Threat Roundup for April 28 to May 5
Discription

![Threat Roundup for April 28 to May 5](https://blog.talosintelligence.com/content/images/2023/05/threat-roundup.jpg)

Today, Talos is publishing a glimpse into the most prevalent threats we’ve observed between April 28 and May 5. As with previous roundups, this post isn’t meant to be an in-depth analysis. Instead, this post will summarize the threats we’ve observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, [Snort.org](), or [ClamAV.net]().

For each threat described below, this blog post only lists 25 of the associated file hashes and up to 25 IOCs for each category. An accompanying JSON file can be found [here]() that includes the complete list of file hashes, as well as all other IOCs from this post. A visual depiction of the MITRE ATT&CK techniques associated with each threat is also shown. In these images, the brightness of the technique indicates how prevalent it is across all threat files where dynamic analysis was conducted. There are five distinct shades that are used, with the darkest indicating that no files exhibited technique behavior and the brightest indicating that technique behavior was observed from 75 percent or more of the files.

The most prevalent threats highlighted in this roundup are:

Threat Name| Type| Description
—|—|—
Win.Packed.njRAT-9999411-0| Packed| njRAT, also known as Bladabindi, is a remote access trojan (RAT) that allows attackers to execute commands on the infected host, log keystrokes and remotely turn on the victim’s webcam and microphone. njRAT was developed by the Sparclyheason group. Some of the largest attacks using this malware date back to 2014.
Win.Dropper.Bifrost-9999421-0| Dropper| Bifrost is a backdoor with more than 10 variants. Bifrost uses the typical server, server builder and client backdoor program configuration to allow a remote attacker who uses the client to execute arbitrary code on the compromised machine. The malware contains standard RAT features including a file manager, screen capture utility, keylogging, video recording, microphone and camera monitoring, and a process manager. To mark its presence in the system, Bifrost uses a mutex that may be named “Bif1234” or “Tr0gBot.”
Win.Ransomware.Cerber-9999985-0| Ransomware| Cerber is ransomware that encrypts documents, photos, databases and other important files. Historically, this malware would replace files with encrypted versions and add the file extension “.cerber,” although in more recent campaigns, other file extensions are used.
Win.Dropper.Kuluoz-9999994-0| Dropper| Kuluoz, sometimes known as “Asprox,” is a modular remote access trojan that is also known to download and execute follow-on malware, such as fake antivirus software. Kuluoz is often delivered via spam emails pretending to be shipment delivery notifications or flight booking confirmations.
Win.Dropper.XtremeRAT-10000002-0| Dropper| XtremeRAT is a remote access trojan active since 2010 that allows the attacker to eavesdrop on users and modify the running system. The source code for XtremeRAT, written in Delphi, was leaked online and has since been used by similar RATs.
Win.Dropper.Tofsee-10000005-0| Dropper| Tofsee is multi-purpose malware that features several modules to carry out various activities such as sending spam messages, conducting click fraud, mining cryptocurrency and more. Infected systems become part of the Tofsee spam botnet and send large volumes of spam messages to infect additional systems and increase the size of the botnet under the operator’s control.
Win.Trojan.Ramnit-10000021-1| Trojan| Ramnit is a banking trojan that monitors web browser activity on an infected machine and collects login information from financial websites. It can also steal browser cookies and hide from popular anti-virus software.

* * *

## Threat Breakdown

### Win.Packed.njRAT-9999411-0

#### Indicators of Compromise

* IOCs collected from dynamic analysis of 12 samples
Registry Keys| Occurrences
—|—
`ENVIRONMENT
Value Name: SEE_MASK_NOZONECHECKS`| 8
`SOFTWAREMICROSOFTWINDOWSCURRENTVERSIONRUN
Value Name: 23556fb1360f366337f97c924e76ead3`| 3
`SOFTWAREWOW6432NODEMICROSOFTWINDOWSCURRENTVERSIONRUN
Value Name: 23556fb1360f366337f97c924e76ead3`| 3
`SOFTWARE23556FB1360F366337F97C924E76EAD3`| 3
`SOFTWARE23556FB1360F366337F97C924E76EAD3
Value Name: US`| 3
`SOFTWAREBA4C12BEE3027D94DA5C81DB2D196BFD
Value Name: US`| 2
`SOFTWAREBA4C12BEE3027D94DA5C81DB2D196BFD`| 2
`SOFTWAREMICROSOFTWINDOWSCURRENTVERSIONRUN
Value Name: 5cd8f17f4086744065eb0992a09e05a2`| 1
`SOFTWAREWOW6432NODEMICROSOFTWINDOWSCURRENTVERSIONRUN
Value Name: 5cd8f17f4086744065eb0992a09e05a2`| 1
`SOFTWAREMICROSOFTWINDOWSCURRENTVERSIONRUN
Value Name: ba4c12bee3027d94da5c81db2d196bfd`| 1
`SOFTWAREWOW6432NODEMICROSOFTWINDOWSCURRENTVERSIONRUN
Value Name: ba4c12bee3027d94da5c81db2d196bfd`| 1
`SOFTWARE5CD8F17F4086744065EB0992A09E05A2
Value Name: US`| 1
`SOFTWARE5CD8F17F4086744065EB0992A09E05A2`| 1
`SOFTWARED8D7C4726DD94E5629F337DB2965C1AF`| 1
`SOFTWARED8D7C4726DD94E5629F337DB2965C1AF
Value Name: US`| 1
`SOFTWAREMICROSOFTWINDOWSCURRENTVERSIONRUN
Value Name: d8d7c4726dd94e5629f337db2965c1af`| 1
`SOFTWAREWOW6432NODEMICROSOFTWINDOWSCURRENTVERSIONRUN
Value Name: d8d7c4726dd94e5629f337db2965c1af`| 1
`SOFTWAREF170B3532C72267660723E333127B4D`| 1
`SOFTWAREF170B3532C72267660723E333127B4D
Value Name: US`| 1
`SOFTWAREMICROSOFTWINDOWSCURRENTVERSIONRUN
Value Name: 0f170b3532c72267660723e333127b4d`| 1
`SOFTWAREWOW6432NODEMICROSOFTWINDOWSCURRENTVERSIONRUN
Value Name: 0f170b3532c72267660723e333127b4d`| 1
Mutexes| Occurrences
—|—
“| 7
Domain Names contacted by malware. Does not indicate maliciousness| Occurrences
—|—
`torrent-leech[.]servebeer[.]com`| 3
`test0102[.]zapto[.]org`| 1
`hamzahacker84[.]no-ip[.]biz`| 1
`de7kaaat[.]zapto[.]org`| 1
`bobica[.]no-ip[.]info`| 1
Files and or directories created| Occurrences
—|—
`%APPDATA%svchost.exe`| 3
`%APPDATA%MicrosoftWindowsStart MenuProgramsStartup23556fb1360f366337f97c924e76ead3.exe`| 3
`%APPDATA%svchost.exe.tmp`| 3
`E:23556fb1360f366337f97c924e76ead3.exe`| 3
`23556fb1360f366337f97c924e76ead3.exe`| 3
`%TEMP%svchost.exe`| 2
`5cd8f17f4086744065eb0992a09e05a2.exe`| 1
`ba4c12bee3027d94da5c81db2d196bfd.exe`| 1
`TEMP.tmp`| 1
`%TEMP%Trojan.exe`| 1
`%TEMP%Trojan.exe.tmp`| 1
`%TEMP%svchost.exe.tmp`| 1
`%APPDATA%MicrosoftWindowsStart MenuProgramsStartupba4c12bee3027d94da5c81db2d196bfd.exe`| 1
`E:5cd8f17f4086744065eb0992a09e05a2.exe`| 1
`%APPDATA%MicrosoftWindowsStart MenuProgramsStartup5cd8f17f4086744065eb0992a09e05a2.exe`| 1
`E:ba4c12bee3027d94da5c81db2d196bfd.exe`| 1
`%TEMP%hamza.exe`| 1
`%TEMP%hamza.exe.tmp`| 1
`%APPDATA%MicrosoftWindowsStart MenuProgramsStartupd8d7c4726dd94e5629f337db2965c1af.exe`| 1
`%ProgramData%isystem.exe`| 1
`%APPDATA%MicrosoftWindowsStart MenuProgramsStartupf170b3532c72267660723e333127b4d.exe`| 1

#### File Hashes

`2167739d4cf736cf94b6f2156107cab8c312eac07b5a1eb26317564a9e5592b3`
`40ddedff2d7a63f99419ff69023258668d23217999e87134cf047038e59f88e4`
`49489f01e57b62d0f7a6ab2958589e3b888ae550bf32e4d6709df1c3364201e7`
`8ec9406c6818b968da592497a20a54a5d078686f652dfbde51d7ab510b6a58bd`
`a7b5eeea6104af0c07fa7af2cfab24670d43c4ce4aa3c113939f64b3a8c5f36e`
`af81e25f6aecf9306272e46a0267a3625b19f412e0499beaee617c6ae2489371`
`b965b370bf5205a592a1756e2c02e3ccd974d4dc2d63dc6ad90135afc5c74a0e`
`c1edf108bf51d26e6672d720ffab35de23cb2b14500f4c51372d31e2d789ce05`
`c82097083a498aaec3bbdcbdecfc8205c92fc5eadc643d917d3a56a065e77767`
`c89def53ae08d75d4164de3f3d37c5b01de1216125691fa127fb0f3e9e7591f1`
`e69a60228101d497ddc68c11e919402fb228413c09d5d3af426451880907b95c`
`e8cdabd65b244c74c37b21c8949fc5a80fec74aee34f159cd4b81d8cdeb7e293`

#### Coverage

Product| Protection
—|—
Secure Endpoint| ![Threat Roundup for April 28 to May 5](https://www.talosintelligence.com/assets/icon_check_white.svg)
Cloudlock| N/A
CWS| ![Threat Roundup for April 28 to May 5](https://www.talosintelligence.com/assets/icon_check_white.svg)
Email Security| ![Threat Roundup for April 28 to May 5](https://www.talosintelligence.com/assets/icon_check_white.svg)
Network Security| N/A
Stealthwatch| N/A
Stealthwatch Cloud| N/A
Secure Malware Analytics| ![Threat Roundup for April 28 to May 5](https://www.talosintelligence.com/assets/icon_check_white.svg)
Umbrella| N/A
WSA| N/A

#### Screenshots of Detection

#### Secure Endpoint

![Threat Roundup for April 28 to May 5](https://blog.talosintelligence.com/content/images/2023/05/amp_40ddedff2d7a63f99419ff69023258668d23217999e87134cf047038e59f88e4_20230429.png)

#### Secure Malware Analytics

![Threat Roundup for April 28 to May 5](https://blog.talosintelligence.com/content/images/2023/05/tg_40ddedff2d7a63f99419ff69023258668d23217999e87134cf047038e59f88e4_20230429.png)

#### MITRE ATT&CK

![Threat Roundup for April 28 to May 5](https://blog.talosintelligence.com/content/images/2023/05/mitre_attack_33388.png)

* * *

### Win.Dropper.Bifrost-9999421-0

#### Indicators of Compromise

* IOCs collected from dynamic analysis of 23 samples
Mutexes| Occurrences
—|—
`Bif1234`| 18
“| 5
Files and or directories created| Occurrences
—|—
`%APPDATA%addons.dat`| 2

#### File Hashes

`0585e38214fea7ac0452aa4c91ce1866a7c11196c3ac433d5d2c8f0926b1d993`
`05b60c3808ba135a4782eb1ee6bec09856f5677154ece35a180033d7cece493c`
`0a2742d35fef3309868a747e585d542912fa8e6b82ff64b6df0ddec693b954e0`
`15b848b09c13701b9cf4d7ec1546abaf4843a8cd4f93219465082594109b5a15`
`2d3c4909441820d1de63983c97ad0964558f6024da7e3df9f96175d4403bf218`
`317ad67576e5f51b4503b5a58790ae583d1298e2ad50c42f1d54f1607e740865`
`39df2f083999781a16ab03af79cae3f5e7ecb33e616d073e3669114ecc5d644b`
`3e434e528d5bdce10d103f262e13053037ba3f1d7d0cac058b697edbc5e7cf1f`
`528e5c62e0e8e3af8fc991a7c0401202675b71267e58ed2053631064b7bd0196`
`559fcab27f1bf9546475545d540aa891b901611247ede2b475c5093d31c859b3`
`70531690675458171a874b65e0446279933e41fceebb0510b43d0b910874b111`
`72d732766780f90c15b04466e29dfae232a2080b6a53a8a7d0b375f13bb59ded`
`7baa86e12a2c0cced0a644f2e0de4b34d3183e14e0ec0229decb7df669a1edf7`
`7f8ba1643800ef5c68f36fc5c7bd5f58e4bbf3488d1afe9457db3ff9f192f72c`
`8ecaeb0d4ab61d5b194f532e91402ee67f56cfeeca7f14bafe310f6c4f17ca8b`
`a25c4046bcb78ca6a41cf37262365cb6e630713d996962c5ed5624de6b70ce77`
`b1b116c818bb99e56d2bf16797fc561848ddbe2ce1fddc83a4c3533cd3686084`
`c98f65ea7dd4196e3c68318d4c51322bd5cfe6d4449dc2be633e0aab32509bdb`
`e4dc994221574eff6af87a233c7ddfa33b007293c1c8619c22414b1ff051f719`
`ea3ae31a4b957e8f7b34fe94599a2c34b0acc3dd6d8f01409fd68c90d50da2a4`
`f81ab857124dd17d90252c5b291d0e23f8d2331109a5b25f4651e4ad955e10b3`
`f90910b0082c3cb94d48d090d0910f14fc3e62d9c05781e136e99c28bc977436`
`f9aa6fa501379435e45be9a9a626ee1205b7dfa193c36c5e8530d88ec6effa28`

#### Coverage

Product| Protection
—|—
Secure Endpoint| ![Threat Roundup for April 28 to May 5](https://www.talosintelligence.com/assets/icon_check_white.svg)
Cloudlock| N/A
CWS| ![Threat Roundup for April 28 to May 5](https://www.talosintelligence.com/assets/icon_check_white.svg)
Email Security| ![Threat Roundup for April 28 to May 5](https://www.talosintelligence.com/assets/icon_check_white.svg)
Network Security| N/A
Stealthwatch| N/A
Stealthwatch Cloud| N/A
Secure Malware Analytics| ![Threat Roundup for April 28 to May 5](https://www.talosintelligence.com/assets/icon_check_white.svg)
Umbrella| N/A
WSA| N/A

#### Screenshots of Detection

#### Secure Endpoint

![Threat Roundup for April 28 to May 5](https://blog.talosintelligence.com/content/images/2023/05/amp_e4dc994221574eff6af87a233c7ddfa33b007293c1c8619c22414b1ff051f719_20230429.png)

#### Secure Malware Analytics

![Threat Roundup for April 28 to May 5](https://blog.talosintelligence.com/content/images/2023/05/tg_e4dc994221574eff6af87a233c7ddfa33b007293c1c8619c22414b1ff051f719_20230429.png)

#### MITRE ATT&CK

![Threat Roundup for April 28 to May 5](https://blog.talosintelligence.com/content/images/2023/05/mitre_attack_33390.png)

* * *

### Win.Ransomware.Cerber-9999985-0

#### Indicators of Compromise

* IOCs collected from dynamic analysis of 54 samples
Mutexes| Occurrences
—|—
`shell.{381828AA-8B28-3374-1B67-35680555C5EF}`| 54
IP Addresses contacted by malware. Does not indicate maliciousness| Occurrences
—|—
`94[.]21[.]172[.]0/27`| 54
`94[.]22[.]172[.]0/27`| 54
`94[.]23[.]172[.]0/22`| 54
`104[.]20[.]20[.]251`| 21
`172[.]67[.]2[.]88`| 19
`104[.]20[.]21[.]251`| 14
`178[.]128[.]255[.]179`| 12
`172[.]67[.]74[.]49`| 5
`104[.]26[.]8[.]86`| 4
`104[.]26[.]9[.]86`| 3
Domain Names contacted by malware. Does not indicate maliciousness| Occurrences
—|—
`api[.]blockcypher[.]com`| 54
`hjhqmbxyinislkkt[.]1j9r76[.]top`| 42
`bitaps[.]com`| 12
`chain[.]so`| 12
`btc[.]blockr[.]io`| 12
Files and or directories created| Occurrences
—|—
`%TEMP%d19ab989`| 54
`%TEMP%d19ab9894710.tmp`| 54
`%TEMP%d19ab989a35f.tmp`| 54
`%LOCALAPPDATA%MicrosoftOfficeGroove1SystemCSMIPC.dat`| 54
`_READ_THIS_FILE__.hta`| 54
`_READ_THIS_FILE__.txt`| 54

#### File Hashes

`03611a3d29c5bfc9c60478a389999d647f07d6a906057101deace299db87ed0c`
`0c14954805c6df5ed7e3a7e6eff41d49607d6952208b1bd462f3dc416b791664`
`0fd37123332104ce76d91a35e5393992b5cd81fd977afb97aecd5e27ad8c37b1`
`15155a362eb1e40c71af031bef0dd2dd92cf5fa7b549b365b576577decf5d01c`
`18e1ec6e2bdde5242db231d2c07d951e53568017a18c21e445feb3b513e0a946`
`26688f001590ab3312067b177c7b7abe9d1519dc6736aa846d5702a27eaabd33`
`297ba2b3bc3a1cb638b8791df4e5e76a4ab55dcdea9063e9e851d41289625def`
`2aae4f76bed26ed00582a82ee73cb7b58e9d54ca568047c3b7e1d7aaa32540a4`
`2c6b60e3d9593789b7bcd045d5ace99c90fd39de1485c3f4cb32d4cad8483456`
`2db8fc26bc17121b1724d72ad7abf2672710445a6fc35a3728c23f5d7dfc9c0c`
`31f78896c577b0fd9f8de7323e3b37448f1b683b38fa338c1c10b08fab8a0489`
`32b7762b08c045e310f15f9f8fdc16cef87f1779505c922b9076b56440641636`
`33f754ae9862b34b210b14a2b5bf1a966c136c6204e2af11cbbba91d11ccdb5d`
`359f1f7442d25411e9e948fe57fddc19700af351a08252f64671d24b4bad0ae9`
`3743ee2c437b0458bcf3f0d605dd7aa9b5a6f7278463659028652c119cb90e32`
`43b84a6ad0cd2ee1d40cc93a17785e7bc01e946e4176a98a74aa98a74e50c730`
`4611109e19c031e3fff93c947cc23193e20dcc545b2837f01ab63c62b482a6c8`
`49d3e05ce3c566ab41fc5de938cbc02886b79cd62e310f5c1ab2a7ad1dd7b614`
`51729b1d1902b3b9bc628f866f60895a84b01307964fdeb9ba7cef683d9eeec4`
`51fade9c1740e082ecd32c6971fe399863e8a386eb4bcbf32b3eaf2f89845837`
`57033c8389b211d9e9726fb70bed63843ab99e1d214c5dcdc5dc9e76a53571ca`
`5c814e00d32a00c46b071595af010a1ef3109ec025068449ece9886ded140a2e`
`60507ad97df7c8e3eeda9733d926462a1def4944d8c764db869dbeb661221ce7`
`664be3a91ac7ac0e54a5a07525a9aeddf62a94df72ebc07a6ec03e26eaef0aa0`
`6d585e98246c9469086f418ec6a7645a43e3de2fa360db95f23f9a71cd6d8c77`
*See JSON for more IOCs

#### Coverage

Product| Protection
—|—
Secure Endpoint| ![Threat Roundup for April 28 to May 5](https://www.talosintelligence.com/assets/icon_check_white.svg)
Cloudlock| N/A
CWS| ![Threat Roundup for April 28 to May 5](https://www.talosintelligence.com/assets/icon_check_white.svg)
Email Security| ![Threat Roundup for April 28 to May 5](https://www.talosintelligence.com/assets/icon_check_white.svg)
Network Security| ![Threat Roundup for April 28 to May 5](https://www.talosintelligence.com/assets/icon_check_white.svg)
Stealthwatch| N/A
Stealthwatch Cloud| N/A
Secure Malware Analytics| ![Threat Roundup for April 28 to May 5](https://www.talosintelligence.com/assets/icon_check_white.svg)
Umbrella| N/A
WSA| N/A

#### Screenshots of Detection

#### Secure Endpoint

![Threat Roundup for April 28 to May 5](https://blog.talosintelligence.com/content/images/2023/05/amp_359f1f7442d25411e9e948fe57fddc19700af351a08252f64671d24b4bad0ae9_20230502.png)

#### Secure Malware Analytics

![Threat Roundup for April 28 to May 5](https://blog.talosintelligence.com/content/images/2023/05/tg_93f5647d273cf07ea7c64c426032c7fcd2093b91421943ea8934599a379f7fb5_20230502.png)

#### MITRE ATT&CK

![Threat Roundup for April 28 to May 5](https://blog.talosintelligence.com/content/images/2023/05/mitre_attack_33396-1.png)

* * *

### Win.Dropper.Kuluoz-9999994-0

#### Indicators of Compromise

* IOCs collected from dynamic analysis of 22 samples
Registry Keys| Occurrences
—|—
`SOFTWARE`| 22
`SOFTWAREWAMXWQPD
Value Name: smujtlwk`| 1
`SOFTWAREMICROSOFTWINDOWSCURRENTVERSIONRUN
Value Name: luvplgpk`| 1
`SOFTWAREQPVIUNPR
Value Name: frptnefc`| 1
`SOFTWAREMICROSOFTWINDOWSCURRENTVERSIONRUN
Value Name: rjkqqpxr`| 1
`SOFTWAREEUMGPSEO
Value Name: cbovpnfk`| 1
`SOFTWAREMICROSOFTWINDOWSCURRENTVERSIONRUN
Value Name: cnggsxff`| 1
`SOFTWAREETTNCOSJ
Value Name: lwbgsdcv`| 1
`SOFTWAREMICROSOFTWINDOWSCURRENTVERSIONRUN
Value Name: ttaxvitj`| 1
`SOFTWARECTTQGKIS
Value Name: cmxfrtnw`| 1
`SOFTWAREMICROSOFTWINDOWSCURRENTVERSIONRUN
Value Name: pbqsbklx`| 1
`SOFTWARENAXXBCNW
Value Name: oafjkbjk`| 1
`SOFTWARECNEBDSXT
Value Name: bchenplg`| 1
`SOFTWARECDEKCHEP
Value Name: wwbdhrid`| 1
`SOFTWAREMICROSOFTWINDOWSCURRENTVERSIONRUN
Value Name: rrdssxrn`| 1
`SOFTWAREMICROSOFTWINDOWSCURRENTVERSIONRUN
Value Name: nsungxkd`| 1
`SOFTWARERTNNUWUL
Value Name: wtmaaxmw`| 1
`SOFTWAREMICROSOFTWINDOWSCURRENTVERSIONRUN
Value Name: lwvjaujt`| 1
`SOFTWARECPHRRTRK
Value Name: soxcrgal`| 1
`SOFTWAREMICROSOFTWINDOWSCURRENTVERSIONRUN
Value Name: dptacodg`| 1
`SOFTWARECDLCLVRJ
Value Name: guiqcbwp`| 1
`SOFTWAREMICROSOFTWINDOWSCURRENTVERSIONRUN
Value Name: vniggsma`| 1
`SOFTWAREMICROSOFTWINDOWSCURRENTVERSIONRUN
Value Name: wpbtwsab`| 1
`SOFTWARELECNFNCL
Value Name: sxofspsj`| 1
`SOFTWAREMICROSOFTWINDOWSCURRENTVERSIONRUN
Value Name: qxmseevb`| 1
Mutexes| Occurrences
—|—
`2GVWNQJz1`| 22
IP Addresses contacted by malware. Does not indicate maliciousness| Occurrences
—|—
`5[.]39[.]86[.]97`| 17
`77[.]237[.]121[.]19`| 17
`78[.]47[.]33[.]171`| 15
`162[.]216[.]112[.]217`| 14
`194[.]146[.]226[.]81`| 13
`187[.]95[.]41[.]194`| 11
`164[.]177[.]152[.]110`| 8
`190[.]124[.]250[.]29`| 6
Files and or directories created| Occurrences
—|—
`%LOCALAPPDATA%.exe`| 22

#### File Hashes

`00417d6eb1a336d0e1414544264bff6f924822e3da217cd61892f322c30e5f9d`
`10c08a7e1cd4f6561f3996b871831d21c7c4671c9dc42176c8f560e8c515f8d2`
`19cff7bd4713b5d8103f19715c96e6878dcbb2634ba901a05719d2bd0fb2ff4b`
`1c77cbe7e26592746c4f7b8e3995234ce89efab7a1f08f4c725935ee6ed469e1`
`1e55c11a9f3bd854166e1c6ef53a384fece89b8fc421047359a2b99fa049cf6e`
`29e0a59f6d38ec701ca6aa122c6a54726d5b0ed5536d2f89abdecca3f1a2de24`
`34a354c972b87640c6dc11e76be22c81da7ead7da852e64ac5d917df6c71faa6`
`464d669aeb5c011158cf8faca6a674fdaaa7df444c91948837d3b8c75c8c9a34`
`506602749b567b9884d91c7a728764d2500d3860c32ee315703148dc594e594c`
`5a422203f58d9e0344c737cc1166aba480742ede8d3baf2903ae42c3a0279e43`
`667b0dfd97f1a4b6f66681f49621a2ec69f5f72f0aaf7d210d8fa7fca40f0d7d`
`66b435ae8f847ca30c42ff42ea504d099c04b017410b6770fb675973428c9e64`
`7ad944253149901bdadc966f740c6e56b7ce87ec2678d31bccb7b4622a3b0516`
`924a3c1317e1f4cc772b9a0de3e95ec4f9f8070f407bd537c4e51574a6c15995`
`9f07d324155b0aa405671f8e56d8a36ccbc7a66842d175f379029c6480a84077`
`aad3e3b8506fe64eaca3828050ce78be32582a621a79e869e253e924f2dca99e`
`aca38b67e6d24e77fae537d82f49ffd344ef75bc4458d626b697ac0be4ebbab4`
`ba905bf22b38e1f3869279bfef60f3998e0521c0b2f9e045adc9b517826f8dcf`
`baed3471b03a58c6e1a8eb071a7222c8b3cddc9e060b037b20f7688cab589428`
`bffc4ce4aaa6bc170bda9add99f472156487dc312fd95bf6c78ed26e2c2309a3`
`e53a65c88ac8a732e06305b6ac0fbb8fc9f6b1035f71e7191df440daa75099c1`
`f2fa0559b22f7db6171a49318175f20e70052f9c4f747e79434c419c0fba0806`

#### Coverage

Product| Protection
—|—
Secure Endpoint| ![Threat Roundup for April 28 to May 5](https://www.talosintelligence.com/assets/icon_check_white.svg)
Cloudlock| N/A
CWS| ![Threat Roundup for April 28 to May 5](https://www.talosintelligence.com/assets/icon_check_white.svg)
Email Security| ![Threat Roundup for April 28 to May 5](https://www.talosintelligence.com/assets/icon_check_white.svg)
Network Security| N/A
Stealthwatch| N/A
Stealthwatch Cloud| N/A
Secure Malware Analytics| ![Threat Roundup for April 28 to May 5](https://www.talosintelligence.com/assets/icon_check_white.svg)
Umbrella| N/A
WSA| N/A

#### Screenshots of Detection

#### Secure Endpoint

![Threat Roundup for April 28 to May 5](https://blog.talosintelligence.com/content/images/2023/05/amp_bffc4ce4aaa6bc170bda9add99f472156487dc312fd95bf6c78ed26e2c2309a3_20230502.png)

#### Secure Malware Analytics

![Threat Roundup for April 28 to May 5](https://blog.talosintelligence.com/content/images/2023/05/tg_5a422203f58d9e0344c737cc1166aba480742ede8d3baf2903ae42c3a0279e43_20230502.png)

#### MITRE ATT&CK

![Threat Roundup for April 28 to May 5](https://blog.talosintelligence.com/content/images/2023/05/mitre_attack_33398.png)

* * *

### Win.Dropper.XtremeRAT-10000002-0

#### Indicators of Compromise

* IOCs collected from dynamic analysis of 81 samples
Registry Keys| Occurrences
—|—
`SOFTWAREMICROSOFTWINDOWSCURRENTVERSIONPOLICIESEXPLORERRUN`| 25
`SOFTWAREMICROSOFTWINDOWSCURRENTVERSIONPOLICIESEXPLORERRUN`| 25
`SOFTWARE`| 14
`SOFTWARE
Value Name: NewIdentification`| 12
`SOFTWARE
Value Name: FirstExecution`| 7
`SOFTWAREREMOTE
Value Name: NewGroup`| 6
`SOFTWAREMICROSOFTINTERNET EXPLORERSEARCHSCOPES{0633EE93-D776-472F-A0FF-E1416B8B2E3A}
Value Name: FaviconPath`| 5
`SOFTWAREMICROSOFTINTERNET EXPLORERSEARCHSCOPES{0633EE93-D776-472F-A0FF-E1416B8B2E3A}
Value Name: Deleted`| 5
`SOFTWAREMICROSOFTINTERNET EXPLORERSEARCHSCOPES
Value Name: DefaultScope`| 5
`SOFTWAREMICROSOFTWINDOWSCURRENTVERSIONEXTSTATS{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}`| 5
`SOFTWAREDC3_FEXEC`| 3
`SOFTWAREWOW6432NODEMICROSOFTWINDOWS NTCURRENTVERSIONWINDOWS
Value Name: Load`| 3
`SOFTWAREMICROSOFTWINDOWS NTCURRENTVERSIONWINDOWS
Value Name: Load`| 3
`SOFTWAREWOW6432NODEMICROSOFTACTIVE SETUPINSTALLED COMPONENTS{2J58XP0K-ERQO-J3F4-1E5X-JB44DFP82S24}`| 3
`SOFTWAREMASD`| 3
`SOFTWAREMASD
Value Name: NewIdentification`| 3
`SOFTWAREMASD
Value Name: NewGroup`| 3
`SOFTWAREINFECTED HACKING`| 3
`SOFTWAREINFECTED HACKING
Value Name: NewIdentification`| 3
`SYSTEMCONTROLSET001SERVICESSHAREDACCESSPARAMETERSFIREWALLPOLICYSTANDARDPROFILE
Value Name: EnableFirewall`| 2
`SOFTWAREWOW6432NODEMICROSOFTACTIVE SETUPINSTALLED COMPONENTS{5460C4DF-B266-909E-CB58-E32B79832EB2}
Value Name: StubPath`| 2
`SOFTWAREMICROSOFT–((SPYNET))–
Value Name: InstalledServer`| 2
`SOFTWAREWOW6432NODEMICROSOFTACTIVE SETUPINSTALLED COMPONENTS{5460C4DF-B266-909E-CB58-E32B79832EB2}`| 2
`SOFTWAREWOW6432NODEMICROSOFTACTIVE SETUPINSTALLED COMPONENTS{08B0E5JF-4FCB-11CF-AAA5-00401C6XX500}`| 2
`SOFTWAREMICROSOFT–((SPYNET))–`| 2
Mutexes| Occurrences
—|—
`_x_X_BLOCKMOUSE_X_x_`| 14
`_x_X_PASSWORDLIST_X_x_`| 14
`_x_X_UPDATE_X_x_`| 14
“| 12
`Administrator5`| 10
`***MUTEX***`| 8
`***MUTEX***_PERSIST`| 8
`***MUTEX***_SAIR`| 8
`_SAIR`| 8
`Administrator1`| 7
`Administrator4`| 7
“| 7
`UFR3`| 6
`SPY_NET_RATMUTEX`| 5
`Global`| 5
“| 5
`XTREMEUPDATE`| 4
`xXx_key_xXx`| 3
`–((SpyNet))–`| 2
`–((SpyNet))–CHECK`| 2
`–((SpyNet))–INJECT`| 2
`–((SpyNet))–UPDATE`| 2
`1G3W5JF701F082Administrator15`| 2
`((Mutex))`| 1
`XxXx`| 1

*See JSON for more IOCs

IP Addresses contacted by malware. Does not indicate maliciousness| Occurrences
—|—
`104[.]127[.]184[.]49`| 5
`23[.]7[.]178[.]157`| 5
`52[.]8[.]126[.]80`| 4
`13[.]107[.]21[.]200`| 1
`217[.]69[.]139[.]160`| 1
`94[.]100[.]180[.]160`| 1
`198[.]23[.]57[.]8`| 1
`66[.]220[.]9[.]50`| 1
`212[.]46[.]196[.]133`| 1
`109[.]74[.]195[.]190`| 1
`142[.]251[.]40[.]238`| 1
`23[.]62[.]230[.]159`| 1
`200[.]6[.]76[.]9`| 1
`2[.]81[.]154[.]116`| 1
Domain Names contacted by malware. Does not indicate maliciousness| Occurrences
—|—
`go[.]microsoft[.]com`| 5
`www[.]bing[.]com`| 5
`learn[.]microsoft[.]com`| 5
`www[.]server[.]com`| 4
`huhu1234[.]no-ip[.]org`| 3
`gamer9090[.]no-ip[.]org`| 3
`smtp[.]mail[.]ru`| 2
`google[.]com`| 1
`vids[.]p0rn-lover[.]us`| 1
`whatismyip[.]akamai[.]com`| 1
`ftp[.]drivehq[.]com`| 1
`xtremo190278[.]zapto[.]org`| 1
`ftp[.]freehostia[.]com`| 1
`sandra81[.]no-ip[.]org`| 1
`entony[.]no-ip[.]org`| 1
`anton124354[.]aiq[.]ru`| 1
`hackermibb[.]no-ip[.]info`| 1
`amoral999[.]p[.]ht`| 1
`api[.]bitcoin[.]cz`| 1
`darkcometkiller[.]no-ip[.]biz`| 1
`ro[.]sytes[.]net`| 1
`ambrella[.]p[.]ht`| 1
`merlim2[.]no-ip[.]org`| 1
`leechersau[.]no-ip[.]biz`| 1
`m3hl2ad[.]no-ip[.]org`| 1

*See JSON for more IOCs

Files and or directories created| Occurrences
—|—
`%APPDATA%logs.dat`| 14
`%TEMP%XX–XX–XX.txt`| 13
`%TEMP%UuU.uUu`| 13
`%TEMP%XxX.xXx`| 13
`%TEMP%Administrator7`| 10
`%TEMP%Administrator8`| 10
`%TEMP%Administrator2.txt`| 10
`%APPDATA%Administratorlog.dat`| 7
`%SystemRoot%SysWOW64.exe`| 7
`%APPDATA%dclogs`| 3
`%SystemRoot%InstallDir`| 3
`%SystemRoot%InstallDirServer.exe`| 3
`%APPDATA%98B68E3C`| 3
`%APPDATA%98B68E3Cak.tmp`| 3
`%APPDATA%Administrator-wchelper.dll`| 3
`%TEMP%x.html`| 3
`%SystemRoot%SysWOW64install`| 3
`TEMPufr_reports`| 3
`%APPDATA%explorer.exe`| 3
`Win`| 3
`WinMSstart.exe`| 3
`%APPDATA%explorer.exeexplorer.exe`| 3
`directoryCyberGateinstallserver.exe`| 2
`%SystemRoot%SysWOW64installserver.exe`| 2
`%SystemRoot%SpyNetServer.exe`| 2

*See JSON for more IOCs

#### File Hashes

`013663989aa28f3582e2aa90eed455a969d0de2abe419b5b3ec8824fc7a7fef2`
`022a66b7d76fa2bbee56a8d848675aa96b3eddc509fac5d8fbdbb97bed96e9be`
`0b1a97dcdc4b5277f369f8be6df8d3cd65eecfea1f38b65bc2f296b3e55622dd`
`0c1996f1cbad0ab32bc9806290ffd696c71184ee6a5622790dde2316b6a787b0`
`0e7b5c92e2c18f75466fbc674fbb7cd728778fa094e590fea7b26def741ca48a`
`113fddf6ffad33cc8ddccabb51d1530529b5ad93f5881282ddc64977dbe32583`
`13df35df42bc3c6c1c47b18b280722923396284f9c3d5b05f6db2de90e7bb9a0`
`143cb3c0433dc9e9bdb163a08b279b8ca1df76841a62c52819fc460a86a3384c`
`1a63251dd369eecd63916d0835327d68da1aa50aa28623a2f4bd1481e968d238`
`1cd038ba74864d02eddc3eb3c3219b7fdebd00e7563229224fc06fa74f4d837d`
`1e3e862c60e25429d06231f72a5271c46528066bc82cf49431c4ad52552d0ebc`
`203652f28faffcf14891f31df19f5843c4ebca55e6c0225a2d0e17f1d610dc70`
`22037f54606da56dab0da53ba84cac987a99c1d81787a170e19812ad3ed6b0b2`
`2ec90cfa025740aa44baecf8eee2de66707678df216b4d555d95ee14221f1830`
`314e8e577dacf2287a1205ceb98ff4548ba513ee4b55a634ee48acce14f63c94`
`32fef765f38580d1c018596d379620487cb8a0ab03ac149aeef6e9b42d8c792b`
`361ecf702e46b665843216d9be94fbdd84b231575c1a2026f04e6a4cced6f577`
`38712d1de42f33c02e3ff7bd73caff8bb5e4c7f89fd11f6920207b094bc81fa6`
`3e848b438998dcd3aa40311d041d40c230ed22125625e5396f03d6265a5834fa`
`41eec2a4b3f6589097321436053722c95ab9b81f2f71c508e67a9764372e0fe7`
`4327d0f53f24d02cd6761ce90773cb02a085328ea261f7449686c4fd35e5ecca`
`457a450ff6b934e8bb4c9c96a6be3065a009221474d4a950651285c1572f5dbd`
`45bded663194abc4170e80e83abbe48e74fc91b4a2b2c5043e5479d89bd2b9e7`
`4847ff9a4a02048dd5d9fccaa0d9e1bf377193f141ed0d3ce11aa554424e1e45`
`4a20d0d4786573ffa78c283fd882080b30a860f3668c81fb027640b8e0faaf3d`
*See JSON for more IOCs

#### Coverage

Product| Protection
—|—
Secure Endpoint| ![Threat Roundup for April 28 to May 5](https://www.talosintelligence.com/assets/icon_check_white.svg)
Cloudlock| N/A
CWS| ![Threat Roundup for April 28 to May 5](https://www.talosintelligence.com/assets/icon_check_white.svg)
Email Security| ![Threat Roundup for April 28 to May 5](https://www.talosintelligence.com/assets/icon_check_white.svg)
Network Security| ![Threat Roundup for April 28 to May 5](https://www.talosintelligence.com/assets/icon_check_white.svg)
Stealthwatch| N/A
Stealthwatch Cloud| N/A
Secure Malware Analytics| ![Threat Roundup for April 28 to May 5](https://www.talosintelligence.com/assets/icon_check_white.svg)
Umbrella| N/A
WSA| N/A

#### Screenshots of Detection

#### Secure Endpoint

![Threat Roundup for April 28 to May 5](https://blog.talosintelligence.com/content/images/2023/05/amp_143cb3c0433dc9e9bdb163a08b279b8ca1df76841a62c52819fc460a86a3384c_20230502.png)

#### Secure Malware Analytics

![Threat Roundup for April 28 to May 5](https://blog.talosintelligence.com/content/images/2023/05/tg_8fbb2e6350b19ba45327ade5793b770681831057ce7e1cce8f2ecb739cccdb16_20230502.png)

#### MITRE ATT&CK

![Threat Roundup for April 28 to May 5](https://blog.talosintelligence.com/content/images/2023/05/mitre_attack_33402.png)

* * *

### Win.Dropper.Tofsee-10000005-0

#### Indicators of Compromise

* IOCs collected from dynamic analysis of 83 samples
Registry Keys| Occurrences
—|—
`SOFTWAREMICROSOFTWINDOWSCURRENTVERSIONEXPLORERUSER SHELL FOLDERS
Value Name: Startup`| 27
`SOFTWAREPOLICIESMICROSOFTWINDOWS DEFENDER
Value Name: DisableAntiSpyware`| 26
`SYSTEMCONTROLSET001SERVICESWINDEFEND
Value Name: Start`| 26
`SOFTWAREPOLICIESMICROSOFTWINDOWSWINDOWSUPDATEAU`| 26
`SOFTWAREPOLICIESMICROSOFTWINDOWSWINDOWSUPDATEAU
Value Name: NoAutoRebootWithLoggedOnUsers`| 26
`SYSTEMCONTROLSET001SERVICESWUAUSERV
Value Name: Start`| 26
`SOFTWAREPOLICIESMICROSOFTWINDOWSWINDOWSUPDATEAU
Value Name: NoAutoUpdate`| 26
`SOFTWAREPOLICIESMICROSOFTWINDOWS DEFENDERREAL-TIME PROTECTION
Value Name: DisableBehaviorMonitoring`| 26
`SOFTWAREPOLICIESMICROSOFTWINDOWS DEFENDERREAL-TIME PROTECTION
Value Name: DisableOnAccessProtection`| 26
`SOFTWAREPOLICIESMICROSOFTWINDOWS DEFENDERREAL-TIME PROTECTION
Value Name: DisableScanOnRealtimeEnable`| 26
`SOFTWAREPOLICIESMICROSOFTWINDOWS DEFENDERREAL-TIME PROTECTION
Value Name: DisableIOAVProtection`| 26
`SOFTWAREPOLICIESMICROSOFTWINDOWS DEFENDER`| 26
`SOFTWAREPOLICIESMICROSOFTWINDOWS DEFENDERREAL-TIME PROTECTION`| 26
`SOFTWAREPOLICIESMICROSOFTWINDOWSWINDOWSUPDATE`| 26
`SOFTWAREWOW6432NODEMICROSOFTWINDOWS DEFENDERFEATURES`| 26
`SOFTWAREWOW6432NODEMICROSOFTWINDOWS DEFENDERFEATURES
Value Name: TamperProtection`| 26
`SOFTWAREPOLICIESMICROSOFTWINDOWS DEFENDERREAL-TIME PROTECTION
Value Name: DisableRealtimeMonitoring`| 26
`SOFTWAREPOLICIESMICROSOFTWINDOWS DEFENDER SECURITY CENTER`| 26
`SOFTWAREPOLICIESMICROSOFTWINDOWSWINDOWSUPDATEAU
Value Name: AUOptions`| 26
`SOFTWAREPOLICIESMICROSOFTWINDOWSWINDOWSUPDATEAU
Value Name: AutoInstallMinorUpdates`| 26
`SOFTWAREPOLICIESMICROSOFTWINDOWS DEFENDER SECURITY CENTERNOTIFICATIONS`| 26
`SOFTWAREPOLICIESMICROSOFTWINDOWS DEFENDER SECURITY CENTERNOTIFICATIONS
Value Name: DisableNotifications`| 26
`SOFTWAREPOLICIESMICROSOFTWINDOWSWINDOWSUPDATEAU
Value Name: UseWUServer`| 26
`SOFTWAREPOLICIESMICROSOFTWINDOWSWINDOWSUPDATE
Value Name: DoNotConnectToWindowsUpdateInternetLocations`| 26
`SYSTEMCONTROLSET001SERVICESISUPLDCY
Value Name: Description`| 1
Mutexes| Occurrences
—|—
`006700e5a2ab05704bbb0c589b88924d`| 27
`Global`| 14
IP Addresses contacted by malware. Does not indicate maliciousness| Occurrences
—|—
`193[.]3[.]19[.]154`| 27
`194[.]25[.]134[.]115`| 1
`212[.]27[.]48[.]2`| 1
`149[.]154[.]167[.]99`| 1
`152[.]195[.]33[.]132`| 1
`31[.]13[.]65[.]52`| 1
`66[.]254[.]114[.]41`| 1
`198[.]133[.]159[.]250`| 1
`104[.]244[.]42[.]66`| 1
`176[.]113[.]115[.]136`| 1
`142[.]250[.]65[.]228`| 1
`212[.]54[.]56[.]52`| 1
`142[.]251[.]40[.]142`| 1
`20[.]103[.]85[.]33`| 1
`80[.]66[.]75[.]254`| 1
`80[.]66[.]75[.]4`| 1
`20[.]44[.]209[.]209`| 1
`176[.]113[.]115[.]239`| 1
`176[.]113[.]115[.]135`| 1
`104[.]127[.]87[.]210`| 1
`40[.]93[.]207[.]7`| 1
`176[.]124[.]192[.]33`| 1
`23[.]15[.]9[.]58`| 1
`185[.]161[.]248[.]73`| 1
`176[.]124[.]192[.]212`| 1

*See JSON for more IOCs

Domain Names contacted by malware. Does not indicate maliciousness| Occurrences
—|—
`249[.]5[.]55[.]69[.]bl[.]spamcop[.]net`| 1
`249[.]5[.]55[.]69[.]cbl[.]abuseat[.]org`| 1
`249[.]5[.]55[.]69[.]dnsbl[.]sorbs[.]net`| 1
`249[.]5[.]55[.]69[.]in-addr[.]arpa`| 1
`249[.]5[.]55[.]69[.]sbl-xbl[.]spamhaus[.]org`| 1
`249[.]5[.]55[.]69[.]zen[.]spamhaus[.]org`| 1
`i[.]instagram[.]com`| 1
`microsoft-com[.]mail[.]protection[.]outlook[.]com`| 1
`microsoft[.]com`| 1
`www[.]google[.]com`| 1
`www[.]youtube[.]com`| 1
`www[.]tiktok[.]com`| 1
`t[.]me`| 1
`api[.]twitter[.]com`| 1
`www[.]pornhub[.]com`| 1
`imap[.]free[.]fr`| 1
`mx01[.]bnr[.]ca`| 1
`imap[.]ntlworld[.]com`| 1
`imap[.]t-online[.]de`| 1
`steamcommunity[.]com`| 1
`api[.]steampowered[.]com`| 1
`api[.]solscan[.]io`| 1
`in-jsproxy[.]globh[.]com`| 1
`cv-h[.]phncdn[.]com`| 1
`vanaheim[.]cn`| 1

*See JSON for more IOCs

Files and or directories created| Occurrences
—|—
`%APPDATA%06700e5a2ab05`| 27
`%APPDATA%06700e5a2ab05clip64.dll`| 27
`%APPDATA%06700e5a2ab05cred64.dll`| 27
`%System32%Tasksoneetx.exe`| 27
`%TEMP%cb7ae701b3`| 27
`%TEMP%cb7ae701b3oneetx.exe`| 27
`%SystemRoot%SysWOW64configsystemprofile`| 1
`%SystemRoot%SysWOW64configsystemprofile:.repos`| 1
`%TEMP%IXP001.TMP`| 1
`%TEMP%IXP001.TMPTMP4351$.TMP`| 1
`%TEMP%IXP002.TMP`| 1
`%TEMP%IXP002.TMPTMP4351$.TMP`| 1
`%TEMP%IXP003.TMP`| 1
`%TEMP%IXP003.TMPTMP4351$.TMP`| 1
`%LOCALAPPDATA%Yandex`| 1
`%LOCALAPPDATA%YandexYaAddon`| 1
`%SystemRoot%SysWOW64isupldcy`| 1
`%SystemRoot%Temp1.exe`| 1
`%TEMP%wmixskiq.exe`| 1
`%TEMP%1000011051`| 1
`%TEMP%1000011051foto0174.exe`| 1
`%TEMP%1000012051`| 1
`%TEMP%1000012051foto34.exe`| 1
`%TEMP%IXP000.TMPs54755209.exe`| 1
`%TEMP%IXP000.TMPy52881425.exe`| 1

*See JSON for more IOCs

#### File Hashes

`015446106849e64c790d08cf9ccc81523b1022f358b7f3f22b0faf6dce4d1cd9`
`0585f6fdd47eea51bddd77a2a4ff35d8d601d1b9a0a5120d74d86887c3f31f3c`
`0ec37d41525ee0c5995446e6163fa32d0b6fd05a92bcab4b973b83791d022155`
`0f2584ba5e0633404ff7a283a0c4931c2a161c052ad6e91385744512c12972dd`
`12c4f1a7804bcd0557676c249d7ac371f2871bf8057f5ea88664f05c77bed719`
`12d076a14fa94b8e4a290a8b96afaa95fc336bdd0e2551b61694db67a1e49d43`
`1639c21ce9570b200bcbc40da2c299ef18366f24fce3f81ff4621c264128e1c4`
`19db38a3d52c3f9196ea1bf1db4b687fe8b887467213c4138b34665aa717392f`
`1b203972e5f19418d1ac3516ccd2805f2622058608e70e106bf083d06b26af6a`
`1c3641047cd096ea8ae7c13ac0dfe7e57b97920a2002c86cd1dc475782229fe7`
`1deff8f3cab9e0cb8b42a9cae86778344b69bfa227f0fc96265236a7066bfa68`
`1f2164eed8463a61b8b74c726eca872492b7998ec1b93637d88982acf677fece`
`1f5a48c6de3756ea45bc49d01425438dbef0000494d93394277e37838dd0e2c2`
`200acae29bca6ce1a2446970d7591628aa18bcaca901fb078802b36cd4bab4c1`
`2557e803f9addcdaf17a57b3bb8d424cc7befb24aa26f9e856be185897c57116`
`273530b5aa7733745abea770ee350b56d6014a763e11ddee56ebf065757ba4ca`
`2748358acbd71868da3945a1c0bff0c3f215f9a6f674e6cc7eae01da08fb3ebb`
`30f356b7c5b33da719938b1ecf3674097bb9a80373aee214dd4962712c0fc5aa`
`31460296fbfc4dcd31b5bd8978088dce48c1e60357f64730de6d952e6bee33fe`
`3341fb4c70db0226c50d769ecc2ee479890a1f42d59c8e67a90a9264dd17529f`
`347b42a92d481e418ed9b7a34d493bf53b374e4b71ac8f0431556a4912abd863`
`39e9ea2973521669029531407fad8e193a98f84d88626bb2323fd4b9d0cf389a`
`3a0821a19a70e429adf239ad8c1f36709d3a446872a0fbb7e1eec995a9ffd656`
`3d16f9d8728cf8e0e1b8e437e31f97b93c2816fcf7115b913250efa194c0708f`
`40902f59d70b569b4b240116bd43593746395042f99d96c1d31770e7fd670509`
*See JSON for more IOCs

#### Coverage

Product| Protection
—|—
Secure Endpoint| ![Threat Roundup for April 28 to May 5](https://www.talosintelligence.com/assets/icon_check_white.svg)
Cloudlock| N/A
CWS| ![Threat Roundup for April 28 to May 5](https://www.talosintelligence.com/assets/icon_check_white.svg)
Email Security| ![Threat Roundup for April 28 to May 5](https://www.talosintelligence.com/assets/icon_check_white.svg)
Network Security| ![Threat Roundup for April 28 to May 5](https://www.talosintelligence.com/assets/icon_check_white.svg)
Stealthwatch| N/A
Stealthwatch Cloud| N/A
Secure Malware Analytics| ![Threat Roundup for April 28 to May 5](https://www.talosintelligence.com/assets/icon_check_white.svg)
Umbrella| ![Threat Roundup for April 28 to May 5](https://www.talosintelligence.com/assets/icon_check_white.svg)
WSA| ![Threat Roundup for April 28 to May 5](https://www.talosintelligence.com/assets/icon_check_white.svg)

#### Screenshots of Detection

#### Secure Endpoint

![Threat Roundup for April 28 to May 5](https://blog.talosintelligence.com/content/images/2023/05/amp_19db38a3d52c3f9196ea1bf1db4b687fe8b887467213c4138b34665aa717392f_20230502.png)

#### Secure Malware Analytics

![Threat Roundup for April 28 to May 5](https://blog.talosintelligence.com/content/images/2023/05/tg_d813a01110e3f0b727f781f53f16cb07ae40ffd4ac2a77ea12a2f8bfdff8f3b8_20230502.png)

#### MITRE ATT&CK

![Threat Roundup for April 28 to May 5](https://blog.talosintelligence.com/content/images/2023/05/mitre_attack_33404.png)

* * *

### Win.Trojan.Ramnit-10000021-1

#### Indicators of Compromise

* IOCs collected from dynamic analysis of 17 samples
Registry Keys| Occurrences
—|—
`SOFTWAREWOW6432NODEMICROSOFTWINDOWS NTCURRENTVERSIONWINLOGON
Value Name: Userinit`| 17
Mutexes| Occurrences
—|—
`GlobalSYSTEM_DEMETRA_CONTROL`| 17
`GlobalSYSTEM_DEMETRA_MAIN`| 17
`GlobalSYSTEM_DEMETRA_SHUTDOWN`| 17
`GlobalSYSTEM_DEMETRA_HOOK_00000000`| 17
`GlobalSYSTEM_DEMETRA_HOOK_00000004`| 17
`GlobalSYSTEM_DEMETRA_HOOK_000000CC`| 17
`GlobalSYSTEM_DEMETRA_HOOK_00000120`| 17
`GlobalSYSTEM_DEMETRA_HOOK_00000150`| 17
`GlobalSYSTEM_DEMETRA_HOOK_00000158`| 17
`GlobalSYSTEM_DEMETRA_HOOK_00000174`| 17
`GlobalSYSTEM_DEMETRA_UNIQ_00000000`| 17
`GlobalSYSTEM_DEMETRA_UNIQ_00000004`| 17
`GlobalSYSTEM_DEMETRA_UNIQ_000000CC`| 17
`GlobalSYSTEM_DEMETRA_UNIQ_00000120`| 17
`GlobalSYSTEM_DEMETRA_UNIQ_00000150`| 17
`GlobalSYSTEM_DEMETRA_UNIQ_00000158`| 17
`GlobalSYSTEM_DEMETRA_UNIQ_00000174`| 17
`GlobalSYSTEM_DEMETRA_HOOK_000001AC`| 17
`GlobalSYSTEM_DEMETRA_HOOK_000001BC`| 17
`GlobalSYSTEM_DEMETRA_HOOK_000001C4`| 17
`GlobalSYSTEM_DEMETRA_HOOK_000001F0`| 17
`GlobalSYSTEM_DEMETRA_HOOK_0000021C`| 17
`GlobalSYSTEM_DEMETRA_HOOK_0000025C`| 17
`GlobalSYSTEM_DEMETRA_HOOK_00000294`| 17
`GlobalSYSTEM_DEMETRA_HOOK_000002EC`| 17

*See JSON for more IOCs

IP Addresses contacted by malware. Does not indicate maliciousness| Occurrences
—|—
`72[.]26[.]218[.]70`| 17
`142[.]250[.]80[.]110`| 17
Domain Names contacted by malware. Does not indicate maliciousness| Occurrences
—|—
`google[.]com`| 17
`fget-career[.]com`| 17
Files and or directories created| Occurrences
—|—
`%CommonProgramFiles(x86)%microsoft sharedTRANSLATESENMSB1ESEN.DLL`| 17
`%CommonProgramFiles(x86)%microsoft sharedTRANSLATFRENMSB1FREN.DLL`| 17
`%CommonProgramFiles(x86)%microsoft sharedTRANSLATWTSP61MS.DLL`| 17
`%CommonProgramFiles(x86)%microsoft sharedVS Help Data8.0Resources1033InterstitialPage.htm`| 17
`%CommonProgramFiles(x86)%microsoft sharedVS7Debugcoloader80.dll`| 17
`%CommonProgramFiles(x86)%microsoft sharedVS7Debugcsm.dll`| 17
`%CommonProgramFiles(x86)%microsoft sharedVS7Debugdbgautoattach.dll`| 17
`%CommonProgramFiles(x86)%microsoft sharedVS7Debugmsdbg2.dll`| 17
`%ProgramFiles(x86)%Microsoft OfficeOffice14ADDINSMSVCR71.DLL`| 17
`%ProgramFiles(x86)%Microsoft OfficeOffice14AccessWebCLNTWRAP.HTM`| 17
`%ProgramFiles(x86)%Microsoft OfficeOffice14GrooveToolDatagroove.netGrooveForms3FormsBlankPage.html`| 17
`%ProgramFiles(x86)%Microsoft OfficeOffice14GrooveToolDatagroove.netGrooveForms3FormsBrowserUpgrade.html`| 17
`%ProgramFiles(x86)%Microsoft OfficeOffice14GrooveToolDatagroove.netGrooveForms3FormsColorChart.html`| 17
`%ProgramFiles(x86)%Microsoft OfficeOffice14GrooveToolDatagroove.netGrooveForms3FormsFormTemplate.html`| 17
`%ProgramFiles(x86)%Microsoft OfficeOffice14GrooveToolDatagroove.netGrooveForms3FormsHomePage.html`| 17
`%ProgramFiles(x86)%Microsoft OfficeOffice14GrooveToolDatagroove.netGrooveForms3FormsImageTemplate.html`| 17
`%ProgramFiles(x86)%Microsoft OfficeOffice14GrooveToolDatagroove.netGrooveForms3FormsMacroTemplate.html`| 17
`%ProgramFiles(x86)%Microsoft OfficeOffice14GrooveToolDatagroove.netGrooveForms3FormsPreviewTemplate.html`| 17
`%ProgramFiles(x86)%Microsoft OfficeOffice14GrooveToolDatagroove.netGrooveForms3FormsPrintTemplate.html`| 17
`%ProgramFiles(x86)%Microsoft OfficeOffice14GrooveToolDatagroove.netGrooveFormsFormsBlankPage.html`| 17
`%ProgramFiles(x86)%Microsoft OfficeOffice14GrooveToolDatagroove.netGrooveFormsFormsBrowserUpgrade.html`| 17
`%ProgramFiles(x86)%Microsoft OfficeOffice14GrooveToolDatagroove.netGrooveFormsFormsDoNotTrust.html`| 17
`%ProgramFiles(x86)%Microsoft OfficeOffice14GrooveToolDatagroove.netGrooveFormsFormsHomePage.html`| 17
`%ProgramFiles(x86)%Microsoft OfficeOffice14GrooveToolDatagroove.netGrooveFormsFormsPreviewTemplate.html`| 17
`%ProgramFiles(x86)%Microsoft OfficeOffice14GrooveToolDatagroove.netGrooveFormsFormsPrintTemplate.html`| 17

*See JSON for more IOCs

#### File Hashes

`0101babc6de0885f68d564af2815913400e6c1ecfcec309ed358a17dfee6e4af`
`0d36eb4b1c7d8fdf73e6160144265fa488d0b5b5741d183099f77537067068b2`
`1d3ec82f736135526133101405b0287a703b7d19e55ed547ca5b38a4e0888e1c`
`2e71faa6419936869da29b10761a4cb85bfa5216f53a2a71214823cf246bb3a3`
`325c33566126539544c5ee9e20cb457768bbfd1323e7b52541ad087672289d87`
`42b2382ace5f7574144c09b28d4758ad25b369e33bb317e4f4fdb4196e1a7904`
`4c3db94d4426234d1d57ba85e99109fcac8894ce89546766b947878888e96655`
`8ddb1ac3a421311ef930fa41dc04506fd01a2d7d298e68234c26701ec1c34ee7`
`986e58cf8a11498f2eba1f93be224c9d94b6e5a0fef3e0ddb7528a6a8874773e`
`a517e2930f308f58a6a5d8fec58d523aeade89b1239335e4da38ed9062f5598f`
`afa8d3d2b57a56efc94dbacfc815eeb94fc2f88ed405b3c4f8ede6d5ca61ead4`
`b30d5cbe7413e449245f5e3a39e51c1fb77a734b6431626f0cc918892bcee0a6`
`b94712e6768ef42f5069ff432bbbf5b917b292fe43beb35c17613b1d60d3e832`
`c7d9a2c3eca11892a61ee2f55f186ce73d3f322fd7885bb1346f7e5dc0f0c495`
`cd70f028723d38966ae882a63bae7276c48e173f69b293da99d8be9ece9b0bef`
`e3004c3b51fa179d9c8f67904a94f296c130194d82aff35a25e0acfe2c13ee97`
`fe683c7b877c2d95af6922d80d88591868d7a7fd602a0ab2679c5f28fac0432e`

#### Coverage

Product| Protection
—|—
Secure Endpoint| ![Threat Roundup for April 28 to May 5](https://www.talosintelligence.com/assets/icon_check_white.svg)
Cloudlock| N/A
CWS| ![Threat Roundup for April 28 to May 5](https://www.talosintelligence.com/assets/icon_check_white.svg)
Email Security| ![Threat Roundup for April 28 to May 5](https://www.talosintelligence.com/assets/icon_check_white.svg)
Network Security| ![Threat Roundup for April 28 to May 5](https://www.talosintelligence.com/assets/icon_check_white.svg)
Stealthwatch| N/A
Stealthwatch Cloud| N/A
Secure Malware Analytics| ![Threat Roundup for April 28 to May 5](https://www.talosintelligence.com/assets/icon_check_white.svg)
Umbrella| N/A
WSA| N/A

#### Screenshots of Detection

#### Secure Endpoint

![Threat Roundup for April 28 to May 5](https://blog.talosintelligence.com/content/images/2023/05/amp_0101babc6de0885f68d564af2815913400e6c1ecfcec309ed358a17dfee6e4af_20230502.png)

#### Secure Malware Analytics

![Threat Roundup for April 28 to May 5](https://blog.talosintelligence.com/content/images/2023/05/tg_0101babc6de0885f68d564af2815913400e6c1ecfcec309ed358a17dfee6e4af_20230502.png)

#### MITRE ATT&CK

![Threat Roundup for April 28 to May 5](https://blog.talosintelligence.com/content/images/2023/05/mitre_attack_33406.png)

* * *Read More

Back to Main

Subscribe for the latest news: