- Phishing Campaign uses Hijacked Emails to Deliver URSNIF by Replying to Ongoing Threads
- Indicators of Compromise (IoCs)
- Hashes of the .doc files:
- Download URLs
- Command and Control Servers