# ZLoader 4.0 Macrosheets Evolution

Posted on 2020-05-06 by William MacArthur, Amirreza Niakanlahiji, and Pedram Amini.
In January of 2019, we published a blog titled ["Extracting 'Sneaky' Excel XLM Macros"](https://inquest.net/blog/2019/01/29/Carving-Sneaky-XLM-Files) that detailed a technique attackers had adopted for embedding malicious logic under a less understood facet of Excel spreadsheets: Excel 4.0 macros, aka XLM macros. In March of this year, we published ["Getting Sneakier: Hidden Sheets, Data Connections, and XLM Macros"](https://inquest.net/blog/2020/03/18/Getting-Sneakier-Hidden-Sheets-Data-Connections-and-XLM-Macros), which evolved the stealthiness of the approach through the remote embedding of later-stage content via Excel DCONN records. Today, we uncover yet another iteration on this tactic. We are examining a novel and advanced obfuscation scheme with macrosheets embedded in the (newer) Office 2007+ format, versus the legacy OLE (Object Linking and Embedding) format.

## Initial Samples, Low Detection Rates

Tracing back through recent history, the first sample we're able to identify from this campaign appeared on VirusTotal on Monday, [May 4th (Star Wars Day)](https://en.wikipedia.org/wiki/Star_Wars_Day):

* [InQuest Labs: 955d59e66e24b4585dd044b1576f03ff0e6d8306397766420806979475eededd](https://labs.inquest.net/dfi/sha256/955d59e66e24b4585dd044b1576f03ff0e6d8306397766420806979475eededd)
* [VirusTotal: 1/58](https://www.virustotal.com/gui/file/955d59e66e24b4585dd044b1576f03ff0e6d8306397766420806979475eededd/detection)

Detection rates for this and all related samples are rather abysmal, with decent coverage coming from just a single vendor, Qihoo-360, identifying the threat as Macro.office.07defname.gen.
While this sample was the earliest, the first sample that caught our eye, and the primary one we'll be examining below, is:

* 8a6e4c10c30b773147d0d7c8307d88f1cf242cb01a9747bfec0319befdc1fcaf

You can download this sample to follow along yourself through our open data portal, [InQuest Labs](https://labs.inquest.net/dfi/sha256/8a6e4c10c30b773147d0d7c8307d88f1cf242cb01a9747bfec0319befdc1fcaf). Let's start by highlighting the "hidden" / "very-hidden" sheets and the obfuscated AutoOpen hook from xl/workbook.xml:

```xml
...
<sheets>
  <sheet name="Sheet1" sheetId="1" r:id="rId1"/>
  <sheet name="Izdxo9x56IFL1JQZhlGzFBCxVIEmmW" sheetId="2" state="veryHidden" r:id="rId2"/>
</sheets>
<definedNames>
  <definedName name="_xlnm.Auto_openhFX8u" hidden="1">Izdxo9x56IFL1JQZhlGzFBCxVIEmmW!$AG$4609</definedName>
</definedNames>
...
```

The Microsoft Office suite provides a large, feature-rich, backwards compatible, and ever-changing landscape for malicious actors to discover and leverage new threat tactics. Weighing in at tens of millions of lines of code and countless installations globally, it's not hard to see why attackers favor the platform. This novel tactic for pivoting to the execution of embedded logic is the latest in a long and seemingly never-ending trail of successful creativity.

## An Effective Detection Anchor

One consistency among non-exploit-based malware lures is the need to coerce the target into enabling the execution pivot. The requirement for user consent is a double-edged sword. On the one hand, it reduces the immediate impact of the threat. On the other, multiple interactions (consider the [DDE based command execution tactic from 2017](https://inquest.net/blog/2017/10/13/microsoft-office-dde-macro-less-command-execution-vulnerability)) can result in lower detection rates. A common tactic that has remained consistent for years is the usage of embedded media to coerce the target user into taking an action they should be wary of.
This campaign is no different; here's an example sourced from xl/media/image1.jpg:

Fig 1. Coercion Lure.

Notice the faint green-on-green coloring and low image fidelity, undoubtedly designed to bypass attempts at Optical Character Recognition (OCR). The choice of JPG over PNG for this image would make a graphic designer cringe, but the lossy format plays to the attackers' favor. It's prudent for us to note that InQuest OCR is more than capable of discerning accurate text and producing an alert on the image alone. We can [search InQuest Labs](https://labs.inquest.net/dfi/search/alert/Macro%20Execution%20Coercion) for samples that trigger our coercion heuristics. From a sampling of lures associated with this campaign, here is the breakdown of embedded image hashes:

| Key | Ct (Pct) | Histogram |
|---|---|---|
| 6b435bbf9b254681dafd6abf783632ac | 10 (13.16%) | ----------------------------------- |
| 667de8e48255ae7183077b889a271c1e | 8 (10.53%) | ---------------------------- |
| d98d763d6ca4f1c736b3fbc163669224 | 7 (9.21%) | ------------------------ |
| d59b82fd9504ba9b130c0d048b492a10 | 6 (7.89%) | --------------------- |
| cdb3950c2a0e342c793ccdc1eb566803 | 5 (6.58%) | ------------------ |
| 98e8cd0a87fb4f3549a15c1e52043df4 | 5 (6.58%) | ------------------ |
| 879ee929dd80ff750e442e3e0befda6b | 4 (5.26%) | -------------- |
| 63282400dbdeb0dc7382bd86d768cfd7 | 4 (5.26%) | -------------- |
| 4a20b2d5bb46837bae61d73291712319 | 4 (5.26%) | -------------- |
| 444520d98f7fe4b6dd0da106ab87a1fb | 4 (5.26%) | -------------- |
| 075356a385451f7a14d7322cd334f2b7 | 4 (5.26%) | -------------- |
| fa9dbfda5aebfd3d4a8b4c198e38e4bb | 3 (3.95%) | ----------- |
| dd607e4daa5b52d1cc0353bf484296e4 | 3 (3.95%) | ----------- |
| 2764db07e1a670674a65b9f7c3417487 | 3 (3.95%) | ----------- |
| 01ef5c035ec3aa501b9ab085e862a34f | 3 (3.95%) | ----------- |

Intelligently, the attackers have decided to modify the image dimensions slightly to reduce detection exposure on the media asset.
This is a less commonly seen tactic; let's explore the most common images by dimension (instead of cryptographic hash):

| Key | Ct (Pct) | Histogram |
|---|---|---|
| 574x345 | 29 (38.16%) | ------------------------------------------------------------ |
| 579x345 | 20 (26.32%) | ----------------------------------------- |
| 568x345 | 13 (17.11%) | --------------------------- |
| 563x345 | 8 (10.53%) | ----------------- |
| 585x345 | 4 (5.26%) | --------- |
| 607x361 | 1 (1.32%) | --- |
| 385x393 | 1 (1.32%) | --- |

We can see more overlap with this "fuzzier" approach. This extra step taken by the operators to evade detection shows an increased level of sophistication, especially when you consider that many attackers leave valuable [XMP identifiers in their graphical assets](https://inquest.net/blog/2019/09/30/Adobe-XMP-Tales-of-an-Overlooked-Anchor) that can be used as a fast and accurate detection anchor, as well as a pivot point for mapping relationships between samples. Browsing the graphics embedded in the variety of captured samples, they're all the same with the exception of that last one (385x393), which belongs to sample [e468618f7c42c2348ef72fb3a733a1fe3e6992d742f3ce2791f5630bc4d40f2a](https://labs.inquest.net/dfi/sha256/e468618f7c42c2348ef72fb3a733a1fe3e6992d742f3ce2791f5630bc4d40f2a) and carries the following image:

Fig 2. Roflanbuldiga.

Apparently a "[roflanbuldiga](https://www.google.com/search?q=roflanbuldiga)"? [@RoflanB](https://twitter.com/roflanb). No conclusions can or have been drawn from this graphical asset; it's just interesting to note. In the next section we'll take a glance at some of the novel obfuscation tactics employed by this campaign to deter detection.
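The workbook.xml hook shown earlier, the macrosheet part that a hunting rule looks for, and the media hash and dimension pivots all live inside the same OOXML zip container, so a defender can surface all three in one triage pass. The following is an added example, not code from the original post or from InQuest's tooling. It builds a constructed .xlsx in memory (a workbook.xml modelled on the snippet above with namespace declarations added, a placeholder macrosheet part, and a minimal constructed JPEG header that is not a viewable image) and then scans it, reporting hidden/veryHidden sheets, defined names that Excel will auto-start regardless of case or appended suffix, any xl/macrosheets/ parts, and the MD5 plus pixel dimensions of each embedded image. The JPEG reader parses only up to the first SOF marker, which is all the "fuzzier" dimension pivot needs; the function and constant names are this example's own.

```python
# Added example (not InQuest's code): triage an OOXML workbook for the anchors discussed above.
import hashlib
import io
import struct
import zipfile
import xml.etree.ElementTree as ET

# Constructed workbook.xml modelled on the snippet from the post; namespace
# declarations added so it parses as a complete document.
WORKBOOK_XML = b"""<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<workbook xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main"
          xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships">
  <sheets>
    <sheet name="Sheet1" sheetId="1" r:id="rId1"/>
    <sheet name="Izdxo9x56IFL1JQZhlGzFBCxVIEmmW" sheetId="2" state="veryHidden" r:id="rId2"/>
  </sheets>
  <definedNames>
    <definedName name="_xlnm.Auto_openhFX8u" hidden="1">Izdxo9x56IFL1JQZhlGzFBCxVIEmmW!$AG$4609</definedName>
  </definedNames>
</workbook>"""

# Excel matches auto-start names case-insensitively and any appended suffix still
# triggers, so compare on a lower-cased prefix.
AUTOSTART_PREFIXES = ("auto_open", "auto_close")

# JPEG start-of-frame markers (baseline, progressive, lossless, ...).
SOF_MARKERS = {0xC0, 0xC1, 0xC2, 0xC3, 0xC5, 0xC6, 0xC7, 0xC9, 0xCA, 0xCB, 0xCD, 0xCE, 0xCF}


def jpeg_dimensions(data):
    """Return (width, height) from the first SOF segment, or None if not a JPEG."""
    if data[:2] != b"\xff\xd8":
        return None
    pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            return None
        marker = data[pos + 1]
        if marker == 0xFF:                              # fill byte before a marker
            pos += 1
            continue
        if marker == 0x01 or 0xD0 <= marker <= 0xD9:    # standalone markers carry no length
            pos += 2
            continue
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        if marker in SOF_MARKERS:
            if pos + 9 > len(data):
                return None
            height, width = struct.unpack(">HH", data[pos + 5:pos + 9])
            return (width, height)
        pos += 2 + length
    return None


def is_autostart_name(name):
    bare = name.lower()
    if bare.startswith("_xlnm."):
        bare = bare[len("_xlnm."):]
    return bare.startswith(AUTOSTART_PREFIXES)


def scan_xlsx(blob):
    """Report hidden sheets, auto-start names, macrosheet parts and media anchors."""
    findings = {"hidden_sheets": [], "autostart_names": [], "macrosheets": [], "media": []}
    with zipfile.ZipFile(io.BytesIO(blob)) as z:
        names = z.namelist()
        if "xl/workbook.xml" in names:
            root = ET.fromstring(z.read("xl/workbook.xml"))
            for el in root.iter():
                tag = el.tag.rsplit("}", 1)[-1]          # drop the namespace prefix
                if tag == "sheet" and el.get("state") in ("hidden", "veryHidden"):
                    findings["hidden_sheets"].append((el.get("name"), el.get("state")))
                elif tag == "definedName" and is_autostart_name(el.get("name", "")):
                    findings["autostart_names"].append((el.get("name"), (el.text or "").strip()))
        findings["macrosheets"] = [n for n in names if n.startswith("xl/macrosheets/")]
        for n in names:
            if n.startswith("xl/media/"):
                data = z.read(n)
                findings["media"].append((n, hashlib.md5(data).hexdigest(), jpeg_dimensions(data)))
    return findings


def fake_jpeg(width, height):
    """Constructed minimal JPEG: SOI, APP0, a 3-component SOF0 header, EOI. Not a viewable image."""
    app0 = b"\xff\xe0" + struct.pack(">H", 16) + b"JFIF\x00" + b"\x00" * 9
    sof0 = b"\xff\xc0" + struct.pack(">HBHHB", 17, 8, height, width, 3) + b"\x01\x11\x00\x02\x11\x01\x03\x11\x01"
    return b"\xff\xd8" + app0 + sof0 + b"\xff\xd9"


def build_sample():
    """Constructed .xlsx container carrying the three artifacts a triage pass should surface."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("xl/workbook.xml", WORKBOOK_XML)
        z.writestr("xl/macrosheets/sheet1.xml", b"<placeholder/>")   # stands in for the real macrosheet
        z.writestr("xl/media/image1.jpg", fake_jpeg(574, 345))
    return buf.getvalue()


if __name__ == "__main__":
    for key, value in scan_xlsx(build_sample()).items():
        print(f"{key}: {value}")
```

Against a real sample, replace `build_sample()` with the bytes of the file under analysis; the dimension tuple is what lets the 574x345 / 579x345 / 568x345 variants cluster together even though their MD5s differ.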
## Obfuscated Macrosheet

Download either the extracted macrosheet with XML tags stripped, or a trivially reformatted version that we've prepared to ease readability:

* XML stripped macrosheet: [8a6e4c10c30b773147d0d7c8307d88f1cf242cb01a9747bfec0319befdc1fcaf](https://github.com/InQuest/malware-samples/blob/master/2020-05-ZLoader-Evolution/8a6e4c10c30b773147d0d7c8307d88f1cf242cb01a9747bfec0319befdc1fcaf.macrosheet)
* Formatted macrosheet: [8a6e4c10c30b773147d0d7c8307d88f1cf242cb01a9747bfec0319befdc1fcaf.formatted](https://github.com/InQuest/malware-samples/blob/master/2020-05-ZLoader-Evolution/8a6e4c10c30b773147d0d7c8307d88f1cf242cb01a9747bfec0319befdc1fcaf.formatted)

There are several interesting obfuscation techniques that are used to evade detection and also complicate automated and manual deobfuscation processes.

Fig 3. "veryHidden".

The macrosheet is flagged as veryHidden (recall from our previous blog that the BIFF file format supports binary-level flags for hidden and very-hidden) and contains a defined name that will execute automatically on open, `_xlnm.Auto_openhFX8u`; this differs from the familiar auto_open and related derivatives. Defenders should note that these names are NOT case-sensitive and that regardless of what suffix is appended to the defined name, Microsoft Excel will autostart the embedded logic. Digging further, note the following:

Fig 4. FORMULA.FILL().

It relies on FORMULA.FILL() to generate code. After each FORMULA.FILL() there is a "jump" through usage of the RUN function. While still under active development and not currently supporting all the features of this sample, [XLMMacroDeobfuscator](https://github.com/InQuest/XLMMacroDeobfuscator) can assist us in dissecting further:

Fig 5. Loading Cells.

The code first fills several cells with a few numbers derived from the current date (NOW()) and the properties of several cells, such as their height or their font color (GET.CELL()).
For example, GET.CELL(17, EC9093) returns the height of the row on which cell EC9093 resides (i.e., row 9093). To learn more about GET.CELL(), take a look at this [Excel 4.0 Functions Reference](https://d13ot9o61jdzpp.cloudfront.net/files/Excel%204.0%20Macro%20Functions%20Reference.pdf). The first cell that contains the obfuscated formula is AK47754:

Fig 6. Cell AK47754.

To deobfuscate each character of the formula, the macrosheet logic performs calculations based on two cell values: the value of one cell is already present in the sheet, while the value of the other is calculated at runtime from the current date or from properties of other cells. In previous samples, the operators relied on only one calculated value (the current date or the properties of some cells) to decode all the characters in a formula. As a result, if we could guess one of the deobfuscated characters in the formula, we could find out the calculated value. In fact, we know that the formula always starts with an equal sign (=). As a result, it was trivial to compute the calculated value without knowing the target date or retrieving the properties of other cells. For reference, see the following [Tweet from Amir (@DissectMalware)](https://twitter.com/DissectMalware/status/1252673693911834626). Unfortunately, this oversight has since been addressed by the campaign operators. To deobfuscate a formula, we must now calculate several values. Another change is that the deobfuscated formulas are now scattered across the macrosheet, which makes it harder to analyze the code as a whole. In the following YouTube video, we describe in detail how one can manually deobfuscate macros in these samples:

## YARA Hunt Rule, Samples, Shunting

InQuest customers can find protection for this and related samples through both our signature-less, machine-learning model-based detection engine, as well as a number of our bundled heuristic signatures, including event IDs 1000037, 1000047, 3000562, and 4000173.
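Returning to the CHAR() deobfuscation scheme described in the previous section: the reason the earlier single-value variant fell to a known-plaintext guess, and the current per-character variant does not, is easy to see in a simplified model. The following is an added example, not the macrosheet's own logic or InQuest's tooling. It models obfuscation as "stored cell value combined with a runtime-derived key" using plain addition, which the real sheets do not literally use; the ROW_HEIGHTS table is a constructed stand-in for the GET.CELL(17, ref) row-height lookups, and =SUM(A1:A3) is a benign constructed sample formula. All function names are this example's own.

```python
# Added example: simplified model of the CHAR()-style obfuscation discussed above.
# Stored cell values are combined with a key that Excel derives at runtime (NOW(),
# GET.CELL(...)); here "combined" is simple addition, a stand-in for the sheet's
# own arithmetic.

FORMULA_PREFIX = "="  # every deobfuscated XLM formula starts with '='

# Constructed stand-in for GET.CELL(17, ref): the row height of the referenced cell.
ROW_HEIGHTS = {9093: 15, 9094: 21, 9095: 12, 9096: 27, 9097: 18}


def obfuscate_single_key(formula, key):
    """Old scheme: one runtime-derived key for the whole formula."""
    return [ord(c) - key for c in formula]


def recover_single_key(values, anchor=FORMULA_PREFIX):
    """Known-plaintext recovery: the first decoded character must be '=', so the key
    falls out of the first stored value alone; no date or cell properties needed."""
    return ord(anchor) - values[0]


def deobfuscate_single_key(values, key):
    return "".join(chr(v + key) for v in values)


def per_char_keys(n):
    """Newer scheme: a distinct runtime-derived value per character, modelled here as
    the row heights of successive referenced cells."""
    rows = sorted(ROW_HEIGHTS)
    return [ROW_HEIGHTS[rows[i % len(rows)]] for i in range(n)]


def obfuscate_per_char(formula, keys):
    return [ord(c) - k for c, k in zip(formula, keys)]


def deobfuscate_per_char(values, keys):
    """Decoding now requires every per-character value, i.e. emulating NOW() and the
    GET.CELL() property reads rather than guessing one constant."""
    return "".join(chr(v + k) for v, k in zip(values, keys))


def anchor_only_attempt(values):
    """What the '=' trick yields against the per-character scheme: the first character
    comes back correctly, the rest decode with the wrong key."""
    return deobfuscate_single_key(values, recover_single_key(values))


if __name__ == "__main__":
    formula = "=SUM(A1:A3)"  # benign constructed sample
    old = obfuscate_single_key(formula, 19)
    key = recover_single_key(old)
    print("old scheme, recovered key:", key, "->", deobfuscate_single_key(old, key))
    keys = per_char_keys(len(formula))
    new = obfuscate_per_char(formula, keys)
    print("new scheme, anchor-only attempt:", repr(anchor_only_attempt(new)))
    print("new scheme, with emulated GET.CELL values:", deobfuscate_per_char(new, keys))
```

The practical consequence for an analyst is the one the post draws: once the key varies per character, static guessing stops working and the sheet has to be emulated (or the date and cell properties reconstructed) to recover the formulas.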
These signatures rely heavily on the pre-processing and normalizing performed by our [Deep File Inspection](https://inquest.net/blog/2018/02/12/deep-file-inspection) (DFI) engine. Additionally, we're open-sourcing a suitable YARA hunting rule for VirusTotal Intelligence. A simple rule that looks for standard-named macrosheets (note, these names can be altered) within the compressed XLS* format can be found in our public yara-rules GitHub repository: [Github/InQuest/yara-rules](https://github.com/InQuest/yara-rules/blob/master/Microsoft_XLSX_with_Macrosheet.rule). While the complete collection of malware samples can be found on InQuest Labs, we have additionally made a collection of 20 samples and their extracted macrosheets available for download in our public malware-samples GitHub repository: [Github/InQuest/malware-samples](https://github.com/InQuest/malware-samples/tree/master/2020-05-ZLoader-Evolution). Shout out to [@seraphimdomain](https://twitter.com/seraphimdomain) and [@James_inthe_box](https://twitter.com/James_inthe_box) for initially collaborating with us!

As mentioned, this threat evaded detection by most static and dynamic analysis tools we tested. One of our sandbox partners, [Joe Security](https://inquest.net/press-releases/inquest-partners-with-joe-security-to-exclusively-deliver-joe-sandbox-to-the-us-public-sector), was able to detect the obfuscated macrosheet. Additionally, note that in the behavior graph excerpt from Joe below, the network connectivity is benign. The malware sample is able to "shunt" between the operator's real infrastructure and benign infrastructure based on the validity of the target. Again, a sign of sophistication. The full behavior report is available [here](https://jbxcloud.joesecurity.org/analysis/1127745/1/html).

Fig 7. Joe Sandbox Behavior.

Let's dive deeper into this concept of network shunting, a tactic known to be in use by the Zloader operators.
If the underlying system does not meet the infection requirements as defined by the operators, then the malware logic changes paths and "shunts" to an alternative payload. Here is an example of the operating system of the analysis machine not meeting the proper criteria and being "shunted" to a benign Microsoft Azure cloud IP and domain:

```
skypedataprdcoluks04.cloudapp[.]net
52.114.158[.]91
AS8075 | US | MICROSOFT-CORP-MSN-A
```

An example where the criteria are satisfied and the resulting network traffic connects to actual infrastructure can be found in this behavioral analysis report from [any.run](https://app.any.run/tasks/e95e5d05-8b7e-4d35-8707-c17b5cdaa241/).

Fig 9. GET Request.

Unfortunately, the payload was offline by the time we attempted to acquire it:

```
hacked wordpress account: shetkarimarket[.]com
shared hosting IP:        160.153.133[.]148
AS21501 | DE | GODADDY-AMS
```

## Relationship Graphing

A core facet of the InQuest platform is drawing relationships between related campaigns through a variety of identified "pivot anchors", such as embedded IOCs. You can get an idea of some of these capabilities through the DFI section on InQuest Labs, which allows for searching for and clustering samples based on a variety of shared anchors. Researchers with access to VirusTotal Intelligence can leverage the graph interface to build visual clusters of these representations. This is a work in progress that we'll add additional information to in the future, but to give a high-level glance at the process, we depict an overview here:

Fig 8. VirusTotal Intelligence Graph.

## Additional Observations and IOCs

As another quick aside, we can automate the extraction of relevant IOCs from InQuest Labs via our open API.
In the following example we're mixing direct access via `curl` as well as showing off [python-inquestlabs](https://github.com/InQuest/python-inquestlabs), a command-line interface and importable library that provides a Pythonic interface over the API:

```shell
$ for hash in $(curl -s "https://labs.inquest.net/api/dfi/search/alert?title=Macrosheet%20CHAR%20Obfuscation" | jq -r '.data[].sha256' | sort)
  do
      echo "$hash"
      for ioc in $(curl -s "https://labs.inquest.net/api/dfi/details/attributes?sha256=$hash" | jq -r '.data[] | select(.attribute=="url") | .value')
      do
          echo "    $ioc"
      done
  done
```

For a continuously updating list of matching samples, search InQuest Labs for the [CHAR() Obfuscation](https://labs.inquest.net/dfi/search/alert/Macrosheet%20CHAR%20Obfuscation) alert. As of the time of this writing, the following list of hashes is nearly complete:

* 01b9b8580230a33a84fa39cf8238fef4d428cd9cf83f9acfb449626ee5b8ea8c [InQuest Labs](https://labs.inquest.net/dfi/sha256/01b9b8580230a33a84fa39cf8238fef4d428cd9cf83f9acfb449626ee5b8ea8c), [VT](https://virustotal.com/gui/file/01b9b8580230a33a84fa39cf8238fef4d428cd9cf83f9acfb449626ee5b8ea8c/detection)
* 01eb92643ad7c0d6f962cef1058c0b7bf2cea2ffb26f1addb528aa51d0d801be [InQuest Labs](https://labs.inquest.net/dfi/sha256/01eb92643ad7c0d6f962cef1058c0b7bf2cea2ffb26f1addb528aa51d0d801be), [VT](https://virustotal.com/gui/file/01eb92643ad7c0d6f962cef1058c0b7bf2cea2ffb26f1addb528aa51d0d801be/detection)
* 034727d9d7d2405e5c8dc7e7389fbbdee22e9a30da244eb5d5bf91e4a1ba8ea7 [InQuest Labs](https://labs.inquest.net/dfi/sha256/034727d9d7d2405e5c8dc7e7389fbbdee22e9a30da244eb5d5bf91e4a1ba8ea7), [VT](https://virustotal.com/gui/file/034727d9d7d2405e5c8dc7e7389fbbdee22e9a30da244eb5d5bf91e4a1ba8ea7/detection)
* 05d8a7144a984b5f9530f0f9abe96546cfec0ad2c8cdc213bc733d7e14e750df [InQuest Labs](https://labs.inquest.net/dfi/sha256/05d8a7144a984b5f9530f0f9abe96546cfec0ad2c8cdc213bc733d7e14e750df),
  [VT](https://virustotal.com/gui/file/05d8a7144a984b5f9530f0f9abe96546cfec0ad2c8cdc213bc733d7e14e750df/detection)
* 06ac09e487c9892aa0389ab18eaf49b3156ccb385c73eea17ebee49ffc6cc2c9 [InQuest Labs](https://labs.inquest.net/dfi/sha256/06ac09e487c9892aa0389ab18eaf49b3156ccb385c73eea17ebee49ffc6cc2c9), [VT](https://virustotal.com/gui/file/06ac09e487c9892aa0389ab18eaf49b3156ccb385c73eea17ebee49ffc6cc2c9/detection)
* 0de8f64c4547649d613fec45cb7a3c6b878753045c448ac5aa4a09879ed14c9c [InQuest Labs](https://labs.inquest.net/dfi/sha256/0de8f64c4547649d613fec45cb7a3c6b878753045c448ac5aa4a09879ed14c9c), [VT](https://virustotal.com/gui/file/0de8f64c4547649d613fec45cb7a3c6b878753045c448ac5aa4a09879ed14c9c/detection)
* 0f27a954be7a868f71e0635e1f31c294a3dbd48839372c05b99de981789f162d [InQuest Labs](https://labs.inquest.net/dfi/sha256/0f27a954be7a868f71e0635e1f31c294a3dbd48839372c05b99de981789f162d), [VT](https://virustotal.com/gui/file/0f27a954be7a868f71e0635e1f31c294a3dbd48839372c05b99de981789f162d/detection)
* 0f75b7f01e21ea4fa028c2098f5e98ef2cb5b65aea0799a38323ea762c84ea21 [InQuest Labs](https://labs.inquest.net/dfi/sha256/0f75b7f01e21ea4fa028c2098f5e98ef2cb5b65aea0799a38323ea762c84ea21), [VT](https://virustotal.com/gui/file/0f75b7f01e21ea4fa028c2098f5e98ef2cb5b65aea0799a38323ea762c84ea21/detection)
* 10f79daf80a8c4c608fb6cfa7e1d7764dbf569a9a15832174225dda3c981062a [InQuest Labs](https://labs.inquest.net/dfi/sha256/10f79daf80a8c4c608fb6cfa7e1d7764dbf569a9a15832174225dda3c981062a), [VT](https://virustotal.com/gui/file/10f79daf80a8c4c608fb6cfa7e1d7764dbf569a9a15832174225dda3c981062a/detection)
* 16fc7fc8328ebb1e695917017bfda60408e2c6d0b6de5d56f4e14b0dca05cb06 [InQuest Labs](https://labs.inquest.net/dfi/sha256/16fc7fc8328ebb1e695917017bfda60408e2c6d0b6de5d56f4e14b0dca05cb06), [VT](https://virustotal.com/gui/file/16fc7fc8328ebb1e695917017bfda60408e2c6d0b6de5d56f4e14b0dca05cb06/detection)
* 18305d1efe2efa29dfcdffbfbb8a9f7900ae09f4a3c833aa1a756dea150a1733 [InQuest Labs](https://labs.inquest.net/dfi/sha256/18305d1efe2efa29dfcdffbfbb8a9f7900ae09f4a3c833aa1a756dea150a1733), [VT](https://virustotal.com/gui/file/18305d1efe2efa29dfcdffbfbb8a9f7900ae09f4a3c833aa1a756dea150a1733/detection)
* 23378ceac2d30515419a0a4e51c009eba6f910173e09e1292820277804e6b26b [InQuest Labs](https://labs.inquest.net/dfi/sha256/23378ceac2d30515419a0a4e51c009eba6f910173e09e1292820277804e6b26b), [VT](https://virustotal.com/gui/file/23378ceac2d30515419a0a4e51c009eba6f910173e09e1292820277804e6b26b/detection)
* 2418faaee50d2f14c9d2140d2d5e08933b3ce772cc624540f60baaa6757c8ae6 [InQuest Labs](https://labs.inquest.net/dfi/sha256/2418faaee50d2f14c9d2140d2d5e08933b3ce772cc624540f60baaa6757c8ae6), [VT](https://virustotal.com/gui/file/2418faaee50d2f14c9d2140d2d5e08933b3ce772cc624540f60baaa6757c8ae6/detection)
* 284c7be60b77434f91fce2572e45adddca0cdfb25cce4cf63bc4f7e1c17e1025 [InQuest Labs](https://labs.inquest.net/dfi/sha256/284c7be60b77434f91fce2572e45adddca0cdfb25cce4cf63bc4f7e1c17e1025), [VT](https://virustotal.com/gui/file/284c7be60b77434f91fce2572e45adddca0cdfb25cce4cf63bc4f7e1c17e1025/detection)
* 2abbf872f2f44cb8b8fb2bbd7bb0fdc4f6be4eec8098ce97dd931e5953082010 [InQuest Labs](https://labs.inquest.net/dfi/sha256/2abbf872f2f44cb8b8fb2bbd7bb0fdc4f6be4eec8098ce97dd931e5953082010), [VT](https://virustotal.com/gui/file/2abbf872f2f44cb8b8fb2bbd7bb0fdc4f6be4eec8098ce97dd931e5953082010/detection)
* 3611917480763942f7b8a2e7b407b081059a305bd6fa2a2c0f017a5f8520dbac [InQuest Labs](https://labs.inquest.net/dfi/sha256/3611917480763942f7b8a2e7b407b081059a305bd6fa2a2c0f017a5f8520dbac), [VT](https://virustotal.com/gui/file/3611917480763942f7b8a2e7b407b081059a305bd6fa2a2c0f017a5f8520dbac/detection)
* 3c4d881f9b9ca8a4a2387f79640d914b0c14792030fb9c762bf65b9e3503f3b8 [InQuest Labs](https://labs.inquest.net/dfi/sha256/3c4d881f9b9ca8a4a2387f79640d914b0c14792030fb9c762bf65b9e3503f3b8),
  [VT](https://virustotal.com/gui/file/3c4d881f9b9ca8a4a2387f79640d914b0c14792030fb9c762bf65b9e3503f3b8/detection)
* 3f73d0063b3eb141f7847c2f5477aff0c95a8f70998b9baa55059bdf74f70525 [InQuest Labs](https://labs.inquest.net/dfi/sha256/3f73d0063b3eb141f7847c2f5477aff0c95a8f70998b9baa55059bdf74f70525), [VT](https://virustotal.com/gui/file/3f73d0063b3eb141f7847c2f5477aff0c95a8f70998b9baa55059bdf74f70525/detection)
* 44457b45620327b7bddd7e441a8a369de22dd568457193de0e3317bdda09b4fd [InQuest Labs](https://labs.inquest.net/dfi/sha256/44457b45620327b7bddd7e441a8a369de22dd568457193de0e3317bdda09b4fd), [VT](https://virustotal.com/gui/file/44457b45620327b7bddd7e441a8a369de22dd568457193de0e3317bdda09b4fd/detection)
* 44558f2bf67d9fb936abd4d28df3efedfa9a863db88158ec3a8d31463c4033e1 [InQuest Labs](https://labs.inquest.net/dfi/sha256/44558f2bf67d9fb936abd4d28df3efedfa9a863db88158ec3a8d31463c4033e1), [VT](https://virustotal.com/gui/file/44558f2bf67d9fb936abd4d28df3efedfa9a863db88158ec3a8d31463c4033e1/detection)
* 4538af0fe8dd2c8477f4f0f62a1b468de0af46a681a79ffbc2b99d839c13b826 [InQuest Labs](https://labs.inquest.net/dfi/sha256/4538af0fe8dd2c8477f4f0f62a1b468de0af46a681a79ffbc2b99d839c13b826), [VT](https://virustotal.com/gui/file/4538af0fe8dd2c8477f4f0f62a1b468de0af46a681a79ffbc2b99d839c13b826/detection)
* 467c668373171fa4900025633e43ddb6e2aea0a2b44573f0648323374404b4ab [InQuest Labs](https://labs.inquest.net/dfi/sha256/467c668373171fa4900025633e43ddb6e2aea0a2b44573f0648323374404b4ab), [VT](https://virustotal.com/gui/file/467c668373171fa4900025633e43ddb6e2aea0a2b44573f0648323374404b4ab/detection)
* 477bf4d158decc2388692fce07c01c73ab94b1002938b50e9df20422230e48da [InQuest Labs](https://labs.inquest.net/dfi/sha256/477bf4d158decc2388692fce07c01c73ab94b1002938b50e9df20422230e48da), [VT](https://virustotal.com/gui/file/477bf4d158decc2388692fce07c01c73ab94b1002938b50e9df20422230e48da/detection)
* 4977447b055636772f26ab45416a2580c40bd49963e49687327958fd1700af84 [InQuest Labs](https://labs.inquest.net/dfi/sha256/4977447b055636772f26ab45416a2580c40bd49963e49687327958fd1700af84), [VT](https://virustotal.com/gui/file/4977447b055636772f26ab45416a2580c40bd49963e49687327958fd1700af84/detection)
* 4c01b534c5a654e7d1441c34bbc842d6616164f6d547f1c5e8d72040bd934d90 [InQuest Labs](https://labs.inquest.net/dfi/sha256/4c01b534c5a654e7d1441c34bbc842d6616164f6d547f1c5e8d72040bd934d90), [VT](https://virustotal.com/gui/file/4c01b534c5a654e7d1441c34bbc842d6616164f6d547f1c5e8d72040bd934d90/detection)
* 4e105f96511b17aab8bbf9d241a665b466e4d0c4dd93af83710ec6423ceb1b0f [InQuest Labs](https://labs.inquest.net/dfi/sha256/4e105f96511b17aab8bbf9d241a665b466e4d0c4dd93af83710ec6423ceb1b0f), [VT](https://virustotal.com/gui/file/4e105f96511b17aab8bbf9d241a665b466e4d0c4dd93af83710ec6423ceb1b0f/detection)
* 54e24143d4534279197382e3de600d9c9da61809044608d2a0dde59234b9dfe6 [InQuest Labs](https://labs.inquest.net/dfi/sha256/54e24143d4534279197382e3de600d9c9da61809044608d2a0dde59234b9dfe6), [VT](https://virustotal.com/gui/file/54e24143d4534279197382e3de600d9c9da61809044608d2a0dde59234b9dfe6/detection)
* 5690149163be72ab526817ce42254efdfac36cc909656fc9e681a1fc2dec5c68 [InQuest Labs](https://labs.inquest.net/dfi/sha256/5690149163be72ab526817ce42254efdfac36cc909656fc9e681a1fc2dec5c68), [VT](https://virustotal.com/gui/file/5690149163be72ab526817ce42254efdfac36cc909656fc9e681a1fc2dec5c68/detection)
* 56f1feda6292a6d09ad5fae817bdd384e7644a9990a9fe2fdabf2df013018d54 [InQuest Labs](https://labs.inquest.net/dfi/sha256/56f1feda6292a6d09ad5fae817bdd384e7644a9990a9fe2fdabf2df013018d54), [VT](https://virustotal.com/gui/file/56f1feda6292a6d09ad5fae817bdd384e7644a9990a9fe2fdabf2df013018d54/detection)
* 58e2b09425bb741c3e61f76d59d4528a548fbad248649c50fc38b37044ad7947 [InQuest Labs](https://labs.inquest.net/dfi/sha256/58e2b09425bb741c3e61f76d59d4528a548fbad248649c50fc38b37044ad7947),
  [VT](https://virustotal.com/gui/file/58e2b09425bb741c3e61f76d59d4528a548fbad248649c50fc38b37044ad7947/detection)
* 5d126829d37640cd200e99af723b681eff45ed1de3bfbcb0e3c1721c15dfc651 [InQuest Labs](https://labs.inquest.net/dfi/sha256/5d126829d37640cd200e99af723b681eff45ed1de3bfbcb0e3c1721c15dfc651), [VT](https://virustotal.com/gui/file/5d126829d37640cd200e99af723b681eff45ed1de3bfbcb0e3c1721c15dfc651/detection)
* 60e71559052012c4ba8c306057712da64d8f9f0a9767ed8e69cd38609841e079 [InQuest Labs](https://labs.inquest.net/dfi/sha256/60e71559052012c4ba8c306057712da64d8f9f0a9767ed8e69cd38609841e079), [VT](https://virustotal.com/gui/file/60e71559052012c4ba8c306057712da64d8f9f0a9767ed8e69cd38609841e079/detection)
* 6654a38cba97469680b916233fa9e3a2cf97a1f6f043def9c76a64fb285f32de [InQuest Labs](https://labs.inquest.net/dfi/sha256/6654a38cba97469680b916233fa9e3a2cf97a1f6f043def9c76a64fb285f32de), [VT](https://virustotal.com/gui/file/6654a38cba97469680b916233fa9e3a2cf97a1f6f043def9c76a64fb285f32de/detection)
* 6d61f0ca90d9872906dd224ff4757150b346acba0977a1106bf51b45b8229db1 [InQuest Labs](https://labs.inquest.net/dfi/sha256/6d61f0ca90d9872906dd224ff4757150b346acba0977a1106bf51b45b8229db1), [VT](https://virustotal.com/gui/file/6d61f0ca90d9872906dd224ff4757150b346acba0977a1106bf51b45b8229db1/detection)
* 7951eeb4e888889f8384c75bcf094c5d901ea036c09af0ab0a6bcccfa9375e2d [InQuest Labs](https://labs.inquest.net/dfi/sha256/7951eeb4e888889f8384c75bcf094c5d901ea036c09af0ab0a6bcccfa9375e2d), [VT](https://virustotal.com/gui/file/7951eeb4e888889f8384c75bcf094c5d901ea036c09af0ab0a6bcccfa9375e2d/detection)
* 7b40c9372dbf3bf008d07fcd94cf9677d80771be5cbf2682ea2004c4c27b2cd2 [InQuest Labs](https://labs.inquest.net/dfi/sha256/7b40c9372dbf3bf008d07fcd94cf9677d80771be5cbf2682ea2004c4c27b2cd2), [VT](https://virustotal.com/gui/file/7b40c9372dbf3bf008d07fcd94cf9677d80771be5cbf2682ea2004c4c27b2cd2/detection)
* 7cce4070d19cb5aaaf5d8ebc92fc3d5fa1cc15112fb2ce750106baca1cfd76c8 [InQuest Labs](https://labs.inquest.net/dfi/sha256/7cce4070d19cb5aaaf5d8ebc92fc3d5fa1cc15112fb2ce750106baca1cfd76c8), [VT](https://virustotal.com/gui/file/7cce4070d19cb5aaaf5d8ebc92fc3d5fa1cc15112fb2ce750106baca1cfd76c8/detection)
* 8718b3c22083fe5185a6781ac1c58a009e859c0e0e00833f0b4a6df58e4468e4 [InQuest Labs](https://labs.inquest.net/dfi/sha256/8718b3c22083fe5185a6781ac1c58a009e859c0e0e00833f0b4a6df58e4468e4), [VT](https://virustotal.com/gui/file/8718b3c22083fe5185a6781ac1c58a009e859c0e0e00833f0b4a6df58e4468e4/detection)
* 89a2f612e3b86974e862334844991e0fc60ff1c2aca26498722670713bb2553a [InQuest Labs](https://labs.inquest.net/dfi/sha256/89a2f612e3b86974e862334844991e0fc60ff1c2aca26498722670713bb2553a), [VT](https://virustotal.com/gui/file/89a2f612e3b86974e862334844991e0fc60ff1c2aca26498722670713bb2553a/detection)
* 8a6e4c10c30b773147d0d7c8307d88f1cf242cb01a9747bfec0319befdc1fcaf [InQuest Labs](https://labs.inquest.net/dfi/sha256/8a6e4c10c30b773147d0d7c8307d88f1cf242cb01a9747bfec0319befdc1fcaf), [VT](https://virustotal.com/gui/file/8a6e4c10c30b773147d0d7c8307d88f1cf242cb01a9747bfec0319befdc1fcaf/detection)
* 8e0ffc819b4abaa2753120547ffd70d0d1868b5ad6f269c06eb2ef19cf24eefc [InQuest Labs](https://labs.inquest.net/dfi/sha256/8e0ffc819b4abaa2753120547ffd70d0d1868b5ad6f269c06eb2ef19cf24eefc), [VT](https://virustotal.com/gui/file/8e0ffc819b4abaa2753120547ffd70d0d1868b5ad6f269c06eb2ef19cf24eefc/detection)
* 905bd680d5fcb70da36847406655dd9aaafabff2329e46e2dd89667f9434de92 [InQuest Labs](https://labs.inquest.net/dfi/sha256/905bd680d5fcb70da36847406655dd9aaafabff2329e46e2dd89667f9434de92), [VT](https://virustotal.com/gui/file/905bd680d5fcb70da36847406655dd9aaafabff2329e46e2dd89667f9434de92/detection)
* 9267ebb91110d9c686bd83ed9c6bade5c5066220873f11e756112dd5a53a4eca [InQuest Labs](https://labs.inquest.net/dfi/sha256/9267ebb91110d9c686bd83ed9c6bade5c5066220873f11e756112dd5a53a4eca),
  [VT](https://virustotal.com/gui/file/9267ebb91110d9c686bd83ed9c6bade5c5066220873f11e756112dd5a53a4eca/detection)
* 9309ec88e2ce12fd2304a5007feee41f11b3ce51510c96f95bf64d3770a2064b [InQuest Labs](https://labs.inquest.net/dfi/sha256/9309ec88e2ce12fd2304a5007feee41f11b3ce51510c96f95bf64d3770a2064b), [VT](https://virustotal.com/gui/file/9309ec88e2ce12fd2304a5007feee41f11b3ce51510c96f95bf64d3770a2064b/detection)
* 955d59e66e24b4585dd044b1576f03ff0e6d8306397766420806979475eededd [InQuest Labs](https://labs.inquest.net/dfi/sha256/955d59e66e24b4585dd044b1576f03ff0e6d8306397766420806979475eededd), [VT](https://virustotal.com/gui/file/955d59e66e24b4585dd044b1576f03ff0e6d8306397766420806979475eededd/detection)
* 95d7f675d8c63be4aa86df6670537638557589b2e98a0d3f4087800d05fb7e04 [InQuest Labs](https://labs.inquest.net/dfi/sha256/95d7f675d8c63be4aa86df6670537638557589b2e98a0d3f4087800d05fb7e04), [VT](https://virustotal.com/gui/file/95d7f675d8c63be4aa86df6670537638557589b2e98a0d3f4087800d05fb7e04/detection)
* 97489f14edf02081943ba6bdc4f8ddc61b489c2d114eff2fc560f6225f3c8907 [InQuest Labs](https://labs.inquest.net/dfi/sha256/97489f14edf02081943ba6bdc4f8ddc61b489c2d114eff2fc560f6225f3c8907), [VT](https://virustotal.com/gui/file/97489f14edf02081943ba6bdc4f8ddc61b489c2d114eff2fc560f6225f3c8907/detection)
* 9a986ac244f8f65bc151cac813228ab38c9882b37f40d0e4c44ca15ac5ef6353 [InQuest Labs](https://labs.inquest.net/dfi/sha256/9a986ac244f8f65bc151cac813228ab38c9882b37f40d0e4c44ca15ac5ef6353), [VT](https://virustotal.com/gui/file/9a986ac244f8f65bc151cac813228ab38c9882b37f40d0e4c44ca15ac5ef6353/detection)
* a3c2b927224bf96e9c92c7430a42dd0b399d72e27d54edafada375ab5a91871c [InQuest Labs](https://labs.inquest.net/dfi/sha256/a3c2b927224bf96e9c92c7430a42dd0b399d72e27d54edafada375ab5a91871c), [VT](https://virustotal.com/gui/file/a3c2b927224bf96e9c92c7430a42dd0b399d72e27d54edafada375ab5a91871c/detection)
* a86275faa2934c1b5de6796b7aba5b4b17d1bc33c2c69eeb0aa8a6d560fb3230 [InQuest Labs](https://labs.inquest.net/dfi/sha256/a86275faa2934c1b5de6796b7aba5b4b17d1bc33c2c69eeb0aa8a6d560fb3230), [VT](https://virustotal.com/gui/file/a86275faa2934c1b5de6796b7aba5b4b17d1bc33c2c69eeb0aa8a6d560fb3230/detection)
* ac1faa3883789dfe81791ba5e653a38b2a89a397dab952a962c642dc89f2c514 [InQuest Labs](https://labs.inquest.net/dfi/sha256/ac1faa3883789dfe81791ba5e653a38b2a89a397dab952a962c642dc89f2c514), [VT](https://virustotal.com/gui/file/ac1faa3883789dfe81791ba5e653a38b2a89a397dab952a962c642dc89f2c514/detection)
* ad2089580d0aa874ef3ecdc8e88487f552e760d32028ddf35574f3d7020ec61c [InQuest Labs](https://labs.inquest.net/dfi/sha256/ad2089580d0aa874ef3ecdc8e88487f552e760d32028ddf35574f3d7020ec61c), [VT](https://virustotal.com/gui/file/ad2089580d0aa874ef3ecdc8e88487f552e760d32028ddf35574f3d7020ec61c/detection)
* b77d17b89be9ae351c496c22750a132020668ae4342b05f00f8430ce4cbb4792 [InQuest Labs](https://labs.inquest.net/dfi/sha256/b77d17b89be9ae351c496c22750a132020668ae4342b05f00f8430ce4cbb4792), [VT](https://virustotal.com/gui/file/b77d17b89be9ae351c496c22750a132020668ae4342b05f00f8430ce4cbb4792/detection)
* bd7cdfe5d7164ccfd251fbec6d2256a765b496bfff8e72358800fd6f416f785f [InQuest Labs](https://labs.inquest.net/dfi/sha256/bd7cdfe5d7164ccfd251fbec6d2256a765b496bfff8e72358800fd6f416f785f), [VT](https://virustotal.com/gui/file/bd7cdfe5d7164ccfd251fbec6d2256a765b496bfff8e72358800fd6f416f785f/detection)
* bd8e014f428f455df4347aa27a9281a6cfdb6b3375699ef8e581ca05790c5aa1 [InQuest Labs](https://labs.inquest.net/dfi/sha256/bd8e014f428f455df4347aa27a9281a6cfdb6b3375699ef8e581ca05790c5aa1), [VT](https://virustotal.com/gui/file/bd8e014f428f455df4347aa27a9281a6cfdb6b3375699ef8e581ca05790c5aa1/detection)
* c5ef34f410d708520bc5d56cac0d418fed0a8316d53c5e737c28d1a3480fd559 [InQuest Labs](https://labs.inquest.net/dfi/sha256/c5ef34f410d708520bc5d56cac0d418fed0a8316d53c5e737c28d1a3480fd559),
[VT](https://virustotal.com/gui/file/c5ef34f410d708520bc5d56cac0d418fed0a8316d53c5e737c28d1a3480fd559/detection) * cdacf5204c7c0ccb7d936ddb684306a80e54a177735c8742eb38d600eb6e7eb7 [InQuest Labs](https://labs.inquest.net/dfi/sha256/cdacf5204c7c0ccb7d936ddb684306a80e54a177735c8742eb38d600eb6e7eb7), [VT](https://virustotal.com/gui/file/cdacf5204c7c0ccb7d936ddb684306a80e54a177735c8742eb38d600eb6e7eb7/detection) * d07556af26a8c273f112725a4171898fb7a29ac9b5c1e075cfa2494d4ab9a820 [InQuest Labs](https://labs.inquest.net/dfi/sha256/d07556af26a8c273f112725a4171898fb7a29ac9b5c1e075cfa2494d4ab9a820), [VT](https://virustotal.com/gui/file/d07556af26a8c273f112725a4171898fb7a29ac9b5c1e075cfa2494d4ab9a820/detection) * d1506e2684cba9fc75b909d2b6acbcd9ba8c7ce613fd464e147bd6d2e217ae78 [InQuest Labs](https://labs.inquest.net/dfi/sha256/d1506e2684cba9fc75b909d2b6acbcd9ba8c7ce613fd464e147bd6d2e217ae78), [VT](https://virustotal.com/gui/file/d1506e2684cba9fc75b909d2b6acbcd9ba8c7ce613fd464e147bd6d2e217ae78/detection) * d8374f78c29ed45265ca65a13b4a84bb2ad6eed434fdd2d9af75394753a7cfb8 [InQuest Labs](https://labs.inquest.net/dfi/sha256/d8374f78c29ed45265ca65a13b4a84bb2ad6eed434fdd2d9af75394753a7cfb8), [VT](https://virustotal.com/gui/file/d8374f78c29ed45265ca65a13b4a84bb2ad6eed434fdd2d9af75394753a7cfb8/detection) * d886df7150bc956ecdae96ad119845558c4413b03383c219c99e175ab219a39e [InQuest Labs](https://labs.inquest.net/dfi/sha256/d886df7150bc956ecdae96ad119845558c4413b03383c219c99e175ab219a39e), [VT](https://virustotal.com/gui/file/d886df7150bc956ecdae96ad119845558c4413b03383c219c99e175ab219a39e/detection) * dbc2e390b9fbd9bbb046cb38582a125aec405cda17a71c29ed2a25abb6c63855 [InQuest Labs](https://labs.inquest.net/dfi/sha256/dbc2e390b9fbd9bbb046cb38582a125aec405cda17a71c29ed2a25abb6c63855), [VT](https://virustotal.com/gui/file/dbc2e390b9fbd9bbb046cb38582a125aec405cda17a71c29ed2a25abb6c63855/detection) * dbfd7810f2198eee4d92313db61b13ca702946a72c38c3498a99d5ac3943c0de [InQuest 
Labs](https://labs.inquest.net/dfi/sha256/dbfd7810f2198eee4d92313db61b13ca702946a72c38c3498a99d5ac3943c0de), [VT](https://virustotal.com/gui/file/dbfd7810f2198eee4d92313db61b13ca702946a72c38c3498a99d5ac3943c0de/detection) * de511a3682b5a7a0c239395eb53fcce01b2f2d265ce56f477ab246b0df63c9cc [InQuest Labs](https://labs.inquest.net/dfi/sha256/de511a3682b5a7a0c239395eb53fcce01b2f2d265ce56f477ab246b0df63c9cc), [VT](https://virustotal.com/gui/file/de511a3682b5a7a0c239395eb53fcce01b2f2d265ce56f477ab246b0df63c9cc/detection) * de534a59a6b5a0dab1cde353473657d1a3fb2bd4a8839cf8555afadc8aabbf72 [InQuest Labs](https://labs.inquest.net/dfi/sha256/de534a59a6b5a0dab1cde353473657d1a3fb2bd4a8839cf8555afadc8aabbf72), [VT](https://virustotal.com/gui/file/de534a59a6b5a0dab1cde353473657d1a3fb2bd4a8839cf8555afadc8aabbf72/detection) * de9ef9ddcc649559b3166ba13b73da19da93b33bda401e4007190253964aaed4 [InQuest Labs](https://labs.inquest.net/dfi/sha256/de9ef9ddcc649559b3166ba13b73da19da93b33bda401e4007190253964aaed4), [VT](https://virustotal.com/gui/file/de9ef9ddcc649559b3166ba13b73da19da93b33bda401e4007190253964aaed4/detection) * e11f77f4fb5dfa34ad52137aa8bda5555ba962528b7e39db4b0a71ec138ed79f [InQuest Labs](https://labs.inquest.net/dfi/sha256/e11f77f4fb5dfa34ad52137aa8bda5555ba962528b7e39db4b0a71ec138ed79f), [VT](https://virustotal.com/gui/file/e11f77f4fb5dfa34ad52137aa8bda5555ba962528b7e39db4b0a71ec138ed79f/detection) * e468618f7c42c2348ef72fb3a733a1fe3e6992d742f3ce2791f5630bc4d40f2a [InQuest Labs](https://labs.inquest.net/dfi/sha256/e468618f7c42c2348ef72fb3a733a1fe3e6992d742f3ce2791f5630bc4d40f2a), [VT](https://virustotal.com/gui/file/e468618f7c42c2348ef72fb3a733a1fe3e6992d742f3ce2791f5630bc4d40f2a/detection) * e75c0c54aeffac6316e56d1e9c363008b5de12de264da4498efa5d56b14e153f [InQuest Labs](https://labs.inquest.net/dfi/sha256/e75c0c54aeffac6316e56d1e9c363008b5de12de264da4498efa5d56b14e153f), 
[VT](https://virustotal.com/gui/file/e75c0c54aeffac6316e56d1e9c363008b5de12de264da4498efa5d56b14e153f/detection) * f2a41bbae3de5c4561410e71f7c7005710d1f6f0874f6add0ec5f797dce98076 [InQuest Labs](https://labs.inquest.net/dfi/sha256/f2a41bbae3de5c4561410e71f7c7005710d1f6f0874f6add0ec5f797dce98076), [VT](https://virustotal.com/gui/file/f2a41bbae3de5c4561410e71f7c7005710d1f6f0874f6add0ec5f797dce98076/detection) * f39f7ee103e33432a5faa62ab94bbf29476f0f7d41f5683a257e648a11d69e43 [InQuest Labs](https://labs.inquest.net/dfi/sha256/f39f7ee103e33432a5faa62ab94bbf29476f0f7d41f5683a257e648a11d69e43), [VT](https://virustotal.com/gui/file/f39f7ee103e33432a5faa62ab94bbf29476f0f7d41f5683a257e648a11d69e43/detection) * f405e108872cdfe8ea3d9a57a564c272c2d738316bce3c40df79eeeb312409ab [InQuest Labs](https://labs.inquest.net/dfi/sha256/f405e108872cdfe8ea3d9a57a564c272c2d738316bce3c40df79eeeb312409ab), [VT](https://virustotal.com/gui/file/f405e108872cdfe8ea3d9a57a564c272c2d738316bce3c40df79eeeb312409ab/detection) * f4e43a4ef567bf7f3c057478f6eaefb62f7ef57e76bce2275e3eb536be942480 [InQuest Labs](https://labs.inquest.net/dfi/sha256/f4e43a4ef567bf7f3c057478f6eaefb62f7ef57e76bce2275e3eb536be942480), [VT](https://virustotal.com/gui/file/f4e43a4ef567bf7f3c057478f6eaefb62f7ef57e76bce2275e3eb536be942480/detection) * fd493baba5aaf55b0d9a6f317b66983b20559a673358f472991c528823257b40 [InQuest Labs](https://labs.inquest.net/dfi/sha256/fd493baba5aaf55b0d9a6f317b66983b20559a673358f472991c528823257b40), [VT](https://virustotal.com/gui/file/fd493baba5aaf55b0d9a6f317b66983b20559a673358f472991c528823257b40/detection) * fd961ad277c047ec93d0fb8561ecce285bb9263de2408ba60ef8efd53013549d [InQuest Labs](https://labs.inquest.net/dfi/sha256/fd961ad277c047ec93d0fb8561ecce285bb9263de2408ba60ef8efd53013549d), [VT](https://virustotal.com/gui/file/fd961ad277c047ec93d0fb8561ecce285bb9263de2408ba60ef8efd53013549d/detection) * fe13dcf6fe72e89413d4b4297205b4ffeab39384f127d18b1d43c89aebe6d6a8 [InQuest 
Labs](https://labs.inquest.net/dfi/sha256/fe13dcf6fe72e89413d4b4297205b4ffeab39384f127d18b1d43c89aebe6d6a8), [VT](https://virustotal.com/gui/file/fe13dcf6fe72e89413d4b4297205b4ffeab39384f127d18b1d43c89aebe6d6a8/detection) The following samples were observed to follow a different attack sequence while matching Zloader sample patterns. After further analysis, these hashes were discovered to belong to the Dridex family of banking trojans: * 1cddbb162a43e08997bab20b8a2926495763a117dec8c0cbf898844a23d7d2b1 [InQuest Labs](https://labs.inquest.net/dfi/sha256/1cddbb162a43e08997bab20b8a2926495763a117dec8c0cbf898844a23d7d2b1), [VT](https://virustotal.com/gui/file/1cddbb162a43e08997bab20b8a2926495763a117dec8c0cbf898844a23d7d2b1/detection) * 316edaff165c6148de4f6672c867da1a3ac3ababd2d1709f2f4c695d4fe637fc [InQuest Labs](https://labs.inquest.net/dfi/sha256/316edaff165c6148de4f6672c867da1a3ac3ababd2d1709f2f4c695d4fe637fc), [VT](https://virustotal.com/gui/file/316edaff165c6148de4f6672c867da1a3ac3ababd2d1709f2f4c695d4fe637fc/detection) * 7217d06b0c3860cd671a95db5df024b64592788634e71683389843693f1ef9cf [InQuest Labs](https://labs.inquest.net/dfi/sha256/7217d06b0c3860cd671a95db5df024b64592788634e71683389843693f1ef9cf), [VT](https://virustotal.com/gui/file/7217d06b0c3860cd671a95db5df024b64592788634e71683389843693f1ef9cf/detection) * 79f8ab4f45113916fcc6e46289f38df6e3db49e47621b439d4df4c3e0145f3d7 [InQuest Labs](https://labs.inquest.net/dfi/sha256/79f8ab4f45113916fcc6e46289f38df6e3db49e47621b439d4df4c3e0145f3d7), [VT](https://virustotal.com/gui/file/79f8ab4f45113916fcc6e46289f38df6e3db49e47621b439d4df4c3e0145f3d7/detection) * c01e9dc36e11c8ea226f076e31914272e6f6dc58afea557242c6da44d9985fbb [InQuest Labs](https://labs.inquest.net/dfi/sha256/c01e9dc36e11c8ea226f076e31914272e6f6dc58afea557242c6da44d9985fbb), [VT](https://virustotal.com/gui/file/c01e9dc36e11c8ea226f076e31914272e6f6dc58afea557242c6da44d9985fbb/detection) * c07f9c7bc2614979354299183a4b0bdf1729af65b36d6b3bc612b8e7947737b0 
[InQuest Labs](https://labs.inquest.net/dfi/sha256/c07f9c7bc2614979354299183a4b0bdf1729af65b36d6b3bc612b8e7947737b0), [VT](https://virustotal.com/gui/file/c07f9c7bc2614979354299183a4b0bdf1729af65b36d6b3bc612b8e7947737b0/detection) * c5b99d2371f542cf90063ce1ea55c2dd621658baeb19520737faa7850b1dd9f6 [InQuest Labs](https://labs.inquest.net/dfi/sha256/c5b99d2371f542cf90063ce1ea55c2dd621658baeb19520737faa7850b1dd9f6), [VT](https://virustotal.com/gui/file/c5b99d2371f542cf90063ce1ea55c2dd621658baeb19520737faa7850b1dd9f6/detection) * d1c53de4faccb95a8fe202541aa17147dc5e171dee6f2a26b167794bb7f335ad [InQuest Labs](https://labs.inquest.net/dfi/sha256/d1c53de4faccb95a8fe202541aa17147dc5e171dee6f2a26b167794bb7f335ad), [VT](https://virustotal.com/gui/file/d1c53de4faccb95a8fe202541aa17147dc5e171dee6f2a26b167794bb7f335ad/detection) * ff0f168140bc9deba47986c40e1b43c31b817ad2169e898d62f4f59bb4996252 [InQuest Labs](https://labs.inquest.net/dfi/sha256/ff0f168140bc9deba47986c40e1b43c31b817ad2169e898d62f4f59bb4996252), [VT](https://virustotal.com/gui/file/ff0f168140bc9deba47986c40e1b43c31b817ad2169e898d62f4f59bb4996252/detection) Payload URL: hxxp://ginduq[.]com/glex.exe (registered in the past few days and can be heavily pivoted on to gain traction on the Dridex malware campaign). 8.208.78.74 AS45102 | CN | CNNIC-ALIBABA-US-NET - Alibaba (US) Technology Co., Ltd. For further details, comments, and suggestions... please reach out to the team on [Twitter @InQuest](https://twitter.com/inquest).

Tags
deep-file-inspection malware-analysis threat-hunting
