
Threat Roundup for September 14 to September 21


Today, as we do every week, Talos is giving you a glimpse into the most prevalent threats we’ve observed this week ― covering the dates between Sept. 14 and 21. As with previous roundups, this post isn’t meant to be an in-depth analysis. Instead, we will summarize the threats we’ve observed by highlighting key behavioral characteristics and indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

The most prevalent threats highlighted in this roundup are:

Win.Dropper.Genkryptik-6690044-0
Dropper
This threat attempts to spread via removable drives and spam email. It uses legitimate SMTP servers to send spam from its victims.

Win.Dropper.Dofoil-6689818-0
Dropper
Dofoil, aka SmokeLoader, is primarily used to download and execute additional malware. Read more about this threat on our blog here.

Doc.Malware.Nastjencro-6688356-0
Malware
Nastjencro uses PowerShell to download and execute additional malware.

Win.Dropper.Kovter-6689163-0
Dropper
Kovter uses mshta and PowerShell to minimize its presence on the victim's hard drive. It uses the registry to execute a malicious script any time a file with a specific file extension is opened (e.g. *.clUQwv).

Win.Dropper.Coinminer-6688928-0
Dropper
This malware installs and executes cryptocurrency mining software. You can read more about this kind of threat on our blog.

Win.Dropper.Fareit-6688124-0
Dropper
The Fareit trojan is primarily an information stealer with the ability to download and install other malware.

Doc.Downloader.Pederr-6686124-0
Downloader
Pederr uses malicious PowerShell scripts to download and execute a malicious executable. It has been seen installing banking malware such as Emotet.

Threats

Win.Dropper.Genkryptik-6690044-0

Indicators of Compromise

Registry Keys

N/A

Mutexes

N/A

IP Addresses

N/A

Domain Names

smtp[.]yandex[.]com

Files and or directories created

%AppData%\windows Update.exe
\??\E:\Sys.exe
\??\E:\autorun.inf

File Hashes

0b6d3eb6dba7730fdfcaf892eb153c1cf9762419eaf0a29689ec929cc7e57aff
27b205b99c01b6ef21c8ee0df5dce9a970790d61b48da3d6a8be8c8845289db5
3069631a8410decb34e6210a8fc4b36de03d1635baac8655035365076a3613e4
3b6ec2629747f8ddb0b244a686f29f7001b030f0ba86ab7b76961bfff0f6c151
3ccba4f06849edeefe60f8a25f4752f89b9ccf8ca62378f7e6108980b244ac2c
3e2a97b7d366e255fcfd2f470da800e9e5aae08a3c1d75916870f8e42ad6160a
492064ef6226b2b174046c07987dfe09afcd9e2f3f69f80bb109dd8b151ea49d
4b50bda6c3fe41f6c930ec701d851781e1664b720e6fc65ab2fbb6c28916f24b
5325cf98bf3080c9846aba8bc76d5cb49de5ac4cf10e337e12a1945cc9a4763d
5a0a5181cf8be2be6fda2be77eca48030d64ad6f737f4c911eba52219537b746
5f7c12cefe681ce32304c1944da6a14e47de36d83ecb47101873d8702f041b76
656a97b7d3481ebf79887b691637f45ec54c494832f5b83774f35dc2c8d8bba2
714f0773cd6a55310527aa10eba1905284c42ace7a5cc063443fd8a00c9868fb
73efa5fd117d51ffd6d2f51e0a946ed3455ad29334f5899b39ff338d0b72edf8
825f8902a8a8ae4852ff5c2351efbc83140203473b2d90eb8526c9b8eb88faca
896e7407427fdb945e2f09b65095d80c79cae041db31a16bcd5979668bcd14ec
8a6fe46554f345d8e5001bff5b8147edb2570fab335bfef28d9f5cff661d6e2c
8eef0b06ac1bc9445e752d851dd2ed905494df8741ae22cc3acee2af1d2ef36f
9cbe3c887a94b6a4fb47f3ec3d1e329cb90b291c39f14179337c52eb3a6228a0
9fb4cd041ff2bb0cbbf2e62f3633aadcbf9513ff12a449a9db8c69aee048c387
a52367db8f3e58f122222d22b62072ad827389760e6cf179382b29e5d5478152
a80cb2444eaa865fc268874e90ab7af658335159e6c6d0ffd939662f9f7b82e6
af8e4c150fe96ee59d7a9ef0dc5d97624fa94bc4dd6a6bcb947b7c5820b9f47b
b906ab1e3606cd64670fa1ad6c308a63f10b6d71d1758f3f58cf72947ce4d836
c9a8eefdca421af7871d7dd3bccbb56a64fc1b7c0721260286a5c5e4d3c0ef67

Coverage
Screenshots of Detection: AMP, ThreatGrid, Umbrella
Win.Dropper.Dofoil-6689818-0

Indicators of Compromise

Registry Keys

<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN Value Name: internat.exe

Mutexes

N/A

IP Addresses

99[.]12[.]215[.]168
98[.]217[.]41[.]219
99[.]152[.]6[.]105
98[.]66[.]233[.]28

Domain Names

N/A

Files and or directories created

N/A

File Hashes

09b128c59e326c83d4c51cab9cbdd5be2e94dbfb6f10ec8c6a2624e209c72e48
0c2b53607f9a654193bd746068de1ddf9d5bf6b7bc6f3971f72fae2f3ff9a285
16153bfbe50ea0565dcdf55151483f47dda327a367883a26848e2a5d89205aae
17b672d424c62eeebf742068e1c1e38404d2ec0d28349265ee14b546aa6adbb7
21785834f2d808fa9c19956b9c4f24ddc22730e69ca4c781cc006541a4807e5d
23edd474e7fbdb77e2125cc41c70d79959b8ebc764108a230dbfa2843f6993ba
2664dd574bb2115864e4d9ca72f8ad0acf53bfc6b02697795ad980c05e2d4127
27c1d0d72d43e3af324ce52ccdceae142f404f7636862654a8e9da9890de4099
29e59373e62a2c41003cf065865b07f847003467f70dc50d67a6c8592dd4303c
31609ceba86711fe540c4aa7beca78dba4c0f72f41c15251fe98fb9b6d099b01
394a644677da56ac14dbc5b3c72db0f60f77158ead598f3dc9af3564a326f7a1
3e72c6843feadb36dadf0e34551762164a1f24554584c9cca7e1629d6b8f027e
3fc9444d1ee0fa180d761646db3828b1e5f97e2db46a4fc613ee4bc9eb1211c7
41f3fc180ba3c26cf716adff8ae07a9d509d621390d4733cf4b4d8b68f0ec49e
475fec4512fa00322e723ba1a687a01ffe9c64532f6d8d9899d2c8ffbe0a3088
4d905057797bdddd0f17bc62bbd051bb34c08a095e563fb56c30ab08c67398e2
578e81265a2a78e97cb088b34c45f78c1a75ad1515b0a4720592bd4b061d3f0f
5cb179313e277a4d50a637f69d1277fdb63d3b713d3df37c0f7289814d4f04ca
5f3d2fbdaead02e440ad43475cc6411e08738495129eb83c8897cca10379d180
60d91c1223b66c03b82223ac156437e1d299d51a9cb5e6c0e8b4eb8f383d1982
6bd7d37e7dc72a6681c97abf4e315e780325de849159ac9bcd44174b79048d82
6c6afd4ee02aab0050696b157e6db5b14b5a94c84b10c6475e34b0a544668e72
7209b1b807534e03c3ca7fc12df9b74b5cbebc66f834eef37a22b1764476acbb
73b5f2e591f089008a0b2711adc80e38b83f759d4d2e576bc742ea10734466fb
74b13ba6c7a4e340386826c97b1cb5492e7b2f8b662e4e01b643c817d9866c2c

Coverage
Screenshots of Detection: AMP, ThreatGrid
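The indicator lists above are published defanged (`smtp[.]yandex[.]com`, `99[.]12[.]215[.]168`) and flattened into single lines, so before they can be matched against telemetry they have to be refanged, typed and normalised. The following is an added example, not code from Talos or from this roundup: it parses the Genkryptik and Dofoil indicators exactly as printed above into typed sets, then matches them against a handful of constructed telemetry lines. The `key=value` event format, the host names and the timestamps are assumptions for the demonstration; a real SIEM would supply its own field extraction.

```python
"""Refang, type and match the defanged IoCs published in a Talos threat roundup."""
import re

# Constructed sample: the Genkryptik and Dofoil indicators above, copied as
# published (defanged with "[.]"). Not data from any live system.
RAW_IOCS = """\
Domain Names
smtp[.]yandex[.]com
IP Addresses
99[.]12[.]215[.]168 98[.]217[.]41[.]219 99[.]152[.]6[.]105 98[.]66[.]233[.]28
Registry Keys
<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN Value Name: internat.exe
File Hashes
09b128c59e326c83d4c51cab9cbdd5be2e94dbfb6f10ec8c6a2624e209c72e48 0c2b53607f9a654193bd746068de1ddf9d5bf6b7bc6f3971f72fae2f3ff9a285
"""

SHA256_RE = re.compile(r"^[0-9a-f]{64}$")
IPV4_RE = re.compile(r"^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$")
DOMAIN_RE = re.compile(r"^(?=.{1,253}$)([a-z0-9-]{1,63}\.)+[a-z]{2,63}$")
# "<HIVE>\path Value Name: value" is the registry format used in the roundup.
REG_RE = re.compile(r"^<(HK[A-Z_]+)>\\(.+?)\s+Value Name:\s+(.+)$")


def refang(token: str) -> str:
    """Undo the '[.]' defanging used in published indicator lists."""
    return token.replace("[.]", ".").lower()


def classify(token: str):
    """Return (type, normalised value), or None if the token is not an indicator."""
    t = refang(token)
    if SHA256_RE.match(t):
        return "sha256", t
    m = IPV4_RE.match(t)
    if m and all(0 <= int(octet) <= 255 for octet in m.groups()):
        return "ipv4", t
    if DOMAIN_RE.match(t):
        return "domain", t
    return None  # section headings such as "Domain Names" fall through here


def parse_iocs(text: str) -> dict:
    """Split a flattened roundup listing into typed sets of normalised indicators."""
    iocs = {"sha256": set(), "ipv4": set(), "domain": set(), "registry": set()}
    for line in text.splitlines():
        line = line.strip()
        if not line or line == "N/A":
            continue
        m = REG_RE.match(line)
        if m:
            hive, path, value = m.groups()
            # Store as one lower-cased path so it compares with EDR registry events.
            iocs["registry"].add(f"{hive}\\{path}\\{value}".lower())
            continue
        for token in line.split():
            hit = classify(token)
            if hit:
                iocs[hit[0]].add(hit[1])
    return iocs


# Constructed telemetry in an assumed key=value schema (not real logs).
EVENTS = [
    "2018-09-18T10:12:03Z host=ws-0042 type=dns query=smtp.yandex.com",
    "2018-09-18T10:12:09Z host=ws-0042 type=netconn dst=99.12.215.168 dport=80",
    "2018-09-18T10:13:40Z host=ws-0042 type=file sha256=09B128C59E326C83D4C51CAB9CBDD5BE2E94DBFB6F10EC8C6A2624E209C72E48",
    "2018-09-18T10:13:41Z host=ws-0042 type=registry key=HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\internat.exe",
    "2018-09-18T10:15:00Z host=ws-0077 type=dns query=www.example.com",
]


def match_events(events, iocs) -> list:
    """Return (event, ioc_type, value) for every event field that hits an indicator."""
    hits = []
    for ev in events:
        fields = dict(kv.split("=", 1) for kv in ev.split() if "=" in kv)
        candidates = [
            ("domain", fields.get("query")),
            ("ipv4", fields.get("dst")),
            ("sha256", fields.get("sha256")),
            ("registry", fields.get("key")),
        ]
        for kind, val in candidates:
            # Case-fold so upper-case hashes and mixed-case registry paths still match.
            if val and val.lower() in iocs[kind]:
                hits.append((ev, kind, val.lower()))
    return hits


if __name__ == "__main__":
    for ev, kind, val in match_events(EVENTS, parse_iocs(RAW_IOCS)):
        print(f"{kind:8} {val}  <- {ev}")
```

Two caveats when putting hits like these to use. A match on `smtp.yandex.com` is a lead, not a verdict: Genkryptik is described above as abusing legitimate SMTP servers, so the domain belongs to a real mail provider and the useful follow-up is which process on the host made the connection, not a blanket block. Hashes are exact-match only and change with every repack, so pair them with the behavioural indicators the roundup also gives, such as the `internat.exe` value under the `Run` key for Dofoil, and treat network indicators as valid for a bounded window around the publication date.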