Bank_Security

New campaign that delivers Ursnif

Jan 25th, 2019
AMP tracks new campaign that delivers Ursnif

Malicious documents (SHA256):

db7f0dab70e1da8ef7a6a6d938531f2a6773c0c5f925f19874fd3e764aa45833
e58827967cba544cc1db3d751095878115f4247982fb514bbd7b98bced8de6c0
3846fe442df0175461081dd63299144a233debbd2453deeeb405126042ef72d1
982cf7af71d0fe54cbdfac74fd2985c48a011e6ffffe65012ee4496bb669b321
cbc10db9d7609e548e550e79f45940125895374b9a97e133020d5585bfd183ed
2dbd942ac2f0b92d497fa6595f638cbddc24eab8beffb7cc648a91d65b45fa09
38c459e56997e759ca680f88aae4428d9c76e9fae323b4d2238adf203036007c
153c191ef4afd3eba9df89150ac728757efcba1293716c23f019e35270a388c4
95f5f2ecdce872f5b96739f548e4b73bb8b7a2c11c46cfddf3e20fd04abfc091
1cf5de71d51d2769079a8cb64e05f80e72e88846987602ad7302478c0d574caa
c9f42b866fc203b4cd9d09cfcb0f8fca41097548393c15adb0557652526d818a
ba332017cbf16842170788f5688e3b8a79c821ef1331e428d77af238c379be4f
b278b0e63acbbb92396da41bffb99b9ef09dff1b1b838f69e29245c6731269f7
b6837f46124a360ffff235824cc1decda2b97d6daf73e80f3615bce7781a86aa
12e3140656d7df63a1c444b0ebdae75039a18799e2ebd03a80eeb26ce5dbb66c
d3383c7ee9704b51b302d7e611214a78050fcc7ad0969682355894af58f63cdf
3eff10af3f2afbcf59d5cf77f470abe3cfafbe48255e7f6ea56a22608e332824
ad87dcc617e9914e28f76d071b586ac2cca9454078f3141c17e0102c9e2eebaa
65f81148184a7ec71a43e9cd50e1267ab3fc64f3ef5f41f9da8bd74000baad30
f7cc1b8f93831f7170e5317b5b79aaa9ceb2bc6724f21bc4e2c6cccb71655624
d08e92af78cbf7049e8a9ca7b6ab61e8dc42729848e73b980b7cf5ac74d505af
1b0b9cfaa78fac0875d10d087b8354d52bffb1f576eec7d49acab9d3394ccd9a
d48f2cb5cc595f5cea29b7fd2bd8463fdfaf980c48792294ebb4c798516a7eae
5a739f018675094baf0b61ff8462b1c946410f4776be877719cb20f9a9c16dfd
d53ace589ad1a39487f36dd3e516ac2a5af0aec521f28c5b78b3a47636cfb068
0778ef085fdebd39856ebfa4bf1203dcb7ee59fa4fc82a71a2ef3a949143c543
4ffe626708fa6a2d76366a962359658e0d919544260aa2179727964c34e12080
4dedf0b96b253b8fc15b007e4f61eb85d0345ef19f5a1fc6ea0772614375f606
f3c7d7c0e71d15dc03614964c887a2459bd0ae4a97a324018a97dff27608e4b2
8b73b12aad16a58d07048a307a7a558755d0f5ca369dbee8b808a9d9c941a25d
a2ae329bf70c24e4380d6133a4c02127e09597111e4edfd7808aa471450d2332
001f52a0fa8d4abe34bfff6c96b423435c0ad3e06d40ece228fe2db3bc0d1067
b4b56db2ce95d52b018edee05f996a1b5ae11a289979e984157a0efb7bbbc9b9
617f1260e18929704c0ef45dae5eee7b9690b7a95f66e76ac00cf9dd2fca465b
c283c26a991fd3599e8fd91bf059c2dbb07d3d630caf699531c48737faedc325
447f249e60df0324f74a40a4b35f432b2e19f801ce2d4d6efa126a6841836b11
d7aeacb2b12cef81315a64670a27575d84ac1af4541000d0093fdb3676afc515
d200cbc2b28811bf4762d664a4b3f9f58f6b20af03981910dc2317751f91027d
b409ee2691e7b2d2598cd01ac28a0914d4778da8d8b7a62d2f78492b14790917
e95af1012346ab3edbb365f3463bd060bfa7f194b7c68c8e680dfbde43c57eb7
015e2b8de525789f551abb4af169ad914f218fb07df2496c6f23d51d6a711688

C2 server domains (defanged with [.]):

levocumbut[.]com
rapworeepa[.]com
wegatamata[.]com
roevinguef[.]com
pivactubmi[.]com
biesbetiop[.]com
navectrece[.]com
yancommato[.]com
dewirasute[.]com
ptyptossen[.]com
mochigokat[.]com
tubpariang[.]com
zardinglog[.]com
abregeousn[.]com
aplatmesse[.]com
abeelepach[.]com
teomengura[.]com
allooalel[.]club
nublatoste[.]com
ledibermen[.]com
lootototic[.]com
acnessempo[.]com
usteouraph[.]com
izzlebutas[.]com
sfernacrif[.]com
isatawatag[.]com
duenexacch[.]com
kyllborena[.]com
bawknogeni[.]com
kicensinfa[.]com
uvuladitur[.]com

Files dropped:

Note that the filenames are hardcoded in the first PowerShell command executed and vary by sample; each is a short hexadecimal string (eight hex digits or fewer) written under %AppData%. These indicators aren't necessarily malicious on their own, since a filename can collide with a benign one. Found together with the document hashes or C2 domains above, they very likely indicate an Ursnif infection.

%AppData%/137d1dc1.exe
%AppData%/1688e8b.exe
%AppData%/1bdf65af.exe
%AppData%/1cf8f7bb.exe
%AppData%/2662438a.exe
%AppData%/284ca7b3.exe
%AppData%/31d073c1.exe
%AppData%/3209f93c.exe
%AppData%/3d4480c4.exe
%AppData%/3fabbd27.exe
%AppData%/40dc969c.exe
%AppData%/4d46c42f.exe
%AppData%/530ddba6.exe
%AppData%/56ef205c.exe
%AppData%/58b00f30.exe
%AppData%/58f9603c.exe
%AppData%/60404124.exe
%AppData%/62574d8.exe
%AppData%/6420f61f.exe
%AppData%/6aad9e36.exe
%AppData%/6ed4c1be.exe
%AppData%/71bdcc14.exe
%AppData%/75e1d341.exe
%AppData%/7bc0a512.exe
%AppData%/7df15b.exe
%AppData%/8428791f.exe
%AppData%/8c1d4ca.exe
%AppData%/8d04e64a.exe
%AppData%/97729da0.exe
%AppData%/97979225.exe
%AppData%/9835041d.exe
%AppData%/9eb826ef.exe
%AppData%/a54ab0bc.exe
%AppData%/a9f1df84.exe
%AppData%/aa5cc687.exe
%AppData%/af74ae98.exe
%AppData%/b034a4.exe
%AppData%/bb5144e8.exe
%AppData%/c1a17119.exe
%AppData%/cbd42398.exe
%AppData%/cf63b795.exe
%AppData%/d5e1b91a.exe
%AppData%/da0170a9.exe
%AppData%/def4b6bf.exe
%AppData%/e199be3d.exe
%AppData%/e5920466.exe
%AppData%/e7972c72.exe
%AppData%/f005cb48.exe
%AppData%/f0107edb.exe
%AppData%/f2134754.exe
%AppData%/fa408793.exe
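The caveat about dropped-file names calls for a matching rule that treats the three indicator types differently. The script below is an added example for this paste, not AMP or Talos tooling: it refangs the C2 domains, counts document-hash and DNS matches as strong evidence, counts dropped-file paths (a listed name, or any file following the same %AppData%\<hex>.exe naming scheme) as supporting evidence only, and reports a verdict from that. The host telemetry, the subset of indicators embedded, and the confidence rules are this example's own assumptions.

```python
"""Match host telemetry against the Ursnif indicators listed above.

Added example for this paste; it is not AMP/Talos tooling. The telemetry
records below are constructed, and the confidence rules are this example's
own reading of the note about filename collisions.
"""
import re
from dataclasses import dataclass, field
from typing import Iterable

# Indicators copied from the lists above (a subset, to keep the example short;
# load the full lists when using this for real).
DOC_SHA256 = {
    "db7f0dab70e1da8ef7a6a6d938531f2a6773c0c5f925f19874fd3e764aa45833",
    "e58827967cba544cc1db3d751095878115f4247982fb514bbd7b98bced8de6c0",
    "015e2b8de525789f551abb4af169ad914f218fb07df2496c6f23d51d6a711688",
}
C2_DEFANGED = ["levocumbut[.]com", "rapworeepa[.]com", "allooalel[.]club"]
DROPPED_NAMES = {"137d1dc1.exe", "62574d8.exe", "7df15b.exe"}


def refang(domain: str) -> str:
    """Undo the paste's '[.]' defanging so the value compares against DNS logs."""
    return domain.replace("[.]", ".").strip().lower()


C2_DOMAINS = {refang(d) for d in C2_DEFANGED}

# The dropped-file names are 1-8 hex digits under %AppData% (expanded on a
# real host to ...\AppData\Roaming). Matching the scheme, not just the listed
# names, widens coverage, but a hit on this alone is weak evidence.
APPDATA_HEX_EXE = re.compile(
    r"(?i)(?:%appdata%|[\\/]appdata[\\/]roaming)[\\/]([0-9a-f]{1,8})\.exe$"
)


@dataclass
class Triage:
    strong: list = field(default_factory=list)  # hash / C2 hits: malicious on their own
    weak: list = field(default_factory=list)    # filename hits: need corroboration

    @property
    def verdict(self) -> str:
        if self.strong:
            return "likely Ursnif"
        if self.weak:
            return "filename match only; corroborate before acting"
        return "no IOC match"


def triage_host(file_hashes: Iterable[str], dns_queries: Iterable[str],
                file_paths: Iterable[str]) -> Triage:
    """Apply the indicators with the page's own caveat: a dropped-file name
    is supporting evidence, never a verdict by itself."""
    t = Triage()
    for h in file_hashes:
        if h.lower() in DOC_SHA256:
            t.strong.append(f"document hash {h[:12]}...")
    for q in dns_queries:
        q = q.rstrip(".").lower()
        if q in C2_DOMAINS or any(q.endswith("." + d) for d in C2_DOMAINS):
            t.strong.append(f"C2 lookup {q}")
    for p in file_paths:
        m = APPDATA_HEX_EXE.search(p)
        if not m:
            continue
        name = m.group(1).lower() + ".exe"
        kind = "listed" if name in DROPPED_NAMES else "same naming scheme"
        t.weak.append(f"{kind}: {p}")
    return t


# Constructed telemetry for three hosts (not real data).
HOSTS = {
    "wks-01": dict(
        file_hashes=["DB7F0DAB70E1DA8EF7A6A6D938531F2A6773C0C5F925F19874FD3E764AA45833"],
        dns_queries=["levocumbut.com."],
        file_paths=[r"C:\Users\alice\AppData\Roaming\7df15b.exe"],
    ),
    "wks-02": dict(  # only a look-alike file: could be a benign collision
        file_hashes=[],
        dns_queries=["update.example.com"],
        file_paths=[r"C:\Users\bob\AppData\Roaming\deadbeef.exe"],
    ),
    "wks-03": dict(file_hashes=[], dns_queries=["example.com"],
                   file_paths=[r"C:\Program Files\Tool\tool.exe"]),
}


def triage_all(hosts=HOSTS) -> dict:
    return {name: triage_host(**rec) for name, rec in hosts.items()}


if __name__ == "__main__":
    for name, t in triage_all().items():
        print(f"{name}: {t.verdict}; strong={t.strong}; weak={t.weak}")
```

Only wks-01 is called Ursnif: it has a known document hash and a C2 lookup, and the dropped file merely corroborates. wks-02 has only a file that fits the naming scheme, so it is flagged for follow-up rather than declared infected, which is exactly the distinction the note above asks for.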