MVISION Insights: SocGholish and BLISTER loaders dropping LockBit Ransomware

Technical Articles ID: KB95720
Last Modified: 6/8/2022

Environment

IMPORTANT: This Knowledge Base article discusses a specific threat that is being automatically tracked by MVISION Insights technology. The content is intended for use by MVISION Insights users, but is provided for general knowledge to all customers. Contact us for more information about MVISION Insights.

Summary

Description of Campaign
The BLISTER and SocGholish malware families were used to deliver malware onto systems including LockBit ransomware as the final payload. Successful infections also resulted in the malware performing multiple discovery commands and downloading a Cobalt Strike beacon to execute remote commands. The infection process started with a user downloading a fake Google Chrome browser update from a compromised legitimate website.

Our ATR Team gathers and analyzes information from multiple open and closed sources before disseminating intelligence reports. This campaign was researched by Trend Micro and shared publicly.

How to use this article:

If a Threat Hunting table has been created, use the rules contained to search for malware related to this campaign.
Review the product detection table and confirm that your environment is at least on the specified content version.
To download the latest content versions, go to the Security Updates page.
Scroll down and review the "Product Countermeasures" section of this article. Consider implementing them if they are not already in place.
Review KB91836 - Countermeasures for entry vector threats.
Review KB87843 - Dynamic Application Containment rules and best practices.
Review KB82925 - Identify what rule corresponds to an Adaptive Threat Protection and Threat Intelligence Exchange event.

This Knowledge Base article discusses a specific threat that's being tracked. The list of IOCs will change over time; check MVISION Insights for the latest IOCs.

Campaign IOC

Type	Value
SHA256	9472D4CB393256A62A466F6601014E5CB04A71F115499C320DC615245C7594D4
SHA256	84A67F191A93EE827C4829498D2CB1D27BDD9E47E136DC6652A5414DAB440B74
SHA256	CB949EBE87C55C0BA6CF0525161E2E6670C1AE186AB83CE46047446E9753A926
SHA256	CC31C124FC39025F5C3A410ED4108A56BB7C6E90B5819167A06800D02EF1F028
SHA256	294C710F4074B37ADE714C83B6B7BF722A46AEF61C02BA6543DE5D59EDC97B60
SHA256	ED6910FD51D6373065A2F1D3580AD645F443BF0BADC398AA77185324B0284DB8
SHA256	4FE551BCEA5E07879EC84A7F1CEA1036CFD0A3B03151403542CAB6BD8541F8E5
SHA256	7B9091C41525F1721B12DCEF601117737EA990CEE17A8EECF81DCFB25CCB5A8F
SHA256	73BAA040CD6879D1D83C5AFAB29F61C3734136BFFE03C72F520E025385F4E9A2
SHA256	C3509BA690A1FCB549B95AD4625F094963EFFC037DF37BD96F9D8ED5C7136D94
SHA256	A403B82A14B392F8485A22F105C00455B82E7B8A3E7F90F460157811445A8776
SHA256	F74A32A67A94FD711DA78AF2F8F4BDB83FE7DEAA049AD11F2F980BB6E3C037A7
SHA256	A69CF4FA61217F8230E032089A8F56F7EBF31E4CD35124E6AD104DB86851F17F
SHA256	812263EA9C6C44EF6B4D3950C5A316F765B62404391DDB6482BDC9A23D6CC4A6
SHA256	E0888B80220F200E522E42EC2F15629CAA5A11111B8D1BABFF509D0DA2B948F4
SHA256	D08F9390FA610DC3976D309A859B9ABC8404CEE1EF8AEB886F3F9E524C1D2B9F
SHA256	C4520713189D27E21B0F9060BA95CBFE4F49CC0F348854F08D1ED3AA577E9BD0
SHA256	2EAB76F1D46BE74C68D9562B4B32C44606FA23C0D7897F9D89A3E2534BE6F2C7
SHA256	4FAF362B3FE403975938E27195959871523689D0BF7FBA757DDFA7D00D437FD4
SHA256	D3D48AA32B062B6E767966A8BAB354EDED60E0A11BE5BC5B7AD8329AA5718C76
SHA256	C9CC4D95CA1197328A743A41B09C2375D54AC97FCDDE5E07BDA660396710ECCD
SHA256	C08D467966D6CA60A68FFE1715851EEA366EED6B35E033A43437128C05D441DC
SHA256	ACB37A4C2552AE2F9B9BBB8EBBB9A501AD6B5787E40867270D7FF3A5369E3632
SHA256	CCCD4FB8900DF5F8939E589F4E66D6819796D84620AE97E7EFA2CFD7237B27CF
SHA256	CFA85CC84451B870F26515DA705783A3B0616B54CD2CE350281B3B0A3383A3E8
SHA256	EBF40E12590FCC955B4DF4EC3129CD379A6834013DAE9BB18E0EC6F23F935BBA
SHA256	5006AD8BA0CC6D68626FA7789A62F8256C5F28A7A86903B60EF203D16944DF99
SHA256	2AAA916D56CFE95ABB65FBC222BFDFA2B16A3FFB6660C1BDC211004302A1AEF3
SHA256	546ACB39C89B8B72923AAC98DD68369AA4AB8440B5EA122301626C6B082F95DE
SHA256	E5EBB489A8AC483AD3DAF258F6FF74AE7BEC6B67B0DEB9A571F8CE90C82D7380
SHA256	5EA74BCA527F7F6EA8394D9D78E085BED065516ECA0151A54474FFFE91664198
SHA256	C0F1EBCCA8A8094853AA65210DDDE80F6A9FFE7B3F2D75D5652B166722B3AA4A
SHA256	42D737487DACCF77F7C80FFD1D823BA4E51CF154E8486F420BA958E1DF2A150D
SHA256	49BA10B4264A68605D0B9EA7891B7078AEEF4FA0A7B7831F2DF6B600AAE77776
SHA256	F6F116E43261AD432B5C5EDD44FAA01641621E9C728902053F235877FF22431D
SHA256	E30503082D3257737BBA788396D7798E27977EDF68B9DBA7712A605577649FFB
SHA256	CC2FE3129D312648B6BE28E4D8046C36F19E0553283E64A4AF7CC5EFE8586C57
SHA256	3AC3FD9DE619C934B0FAD04B0384898D98CD69444DA2D2BBF3BDD6A7E922FCE2
SHA256	D625D21F6AC0677CE386E09CA1D78EEFD3F223991642CABC72C756DA5EC048DC
SHA256	EFBFFC6D81425FFB0D81E6771215C0A0E77D55D7F271EC685B38A1DE7CC606A8
SHA256	72C410EEA75347E8C5BD7E1CB6AE7D1DD0EC5C73DD7B53BC8C2155CBD3E60961
SHA256	B062DD516CFA972993B6109E68A4A023CCC501C9613634468B2A5A508760873E
SHA256	6098371970CCF86AA5E70EBFE4F0622CDC2E2AE19FB85B17F6CB79BDE981EA0B
SHA256	B959B003C1E558FF0CCF1D0F96509B155D6F86EB20CAA97B470F3422494D8D74
SHA256	94646F971C52C5725A7872006C9C80B10271A838D87F20C85247C357F6EC35EB
SHA256	B91EB833DE386EA3D73D2954F0DCE9FE38E4BF96594620AF6C0935B9EE0D7E81
SHA256	722E75932C75A37BB9B616093C77611433DA35236182615162CB4C9D6FAB34F0
SHA256	E7A070ADB5D238CCD7DAA249F26516E2BDBF72E1E866D54189E96272117720C0
SHA256	96823BB6BEFE5899739BD69AB00A6B4AE1256FD586159968301A4A69D675A5EC
SHA256	84B2D16124B690D77C5C43C3A0D4AD78AAF10D38F88D9851DE45D6073D8FCB65
SHA256	8E6C0D338F201630B5C5BA4F1757E931BC065C49559C514658B4C2090A23E57B
SHA256	EBA37E8CEA693569462061FBC0A82C609E4E855C827A6228BABCDF798C3C9885
SHA256	D439F941B293E3DED35BF52FAC7F20F6A2B7F2E4B189AD2AC7F50B8358110491
SHA256	49925637250438B05D3AEBAAC70BB180A0825EC4272FBE74C6FECB5E085BCF10
HOSTNAME	host.integrativehealthpartners.com
HOSTNAME	apps.weightlossihp.com
HOSTNAME	xen.hill-family.us
HOSTNAME	platform.windsorbongvape.ca
IP-DST	87.249.50.201
IP-DST	91.219.236.192
IP-DST	91.219.236.202
IP-DST	184.168.131.241
IP-DST	184.168.221.18
IP-DST	72.167.106.35
DOMAIN	sikescomposites.com
DOMAIN	bootsinthebigcity.com
DOMAIN	couponbrothers.com
DOMAIN	discountshadesdirect.com
DOMAIN	bimelectrical.com
DOMAIN	setechnowork.com
DOMAIN	braprest.com
DOMAIN	pastor.com
DOMAIN	hardwarebajaar.com
DOMAIN	wasfatsahla.com
DOMAIN	technicollit.com
DOMAIN	clippershipintl.com
DOMAIN	ksplsoft.com
DOMAIN	geotypico.com
DOMAIN	bookmark-tag.com
DOMAIN	altreeservicellc.com
DOMAIN	imsensors.com
DOMAIN	propertyexpoandshowcase.com

Minimum Content Versions

Content Type	Version
V2 DAT (VirusScan Enterprise)	10339
V3 DAT (Endpoint Security)	4791

Detection Summary

IOC	Scanner	Detection
9472D4CB393256A62A466F6601014E5CB04A71F115499C320DC615245C7594D4	AVEngine V2	Generic trojan.wv
	AVEngine V3	Generic trojan.wv
	JTI (ATP Rules)	JTI/Suspect.196612!8a900862cc45
	RP Static	-
	RP Dynamic	-

IOC	Scanner	Detection
84A67F191A93EE827C4829498D2CB1D27BDD9E47E136DC6652A5414DAB440B74	AVEngine V2	Trojan-FULO!C409F9534BE5
	AVEngine V3	Trojan-FULO!C409F9534BE5
	JTI (ATP Rules)	JTI/Suspect.196612!34be19566307
	RP Static	-
	RP Dynamic	-

IOC	Scanner	Detection
CB949EBE87C55C0BA6CF0525161E2E6670C1AE186AB83CE46047446E9753A926	AVEngine V2	Trojan-FULO!365EED1BB1AF
	AVEngine V3	Trojan-FULO!365EED1BB1AF
	JTI (ATP Rules)	JTI/Suspect.196612!755f50457416
	RP Static	-
	RP Dynamic	-

IOC	Scanner	Detection
CC31C124FC39025F5C3A410ED4108A56BB7C6E90B5819167A06800D02EF1F028	AVEngine V2	Trojan-FULO!365EED1BB1AF
	AVEngine V3	Trojan-FULO!365EED1BB1AF
	JTI (ATP Rules)	JTI/Suspect.196612!3440cced6ec7
	RP Static	-
	RP Dynamic	-

IOC	Scanner	Detection
294C710F4074B37ADE714C83B6B7BF722A46AEF61C02BA6543DE5D59EDC97B60	AVEngine V2	Generic trojan.nw
	AVEngine V3	Generic trojan.nw
	JTI (ATP Rules)	JTI/Suspect.196612!076ee5595285
	RP Static	-
	RP Dynamic	-

IOC	Scanner	Detection
ED6910FD51D6373065A2F1D3580AD645F443BF0BADC398AA77185324B0284DB8	AVEngine V2	Generic Trojan.nd
	AVEngine V3	Generic Trojan.nd
	JTI (ATP Rules)	JTI/Suspect.196612!255997aaa25f
	RP Static	-
	RP Dynamic	-

IOC	Scanner	Detection
4FE551BCEA5E07879EC84A7F1CEA1036CFD0A3B03151403542CAB6BD8541F8E5	AVEngine V2	Generic trojan.px
	AVEngine V3	Generic trojan.px
	JTI (ATP Rules)	JTI/Suspect.196612!97784e623f9e
	RP Static	-
	RP Dynamic	-

IOC	Scanner	Detection
7B9091C41525F1721B12DCEF601117737EA990CEE17A8EECF81DCFB25CCB5A8F	AVEngine V2	Trojan-FULO!E6404260B4E4
	AVEngine V3	Trojan-FULO!E6404260B4E4
	JTI (ATP Rules)	JTI/Suspect.196612!f4056a6b3b36
	RP Static	-
	RP Dynamic	-

IOC	Scanner	Detection
73BAA040CD6879D1D83C5AFAB29F61C3734136BFFE03C72F520E025385F4E9A2	AVEngine V2	Trojan-FULQ!63DD2D927ADC
	AVEngine V3	Trojan-FULQ!63DD2D927ADC
	JTI (ATP Rules)	-
	RP Static	-
	RP Dynamic	-

IOC	Scanner	Detection
C3509BA690A1FCB549B95AD4625F094963EFFC037DF37BD96F9D8ED5C7136D94	AVEngine V2	Trojan-FULS!457109014255
	AVEngine V3	Trojan-FULS!457109014255
	JTI (ATP Rules)	-
	RP Static	-
	RP Dynamic	-

IOC	Scanner	Detection
A403B82A14B392F8485A22F105C00455B82E7B8A3E7F90F460157811445A8776	AVEngine V2	Trojan-FULQ!A7B671F5592E
	AVEngine V3	Trojan-FULQ!A7B671F5592E
	JTI (ATP Rules)	-
	RP Static	-
	RP Dynamic	-

IOC	Scanner	Detection
F74A32A67A94FD711DA78AF2F8F4BDB83FE7DEAA049AD11F2F980BB6E3C037A7	AVEngine V2	Trojan-FULO!C7E4751C628C
	AVEngine V3	Trojan-FULO!C7E4751C628C
	JTI (ATP Rules)	JTI/Suspect.196612!a1bf87a11666
	RP Static	-
	RP Dynamic	-

IOC	Scanner	Detection
A69CF4FA61217F8230E032089A8F56F7EBF31E4CD35124E6AD104DB86851F17F	AVEngine V2	Trojan-FULQ!51CFA7A4384A
	AVEngine V3	Trojan-FULQ!51CFA7A4384A
	JTI (ATP Rules)	JTI/Suspect.1179887!cda48fc75952
	RP Static	-
	RP Dynamic	-

IOC	Scanner	Detection
812263EA9C6C44EF6B4D3950C5A316F765B62404391DDB6482BDC9A23D6CC4A6	AVEngine V2	Trojan-FULQ!2302DE9A094E
	AVEngine V3	Trojan-FULQ!2302DE9A094E
	JTI (ATP Rules)	-
	RP Static	-
	RP Dynamic	-

IOC	Scanner	Detection
E0888B80220F200E522E42EC2F15629CAA5A11111B8D1BABFF509D0DA2B948F4	AVEngine V2	Trojan-FULS!8737C4DC92BD
	AVEngine V3	Trojan-FULS!8737C4DC92BD
	JTI (ATP Rules)	JTI/Suspect.196612!8737c4dc92bd
	RP Static	-
	RP Dynamic	-

IOC	Scanner	Detection
D08F9390FA610DC3976D309A859B9ABC8404CEE1EF8AEB886F3F9E524C1D2B9F	AVEngine V2	Trojan-FULO!91FED07FED96
	AVEngine V3	Trojan-FULO!91FED07FED96
	JTI (ATP Rules)	JTI/Suspect.196612!7ee33e00c1ca
	RP Static	-
	RP Dynamic	-

IOC	Scanner	Detection
C4520713189D27E21B0F9060BA95CBFE4F49CC0F348854F08D1ED3AA577E9BD0	AVEngine V2	Trojan-FULO!91FED07FED96
	AVEngine V3	Trojan-FULO!91FED07FED96
	JTI (ATP Rules)	JTI/Suspect.196612!1872b893256f
	RP Static	-
	RP Dynamic	-

IOC	Scanner	Detection
2EAB76F1D46BE74C68D9562B4B32C44606FA23C0D7897F9D89A3E2534BE6F2C7	AVEngine V2	Trojan-FULO!9792434C97FD
	AVEngine V3	Trojan-FULO!9792434C97FD
	JTI (ATP Rules)	JTI/Suspect.196612!9792434c97fd
	RP Static	-
	RP Dynamic	-

IOC	Scanner	Detection
4FAF362B3FE403975938E27195959871523689D0BF7FBA757DDFA7D00D437FD4	AVEngine V2	Trojan-FULQ!B921815594F3
	AVEngine V3	Trojan-FULQ!B921815594F3
	JTI (ATP Rules)	-
	RP Static	-
	RP Dynamic	-

IOC	Scanner	Detection
D3D48AA32B062B6E767966A8BAB354EDED60E0A11BE5BC5B7AD8329AA5718C76	AVEngine V2	Trojan-FULQ!51CFA7A4384A
	AVEngine V3	Trojan-FULQ!51CFA7A4384A
	JTI (ATP Rules)	JTI/Suspect.262201!c3fa9493f5bd
	RP Static	-
	RP Dynamic	-

IOC	Scanner	Detection
C9CC4D95CA1197328A743A41B09C2375D54AC97FCDDE5E07BDA660396710ECCD	AVEngine V2	Trojan-FULO!007236733E6E
	AVEngine V3	Trojan-FULO!007236733E6E
	JTI (ATP Rules)	JTI/Suspect.262201!61a5cbc68cc4
	RP Static	-
	RP Dynamic	-

IOC	Scanner	Detection
C08D467966D6CA60A68FFE1715851EEA366EED6B35E033A43437128C05D441DC	AVEngine V2	Trojan-FULO!F6C4126A7BF8
	AVEngine V3	Trojan-FULO!F6C4126A7BF8
	JTI (ATP Rules)	JTI/Suspect.196612!dc2435add53c
	RP Static	-
	RP Dynamic	-

IOC	Scanner	Detection
ACB37A4C2552AE2F9B9BBB8EBBB9A501AD6B5787E40867270D7FF3A5369E3632	AVEngine V2	Generic trojan.wv
	AVEngine V3	Generic trojan.wv
	JTI (ATP Rules)	JTI/Suspect.196612!d2ebbb1f58a8
	RP Static	-
	RP Dynamic	-

IOC	Scanner	Detection
CCCD4FB8900DF5F8939E589F4E66D6819796D84620AE97E7EFA2CFD7237B27CF	AVEngine V2	Trojan-FULO!A02156B573F2
	AVEngine V3	Trojan-FULO!A02156B573F2
	JTI (ATP Rules)	JTI/Suspect.262201!439be7e25585
	RP Static	-
	RP Dynamic	-

IOC	Scanner	Detection
CFA85CC84451B870F26515DA705783A3B0616B54CD2CE350281B3B0A3383A3E8	AVEngine V2	Trojan-FULO!A91BA8F4A339
	AVEngine V3	Trojan-FULO!A91BA8F4A339
	JTI (ATP Rules)	JTI/Suspect.196612!33209c0b6b42
	RP Static	-
	RP Dynamic	-

IOC	Scanner	Detection
EBF40E12590FCC955B4DF4EC3129CD379A6834013DAE9BB18E0EC6F23F935BBA	AVEngine V2	Trojan-FULQ!7ACFDDC5DFD7
	AVEngine V3	Trojan-FULQ!7ACFDDC5DFD7
	JTI (ATP Rules)	JTI/Suspect.1179887!cda48fc75952
	RP Static	-
	RP Dynamic	-

IOC	Scanner	Detection
5006AD8BA0CC6D68626FA7789A62F8256C5F28A7A86903B60EF203D16944DF99	AVEngine V2	Trojan-FULO!89609E0097CE
	AVEngine V3	Trojan-FULO!89609E0097CE
	JTI (ATP Rules)	JTI/Suspect.196612!ad9da7cd33eb
	RP Static	-
	RP Dynamic	-

IOC	Scanner	Detection
2AAA916D56CFE95ABB65FBC222BFDFA2B16A3FFB6660C1BDC211004302A1AEF3	AVEngine V2	Trojan-FULP!A6D49B646ED6
	AVEngine V3	Trojan-FULP!A6D49B646ED6
	JTI (ATP Rules)	JTI/Suspect.196612!70f3bf9c3136
	RP Static	-
	RP Dynamic	-

IOC	Scanner	Detection
546ACB39C89B8B72923AAC98DD68369AA4AB8440B5EA122301626C6B082F95DE	AVEngine V2	Generic trojan.wv
	AVEngine V3	Generic trojan.wv
	JTI (ATP Rules)	JTI/Suspect.196612!fd100bb027ca
	RP Static	-
	RP Dynamic	-

IOC	Scanner	Detection
E5EBB489A8AC483AD3DAF258F6FF74AE7BEC6B67B0DEB9A571F8CE90C82D7380	AVEngine V2	Trojan-FULP!1575713BC936
	AVEngine V3	Trojan-FULP!1575713BC936
	JTI (ATP Rules)	JTI/Suspect.196612!4ea49856f271
	RP Static	-
	RP Dynamic	-

IOC	Scanner	Detection
5EA74BCA527F7F6EA8394D9D78E085BED065516ECA0151A54474FFFE91664198	AVEngine V2	Trojan-FULR!36D7DA730624
	AVEngine V3	Trojan-FULR!36D7DA730624
	JTI (ATP Rules)	JTI/Suspect.196612!36d7da730624
	RP Static	-
	RP Dynamic	-

IOC	Scanner	Detection
C0F1EBCCA8A8094853AA65210DDDE80F6A9FFE7B3F2D75D5652B166722B3AA4A	AVEngine V2	Trojan-FULO!C7428D3DCBEF
	AVEngine V3	Trojan-FULO!C7428D3DCBEF
	JTI (ATP Rules)	JTI/Suspect.196612!1fc7bfc48c95
	RP Static	-
	RP Dynamic	-

IOC	Scanner	Detection
42D737487DACCF77F7C80FFD1D823BA4E51CF154E8486F420BA958E1DF2A150D	AVEngine V2	Trojan-FULO!007236733E6E
	AVEngine V3	Trojan-FULO!007236733E6E
	JTI (ATP Rules)	JTI/Suspect.196612!73fbccc25909
	RP Static	-
	RP Dynamic	-

IOC	Scanner	Detection
49BA10B4264A68605D0B9EA7891B7078AEEF4FA0A7B7831F2DF6B600AAE77776	AVEngine V2	Trojan-FULR!229A758E232A
	AVEngine V3	Trojan-FULR!229A758E232A
	JTI (ATP Rules)	JTI/Suspect.196612!229a758e232a
	RP Static	-
	RP Dynamic	-

IOC	Scanner	Detection
F6F116E43261AD432B5C5EDD44FAA01641621E9C728902053F235877FF22431D	AVEngine V2	Trojan-FULP!5C5EBB7537F3
	AVEngine V3	Trojan-FULP!5C5EBB7537F3
	JTI (ATP Rules)	JTI/Suspect.196612!ee366a16c716
	RP Static	-
	RP Dynamic	-

IOC	Scanner	Detection
E30503082D3257737BBA788396D7798E27977EDF68B9DBA7712A605577649FFB	AVEngine V2	Trojan-FULQ!3440CCED6EC7
	AVEngine V3	Trojan-FULQ!3440CCED6EC7
	JTI (ATP Rules)	JTI/Suspect.196612!3440cced6ec7
	RP Static	-
	RP Dynamic	-

IOC	Scanner	Detection
CC2FE3129D312648B6BE28E4D8046C36F19E0553283E64A4AF7CC5EFE8586C57	AVEngine V2	Trojan-FULO!3EFCD76417A1
	AVEngine V3	Trojan-FULO!3EFCD76417A1
	JTI (ATP Rules)	JTI/Suspect.196612!59c81100e3c0
	RP Static	-
	RP Dynamic	-

IOC	Scanner	Detection
3AC3FD9DE619C934B0FAD04B0384898D98CD69444DA2D2BBF3BDD6A7E922FCE2	AVEngine V2	Trojan-FULO!51C97B49AC56
	AVEngine V3	Trojan-FULO!51C97B49AC56
	JTI (ATP Rules)	JTI/Suspect.196612!5a400b8c8efe
	RP Static	-
	RP Dynamic	-

IOC	Scanner	Detection
D625D21F6AC0677CE386E09CA1D78EEFD3F223991642CABC72C756DA5EC048DC	AVEngine V2	Generic trojan.wv
	AVEngine V3	Generic trojan.wv
	JTI (ATP Rules)	JTI/Suspect.196612!233dcc3ed90d
	RP Static	-
	RP Dynamic	-

IOC	Scanner	Detection
EFBFFC6D81425FFB0D81E6771215C0A0E77D55D7F271EC685B38A1DE7CC606A8	AVEngine V2	Trojan-FULS!FFF8792DDF96
	AVEngine V3	Trojan-FULS!FFF8792DDF96
	JTI (ATP Rules)	JTI/Suspect.196612!fff8792ddf96
	RP Static	-
	RP Dynamic	-

IOC	Scanner	Detection
72C410EEA75347E8C5BD7E1CB6AE7D1DD0EC5C73DD7B53BC8C2155CBD3E60961	AVEngine V2	Trojan-FULO!8D3FE6001F72
	AVEngine V3	Trojan-FULO!8D3FE6001F72
	JTI (ATP Rules)	JTI/Suspect.196612!53ed259569d5
	RP Static	-
	RP Dynamic	-

IOC	Scanner	Detection
B062DD516CFA972993B6109E68A4A023CCC501C9613634468B2A5A508760873E	AVEngine V2	Trojan-FULR!3C5C693BA9B1
	AVEngine V3	Trojan-FULR!3C5C693BA9B1
	JTI (ATP Rules)	JTI/Suspect.196612!3c5c693ba9b1
	RP Static	-
	RP Dynamic	-

IOC	Scanner	Detection
6098371970CCF86AA5E70EBFE4F0622CDC2E2AE19FB85B17F6CB79BDE981EA0B	AVEngine V2	Trojan-FULO!9792434C97FD
	AVEngine V3	Trojan-FULO!9792434C97FD
	JTI (ATP Rules)	JTI/Suspect.196612!9792434c97fd
	RP Static	-
	RP Dynamic	-

IOC	Scanner	Detection
B959B003C1E558FF0CCF1D0F96509B155D6F86EB20CAA97B470F3422494D8D74	AVEngine V2	Trojan-FULO!6F522C8DA98B
	AVEngine V3	Trojan-FULO!6F522C8DA98B
	JTI (ATP Rules)	JTI/Suspect.196612!9dbbbe699a03
	RP Static	-
	RP Dynamic	-

IOC	Scanner	Detection
94646F971C52C5725A7872006C9C80B10271A838D87F20C85247C357F6EC35EB	AVEngine V2	Trojan-FULO!90512C79F23B
	AVEngine V3	Trojan-FULO!90512C79F23B
	JTI (ATP Rules)	JTI/Suspect.1179887!cda48fc75952
	RP Static	-
	RP Dynamic	-

IOC	Scanner	Detection
B91EB833DE386EA3D73D2954F0DCE9FE38E4BF96594620AF6C0935B9EE0D7E81	AVEngine V2	Trojan-FULO!672780F51DCA
	AVEngine V3	Trojan-FULO!672780F51DCA
	JTI (ATP Rules)	JTI/Suspect.196612!fb22207876c2
	RP Static	-
	RP Dynamic	-

IOC	Scanner	Detection
722E75932C75A37BB9B616093C77611433DA35236182615162CB4C9D6FAB34F0	AVEngine V2	Trojan-FULP!FEF99673D4EA
	AVEngine V3	Trojan-FULP!FEF99673D4EA
	JTI (ATP Rules)	JTI/Suspect.196612!a5f72ee6d549
	RP Static	-
	RP Dynamic	-

IOC	Scanner	Detection
E7A070ADB5D238CCD7DAA249F26516E2BDBF72E1E866D54189E96272117720C0	AVEngine V2	Trojan-FULO!6A1123558097
	AVEngine V3	Trojan-FULO!6A1123558097
	JTI (ATP Rules)	JTI/Suspect.196612!052aa1baa94c
	RP Static	-
	RP Dynamic	-

IOC	Scanner	Detection
96823BB6BEFE5899739BD69AB00A6B4AE1256FD586159968301A4A69D675A5EC	AVEngine V2	Trojan-FULS!3E0FE537124E
	AVEngine V3	Trojan-FULS!3E0FE537124E
	JTI (ATP Rules)	JTI/Suspect.196612!3e0fe537124e
	RP Static	-
	RP Dynamic	-

IOC	Scanner	Detection
84B2D16124B690D77C5C43C3A0D4AD78AAF10D38F88D9851DE45D6073D8FCB65	AVEngine V2	Trojan-FULQ!E41379630DAF
	AVEngine V3	Trojan-FULQ!E41379630DAF
	JTI (ATP Rules)	JTI/Suspect.196612!7d96d4b85486
	RP Static	-
	RP Dynamic	-

IOC	Scanner	Detection
8E6C0D338F201630B5C5BA4F1757E931BC065C49559C514658B4C2090A23E57B	AVEngine V2	Trojan-FULQ!642AA70B188E
	AVEngine V3	Trojan-FULQ!642AA70B188E
	JTI (ATP Rules)	JTI/Suspect.196612!642aa70b188e
	RP Static	-
	RP Dynamic	-

IOC	Scanner	Detection
EBA37E8CEA693569462061FBC0A82C609E4E855C827A6228BABCDF798C3C9885	AVEngine V2	Trojan-FULP!17583622C57D
	AVEngine V3	Trojan-FULP!17583622C57D
	JTI (ATP Rules)	JTI/Suspect.196612!af4ea89297f2
	RP Static	-
	RP Dynamic	-

IOC	Scanner	Detection
D439F941B293E3DED35BF52FAC7F20F6A2B7F2E4B189AD2AC7F50B8358110491	AVEngine V2	Trojan-FULQ!E000FFF91EF8
	AVEngine V3	Trojan-FULQ!E000FFF91EF8
	JTI (ATP Rules)	JTI/Suspect.196612!d46109be314b
	RP Static	-
	RP Dynamic	-

IOC	Scanner	Detection
49925637250438B05D3AEBAAC70BB180A0825EC4272FBE74C6FECB5E085BCF10	AVEngine V2	Trojan-FULQ!74E595A993FF
	AVEngine V3	Trojan-FULQ!74E595A993FF
	JTI (ATP Rules)	-
	RP Static	-
	RP Dynamic	-

Minimum set of Manual Rules to improve protection to block this campaign:

IMPORTANT: Always follow best practices when you enable new rules and signatures.

When you implement new rules or signatures, always set them to Report mode first and check the alerts generated. Resolve any issues that arise and then set the rules to Block. This step mitigates against triggering false positives and allows you to refine your configuration.

For more information, see KB87843 - List of and best practices for Endpoint Security Dynamic Application Containment rules.

Endpoint Security - Advanced Threat Protection:

Rule ID: 239 Identify suspicious command parameter execution
Rule ID: 57 Use GTI file reputation to identify files that Might be Trusted or Might be Malicious
Rule ID: 4 Use GTI file reputation to identify trusted or malicious files

Endpoint Security - Exploit Prevention:

Rule ID: 6086 PowerShell Command Restriction - Command
Rule ID: 6113 T1055 - Fileless Threat: Reflective Self Injection
Rule ID: 8004 Fileless Threat: Malicious PowerShell Behavior Detected
Rule ID: 6081 PowerShell Command Restriction - NoProfile
Rule ID: 6083 PowerShell Command Restriction - NonInteractive
Rule ID: 6143 T1003 - Attempt to Dump Password Hash from SAM Database
Rule ID: 6127 Suspicious LSASS Access from PowerShell
Rule ID: 6135 Unmanaged PowerShell Detected
Rule ID: 6070 Hidden PowerShell Detected

Host Intrusion Prevention:

Rule ID: 6113 T1055 - Fileless Threat: Reflective Self Injection
Rule ID: 6081 PowerShell Command Restriction - NoProfile
Rule ID: 6083 PowerShell Command Restriction - NonInteractive
Rule ID: 6070 Hidden PowerShell Detected
Rule ID: 6135 Unmanaged PowerShell Detected

Aggressive set of Manual Rules to improve protection to block this campaign:

IMPORTANT: Always follow best practices when you enable new rules and signatures.

When you implement new rules or signatures, always set them to Report mode first and check the alerts generated. Resolve any issues that arise and then set the rules to Block. This step mitigates against triggering false positives and allows you to refine your configuration.

For more information, see KB87843 - List of and best practices for Endpoint Security Dynamic Application Containment rules.

VirusScan Enterprise - Access Protection Rules:

Prevent creation of new executable files in the Windows folder

Host Intrusion Prevention:

Rule ID: 6011 Generic Application Invocation Protection
Rule ID: 2806 Attempt to create a hardlink to a file
Rule ID: 1020 Windows Agent Shielding - File Access
Rule ID: 1148 CMD Tool Access by a Network Aware Application
Rule ID: 6010 Generic Application Hooking Protection

Endpoint Security - Access Protection Rules:

Creating new executable files in the Windows folder

Affected Products

MVISION Insights

Knowledge Center

MVISION Insights: SocGholish and BLISTER loaders dropping LockBit Ransomware

Environment

Summary

Affected Products

Title

Title

Knowledge Center

MVISION Insights: SocGholish and BLISTER loaders dropping LockBit Ransomware

Environment

Summary

Affected Products

Choose your region

Title

Title