Bank_Security

Fake "Life Insurance Invoice" delivers Ursnif Banking Trojan

Mar 13th, 2018
Fake "Life Insurance Invoice" delivers Ursnif Banking Trojan Malware

Indicators of Compromise

Infection URL: hxxp://nth-gen.co.uk/AA%20Insurance%20Invoice.zip
Infection URL Domain: nth-gen[.]co[.]uk
Infection URL IP: 46.249.205.43

Malicious File
File name: AA Insurance Invoice.zip
MD5: b85fddb1c4b9035138cd30d31c180faf
SHA256: ed4007797c15d89bca7fe4ad0411807fb1d075917f01f410f8a78648bf1a04f9
File size: 1062 KB

Malicious File
File name: AA Insurance Invoice.lnk
MD5: e0ae52a6ecdb252238e1b45fe2dede90
SHA256: cb6bf2ca33d4ede5fa287c432de640be75a2776947c0f402ced831a369421c6a
File size: 3 KB

Malicious File
File name: Chaturnabte.exe
MD5: b42647f81a72c47095d3b9a3bb45fc2d
SHA256: 01b2e72a6ca18b91a382a67099d61045e167f24da53470478110ade44180186e
File size: 196 KB

Payload URL: http://katherineroper[.]co[.]uk/newsite/PACHANGAITV[.]exe
Payload URL Domain: katherineroper[.]co[.]uk
Payload URL IP: 89.145.69.72

Command & Control URL:
hxxp://86.105.18.64:443
hxxp://89.105.194.234:443

Command & Control URL IP:
86.105.18[.]64
89.105.194[.]234