{
	"id": "5eab77a2-3c34-47ff-a85a-bc9a28fa49a9",
	"created_at": "2026-04-06T00:21:49.746277Z",
	"updated_at": "2026-04-10T13:12:50.988785Z",
	"deleted_at": null,
	"sha1_hash": "225ed588bd8c82ad7981353135fac5791c83c62c",
	"title": "Threat Round-up for Mar 24 - Mar 31",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1428351,
	"plain_text": "Threat Round-up for Mar 24 - Mar 31\r\nBy Alexander Chiu\r\nPublished: 2017-03-31 · Archived: 2026-04-05 21:46:14 UTC\r\nFriday, March 31, 2017 17:18\r\nToday, Talos is publishing a glimpse into the most prevalent threats we've observed between March 24 and March 31. As with previous round-ups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavior characteristics, indicators of compromise, and how our customers are automatically protected from these threats.\r\nAs a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Detection and coverage for the following threats is subject to updates pending additional threat or vulnerability analysis. For the most current information, please refer to your FireSIGHT Management Center, Snort.org, or ClamAV.net.\r\nThis week's most prevalent threats are:\r\nWin.Ransomware.Cerber-6162243-1\r\nWindows ransomware\r\nCerber is a popular ransomware family that continues to undergo active development so that it can keep being dropped in the wild. It still drops multiple ransom notes, including a desktop wallpaper as a warning post. Unfortunately, these recent samples are protected with heavy crypters.\r\nWin.Trojan.Wabot-6113548-0\r\nBackdoor\r\nThis is an IRC worm written in Delphi. The code is not obfuscated. It drops several files in the system32 directory, and a text file with the word \"marijuana\" written in ASCII art to the root of the system drive. After waiting for some time, it will try to connect to an IRC server and join the channel '#HelloThere'. From there it receives backdoor commands.\r\nDoc.Macro.HeuristicReplaceFuncs-6169546-0\r\nMacro Obfuscation Technique\r\nTo prevent quick understanding and basic detection of malicious macros, developers use different obfuscation techniques to hide the macro's functionality.\r\nhttps://blog.talosintelligence.com/2017/03/threat-roundup-0324-0331.html\r\nPage 1 of 22\n\nDoc.Macro.ReplaceFuncs-6171292-0\r\nMacro\r\nThis sample is a Microsoft Word document that uses a macro to launch a PowerShell script to download and execute another executable payload. Unfortunately, this secondary payload was unavailable at the time of this execution report.\r\nJs.Trojan.Diplugem\r\nAdware\r\nThis family installs browser extensions in your browsers without your permission. Its main functionality is to show advertisements in different ways, such as opening tabs, potentially interfering with usual navigation.\r\nDoc.Macro.ObfuscatedObj\r\nMacro Obfuscation Technique\r\nThis obfuscation technique utilizes macro string operations to prevent direct static detection of the string WSCRIPT.SHELL, which is the object used to execute commands outside of the Office system. As an obfuscation technique, these droppers are being discovered delivering payloads of all sorts and sizes.\r\nWin.Trojan.VBCryptLaser\r\nTrojan/Info stealer\r\nThis malware is mainly an information stealer, and it is able to detect an instrumented environment such as a sandbox. Moreover, the malware injects itself into legitimate processes and persists across reboots by invoking either JavaScript or mshta. This family is highly obfuscated and, considering its behavior, is a variant of the infamous Kovter trojan.\r\nWin.Virus.Virut-6171773\r\nVirus\r\nThis is a virus which is well known for opening a backdoor on TCP port 80 using the IRC server ircd.zief.pl, allowing a remote attacker to download and execute additional files. It also looks for firewall and antivirus instances, and modifies the hosts file and Internet Explorer proxy settings.\r\nWin.Ransomware.Spora-6172235\r\nRansomware\r\nThis ransomware encrypts files without adding any specific extension. It also deletes volume shadow copies to defeat system restore points. It installs a startup link, modifies Internet Explorer proxies and creates an HTML file with a dynamic filename. One difference from other ransomware is that no network traffic is generated, as everything is done locally.\r\nWin.Ransomware.Cerber-6162243-1\r\nIndicators of Compromise\r\nRegistry Keys\r\nN/A\r\nMutexes\r\nN/A\r\nIP Addresses\r\n54.87.5.88\r\nDomain Names\r\napi[.]blockcypher[.]com\r\nhjhqmbxyinislkkt[.]1efxa8[.]top\r\nFiles and or directories created\r\n%APPDATA%\\Microsoft\\Outlook\\\u003cRANDOM_FILENAME\u003e.8a2a\r\n%APPDATA%\\Microsoft\\Outlook\\_HELP_HELP_HELP_1YI7CF_.hta\r\n%APPDATA%\\Microsoft\\Outlook\\_HELP_HELP_HELP_2NN4UMV_.png\r\n%USERPROFILE%\\Desktop\\_HELP_HELP_HELP_J81LBSA_.hta\r\n%USERPROFILE%\\Desktop\\_HELP_HELP_HELP_L1JAF_.png\r\n%APPDATA%\\Microsoft\\Outlook\\_HELP_HELP_HELP_6MTGJWJ_.png\r\n%APPDATA%\\Microsoft\\Outlook\\_HELP_HELP_HELP_LKCGK3Y_.hta\r\nFile Hashes\r\ndc184001af08dd043150c350c94304041b2c8e995ce62f05f846d776b450f80f\r\n57288de46d603910b1d6eb88390a4b7083b3f060e75bd76023a8a13f7c40633f\r\nc0ab4ccdef7ad4fb6b1af396a29cbb4220dc720acfec091fa5d6484656fec63f\r\nca7d955a40f2d7a969245884fffd0189402b05af3f9896d10e476cbdaa1b0829\r\nCoverage\r\nScreenshots of Detection\r\nAMP\r\nThreatGrid\r\nUmbrella\r\nMalware screenshot(s)\r\nWin.Trojan.Wabot-6113548-0\r\nIndicators of Compromise\r\nRegistry Keys\r\nHKLM\\Software\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\shell\r\nis changed to point to the malware binary 
Mutexes\r\n\\BaseNamedObjects\\sIRC4 IP Addresses\r\nhttps://blog.talosintelligence.com/2017/03/threat-roundup-0324-0331.html\r\nPage 4 of 22\n\nN/A Domain Names\r\nuk[.]undernet[.]org Files dropped\r\n%System32%\\sIRC4.exe\r\n%SystemDrive%\\marijuana.txt\r\n%System32%\\DC++ Share (several files are created in this directory)\r\n%SYSTEM32%\\xdccPrograms (several files are created in this directory)\r\nCoverage\r\nScreenshots of Detection AMP\r\nThreatGrid\r\nMalware Screenshot\r\nhttps://blog.talosintelligence.com/2017/03/threat-roundup-0324-0331.html\r\nPage 5 of 22\n\nDoc.Macro.HeuristicReplaceFuncs-6169546-0\r\nIndicators of Compromise Registry Keys\r\nN/A Mutexes\r\nN/A IP Addresses\r\nN/A Domain Names\r\nwww[.]cleverdotl[.]top Files and or directories created\r\nN/A File Hashes\r\nd183f2200ed5f510888a80e95d99aa5a3c8408dee7f0c9b8330fc52fb0592dce\r\nee6284d966eb9f510a1b44ef6ba435048729c8ce8a741fb33575d5b1b6d347f5\r\nbafa3a9e5b2f290eabce23811c6309209d281f31bc6eee25b4eb739bce1800ce\r\n1480d45ed9841d055e4e04ade87f7785b3006fb62c8060616ed7507185df2b77\r\n13d61439ede67b78a536ea3c510534db0ab7d295ef1275645b7981814909d0db\r\nb70497f0e50fcbfe83a7b92021db30e14f3fd6a829ab9948f828d46048cdbdd6\r\n42ddcf96146d3be84bf36abe71fd6780abf79aa1ccb2ba65093c9b46a3d76b03\r\n1fdb9f23b2d7dbe849f38f79f88449fe3f327e76585b202d914718036245c469\r\n9948928059c4676f6b6f8519fc39eaab89a027159577dbc3ceac4833ef35167f\r\n3fd05d08c135075d2f4a72652746bc42e359b9d1658d4f3b41d5f95bb7216649\r\ndb7d22c806ca4a305a317df58a65bef8e2195bb0a8ac223313a8a18c37f5c143\r\n5ee9f3b87db48f41eaaffd9a7fc9cc76920dd498237a23e1ad7585f4e2be02d8\r\n6dfb35527b23ca769510228498c8de68cfc93d5c2b83246d8e9b338d2717481f\r\nfe257b7da01cfc247564f2e7b36b19b8af548c2f3ffbee2b9d8d552a71502d78\r\ndec3c2f1b1de6d70fc566f036ab320decc88ed5418e429feae45189e458bf5e4\r\nd4175848a03cab54f856d41c51ac4ede18c01382a5ebc4ed40c4e27f2e45244b\r\nc19a7af6c3846bd433765c027149ff838482a55624a5e603d395ad83d6f24129\r\nCoverage\r\nhttps://blog.talosintelligence.com/
2017/03/threat-roundup-0324-0331.html\r\nPage 6 of 22\n\nScreenshots of Detection AMP\r\nThreatGrid\r\nUmbrella\r\nhttps://blog.talosintelligence.com/2017/03/threat-roundup-0324-0331.html\r\nPage 7 of 22\n\nMalware Screenshot\r\nDoc.Macro.ReplaceFuncs-6171292-0\r\nIndicators of Compromise\r\nIP Addresses\r\n35.166.163.174Domain Names\r\notweeytl[.]bid File Hashes\r\n77bccf5e4175d11971399f89abe0256c230e1757a3d0804737b14a0ac839890b\r\nCoverage\r\nhttps://blog.talosintelligence.com/2017/03/threat-roundup-0324-0331.html\r\nPage 8 of 22\n\nScreenshots of Detection AMP\r\nThreatGrid\r\nUmbrella\r\nMalware Screenshot\r\nhttps://blog.talosintelligence.com/2017/03/threat-roundup-0324-0331.html\r\nPage 9 of 22\n\nJs.Trojan.Diplugem\r\nIndicators of Compromise Registry keys\r\nUSER\\$UUID$\\Software\\Classes\\SystemFileAssociations\\.aHTML\\shell\\Edit\\command\r\nUSER\\$UUID$\\Software\\Classes\\__aHTML\\shell\\Edit\\command\r\nUSER\\$UUID$\\Software\\Classes\\__aHTML\\shell\r\nUSER\\$UUID$\\Software\\Classes\\__aHTML\\shell\\Edit\\ddeexec\r\nUSER\\$UUID$\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.aHTML\r\nUSER\\$UUID$\\Software\\Classes\\__aHTML\\shell\\Edit\r\nUSER\\$UUID$\\Software\\Classes\\SystemFileAssociations\\.aHTML\\shell\\Edit\r\nUSER\\$UUID$\\Software\\Classes\\SystemFileAssociations\r\nUSER\\$UUID$\\Software\\Classes\\SystemFileAssociations\\.aHTML\r\nUSER\\$UUID$\\Software\\Classes\\SystemFileAssociations\\.aHTML\\shell\\Edit\\ddeexec\r\nUSER\\$UUID$\\Software\\Classes\\.aHTML\\OpenWithProgids\r\nUSER\\$UUID$\\Software\\Classes\\.aHTML\r\nUSER\\$UUID$\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.aHTML\\OpenWithProgids\r\nUSER\\$UUID$\\Software\\Classes\\__aHTML\r\nUSER\\$UUID$\\Software\\Classes\\SystemFileAssociations\\.aHTML\\shell Domain Names\r\ngetlikemobj[.]info Files and or directories 
created\r\n0doGTj9XEZ5tbV5.dat\r\n0doGTj9XEZ5tbV5.exe\r\nUtE5FnEWw87hxH.dll\r\nUtE5FnEWw87hxH.tlb\r\nUtE5FnEWw87hxH.x64.dll\r\nbackground.html\r\ncontent.js\r\nlsdb.js\r\nmanifest.json\r\nuui.js\r\nbootstrap.js\r\nchrome.manifest\r\nbg.js\r\nInstall.rdf Installed services\r\nregsvr32.exe /u /s \".\\\\UtE5FnEWw87hxH.x64.dll\" File Hashes\r\n0333de69ebe7ef58889c39c6ee10b33e8fa4299849c760e6f018bac5ae2212aa\r\n9eb18b9091281aa25afa4ced079024a043913e179a03947f73dabe121f36dc2b\r\n07e32a2e78410eb73f525032636894e82193d5806c85a132c7efd31a76abc862\r\nhttps://blog.talosintelligence.com/2017/03/threat-roundup-0324-0331.html\r\nPage 10 of 22\n\na441bf44fec8d08481920e240281afccdcef2f0cfadb681b7b6ce50be495fc01\r\n0aa8272fc12da7273cdc3573ee4e78849fe187f01eca9cda4b7941de99d8bb83\r\na6ac9b2e5211f3feb41a91a5c82992de483b56c142dc35e84439a965c8250f50\r\n0591e02001c57dccc0062765240c0766fd24a2fb0af37a6e32a211ea202074b3\r\nCoverage\r\nScreenshots of Detection AMP\r\nThreatGrid\r\nUmbrella\r\nhttps://blog.talosintelligence.com/2017/03/threat-roundup-0324-0331.html\r\nPage 11 of 22\n\nDoc.Macro.ObfuscatedObj\r\nIndicators of Compromise File Hashes\r\nPlease note this is not an exhaustive 
list.\r\n00151e030408a5183d92132652d5a0c5eb2f9e073209cb7ee12060312c5f400c\r\n01f9d4276b16af80bb29dd195d343e1844062f0d86115ec5ace3234cd510b403\r\n033f7a9d6ed8cbb6ecb958c9db9ab7794d37c9e763b029329b2fdf431c172be4\r\n03ade17b4ad71a395b4ba657171537d4e643f3686b7c1072208366bba26c9fdf\r\n08aed8b4e7f420d1c08f7fa3de86143af13ba61313e5d98f7ce552e554c991b4\r\n0a3693404f2b073d62c8b7bfbd4701fec0a2b6bb6efe7b91f274065e0b7540ff\r\n0cb8d7a50e1e1d36be68bf6686f7772d1fc60f7a03ec9900d5abf842546b7ab8\r\n0d1fd8c7ddf4abe530008971c2fe7f239c90052ad426ba480205c1e335db7966\r\n0d69b76da355e4a7cb36976626d540cefd9ae8e1fd96f0c7ae7f7e582f1aa96e\r\n125df53cab91b182b0c7d5cec5e310b3471e1b4f640edc8ec9c499f1f41df237\r\n12b9b3f8c125a75653fe2e19f361d8a164e1c9d4653fd8690b4f197495cba580\r\n19642ed34dc6e68b8a29075c3886027530d08351a588e1ccfa368df2ce2350dd\r\n1c438d063a759da25a2517d4ca81f92606225d372143c978fa30cd4769025863\r\n1d4d3da400696861a219e02ada9c730bf825484327322ea8a1b27ff7a3c11de4\r\n1e316a875a347ae678fa11f12b08885e0b62a8abc3ca41cd7bed8f0d421c09a1\r\n1e7ffa8b2f7b2dec0ff62a1ef51fe5a4adc6d11cf7e1d004d9e09dfdceaacb7a\r\n1f49b218b1e4afb4b15124acd9c9a8eb8a1ba9d87fa91e8d255bb73c14a37f9f\r\n25d93ab8a663df35b9752edc3bf7a1a2f563f626ff405f6b05386ad4df3fb776\r\n2bcd02fc25eece8a348d96b80fa8933ff1411fd96f7e5116a14fc8d65ac2f4b8\r\n2ca2cc8af7e0d37bdb2dbba9abf8399e4db695a7d6b31d050950a68d2635f260\r\n2d8900fceeb3ec6a064420d662e7422d4ebc1230479b9c330661e10ef1b21881\r\n2fe88a9c446bfb5cb93c948cfcb9d781a03a8422d5307e0ac4e987f16c46abd2\r\n3393ddf44d6636bbc1d45c26b3a9c5073217a95d7506ddf7756e813e445a9ecb\r\n348aee4ee9827c954854a496f24f2c4d2ba96853344884e8a5cf616d07d7236d\r\n35582cb16758ed296fad554830cca279fce0d7512851ba0a382373f2d8ed32d2\r\n368fc1d3fe0de1e9a73c7c5dd840d2f769e8c3d1a32a86390905d45e9ab2d9ff\r\n3739cb9ef330544fc349da2c9cbc66151205904f625acda85bbe16152943830d\r\n3a01219542a25bab989ffd78af40a4b13a636e9cdd50f92d659e9dbf253abf94\r\n3becf2e1eb115dc2e41d947826b59ab8fd83b3f825b9cd3bb9f8003dd1d02416\r\n48b565b639fa5d532b6
5246f82e66b325b7e8549f9bf04d27955a1b3a98fa281\r\n53c50bf3bdfa58b66565071e82bb7ba40ac3cc344893b0aeeaa15502483ec3f6\r\n54b5776a210ac4b6a00eca3efa2f0b665616f706a813cf29fe2ecf19cd90887c\r\n5549e374040cd995939b24a8095c74e9fec188a04ca9a0189a289d3be0bfdc37\r\n5617e4b5e25a41d5a491b3e36fcd165a1a7b999ea0de567ca63baec40b757ddf\r\n5854de47ff6fedc84cc6fb73760763b8e427164bf3369e89d3e4b3b42483103d\r\n5b34c3c2ec780258644c3245693dfef254cb91716c35ae33937f637bd8e04978\r\n5d996e33e92e6f7b83867ccad52be72274bfd79d964bc4988043d91231369650\r\n60979006e12a42b7f781adb2b1f8fe05836db0683abe0efc05b822dad5d1a9f7\r\n6556d7052f3c3fafe15aa3ee81dbbb4b1caee88fd7e65788c1f90bfd940be7b0\r\n69e7d856dc8e0b5508b8a4050c36451a0dc0164b856e1bd1efdbc6f8ec6de66e\r\n709fe7d54e5ba52f2e45c4c62fdf1636ed64be0ae367bd992eb212aa234200cc\r\n7120ecc9c04b8f9d93829210f3168b14cfecd45dec52478ff87d0ee86324cc0c\r\n71715f32e3cb54756b39716f8dd33c503eabbb054f4a4e82d5e2b9a9b96ed46f\r\n77d049ad71ea81f13e89d82ed398e59e95085d10cb0041eb6ef5ed48c0fd95e2\r\nhttps://blog.talosintelligence.com/2017/03/threat-roundup-0324-0331.html\r\nPage 12 of 
22\n\n77d11af8d4b7f9e48764d285e801f1db3d7dffcd6a0ba17bb9bb75c178227b96\r\n7dc0651c4258b079fe68acbddfcbedd89a94448bffbf4ca93c231fca171dda09\r\n805d74474a13e5a3be13c73bb1d0dbb1b33dfc9dcaf067b4aea5d2a8584a29eb\r\n80a05b5499539e7bbdd3dd34f04a940c5d36f8d44d7725c6530bf3872966a27a\r\n85d95919960cab3788b587008fa49b61c230bbbe28cd9d000f0cb179abbbb0f5\r\n896dc5b55cd8c0e160dc52ac9b21ed4c46da22ed3c369eb5dee856edb88f46e1\r\n8caf0f703a108a6fec8d55e8f1a028814a3f26afb2f8a58a96576e1042f99874\r\n8e8cd4aefc8422ba176d009d90ddcd65f72161a2576ab443f69480bb30050825\r\n8f9292e116fb2a07838724e648e17d2a5e5e3e074232dbd83bfe624391acafee\r\n9009b9ad9547af92f68b01f09200a043da6be1a65b274129a7c47532f3f966b0\r\n99d311cef89fade4d29e3e33df256029841d59d2ee06579dbeac2c9519ef7cb3\r\n9a80fde74d9e7674be309f44f6fa7b5e53f34a0d6f2fcc084d733c42bf95c4a5\r\n9ba0d666293490f051b1612e6c8bd635dc382ae4e931fff5fe9ba7fa926d6b82\r\na32c4d11737b59236b47b73fe20952a3827593b52f241100ba77648e60e1d42c\r\na49705d9325ce8d87b1f24e92a3b64164ab0051eb3efbc0fc775d579959d9a62\r\na69f4d4eddbd656a6ae061cc001ae245db87eced67015365cca1834179845290\r\na8a449812c89915a1872aeed6424abdf7fc1f4b8d8ae35deee3f3c04104c2a79\r\na9e9af82ef11cc51091426afd0784ad62c57dbeeecccd566f8cdf6be2fd8258e\r\nadb6155ed8d5b3e7c4a2c6fc58108382313b05f171336c52cb1ae7119dfee540\r\nae01487921a5e8538f1599c3b0d467328992b32aace53b776180c6071bbae2fb\r\naeb6e8a86ce9c7a9cfc0efe82038932ec1c9ca150279f151574233777b4ee69f\r\nb3551d5d465a7e7315a5c5ad15c99393f1dd77732ff2ddcbd96c0907c3b6e84b\r\nb402f8acfdbfd194baa2736b45b6529dbc2a6e523f7a7f15470765019387eb6d\r\nb47ba806ce07000e7fc3365da81afcd6783308e2077391f80e3a272d8090d95c\r\nb4d192f5122872145142b32a8c11253d70c83a5c23963da0c7f3408593e81238\r\nb55375ea1eac3f1967483e18c6b32cb5332d281975d54913c6fd3156129574f0\r\nb5df216db89067df157bab2c5e0042985e03aba5d1807551a069cf800b21d385\r\nb5ea73190ced08e3694d27d298a69f040cf70b05f21812f60334444102eb875e\r\nb798f6c32168e8c598af8b795924d42334dc1dbe9d5888125e39c0d3f03cda69\r\nb831e804d52760572bb4f7
7d9b62a2da6bbd6c7c4f5ddb0f1b5731e47fa784e7\r\nb9dd997c2f141fc0dea676b42dd962050f2886f2a1398a14f8e91498486eac90\r\nbbcf611f3d1da4aa31cd953d7372c50d8ce9a49af8664a86eb804adad390f0e6\r\nbcdd7ae916d59519521e9c3e96980092c0ad84db98b1f1301eee6899fa599769\r\nc3a0e9b007795db909245c18f597b4ece53dea011b088abd4f0717208dd3253c\r\nc3abbd74785fa3d8eb51f0f99fa568e566f864244ea2f4fda9971cda661036da\r\nca4607f2cabdd6d3693ad3405085abd1e92112cf7a9fe56a2e52615778bfe79a\r\ncb10ef20a93542eb0e8ec1e9c921ad120454156c8ec5e431b3b1afa27afd8bbc\r\ncf0ee89b626684ed9f9f60823531dd1ed38cfd46395036209a274cadaf123575\r\nd10fa5c1a6bd4da0a3f9d0ee605fa906db9a7e0fe2cc213339d5af8cbee80855\r\nd20e3bad471429f04e0ca1b28fcf1177cac689394f39dcb20379935dbea883cc\r\nd314d825d85787833886b1a8c4cf882f8b25f268206e23372cdf3cc67d15e162\r\nd543f49808fc093e31f8282407d2b520678f041a5c43646b235116743b2e0eaf\r\ndafaa5c3d3ef49d1f17027cd33a6172b4ac35defaa12f136503200104eebfa1c\r\ndb5e3b35e653690b164bb3aa7f9e8caa9e77f9233d846fbda27f616eb7334aff\r\ndccc34da745ee2d9464a643be8b4239f3f592498d5362b29dedb30c259878404\r\ndd926e46cf871d98cfb025896bbcb5a5c71025f5573f5ad1eb0ee77aa3bf5546\r\nddc9d38524dc6f2ac918c5f0cb251cc2916f063835414bf34a58cc0c997acccf\r\ne4921ad4b0561e8c4dfbe0f72aff53d9bc06eaf177a9dbca7e538a6f1312ba1d\r\ne49328097b3531fb8981531e931b3cd1e2adcc22c8a89781260e0bd779705143\r\nhttps://blog.talosintelligence.com/2017/03/threat-roundup-0324-0331.html\r\nPage 13 of 
22\n\ne96d823ab4de0dde23a564e327d610d933051d6664df685278f85e6d096e25a5\r\nf3f8905a5ddc3074a367095a51662d4ac434dbe9e680d0b94bfa71f6b5875329\r\nf6c8e3c90fbc309e3d25c7b08609684e7ca16d93d7a568b702910222af9a4d4f\r\nf8ca6ffd131b738a30c90b486a839010a85a31d7675e090ea1c850529962bdfd\r\nf969874b93e7cd1fc2b14a750e4cc8fc778f70e9991a3109ace4e188d568442a\r\nfbeed70655a2eaf30ca878e1ddf4985a99a767a014adcd00a2150cc270315fe7\r\nfcc6f903c83a63e8579d1db1940d23294a13a288960d9d07052d978dff9b9e8c\r\nfe592fb50f84f5a8f10fd14a2a01a0c167a11c1c2242196e2b626a581ca5ac28\r\nff198bf3509d1ff43c5529fdd16b160505117bec958363e7e385b4ca1bb4dc73\r\nCoverage\r\nScreenshots of Detection\r\nAMP\r\nThreatGrid\r\nWin.Trojan.VBCryptLaser\r\nIndicators of Compromise\r\nRegistry Keys\r\nHKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\DisableOSUpgrade\r\nThis key is created and set to 1. In this way, the malware prevents any OS upgrade.\r\nHKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\OSUpgrade\\ReservationsAllo\r\nKey necessary to disable any OS update. It is set to 0.\r\nHKEY_USERS\\Software\\[a-z]{8}\\[a-z]{10}\r\nThis registry key contains an encrypted copy of the malware binary.\r\nHKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\r\nThe persistence method invokes JavaScript code at every login. 
Mutexes\r\nN/A IP Addresses\r\n185.117.72.90\r\n12.190.56.53\r\n104.193.109.67\r\n133.28.94.49\r\n19.131.186.114\r\n109.152.13.49\r\n46.248.138.70\r\n36.150.95.154\r\n151.126.133.167\r\n49.117.103.250\r\n145.85.32.96\r\n244.159.110.110\r\n8.19.53.244\r\n218.255.128.133\r\n110.200.102.30\r\n161.133.250.103\r\n216.115.112.112\r\n93.10.53.55\r\n214.28.222.43\r\n194.59.147.179\r\n206.213.193.26\r\n140.192.50.4\r\n170.54.3.5\r\n202.161.197.181\r\n3.166.202.197\r\n187.23.153.218\r\n69.81.37.149\r\n138.142.156.77\r\n97.207.252.167\r\n153.74.137.236\r\n32.144.23.231\r\n203.4.193.199\r\n193.212.108.131\r\n27.32.23.117\r\n116.67.48.94\r\n236.43.120.190\r\nhttps://blog.talosintelligence.com/2017/03/threat-roundup-0324-0331.html\r\nPage 15 of 22\n\n248.100.151.74\r\n140.178.134.108\r\n71.40.250.251\r\n2.170.194.13\r\n188.121.121.90\r\n103.182.107.224\r\n238.44.206.248\r\n185.196.78.227\r\n241.117.137.46\r\n27.184.52.156\r\n17.100.187.246\r\n142.159.223.136\r\n53.154.160.76\r\n74.112.68.147\r\n150.158.250.75\r\n153.11.186.249\r\n83.172.78.89\r\n89.50.100.129\r\n252.84.7.113\r\n112.84.131.231\r\n156.116.8.163\r\n109.137.79.244 Domain Names\r\npuresourcecollective[.]com\r\nappollobafh[.]com Files and or directories created\r\nN/A File Hashes\r\n2acfab58519552eaed08a1a40cf92368e28b3a665b7d6851b47e38f2bd8f598e\r\n3e2f71a4dd6bc8e866325ccee3d780b029532e83d5aef69825d1a583205a6f4c\r\n455f53b882d1648694d8b8cbcc625c2ee2a5f7400f0db70bd7385284304751f4\r\n56ded612854f90cf5ba70daba78308a9e46198444ea3b63b0c2707c6776a1b4d\r\n58f3fd45631a08818d44c8c7f555f46d2817d4ef804a8faf80c47faa388e436f\r\n68f3ed6d61556fd899e95d2b5b43a266cd23fb763b6e1f02dff2e2d62a27a41f\r\n6a9b132e407edec1c06ebec33a47ff0a1f44968679f88c2584c380d033b748e3\r\nc2bacb6a9ddf8eca886f083c9f52d8979cfd29b3f0b97fbb0c76ca86373562a8\r\nFaa87134b84133b85c42cb1997c96b04021b2848369599e555b100981fbc7cad\r\nCoverage\r\nhttps://blog.talosintelligence.com/2017/03/threat-roundup-0324-0331.html\r\nPage 16 of 22\n\nScreenshots of 
DetectionAMP\r\nThreatGrid\r\nUmbrella\r\nhttps://blog.talosintelligence.com/2017/03/threat-roundup-0324-0331.html\r\nPage 17 of 22\n\nWin.Virus.Virut-6171773\r\nIndicators of Compromise Registry Keys\r\nN/AMutexes\r\nN/A  IP Addresses\r\nN/A Domain Names\r\njl[.]chura[.]pl\r\nsys[.]zief[.]pl Files and or directories created\r\nModify host files File Hashes\r\na477f53caa2a04835db7e3e02238fd90b92930738e6d512543bb4b6114b28d81\r\nef1070106dbad598487ddd22a8fe7d40d8cc30a49e8c48d19ea02c76497a062c\r\n7075a7fb70a46dc02460abc92b890b6e9f43ab20e4d47d16435dc133c218cd42\r\n128debd4fa18c3ad5ff49925ea3d8a3ccd013e82950cde429b09e8d58878f27c\r\n1319090b4d1d8b9815005585ee3fa15ac1df4f2eca0e22e22bc317e52a520c4e\r\nbd92f8a83f0fbebc76749c41916fa212b75b386386c25e1203f53657adf07aac\r\n6d71a5594dc5adc2bab1fd2ead630a705c7c0e02e2a5a20994584a1fb1effa4f\r\nba9cdbb4b0f43daa78bd8cb9cc4f842fb970bdbf0ed012760a55e2df34778232\r\nfbb151befa1d287d49870fa9fc6254036452c4ca3e80da7bb19d529a8a4382ea\r\n6f1cebb94490adcd133bba22a6ba9aafce96d84c76dc4007bbe5ff0c83431462\r\n1f6984b9f0dc7009a91577b3868d8980c5ee47a161559f56878e5e80424e01a7\r\na2d5c82fe41f613c159d6952c9ff3aa2a1b059ce4692e20292ba2e01effb2e9e\r\n62796ad8ede80f59beb4f4b40d68cc4e5477cecd10f2b7993d25cdeac9535bd0\r\n1c752622d01064f0adf1962e1d5671cff249be495bea9bbaf200fdfd2124f9b2\r\ndb97b4f3aa56a8111d007c2581379d827e97994843d0d7b4d461ba151db52988\r\nb0b0ae2afa85dac9f3d289059a06cde24e33308dae64f11fa3ee68a93f8a6b67\r\n6e27d1b6622efc68e98acc87e9356a78af7d942e0cba0d3aa97809cecec6bdf9\r\n2a0ea00ae1634818d3d84d699a54ad9cb28c71dddf24b0340c9a6b1449d2d966\r\n348713e66c6ddc09dbcf95ca50cfe384987031fc787249fa14d10aacdb3b7e1c\r\nd754e1fac2ae13b1cbc6d7beec8f37c1f304a52120e6e6878b06d8183f659c17\r\n0e653eb48d3718b3abd3459386795a3802bde8aad920a33cc2d8d632138b0a61\r\n8e431f2bf003132434c5fca097c60240fee7f1e9ca30bc7a063dabcd7d902841\r\n683192a27d4316eb1073522de5fb3fa1e3923b5e7d6cdb979d4bd82ed317fa47\r\n8f0058f2fa085a4cf8ee5dc01250aa18dd624187d527b5521438cfcda2a4fbe4\r\nb8992
7a14e2e54b2bd917904b38737ce96f3bc004215c5a0486fc0a96a6c47d5\r\nebf6f32cf12e0839338564a6edef3d8ec8b7ebd1d93bc09c3359a69a4803460d\r\n68ef4a3024eeadab44169cb292f897e66e57342dd65c9b63fda5fad6cb517e53\r\nCoverage\r\nhttps://blog.talosintelligence.com/2017/03/threat-roundup-0324-0331.html\r\nPage 18 of 22\n\nScreenshots of Detection AMP\r\nUmbrella\r\nThreatGrid\r\nhttps://blog.talosintelligence.com/2017/03/threat-roundup-0324-0331.html\r\nPage 19 of 22\n\nMalware Screenshot\r\nWin.Ransomware.Spora-6172235\r\nIndicators of Compromise Registry Keys\r\nN/AMutexes\r\n\\Sessions\\1\\BaseNamedObjects\\m[0-9]{9} IP Addresses\r\nN/A Domain Names\r\nN/A Files and or directories created\r\n%APPDATA%\\[A-Z0-9]{5}-[A-Z0-9]{5}-[A-Z]{5}-[A-Z]{5}-[A-Z]{5}.html File Hashes\r\nf8bf2eb6481164e4a8cae0dc1114044a9ba81d41350edd1be19021e2cbdab749\r\n5e7a7f4ef9ba326e3650c4ee58bdfafb3661fa50f680d78d5868240120c553be\r\nb64639ae67147ff584507627713db60baf8050cedb9a7e4d3b68b521ca54ad36\r\ne849051316cc2cf869f80f66cd2b48b436d51cc7544bad3309774aebf101c889\r\n81cc065fc899b98f774708d8176ad4319311ff8643138705b24fbeb439f6e0d0\r\n6c191a684907ec323516c837f66cd7331acbdad65220b73dba9307dffaa284f9\r\n8a8ebf400b190a6fabf6d0e5f6756dfd1d856395161e522a7efe43342531894e\r\nec31d44d1c2eae34897001c41e14ed26c03d8acaabf00ee31183021f7a2fd141\r\ne1a3784ef065cea4a8c8402015028494c18e3cd235cbb13785d269452376b2f1\r\n9232ac662ebf2460bc2eb68875b548eb2547f62c5f7799861cfc0bebf5bf1e53\r\n23a91bb1cf1019f1b6aabfc249df42b57a76d78d09a33b39441206d62f416fc8\r\nb3b489585e8d6714ac05b79ae3e01cf3c93e51ebb5d16ccec2a6afcf4eb4c325\r\nc0f7e40dd057ab32aaecad7df71b22433ef7474a57e5a2e58ec7fd613dfc30b5\r\na25bafcf74304d56beeb5395a0f801a743e27381ca95626f4720a48c966e3129\r\n66449dde7d12706fb9ab6aafd690e077f5f37f11aa8b372a95d9e962763c7bc1\r\ne1f992137562f1cfe5d38f57f36ffac76dda729e102b6abaedda89970ba8c493\r\n6072804f727f1f237b4fcdeec9428449311d3cc54d9e0d284a68d300f3c858f6\r\n2432fad4d84816155ea80075d686896de32304c8f453c01b029ad21e7eb17b13\r\n9c93758e4b
5767edaebb8bb39e0b7566715e2b610d2117bc6e1acf2578c973f5\r\n67342ca4bada435d4e8d03d65342434f70909f54d4951412e18c49aeb72dcf47\r\n346cf5120e5d1512f879d14111254ba68e3eaa3d3ea6f02977cd835725521984\r\n288384c983496978fdda879847525e26194761394d62febeb922284cbeba0c9d\r\n722b92a1f10fd2cac878ab7f9e3a120d656a245e40cc13a0bc619eb63362768d\r\n5a011ceb0bf539ac5cc7e89b85dd7b742d94093fe84153d647fa18f16e7cac06\r\n0304ce1dbaf1cf933f7d63dc559101b5899af7e07fef52abc38de430a428fce2\r\n1f63371f2b2a5f340ea3c4d211b1fe0d6197e3a00e87cae49e873ae8964e8810\r\nCoverage\r\nScreenshots of Detection\r\nAMP\r\nThreatGrid\r\nMalware Screenshot\r\nSource: https://blog.talosintelligence.com/2017/03/threat-roundup-0324-0331.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://blog.talosintelligence.com/2017/03/threat-roundup-0324-0331.html"
	],
	"report_names": [
		"threat-roundup-0324-0331.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775434909,
	"ts_updated_at": 1775826770,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/225ed588bd8c82ad7981353135fac5791c83c62c.pdf",
		"text": "https://archive.orkl.eu/225ed588bd8c82ad7981353135fac5791c83c62c.txt",
		"img": "https://archive.orkl.eu/225ed588bd8c82ad7981353135fac5791c83c62c.jpg"
	}
}