Bank_Security

Phishing Campaign uses Hijacked Emails to Deliver URSNIF

Oct 9th, 2018
Phishing Campaign uses Hijacked Emails to Deliver URSNIF by Replying to Ongoing Threads
Indicators of Compromise (IoCs)

Hashes of the .doc files:

Detected as TROJ_FRS.VSN0BI18 / Trojan.W97M.POWLOAD.SMY

bdd3f03fb074c55cf46d91963313966ce26afdb13b1444258f8f9e7e723d8395
dd7b4fc4d5cc1c1e25c800d5622423725a1b29000f93b658a54e267bbbe6f528
4df47982fdd1ac336625600fa8c947d45909248309b117d05fc532a2260c7bc4

Detected as Trojan.W97M.POWLOAD.FGAIBT

f88ef62f2342f4d1105cfe85395b735efd3f0308b79551944983ce245d425510
567fe3794a9eec27697ae0634861d284279261880887f60a7374c6cbe63b7674

Detected as Trojan.W97M.POWLOAD.NSFGAIBF

52d3ece98b6b3b686925156c3d62d8ce133fe3326e11b4c981c251452e4a41d2

Detected as Trojan.W97M.POWLOAD.SMEMOT

4d0762a6b2879d2fa821716db76bc980fdb3b8507611d2853df58c0d4127f9ea

Detected as Trojan.W97M.POWLOAD.SMEMOT2

47e2c66ba16e3ffa9704a13f2c00670319bf292b3d2aa7deede5442da02181e5
c2c946f7fd63fc15048a9af4043686f5a56b169e74cb36892fb8d1563b810467

Detected as Trojan.W97M.POWLOAD.SMTHF3

21ce42a1fc6631ed10db3d0e44b4ccb6d96a729fc494bd86a57cf07ff72cb8f2

Detected as Trojan.W97M.POWLOAD.SMY

de8f8f39259992886da3b07635cbf121027379e5c1a156a32c6c6e5ace3cc4c3
6b387b8534da9cc7cf0af4f2fb8c2a92f9316c0ea6ffb9cfe49b09b4c3df9778
6bf99f4b17a07e788219333d96a7a19c9eddc1b49d16c2a21da255a6a16c80d5
33d078881456e3b930c480803902fa28142b17c8550f3932e7cf4a1df0eb9213
6ca2d4dcea456b9d4c87f211ed20bb32f71a0c78ee8059b934162e643d66e0c9
82bee0c249b63f349d212a36f0b9ad90f909017ac734eac133353a1135d7474d
1f2e12a58cc23f4e6e7f17b8c1a5c50b88614fda103577354b9564f2dffc257f

Detected as W2KM_POWLOAD.FGAIBT

1db71aec64d0e391a8c99f4f6ee214962a281733643ace0874cf69e2843f448c

Detected as W2KM_POWLOAD.NSFGAIBF

c33d642da477f65c11daa9e8098b9917c4c5a6f131dd1369a20cb1b14c4cc261
398e677290b1db00d8751c3498847ad9c7d10721630175d2506c4d45af19d229
813a08d3b2216c89d42e8225c6de760d785905d1c76bd7428201d68c3c368f65

Detected as W2KM_POWLOAD.THIACAH

5aed7d6a3e8692143e53f9556cd3aa371149c96b91c02d1c659cb58d88572e47

Downloaded URSNIF

Detected as TSPY_URSNIF.THAOOCAH

0a38d92775cfc7182076d9a21c4937149ea8be6ebf22b9530afbca57d69c0d46

Executable file payload

Detected as TrojanSpy.Win32.URSNIF.BAIEF

358bd52ac46755b1c6fa73805a7a355450f85f4bcf1b2e798a04960743390422

Detected as TSPY_URSNIF.THAOOCAH

e8633f2f2b6b0b8f7348b4660e325ab25b87ec8faa40fb49eb0215b31bd276aa

Detected as TSPY_URSNIF.BAIEB

f92ba10fe245c00575ae8031d4c721fe0ebb0820a4f45f3bbce02654a6e7f18d

Download URLs

hxxp://t95dfesc2mo5jr[.]com/RTT/opanskot[.]php?l=targa2[.]tkn
hxxp://enduuyyhgeetyasd[.]com/RTT/opanskot[.]php?l=omg8[.]tkn
hxxp://q0fpkblizxfe1l[.]com/RTT/opanskot[.]php?l=targa4[.]tkn
hxxp://2dhtsif1a8jhyb[.]com/RTT/opanskot[.]php?l=okb1[.]tkn
hxxp://yrtw1djmj6eth7[.]com/RTT/opanskot[.]php?l=okb7[.]tkn
hxxp://popoasdzxcqe[.]com/YUY/huonasdh[.]php?l=rgr7[.]tkn
hxxp://q0fpkblizxfe1l[.]com/RTT/opanskot[.]php?l=targa2[.]tkn
hxxp://e3u1oz4an1dqmj[.]com/RTT/opanskot[.]php?l=okb9[.]tkn
hxxp://popoasdzxcqe[.]com/YUY/huonasdh[.]php?l=rgr3[.]tkn
hxxp://2dhtsif1a8jhyb[.]com/RTT/opanskot[.]php?l=okb5[.]tkn
hxxp://hbhbasdqweb[.]com/YUY/huonasdh[.]php?l=rgr4[.]tkn
hxxp://q0fpkblizxfe1l[.]com/RTT/opanskot[.]php?l=targa4[.]tkn

Command and Control Servers

app[.]kartop[.]at
doc[.]dicin[.]at
doc[.]avitoon[.]at
app[.]avitoon[.]at
ops[.]twidix[.]at
xx[.]go10og[.]at
api[.]kartop[.]at
m1[.]fofon[.]at
cdn[.]kartop[.]at
api[.]tylron[.]at
chat[.]twidix[.]at
api[.]kaonok[.]at
chat[.]jimden[.]at
mahono[.]cn