2020-03-13_Japanese-reply-chain-mail-with-ursnif

1. #2020-03-13_Japanese-reply-chain-mail-with-ursnif
2.  
3. [maldoc sample]
4. info_03_13.doc
5. 03c815f9bfa9075772d7999072afd832
6. https://app.any.run/tasks/a8c4625c-e745-48e0-984a-2be782514538/
7. 2a489114b3fe3ce082f8e5dfa2065817
8. https://app.any.run/tasks/e469daeb-41fd-4e31-8685-21870929cd13/
9. #downloader
10.  
11. [Payload URL]
12. hxxp://netfletdriold[.]com/f64bj/jtrhs.php?l=ghsX.cab
13. hxxp://netretgidare[.]com/f64bj/jtrhs.php?l=ghsX.cab
14. # X : 1-3
15.  
16. [Payload sample]
17. 12345.dll
18. 4fb50ab9a84f1720f1ca173386f9338d
19. https://app.any.run/tasks/dd3ee6ee-b378-425d-b22d-751ff332010e/
20. # malware: ursnif/Dreambot
21. # export: DllRegisterServer
22. # geofenced: jp (only JP geolocation can access)
23.  
24. [C2]
25. hxxp://get.marquettburton[.]com
26. hxxp://alistherdata[.]at
27. hxxp://h33a7jzovxp2dxfg[.]onion
28.  
29. [URL QueryParameter]
30. key=s4Sc9mDb35Ayj8oO
31. soft=1
32. version=217107
33. server=12
34. id=20203
35.  
36. [Config Info]
37. 0x1c631f09 :
38. c2_domain : hxxp://h33a7jzovxp2dxfg[.]onion hxxp://get.marquettburton[.]com hxxp://alistherdata[.]at
39. dga_base_url : constitution.org/usdeclar.txt
40. 0xcd850e68 : 0x4eb7d2ca
41. dga_tld : com ru org
42. 0xdf2e7488 : 10
43. tor32_dll : google.com file://%appdata%/system32.dll
44. tor64_dll : google.com file://%appdata%/system64.dll
45. ip_check_url : curlmyip.net
46. server : 12
47. serpent_key : s4Sc9mDb35Ayj8oO
48. sleep_time : 10
49. SetWaitableTimer_value(CRC_CONFIGTIMEOUT): 150
50. time_value : 30
51. SetWaitableTimer_value(CRC_TASKTIMEOUT): 150
52. SetWaitableTimer_value(CRC_SENDTIMEOUT): 300
53. SetWaitableTimer_value(CRC_KNOCKERTIMEOUT): 150
54. not_use(CRC_BCTIMEOUT): 10
55. botnet : 20203
56. dga_seed : 1
57. SetWaitableTimer_value: 60