Threat Roundup for August 3-10
Today, as we do every week, Talos is giving you a glimpse into the most prevalent threats we’ve observed this week ― covering the dates between Aug. 3 - 10. As with previous roundups, this post isn’t meant to be an in-depth analysis. Instead, we will summarize the threats we’ve observed by highlighting key behavioral characteristics and indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

The most prevalent threats highlighted in this roundup are:

Win.Malware.Dbzx-6628757-0
Malware
This is a variant of the Tspy family. It is able to execute after every reboot, making it persistent. It contacts domains that are related to RATs and are generally command and control (C2) servers to upload data, and receives additional commands. The samples are often packed and contain anti-debug tricks to complicate manual analysis.

Win.Malware.Emotet-6628754-0
Malware
This cluster provides generic detection for the Emotet trojan that's downloaded onto a target's machine. Emotet is a banking trojan that has remained relevant due to its continual evolution to bypass antivirus products.

Win.Malware.Zerber-6629234-0
Malware
This is a malware identification for a ransomware variant of Cerber.

Win.Malware.Startsurf-6628791-0
Malware
Startsurf is a trojan targeted at collecting personal information, and is sometimes labeled as a potentially unwanted application (PUA) in other coverage signatures.

Win.Packed.Eorezo-6629326-0
Packed
This malware is known to enable the display of advertisements in Internet Explorer. It also downloads several pieces of software and installs them in the background.

Threats

Win.Malware.Dbzx-6628757-0

Indicators of Compromise

Registry Keys

<HKLM>\Software\Wow6432Node\Microsoft\Tracing

Mutexes

QSR_MUTEX_HnRHWDxWQnveBdUtWT

IP Addresses

N/A

Domain Names

ip-api[.]com

Files and or directories created

N/A

File Hashes

Coverage
Screenshots of Detection

[Detection screenshots for this sample: AMP, ThreatGrid, Umbrella]
Win.Malware.Emotet-6628754-0

Indicators of Compromise

Registry Keys

N/A

Mutexes

PEMB2C PEM944 PEM80C PEMA10

IP Addresses

67[.]68[.]235[.]25 187[.]192[.]180[.]144

Domain Names

N/A

Files and or directories created

%WinDir%\SysWOW64\TO5sH5uBMit.exe

File Hashes

Coverage
Screenshots of Detection

[Detection screenshots for this sample: AMP, ThreatGrid]
Win.Malware.Zerber-6629234-0

Indicators of Compromise

Registry Keys

<HKCU>\SOFTWARE\MICROSOFT\windows\CURRENTVERSION\RUN
Value Name: FlashPlayerApp
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER
Value Name: Run
<HKCU>\SOFTWARE\MICROSOFT\COMMAND PROCESSOR
Value Name: AutoRun
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\CONNEC
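The indicators published in this roundup are defanged (`[.]`) and the registry paths vary in case, so they need normalising before they can be compared with what a sandbox or EDR actually records. As an added example (not Talos code), the Python below indexes the mutex, network, file and registry indicators listed above for Dbzx, Emotet and Zerber and checks a constructed set of observations against them; the observations in `SAMPLE_RUN` are made up for the demonstration.

```python
# Added example: match sandbox/EDR observations against this roundup's IoCs.
INDICATORS = {  # values copied from the indicator lists above, still defanged
    "Win.Malware.Dbzx-6628757-0": {
        "mutex": {"QSR_MUTEX_HnRHWDxWQnveBdUtWT"},
        "domain": {"ip-api[.]com"},
        "registry": {r"<HKLM>\Software\Wow6432Node\Microsoft\Tracing"},
    },
    "Win.Malware.Emotet-6628754-0": {
        "mutex": {"PEMB2C", "PEM944", "PEM80C", "PEMA10"},
        "ip": {"67[.]68[.]235[.]25", "187[.]192[.]180[.]144"},
        "file": {r"%WinDir%\SysWOW64\TO5sH5uBMit.exe"},
    },
    "Win.Malware.Zerber-6629234-0": {  # encoded as key|value-name from the list above
        "registry": {
            r"<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN|FlashPlayerApp",
            r"<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER|Run",
            r"<HKCU>\SOFTWARE\MICROSOFT\COMMAND PROCESSOR|AutoRun",
        },
    },
}

def refang(value):
    """Turn a published, defanged indicator such as ip-api[.]com back into its live form."""
    return value.replace("[.]", ".")

def normalise(kind, value):
    """Canonical comparison form: refang network IoCs; fold case for Windows registry/file paths."""
    value = refang(value)
    return value.casefold() if kind in ("registry", "file") else value

def match_observations(observations):
    """observations: iterable of (kind, value); returns {family: [matching (kind, value)]}."""
    index = {(kind, normalise(kind, v)): family
             for family, kinds in INDICATORS.items()
             for kind, values in kinds.items() for v in values}
    hits = {}
    for kind, value in observations:
        family = index.get((kind, normalise(kind, value)))
        if family:
            hits.setdefault(family, []).append((kind, value))
    return hits

SAMPLE_RUN = [  # constructed observations for the demo, not taken from the page
    ("mutex", "PEM944"),
    ("ip", "187.192.180.144"),
    ("registry", r"<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run|FlashPlayerApp"),
    ("domain", "example.invalid"),
]
```

Run `match_observations(SAMPLE_RUN)` to see which families the constructed run matches; the mixed-case Run key still hits Zerber because registry paths are case-folded.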
