As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of date of publication. Detection and coverage for the following threats is subject to updates pending additional threat or vulnerability analysis. For the most current information, please refer to your FireSIGHT Management Center, Snort.org, or ClamAV.net.
This week's most prevalent threats are:
- Doc.Macro.MaliciousHeuristic-6298845-0
Office Macro
Office macro code is used to further compromise a target system. Macros can leverage external system binaries to execute other binaries to further compromise the system. This signature looks for code associated with hiding the core functionality by including junk code.
- Win.Dropper.DarkComet-6301230-0
Trojan/RAT dropper
This is a malware dropper. It currently drops the DarkComet RAT. The file is a slightly modified version of wextract.exe, a legitimate Windows tool to unpack archives. The malware payload is stored in the resource section of the binary. The dropper binary is actually a multi-format file, and can be interpreted both as a PE executable as well as a cab archive. The modified Windows binary will extract the payload binary from itself and run the extracted file.
- Win.Trojan.ServStart
Trojan
ServStart is a trojan that installs a persistent service on the victim’s machine. The service exfiltrates information about the infected computer including machine name, username, keyboard language, and computer performance specifications. The malware server can respond with commands to download and execute files, or execute shell commands. ServStart has been observed using multiple dynamic DNS providers for its command and control infrastructure.
- Win.Trojan.Agent-6298180-0
Trojan (credential stealer)
This sample attempts to collect stored credentials from a number of installed applications and then attempts to transmit those credentials back to a PHP application on a possibly compromised server.
- Win.Trojan.PWS-6299789-0
Password stealer, injector
PWS (also known as Fareit or Chisburg) is a credential & sensitive information harvester. Select information such as banking credentials or web browser password databases are queried for on the infected host. Any discovered data is propagated to a C2. These recent samples are protected with the Armadillo packer & rely on both code injections & dropped VBScript code.
- Win.Dropper.Emotet-6301061-0
Dropper
This dropper is delivered through different mechanism, most of the time the victims is redirected to a website to get it through malicious pdf, http iframe injected. Once running on the computer the binary is gathering details on volume disk drive and other details, injecting process, dropping itself and contacting internet to execute more. Websites observed delivering ransomware and trojan banker.
Threats
Doc.Macro.MaliciousHeuristic-6298845-0
Indicators of Compromise
Registry Keys- N/A
- N/A
- N/A
- storefronts[.]pl
- 23b90b1c55fdbbd371655da0ccf359e891deb51ed5bbc0ac772c5d572f4b3a42
- 2471636a92daa0a54095aa66b55ad2fea5fd5d6372b0be9d65d1d1e2cef31bd5
- 2b24221aabc8cd18e756a579b29a005fc9c33213f5ec963b9b6ccf4e6187b23b
- 4b781b8370f973b9204b44c8ce3615692fc66c1613967a44924984d35fba7bc4
- 4ee6b9bb8e903bed9a82c7dad6d62163e3a4f759ade5f5f8fcf899945bfd9264
- 564c37dcd8322bd6e8cabc788f982a35f7d3e335c3d736ce544fc17a6b090183
- 59b54e7c4e052adbc1d64dc61623af6f55db1a8692b373cb6ca871ba087feaac
- 6930d456c506c94b9e19a08659181b7d376254dca652d0e56c305764867578d2
- 6a0eae0addd6ce84966ac1bd006e9582036eaaa1011a38190f700871cc37de24
- 7045d8f339cab73cf0ec7f31a7b3a31a84057f0b275f789f4bfed9dffee35564
- 7638745d08de218fa16e9c0828ed0a1139223d3ebddf4bb528bc3ae185cea90e
- 81cdded9aa21513ad9c6ae04455a7fce68129135f3358b9c5e28a80139e78f21
- 93472e054b4b4fcc54a71a32b6275f8b35c8ef84490248d21c094f19a537c773
- a0bfeb90468ddf50a3c85d5074e002b1d89995d6377eceeb0781ba5292facbcc
- b3dfdfcfea160ed34eb69da55909294f78d2b5a6320cbf5151a3da01c6449631
- c185559d0a38e782167beacff78a7a72544d82890b5e5723e6a25a70e6e16d59
- d2c1b89129e3e26544bfbef3fac4567c3629817a98ded9ce5c7dee485d0364a9
- f2e4fe273c4a8cc1cd7799d5558c58b8a08dfe160235dfa2eb2a8bad9bba40aa
- 02481825e922c38ba797ebc18d5a8273ede8c5a4d52eecd2f58eb569533d780b
- 06736e5f3127a54bbe6bb25f4a82ca95371e5cc8654a893c02d3d4e677e0b916
- 21b039f3171f26911290dad3e1ce0da6d6d3545e11f9a119408922ac2ae06db6
- 2643f9f8dce45983eac80feeebd16adbd498e3a644ef8b05bc40448be9342ddf
- 2ac6b5487c69427476b48bcbbddd7646842e02363a0d4ebe1b1998da6d1f55a8
- 2dad87b69ee91bfa71d911b791e5468efb6ce689ccc4cde3e91626cbfcfc14ab
- 2f4853b54c36adf9ca9fbb163dacedee78b6b027fac3c24c72120e9d8cc6f01e
Coverage
Detection Screenshots
AMP
ThreatGrid
Umbrella
Malware
Win.Dropper.DarkComet-6301230-0
Indicators of Compromise
Registry Keys- N/A
- N/A
- N/A
- N/A
- 05C8DE4B97737440913F5C714082AD647281FA50F1904B1BF11EDB8560294FAC
- 07D9D6DA8C6CD162DD9FC78AC48EAF82BC49D4239908AF354E44C4822FE06D62
- 099ADD24586D77C5F2B8EFB9C33A8A11B5A0C11001A8534D9635A674ADC260AD
- 0A155F4F20367E4D23B6D238208FA5F943A1341E47BDBB2DBC520CCB27AD120B
- 150420EDB4BF00DADCF71601781DBE3BD6E34CBA767153B9F82307EDDF391395
- 15F2BB3B4A12A6F5B0965FDE62AE21B2796D7659BBA8011FC22AF40D465984BE
- 318B2A4F06345E95C63E4623F52E0E7C57257548C74E0C7A272FCB64D3F49692
- 4B0BB06E09ED0B2EDB085641E125490E9B1A6CC5652C05C77C78E47CF9448D35
- 507874BA705282183F928D3AE11ED5497A0F1EAC3368DE75C392D17749CB8EE9
- 55FDFC65C0C10A958239E0447E5696989FE66557437EB725849BB578D882D74E
- 5D31C073C4B7322A7DE871D533D520DE2444466D0C944CB06F6244D2CE57D49D
- 6597E2DD82FC203BA2C609B358B2E0CAE37A4309808626DA27BD58614077D646
- 6A23031FDD70C6D57D8FE9C8D3EFE6A423C38BF2D46B9B24959E5CA7D0714FCA
- 6C652B0E4998456F150515EBF50CA569CF373BA709442F6909DD7D4330C83D2E
- 6EB12C46F0605D8F915C8E895FC70D189D9E8825775EBDB464A9A24834887E60
- 776B2679819B1E0385E1630EEEC50190DAAAEC0EEF9F659EE728C47991FABFBB
- 77FA104262E3FF983B3418540FF744E0EAAE5E66388333ED785EF6F5AA2801F9
- 7D6765A1F6589A554457D9363F702F65E81DDDA52EB62C600250E0F94C473A16
- 8590486CD299DAA9BF42497EF28028364E4E18B6C60B725736A7D2DDC73BBC2F
- 92EABA06563800BA670249E90D91C32F9D315889439BCAA73F24D2C08E285B84
Coverage
Detection Screenshots
AMP
ThreatGrid
Win.Trojan.ServStart
Indicators of Compromise
Registry Keys- HKLM\SYSTEM\CONTROLSET001\SERVICES\NATIONALLWC\Description
"Providesufl a domain server for NI security."
- Nationallwc
- N/A
- syhaw1516.codns[.]com
- wrop0422.codns[.]com
- ansbase.9966[.]org
- fbbc6852ff1947fcd820b90e60ab71af93ffad079bd13a0d2b514955bb1c9d62
- 40eddfac964b69ee2e26742faaacfe50960fa0232a1b9a11c382e61cecd700ff
- 6106eda3ae39449fec42db2caf4f1b5f994d72b5a759dddfd77a8a29ebb3f497
- c106435a2aced27d03ee5531eda025b14cec106106a1c7ca750127090f6d2039
- 8d4366eff17da1c18ab3fed1692628756a8f41f3145877f895b7ef950055262f
- 3be7ab79f032cf24b09fc05b08544fd61ec7e3fd355f8ab7b4580eb43d8c3e55
- ff6b7320d6b75a638c0f2d024f43853dd78993276a8f6b5f7463d6317858dd9c
- c9a193d273f606860bee0dd4a878a6421233b05ac4c6faf357d9324f0d6a575a
- 932d8d5829570237e9ab7688dd2d3c03812a05157f72af124cabf530be583789
- ba07a79a2f4d51eaac585b0f50e3b1e61d8fc555592aadb1e5d3916fb26b0e27
Coverage
Detection Screenshots
AMP
ThreatGrid
Umbrella
Win.Trojan.Agent-6298180-0
Indicators of Compromise
Registry Keys- N/A
- N/A
- 212.129.14[.]211
- tranexestin[.]com
- afc3ba4941b89a4467e2f1a4ab0df2c88ef5e39264182a4b3a2dbbfa5b022e3f
Coverage
Detection Screenshots
AMP
ThreatGrid
Umbrella
Win.Trojan.PWS-6299789-0
Indicators of Compromise
Registry Keys- USER\S-1-5-21-2580483871-590521980-3826313501-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
- \MACHINE\Software\Wow6432Node\Microsoft\Tracing
- \MACHINE\Software\Wow6432Node\Microsoft\Tracing\tmpVtFw4a_RASMANCS
- USER\S-1-5-21-2580483871-590521980-3826313501-500\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections
- USER\S-1-5-21-2580483871-590521980-3826313501-500\SOFTWARE\Microsoft
- USER\S-1-5-21-2580483871-590521980-3826313501-500\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\Location Awareness
- USER\S-1-5-21-2580483871-590521980-3826313501-500\Software\Microsoft\Visual Basic\6.0
- \MACHINE\Software\Wow6432Node\Microsoft\Tracing\tmpVtFw4a_RASAPI32
- USER\S-1-5-21-2580483871-590521980-3826313501-500\Software
- USER\S-1-5-21-2580483871-590521980-3826313501-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History
- MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters
- USER\S-1-5-21-2580483871-590521980-3826313501-500\SOFTWARE\MICROSOFT\Visual Basic
- USER\S-1-5-21-2580483871-590521980-3826313501-500\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage2
- N/A
- 92.53.96[.]120
- cv42569.tmweb[.]ru
- dddde27836842e0f950b5622e1be7a0f51072db573b2f2e41d20d4b4c45028d8
- dc086f745c35b2abe58675e546b475ed64f15ea6e9d4492a0502476f784ea85c
- 97cd05c529002b85ae756a9e7b7da7a538026583f0886a235cf48b72c378551a
- 2992c6ce7ccda6fef751a912eafb8a31e3426bde8964ccf31b0512390bd61615
Coverage
Detection Screenshots
AMP
ThreatGrid
Umbrella
Win.Dropper.Emotet-6301061-0
Indicators of Compromise
Registry Keys- N/A
- N/A
- 188.165.220[.]214
- N/A
- f566fdc382f6988599cb16894d8a9a92e291d83574834de705d6367b520b6b50
- dda1fffa38e3f9d30833d201b542422aed15a41253b2a72797ad38dfba8fe535
- 6d4fa878e2930cb3bedc2078855f6d7db7b6b136464f6dff256d8c62657b505f
- 8ad1c1655d6d3b2a4931ae2dd9eb4e3b7be488a7f39b9c396fe1eeda2eda05a7
- c0e8a92ba6ce12d803ecfccd01432f855e6fd9ad19825602a74a081459e25389
- 5598fdcc6c0c2e7bdb095193a5f986e6cf22fdcca26c2e8451c46d787ef18435
Coverage
Detection Screenshots
AMP
ThreatGrid
Umbrella
from Threat Round-up for Apr 21 – Apr 28
No comments:
Post a Comment