2019-03-05 and 06: malware from malspam pushing Ursnif/Gozi

malware_traffic, Mar 6th, 2019 (edited)

EXAMPLES OF SHA256 HASHES FOR ASSOCIATED WORD DOCS WITH MACROS:

1022c65615fa34947847ed76fc0fcc6f32c0f53c6a3fbab5cc7d05955216da55
1334b8b21c911ebf226d9757d1468dbf000ec62de114cfe59a79ec30735bcb1c
2052343e468a67f6d8bae96b93299a99141937c535d0a7c2b45fbc48221c5951
2b1b6402200f2c5fdb12b5df1927177db9be8e7374c497ac31848b2c4a01714a
48a99d007f50db9e00f64cc4176618c619af0c48eab602c833db4277d4b215c7
564328a57f35e0d93d102ec34e084a4d2e458540ca25be4744aed85469e5432b
569a8cd62c3aa8162189901bae682998548317094a670cd7c9fb9365fc4c5a97
73c89f03c3ff997fdd2825cca0c721e72d1082b26c018e150f12b5cefe677782
9548cdc40e0d16eae2e0f9969dd861bb37654f7b6d2dc5ca0faadf6b0599d221
a8023050e5e22c284597784f8b7f1c3f2a4913fe932cc13a9c1442012d15718f
ac4cf830907382507f97e241a8ca9ae39c3dba5ee5f435ee6cec8147364cabdd
b23191a23277e3a22b8912d7bb95c83cee0ded5252ad2e9ec028ca9714da52b8
b4cc5702a9ace666880377838ec6d679866665c2055bf6e7cdd0708a344b7a78
b819e5a71bbd81af0221a482446890c280ce0be57d9b911a3912434b829cbf6d
c206f21571bb807783aabfe1fff0a203490da4e7667e469dca777049b6d3e180

EXAMPLES OF SHA256 HASHES FOR ASSOCIATED XML DOCS WITH MACROS:

20606803947ff3829a2c597f8c1b4de9017c3c834f9d0843d93d8264104f9322
724bcde664d8c90357808566e5a405b1a12ecf54ef098b223dfa13b6b6e24246
b0cbf0627c5dd1b6024cfaee94609bfe10c311d0f81392986d5b42163e1701d4

URLS FOR URSNIF/GOZI CAUSED BY MACROS:

- 46.29.165[.]85 port 80 - hkristinah[.]city - GET /hssuwpqksm/o.php?l=mxap1.bz2  (up to mxap15.bz2)
- 46.29.165[.]85 port 80 - liumelvin89oayy[.]email - GET /hssuwpqksm/o.php?l=mxap1.bz2  (up to mxap15.bz2)
- 89.223.90[.]27 port 80 - v73adrian79[.]company - GET /hssuwpqksm/o.php?l=koagura1.bz2  (up to koagura15.bz2)
- 89.223.90[.]27 port 80 - xe7nikkij[.]email - GET /hssuwpqksm/o.php?l=koagura1.bz2  (up to koagura15.bz2)
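Detection logic for the four URL indicators above, as an added example that is not part of the original post. It parses the published lines as they stand (defanged with "[.]"), expands the "(up to ...15.bz2)" note into a matcher for the whole stage range, and then runs that over proxy log lines. The log lines and their "<time> <src_ip> <dst_ip>:<dst_port> <host> <method> <uri>" layout are my construction for this example; adapt the split to whatever your proxy actually writes.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# The four URL indicators above, copied as published (defanged with "[.]").
URL_IOCS = """\
- 46.29.165[.]85 port 80 - hkristinah[.]city - GET /hssuwpqksm/o.php?l=mxap1.bz2  (up to mxap15.bz2)
- 46.29.165[.]85 port 80 - liumelvin89oayy[.]email - GET /hssuwpqksm/o.php?l=mxap1.bz2  (up to mxap15.bz2)
- 89.223.90[.]27 port 80 - v73adrian79[.]company - GET /hssuwpqksm/o.php?l=koagura1.bz2  (up to koagura15.bz2)
- 89.223.90[.]27 port 80 - xe7nikkij[.]email - GET /hssuwpqksm/o.php?l=koagura1.bz2  (up to koagura15.bz2)
"""

IOC_LINE = re.compile(
    r"^- (?P<ip>\S+) port (?P<port>\d+) - (?P<host>\S+) - GET (?P<uri>\S+)"
    r"\s+\(up to (?P<last>\S+)\)\s*$"
)
# Stage file names look like <stem><n>.bz2, e.g. mxap1.bz2 ... mxap15.bz2
STAGE_NAME = re.compile(r"^(?P<stem>[A-Za-z]+)(?P<n>\d+)\.bz2$")


def refang(s: str) -> str:
    """Turn the published 'a[.]b' form back into a real host/IP for matching."""
    return s.replace("[.]", ".")


@dataclass(frozen=True)
class UrlIoc:
    ip: str
    port: int
    host: str
    path: str   # e.g. /hssuwpqksm/o.php
    stem: str   # e.g. mxap
    first: int  # lowest stage index in the published range (1)
    last: int   # highest stage index in the published range (15)

    def matches_uri(self, uri: str) -> bool:
        """True when uri is <path>?l=<stem><n>.bz2 with first <= n <= last."""
        path, _, query = uri.partition("?")
        if path != self.path or not query.startswith("l="):
            return False
        m = STAGE_NAME.match(query[2:])
        return bool(m) and m.group("stem") == self.stem and self.first <= int(m.group("n")) <= self.last


def parse_url_iocs(text: str) -> List[UrlIoc]:
    """Parse the '- IP port N - host - GET uri  (up to name.bz2)' lines into UrlIoc records."""
    iocs: List[UrlIoc] = []
    for line in text.splitlines():
        m = IOC_LINE.match(line)
        if not m:
            continue  # blank or free-text line
        path, _, query = m.group("uri").partition("?")
        first = STAGE_NAME.match(query[2:]) if query.startswith("l=") else None
        last = STAGE_NAME.match(m.group("last"))
        if not (first and last) or first.group("stem") != last.group("stem"):
            raise ValueError(f"unexpected stage-file pattern: {line}")
        iocs.append(UrlIoc(
            ip=refang(m.group("ip")), port=int(m.group("port")), host=refang(m.group("host")),
            path=path, stem=first.group("stem"),
            first=int(first.group("n")), last=int(last.group("n")),
        ))
    return iocs


# Constructed proxy log (not from the original post), one request per line in an
# assumed "<time> <src_ip> <dst_ip>:<dst_port> <host> <method> <uri>" layout.
SAMPLE_LOG = """\
2019-03-06T14:02:11Z 10.0.0.21 46.29.165.85:80 hkristinah.city GET /hssuwpqksm/o.php?l=mxap1.bz2
2019-03-06T14:02:13Z 10.0.0.21 46.29.165.85:80 hkristinah.city GET /hssuwpqksm/o.php?l=mxap9.bz2
2019-03-06T14:02:19Z 10.0.0.21 46.29.165.85:80 hkristinah.city GET /hssuwpqksm/o.php?l=mxap16.bz2
2019-03-06T14:05:40Z 10.0.0.33 93.184.216.34:80 example.com GET /index.html
2019-03-06T14:07:02Z 10.0.0.45 89.223.90.27:80 xe7nikkij.email GET /hssuwpqksm/o.php?l=koagura15.bz2
2019-03-06T14:09:55Z 10.0.0.45 89.223.90.27:80 some-other-host.test GET /favicon.ico
"""


def scan_log(iocs: List[UrlIoc], log_text: str) -> List[Tuple[str, str, str, List[str]]]:
    """Return (time, src_ip, host, matched) for every line that touches a listed host or IP.
    'matched' lists which indicators fired: 'host', 'ip', and 'uri' when the request
    also fits the stage-file pattern within the published range."""
    by_host: Dict[str, UrlIoc] = {i.host: i for i in iocs}
    by_ip: Dict[str, List[UrlIoc]] = {}
    for i in iocs:
        by_ip.setdefault(i.ip, []).append(i)
    hits: List[Tuple[str, str, str, List[str]]] = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue  # not in the assumed layout
        ts, src, dst, host, method, uri = parts
        dst_ip, _, _dst_port = dst.rpartition(":")
        matched: List[str] = []
        if host in by_host:
            matched.append("host")
        if dst_ip in by_ip:
            matched.append("ip")
        candidates = by_ip.get(dst_ip, []) + ([by_host[host]] if host in by_host else [])
        if method == "GET" and any(i.matches_uri(uri) for i in candidates):
            matched.append("uri")
        if matched:
            hits.append((ts, src, host, matched))
    return hits


if __name__ == "__main__":
    for hit in scan_log(parse_url_iocs(URL_IOCS), SAMPLE_LOG):
        print(hit)
```

The hit records separate the three indicator types on purpose: the IP and domain matches are only good for the few days this infrastructure was live, while the "/hssuwpqksm/o.php?l=<stem><n>.bz2" shape is what you would carry forward into a looser URI rule once the hosts rotate. A request to a listed IP under an unlisted Host header (the last sample line) is still reported, since the same server was used for several domains.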

EXAMPLES OF SHA256 HASHES FOR FOLLOW-UP URSNIF/GOZI EXE:

02b4cab8bf05d48cea63e40af44991c9985763fb8175411c69380730984f8631
06243684f00de6c618dfc851c783033f3657043529b278f175fd82a5520d785d
06e65ed65e62067c1913af3eda0117157251b9de454f465b19115afb25285150
0937c16bc256ec992913ca949fa1310c984d3b523a62ad0ce7595a0ffa82910e
0bab4ce13b8896f805841c97754b1cd6451468d0d29cec3c700678147947aef2
1411344d63ba80d718a6a98a1de0354aa4ce8ce91257a4408ef81d3fc9542cc0
14641b7be9df7b04a7f5060c95e799e03d625d51eabbd9b105e5195408570ec4
24357b663f5e2eb60aeb28840da94008c521bd8cd1c042725abb3fa165229754
279e3b322b88bd08a4d3d2b9b01505f97b0de82e71bfa90463e0f33baeb0c299
27da297ad66f7ab09ab4b5c2e3eb7209b04a50c9fe936f732587141e06ca2635
2a4433975b598054944e1af3d559db223f4fd92030456caeb14c00f32f4401f5
331fee4f87aa24f9bbe2f96319632e5ec9484f568073eff3d4037f295cb941b5
3700397d30aeae3dce64cd86c1e036ce8feaa3c5f4c779d19b93c1649c967a4e
38e4a44e022ede5d27eed27d251dc54a7ffddd830906bf7dde863116c721563e
391428aa95ce2059671335fdf617360c274a73e7b6575a4b5cd9164fef27acdc
3b05e754fd59194fd8b5158d1df4a86249c10204444048527846ff8888c9badd
3d96419d4c307864a79a39772785a9c8f4b655d92ffeabc27d6cb9ad728485fc
4274124b1b9e95d24167a5c49bac9c376d2d3f368471981a2ab64a79d4ea5587
4554d84be9d973ec89767a7095040da1121e337959f34f9aa42825d4268ee283
47a2a72efbd28ac7df1ef0ce71cbefbdd4677a9d8fb862b84471be1e1c931ad4
4c1021ca411f11c58fc3d16e43a24d4842c5dd5d27939fb88aebcef785796c1e
4d98d60093f1bd12c7abc8f6b08ba4341522a147bc40233363de55804fb6ec74
4e755ac584a5537c491ee133aeea4289ca2942456aa18c710391fb0f92acf4d9
4f6b9f7600098121489c3f053a63ed85a0fe49a899d513c38888588369259b9d
58dad0d5e05f6d61c75b17cf580eb64c93b578c1d578d3239513618f2d241dbb
59c8147ea2b258f8d212dc7b5f963adc1e1f25495fc5f2c30bbf459af7e0c67f
59edc52658004655281d116ba63fb86e1f4e4cb539483832624555adfc268b9c
5b2a51c737f0c6d74ebd4d199ea03e3c699a7a74e445bfaebb6fcfa2b50d7069
5d7aaa2a436a7b97bcd80caf228c5184341d8fecc0bf46e58d5387618bb200ce
61a7617b332de0bf083d847fb95503bc5b4c5620750c39f8be7b6f1b56db3fd6
670e0d46859e3243625f9d0057b168f893c8cde9d222c197eee715342e79ca04
6c246e9f47a5ead5bfad7f62c776fc228574f18515d68dc92d1b3a5e1b8bd7f5
7435082d61ce50440c6c5ff63082cbf56d1139a71fb4499d289b99f28c6c9a15
74743be3a5dae53e61aa5d189c47c827197b29d1f0ee5563b91868d7984dff27
79326f02fc0e3fa9d57f0880b8ce1ff38df48dc8f9a278e017ebad658e0d782a
7bd10cf93053f31c554cbc1fd23b9b2d371491a64db0e11d77b1b9c5c6adb25b
81e754d96064990f3f0f71f1993ef2549c0ca9f65e09798ba1369ef39788751b
872252ab5b2b2b125bf53011469fb563a8dd06c9d55416546fe9e82857fa376e
95a1805c45668779cf0793e4ebb2a5cfdce779c0f87bb5b9a8296171b34fae9f
96e6425f90c8b8ba1a8f9b43fe42d127aa314ec827f96069b81d4f3625118690
9779dc58dd04accfddb931928d3fd214389b1b8871ce0dc8d6323800c0bd26f4
a2bf302d6ca0a06ff9fb1b625ecbd05fee3fe46a9eba7ad674d7ccc3dde26f31
a3d4cae9f295728f57d79a4b6c1655cad455772fcaf06a8427a06e5ec3300aee
ae3ff84eb528fd23baa040fef6eee2ee1b40acd26f77b481c22ff3e871e93728
ae5639d803ce7e5193d59f2d1d861ec813be641d1b328ebe88050edbfc4c8ee7
af9e4591744117eb9a86f5877d818f2a685f3ba9d47bba593d6014005a0d194e
b1b4fd251c1b080a88ca6a74d421a8b055674da546e26936062c607142908d93
b205069799a5c0e894a21982a13f9b3773fa98eaf25e502668192d77a9479335
b650058eda36f87916e616cc1ffd21b4200719e4c95a1c06aed7dbc8839eb30d
b814384063ec1b52de4097687be26d1d9f1350fcc50b3f70fdf758d01eb5a615
b937c6caa11891423f0c8c70d23b9c52e8a0e5571f172c9076cc48a0019234b0
bb4e404bd278a4d06c666dbc29aff7b04092c96aa62c0c99dda1abb0107c2c6a
cc6f41cda64e9728689127c57a1f12c2d71d8a6841ffbf79ef0d63cfb58bc301
dafc28a58d6c829ec203c0a9b30f6631c30ced1e1324c8cfcd5db3222203bf1b
e308a457dc786f31b6a1c53a38d2a09ab38e43b01d3cb7729dffb524f43da56c
e547ddb18dd4c7797c9e89630c175b3e986d728300ec6b2e984be4262a4f665e
e643e3936816130ea1415b4eaeb86833b412837985d8e1da87459d2cfef8defb
f52e4f5da6e53a3221a1d8ca63b8261075b919c26a7c25a1065ba4570f4c90eb
f8d9600b699f5ce999bbe223b9a0a3446343bde79daeef48e5deadcb8f913689
f922575fef0258c122ae793eb74496eb12faf7c091cbdd39c0ee6396c96b66d9

SANDBOX ANALYSIS FOR ONE OF THE WORD DOCS:

- https://app.any.run/tasks/6a2644b1-51ec-4702-8eb7-ec9a4b04c41e
- https://cape.contextis.com/analysis/43022/
- https://www.reverse.it/sample/1022c65615fa34947847ed76fc0fcc6f32c0f53c6a3fbab5cc7d05955216da55

SANDBOX ANALYSIS FOR ONE OF THE EXE FILES:

- https://app.any.run/tasks/243cdc24-35fb-46dd-a4b4-a354cf871eab
- https://cape.contextis.com/analysis/43026/
- https://www.reverse.it/sample/02b4cab8bf05d48cea63e40af44991c9985763fb8175411c69380730984f8631