc19afc3bebd3b2b259
  • 1fa3b372ec521a5b57a52d8b6a5ec8de67f5d8f80e87835b67b4916d4e5dd415
  • 29f37223352f9584de101958ce00b41c3c66d9cfb15cc27d22a67df2c9dcd53e
  • 2aea31075160d93b13bb726dc95b2a46505deefa529f8c9edfd9f6ecd8d80a37
  • 300655178fabae5c65e48307fef7de67100b7d866b118f1ca0f0919de7e3a490
  • 35270fa68190eba46f59bba10c8dce3a03e55d8af7e8a33f9a330e077f63aeff
  • 39cb46a92889429d3dfc422381b46d04f9e69af0a088eec656845f184ed0b8f2
  • 3b6a4dbf9a923ac935f6f671b38de0ed83da428b74dea48efa180365a507e13f
  • 452ce18b59c1ab0cb4925435edf60edcfc5114cdea15056702e69c45af5763a2
  • 4e38b473973bce00cf5f60b545327db9c9e8b17225262e88d13299f6abf579f2
  • 51a323f3b47edc969017af5b31d364d4f23574471a52511970aaf54a8c34c382
  • 51bbe9d3ae4bd23f31fd90ddf0d8af295ca98773653a16c2bb5a950670352888
  • 525bc89d56339ce9423aae276228a8b879d7156ecadff7054a397a8d5178f5f0

Coverage


Screenshots of Detection

AMP




ThreatGrid



Win.Malware.Dijo-6748031-0


Indicators of Compromise


Registry Keys
  • N/A
Mutexes
  • N/A
IP Addresses contacted by malware. Does not indicate maliciousness
  • 95[.]181[.]198[.]115
  • 192[.]162[.]244[.]171
Domain Names contacted by malware. Does not indicate maliciousness
  • resolver1[.]opendns[.]com
  • 222[.]222[.]67[.]208[.]in-addr[.]arpa
  • myip[.]opendns[.]com
  • www[.]bing[.]com
  • hq92lmdlcdnandwuq[.]com
  • cyanteread[.]com
  • tmencedfur[.]com
Files and or directories created
  • %LocalAppData%\Temp\RESB9BE.tmp
  • %LocalAppData%\Temp\CSCE580781F303F45AE9F8858B262C2D7E7.TMP
  • %LocalAppData%\Temp\9DF6.bin
  • %LocalAppData%\Temp\CB8E.bin
  • %LocalAppData%\Temp\3F14.bi1
  • %LocalAppData%\Temp\RESBCAB.tmp
  • %LocalAppData%\Temp\CSC8B3FB8E53BAD4C5CA67A2B1CAEA0ABB3.TMP
  • %LocalAppData%\Temp\5mq30dkw.2sp.psm1
  • %LocalAppData%\Temp\jrz15mzo.uwv.ps1
  • %LocalAppData%\Temp\lajoenvy.0.cs
  • %LocalAppData%\Temp\lajoenvy.cmdline
  • %LocalAppData%\Temp\lajoenvy.dll
  • %LocalAppData%\Temp\lajoenvy.err
  • %LocalAppData%\Temp\lajoenvy.out
  • %LocalAppData%\Temp\lajoenvy.tmp
File Hashes
  • 0024d14e96fc79b1f7fd052945424e685843a48b1124f2b19b3a0b00570fb716
  • 004a4d3772f1253ed309ce48cdefb8358c7500b91b7fc1a548dd32af03f8178d
  • 00f9d43bdeb5c30acc9e5594c0ff1bd29b52efdcaa63bb8eba745342c165f856
  • 0169eb0d2386671d1929cf74456a32da1758d8c177b4dadbb5c1998768eee892
  • 016ef438660d7acbe94a229f0680b154bb963bc9dbc56eed7450dab36d486c01
  • 01aa3a5ab9590ff079a13d66f67d40b441ab171d2a6ead0df5453b2d3b55888d
  • 01e4c31f4836784dc4d297c4ba6e8f680216693735339022e11669960b929dcc
  • 020c8eff9905e60c6bba7ff500dd0097b0b3017cfa33712a74ff23062c539520
  • 0326d68f08fc899cd8bb7f1a9c1d7df50bc5b979e0f7d2532904a419ab1b7160
  • 033370dfd1d35bc66ed5abf0e6f6ff214c9e1e25196fef04679f18875b0b683c
  • 0383644a89640bbccf401520a918b54920f038e04ec0b0ae0d5aa53c45c08705
  • 03d315458bfc34d01d2e058b6aa772c7fcd294f3dbcd821f71249675da00d94e
  • 03df086184a6b1b146858ea3cef951dc9c3bf6148a26740a74e2384f5cc4a256
  • 03e17ccdc6dfa104759f6d08c38a1ee96fd9cb161600fb5446b61132e4d9bd3d
  • 04abd09ae808338d64a59fedb49dd5af79599cb9e990c2eab869d1afb25285a1
  • 04ef397e7e52f4c71553f5eb2d4bc1971d2eda8a54eafa5a23aae4700264688d
  • 05a5bbabbab5444214ce70c1190f41ccef8ef3dee786d1821d26a396d8a49eb5
  • 07b911ca945371e153a661cc0d3dc04a41e75075b184eeba26a82c6a945a82e2
  • 0879b668fbfac129d1c21076fc5826d46323398a3bcd327e4012be584778a446
  • 095114cf4e2a81c44821a1ad9d4ea632e8cf17cf35a5cabc65813a29bcc41157
  • 0a088fe8df26a9a2cd4330224134e1ea0d249300cbce0eaf11fc6f70b75f21f1
  • 0ad6e9f9cd8e64c8ec265d258407f627fb1a872d13bd9cb577ad5e100633f492
  • 0b438e78bb3fe8bffc8f5f1453f318efe177c97d9e4f0ba7e26969a60671a67e
  • 0b4d5c0751ead190373484f7b4d8f0d7e5de5ade613b888712b92947fc173a6a
  • 0d1b953aa006b38c0140f3a2bacda47a28262d54d5676aeeaf432235e356a5bd

Coverage


Screenshots of Detection

AMP




ThreatGrid




Umbrella



Win.Malware.Vobfus-6747720-0


Indicators of Compromise


Registry Keys
  • <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
    • Value Name: muehe
Mutexes
  • \BaseNamedObjects\A
  • A
IP Addresses contacted by malware. Does not indicate maliciousness
  • N/A
Domain Names contacted by malware. Does not indicate maliciousness
  • ns1[.]chopsuwey[.]org
  • ns1[.]chopsuwey[.]biz
  • ns1[.]chopsuwey[.]info
  • ns1[.]chopsuwey[.]com
  • ns1[.]chopsuwey[.]net
Files and or directories created
  • \??\E:\autorun.inf
  • \autorun.inf
  • \??\E:\System Volume Information.exe
  • \System Volume Information.exe
  • \$RECYCLE.BIN.exe
  • \??\E:\$RECYCLE.BIN.exe
  • \Secret.exe
  • \??\E:\Passwords.exe
  • \??\E:\Porn.exe
  • \??\E:\Secret.exe
  • \??\E:\Sexy.exe
  • \??\E:\x.mpeg
  • \Passwords.exe
  • \Porn.exe
  • \Sexy.exe
  • %SystemDrive%\Documents and Settings\Administrator\sauuyi.exe
  • %UserProfile%\muehe.exe
  • \??\E:\RCXFF.tmp
  • \??\E:\muehe.exe
  • \RCXFBD0.tmp
  • \RCXFF.tmp
  • \muehe.exe
File Hashes
  • 010054eb95e98fdfea1f1164b12a5dcf475f0ffcc16dc18c276553d4bce3e39c
  • 01cdf16c052bd4d6e8f50d0447f0570b6e42727cbb3dcebed6e20766a0599854
  • 02785ab8fe2473f20ea32dad5908f6b8831d603c26db26e67e8b3d1daefd4544
  • 0293926921291e6700eddb633fe22ac136735ace9170e6c502be52039d3e7488
  • 02f72dfcc27501cd1a44b3a0eed9e41831f745fc26d6b7d1526c151c94d58333
  • 0572a5a7f2888736e647fccbd2d4ed051bb038b82d3d53fb899dcde836922fc2
  • 0581546a844cf13d0f0c494c9cda7eb7a71a5dbea4abbd8ddb917fe00665965b
  • 06383e4b2c2a596732f85ce8028c5b1c0a60c82e75bbb75358bcd8498b6b4b03
  • 080d08b5202a6da7052a3256c1863db41121881d75188ad96b9af9ab5932a97e
  • 08293e6522e8888ce18400e0c3d6e6ac1319e80bd99ffd24b8e7845fca091cf5
  • 08c0cc2e37a1fbc8f84c932a7cb2bc9a3d3f78a4ce086c1286cb3d335619f9ff
  • 0b2752012a9e104641af14d60987db12a41d39401ac46584b6e9125ed5d0c198
  • 0bcd28d3d84c7518df94abbb5a8153a345121d1d126fc9dc4624259de02a41ab
  • 0c45087137456380ec673b12d06310d8d753be92a3009bcec94ec4ebc2140bb7
  • 0ceecae1d802f19881b04e6f97af98b5039f2b8ccd538c293d66de93d8d77964
  • 0d9a84172a0f96b340eb3f6bd45ca30dbe6c20180f9dae75cb135d0d8b6ffa38
  • 0db0feea81c1b211fbae852151734fca8fb423102cb953dafb3c188f40491482
  • 0ea8e078ab8b42d97148b488fb1ad7d21972c37fdac7befc7d462ee7be3acb84
  • 0feb943bda713bb872c82a94bceb10acd11a1ec0cd2997236dc17da24b646288
  • 121a6b3a8000948f073e3660ecafb19bf5d204a9d468112575afd15c39222eb1
  • 12fc93e4e1c01ce7e3670138d50aa26e5c3d77f3c42da0dc3bd7bbae57359dc4
  • 133fea888e19e34c7703b38194ec08360ce8d697d7aec79da979a35072adce02
  • 145fe07226fb8eb92f609f16f7044ae5a529433730d285ca7c33b9cff6b86b71
  • 1551de875bb37b13c332d5b67ed64026c477f21bbcc6ad3d50ba8b3b8702ee5f
  • 18ee7ed2c61ee532f9a42d02c3c53b017496071608324361117514bdd3fdcade

Coverage


Screenshots of Detection

AMP





ThreatGrid



Umbrella



Win.Downloader.Upatre-6746951-0


Indicators of Compromise


Registry Keys
  • N/A
Mutexes
  • N/A
IP Addresses contacted by malware. Does not indicate maliciousness
  • 195[.]38[.]137[.]100
Domain Names contacted by malware. Does not indicate maliciousness
  • drippingstrawberry[.]com
Files and or directories created
  • %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\ffengh.exe
  • %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\hfsrfgs.exe
  • %LocalAppData%\Temp\ffengh.exe
  • hfsrfgs.exe
File Hashes
  • 1b806d44ead6688b22e623a1d50ad910af73b6ebe274901cccff8aabd526e3dd
  • 1df5a1477102ad9d32a976eea0af04b7c63a660fefc39a8c2c524e8cfa9634e3
  • 2e09c458bc34495f4390b2783d17369a2f809860eb95b95ff914c6610fd42ab0
  • 56db7b1dd0bcbeca631eee556146fb599fc363466f51ec01eae28ecd4289e838
  • 61e96310f388db546db48b6b8d81958264647add9f7cc880067cd6f875b5b4f9
  • 64c1bb68e91d30812c0ea2690a4bb15d2788b43ec6c54aa9672de758ee7e5042
  • 71dfc74d26d696f74b65c03c93a9118b9c62e5adfb6c93a5e15d00dcb50d585f
  • 7a305e442718a07f2ddcc7ae9a8983c49be3247c123b06dabcf7d48d3a4bdcde
  • 7da8dd2d31ad4ed61c87b5f44e1d70bcb938d9c5ff9abbc94c8e76cf0b10f379
  • 87071c84cff348e086cb28fcfeec54daf58d728c5fb3aaa26ff4aca42fab4b4f
  • 99230cc2ba171d71a9c5bade432d53bbf1ea78be629f62b90bb73fd71a26e8a4
  • af44d4fff8ce394f9ecb9b3f9d95b8fb440a7b8f1892574f41355072ec2f0999
  • bcdfdc97d2a6f3769902d3bf55b180b4dd9efc74af345cf23a795dbdc9456b51
  • c224d27d7adf2fece2e92d4ed2f62e244e8e5bcaa98c89ade06d40b0112e6bd1
  • d7afe736ed75987b854236b451a4cb6f0642b4e9cc92f3a9a96e2b8535070d05
  • d9d107fed85d142d6a5cb4d40a48b3ddf5c61f97bc502a297f816ac902fa13a6
  • e4eddc3910aca83db9bef4bc4f11006c0ae09a1552a6266adac79dc922ffe90a
  • e6c03bfb271c97063320d079b7ed156b8eae18c75ccf5c25d5ae5cc01df62139
  • f41388706c803a31645f416804995ad881d8ee0e0de0f0c355fb87fc415de211
  • fb75875cdf989e58a80330aa43543b9ab3765fde077174729e2011555cd295d9

Coverage


Screenshots of Detection

AMP




ThreatGrid



Umbrella



Win.Malware.Emotet-6745295-0


Indicators of Compromise


Registry Keys
  • <HKLM>\SYSTEM\CONTROLSET001\SERVICES\GENRALNLA
    • Value Name: ObjectName
Mutexes
  • Global\I98B68E3C
  • Global\M98B68E3C
  • PEM19C
  • PEM52C
  • PEM748
  • PEM43C
  • PEM20C
IP Addresses contacted by malware. Does not indicate maliciousness
  • 187[.]162[.]64[.]157
  • 98[.]144[.]2[.]113
  • 200[.]71[.]62[.]76
  • 82[.]211[.]30[.]202
  • 165[.]255[.]91[.]69
  • 154[.]0[.]171[.]246
  • 110[.]142[.]247[.]110
  • 119[.]59[.]124[.]163
  • 108[.]51[.]20[.]17
  • 197[.]249[.]165[.]27
  • 96[.]242[.]234[.]105
  • 217[.]91[.]43[.]150
  • 66[.]220[.]110[.]56
  • 72[.]67[.]198[.]45
  • 183[.]88[.]1[.]238
Domain Names contacted by malware. Does not indicate maliciousness
  • N/A
Files and or directories created
  • N/A
File Hashes
  • 0edecb893280c8258b5ee20f17afdbdcd09efdec198ba3f0b9dae3bb3a74c497
  • 11fb93e3b137ff6978fd79fdd634f44f257ee28f9bc5c2965108cb5c49a0d949
  • 313f19bdb8c46b96ac18bca55f53f5c0eb03d2fcececaab47b9339d8f014f7c7
  • 40651a1759d2ae614541d3f6e8bb6298ab72a242673c44e541dc28e30ca8929f
  • 5df55f78a21cd8457c9432afc8da45c182fad6107e3b6e4f5cf86272b68012b1
  • 70921b45506097595f7d11123c1b5c92aa032332c8a503058b27f32ec85d8df2
  • 73689ce1d669a63bdc781fab63f052fdc22021f7d08d37ed7573d2da7230568e
  • 83b316b9a9f76efcab1e741c8eeb7a0c7a50072c3fde5acd49cb0d28afbe7a23
  • 9edeb5b8ba0b6fd036650f80edf1cdd3c35974fcb8ef5a272b658d3ec1a38035
  • b53fb3cf4ed1d4e62dd0cc9d8e1d482dc1a55dedc3804a097f1b213080bb64c5
  • dab7877de92a3793873fec30c4b2e4a758bd5c3c6a67c8da20bfce7c255031be
  • ea8479d471d38105312f8264f2d93c7dd317d1bfda94f345f74313efffe8fb54
  • eba4704ea3e2a37a2bef98101758cbd2264bf6dcfe36eb930fe36fa32d75838a
  • f2a2d0eda6e21c4273d07aafe190918d96c21db335de4c4872e1eca136920c6b
  • fba4b9baf4b72790f1ff9ad58160efd7bd4a1927191668da75468255083e48b9
  • fc5935b12a8d07abcafc613a04d3c6773e088f31b88f78acc7f8ee2d2fc2d529

Coverage


Screenshots of Detection

AMP




ThreatGrid






Comments