URSNIF IOCs

1. URSNIF IOCs
2.  
3. Indicators of compromise
4. Hashes
5.  
6. bb5dab56181dbb0e8f3f9182a32e584315cd1e6e2fedb2db350e597983f0e880
7. abb8a8351bb83037db94cd2bb98a8f697260f32306c21a2198c6b7f1a3bd1957
8. 07d340cc0c476e8098a9979714f811e040076666bd8d82e229a89b0b394ae835
9. 062389d43ee85c4b1cfda62dc09494db8f99c57aac15b2a237c4929bbf69185d
10. f09c85e45d1d764162c44867d8944220e0d8db1cb9ed06fd9b5cc36ae28de4b8
11. f2013e97c18531fd5a812f365dbd070e5d7e75192bfbb519261effcfd09fcd89
12. f652a3f6cd614caede3ca57d33f530200c07798d3dc19fccf787fb93286dd87a
13. 5aaf08c96b9704d7c968bfea8524380e5698e9f478340665623c4ac3b9b9ed24
14. b8269764469c32d223840a8733ad08059c475c527079e606ed6aa22dff2f68bb
15. 5b82967c329f622b387061c6de3fb05b7a7f2ba48aeef5976882dc4f2a082d67
16. 8c33d3df82a671bf5256764468e2c9b15edabe55260393d31fbbc7d90260daf6
17. dac0427eebc39d4b789ae71d9944ccfd622ab1da8f242a4c5a46eed32af77469
18. ba53cf421f47a08f0cf4d1da95597ffb7199df329c005f2b0b3d96e653455e1a
19. 32609cf05b444907eab4b97630b278ea949439dad9aa4c08c01a199cdf971dba
20. e9c837c857defea2ab71707fbbde992876b15d51d4a35578d45f89060e722cff
21. 2a5319491b4f025078c2a66806dc27f905a43bfc0fd74d4fa871974616a40ee1
22. f4a8e0a0a0fda9410c783d5a78ab233432c015fe7017617c3bdbbc4ac2b72fd2
23. 7f4996c29d6a9359f54e2afc4fa688aec4c916b27481d62c07a2dbab47f935a4
24. b94d0b867b709a5473082168c85cab6e8048ee54c2926c91ca33707b96507fa9
25. abb8a8351bb83037db94cd2bb98a8f697260f32306c21a2198c6b7f1a3bd1957
26. dd4c52b299b25f1ad217fb4f9a66a915abb79888f9c6553a64949731ad92b4fb
27. d89b3415ecc212780144cb3f74c6fea8752052c8d469debf7c12864afd1cd277
28. dd377e2673e1f6d070272c9fbb2a63445038c710f7b83c1d8c227050c47a78d1
29. 061281bcc63295597216a68eeceb8355b18de9e15768af48e62a9cf413d0ca37
30. 2547089727a628ce940ab18554bde85121810cee55857089fd5914b9d972870f
31. 5ce8d23dec401142cd35a00ea8d23eedaa64a6f7a08cadbc11c22559d5bdd4bf
32. f075570279ac63d38b7933122c1baf82d1ae2151b0accd199f7b56ac93ae9808
33. 8578d4261fbe0b899cb57f2c346c0961f3d44a046366d1fb0b453ce821437ab1
34. 16b733db9fc27525d11f69457539b92f4ffc7b220ef2d6769705950626461be5
35. 6c55e9f85a7cd1232ec94ae9c31f3b0fb2fa597ebad5a5c19e4a5d15fc9e14e0
36. Dropurl
37.  
38. http[://images2[.imgbox[.com/d8/0e/eyGVup7s_o[.png
39. https[://newupdatindef[.info////////……….[.exe
40. http[s://i.postimg[.cc/mbBH51RX/cry[.png?dl=1
41. C2
42.  
43. filomilalno[.club
44. fileneopolo[.online
45. reziki[.online
46. reziki[.xyz
47. Yara Rules
48. import "pe"
49. rule Ursnif_Excel_Dropper_1905 {
50. meta:
51. description = "Yara Rule for Excel Ursnif Dopper of the campaign of End of May 2019"
52. author = "Cybaze - Yoroi ZLab"
53. last_updated = "2019-06-04"
54. tlp = "white"
55. category = "informational"
56. strings:
57. $s1 = "TvZjuM4ku8L7D"
58. $s2 = "dhgfdd5d6udujdhg9"
59.  
60. $a1 = { 6F 6C 65 3E 02 19 00 73 00 74 00 64 00 6F 00 80 }
61.  
62. condition:
63. all of them
64. }
65.  
66. rule Ursnif_Loader_1905 {
67. meta:
68. description = "Yara Rule for Ursnif Loader of the campaign of End of May 2019"
69. author = "Cybaze - Yoroi ZLab"
70. last_updated = "2019-06-04"
71. tlp = "white"
72. category = "informational"
73. strings:
74. $s1 = ">rdP/dfn"
75. $s2 = "c:\\team\\let\\Require\\livebottom.pdb"
76.  
77. $a1={ E9 5D 3C CD 49 DC 51 C8 }
78.  
79. condition:
80. all of them
81. }
82.  
83. rule Ursnif_Malicious_DLL_1905 {
84. meta:
85. description = "Yara Rule for Ursnif Loader of the campaign of End of May 2019"
86. author = "Cybaze - Yoroi ZLab"
87. last_updated = "2019-06-04"
88. tlp = "white"
89. category = "informational"
90. strings:
91. $s1 = "GET t'=PUT t =POSTt"
92. $s2 = "xul.dll"
93. $s3 = "CHROME_CHILD.DLL"
94.  
95. condition:
96. uint16(0) == 0x5A4D and all of them
97. }
98. Strings
99. May 26 2019
100. CHROME.DLL
101. soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x
102. version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s
103. &ip=%s
104. &os=%s
105. %u.%u_%u_%u_x%u
106. &tor=1
107. Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s)
108. http://
109. https://
110. file://
111. USER.ID
112. %lu.exe
113. /upd %lu
114. Software\AppDataLow\Software\Microsoft\
115. Main
116. Block
117. Temp
118. Client
119. Ini
120. Keys
121. Scr
122. Kill
123. LastTask
124. LastConfig
125. CrHook
126. OpHook
127. Exec
128. .onion
129. TorClient
130. TorCrc
131. %s %s HTTP/1.1
132. Host: %s
133. User-Agent: %s
134. Connection: close;
135. Content-length: %u
136. http://constitution.org/usdeclar.txt
137. C:\Program Files\Internet Explorer\iexplore.exe
138. Software\Microsoft\Windows\CurrentVersion\Run
139. System\CurrentControlSet\Control\Session Manager\AppCertDlls
140. {%08X-%04X-%04X-%04X-%08X%04X}
141. %08X-%04X-%04X-%04X-%08X%04X
142. S:(ML;;NW;;;LW)D:(A;;0x1fffff;;;WD)(A;;0x1fffff;;;S-1-15-2-1)
143. open
144. %lu.bat
145. attrib -r -s -h %%1
146. :%u
147. del %%1
148. if exist %%1 goto %u
149. del %%0
150. \Vars
151. \Files
152. \Config
153. \Run
154. /data.php?version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s
155. /UPD
156. /SD
157. /sd %lu
158. \Software\Microsoft\Windows\CurrentVersion
159. SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
160. NSPR4.DLL
161. NSS3.DLL
162. %APPDATA%\Mozilla\Firefox\Profiles
163. EnableSPDY3_0
164. \Macromedia\Flash Player\
165. cookies.sqlite
166. OPERA.EXE
167. cookies.sqlite-journal
168. EMPTY
169. Cmd %s processed: %u
170. | "%s" | %u
171. Cmd %u parsing: %u
172. PR_Read
173. PR_Write
174. PR_Close
175. .set MaxDiskSize=0
176. .set DiskDirectory1="%s"
177. .set CabinetName1="%s"
178. .set DestinationDir="%S"
179. "%s"
180. \setup.inf
181. \setup.rpt
182. makecab.exe /F "%s"
183. cmd /C "%s> %s1"
184. systeminfo.exe
185. tasklist.exe /SVC >
186. driverquery.exe >
187. reg.exe query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" /s >
188. cmd /U /C "type %s1 > %s & del %s1"
189. net view >
190. nslookup 127.0.0.1 >
191. echo -------- >
192. nslookup myip.opendns.com resolver1.opendns.com
193. Main
194. Blocked
195. user_pref("network.http.spdy.enabled", false);
196. prefs.js
197. %s=%s&
198. /images/
199. .avi
200. HTTPMail
201. SMTP
202. POP3
203. IMAP
204. none
205. WABOpen
206. Software\Microsoft\Windows Mail
207. Software\Microsoft\Windows Live Mail
208. Store Root
209. Salt
210. account{*}.oeaccount
211. Server
212. User_Name
213. Password2
214. Port
215. Secure_Connection
216. type=%S, name=%S, address=%S, server=%S, port=%u, ssl=%S, user=%S, password=%S
217. NSS_Init
218. hostname
219. type=%S, name=%s, address=%s, server=%s, port=%u, ssl=%s, user=%s, password=%s
220. NSS_Shutdown
221. mail
222. MessageAccount
223. PK11_FreeSlot
224. Account_Name
225. PK11_Authenticate
226. SMTP_Email_Address
227. encryptedUsername
228. %S_%S
229. encryptedPassword
230. Email
231. EmailAddressCollection/EmailAddress[%u]/Address
232. Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\
233. &uptime=%u
234. Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\
235. Client32
236. Client64
237. Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\
238. %systemroot%\syswow64\cmd.exe
239. Account Name
240. /C pause dll
241. .gif
242. IMAP Server
243. IMAP Port
244. IMAP User
245. IMAP Password
246. IMAP Use SSL
247. .jpeg
248. POP3 User
249. POP3 Server
250. POP3 Port
251. POP3 Password
252. POP3 Use SSL
253. .bmp
254. .avi
255. SMTP User
256. SMTP Server
257. SMTP Port
258. SMTP Password
259. SMTP Use SSL
260. ICGetInfo
261. A8000A
262. ICSendMessage
263. 1.0
264. nss3.dll
265. PK11_GetInternalKeySlot
266. PK11SDR_Decrypt
267. %systemroot%\system32\c_1252.nls
268. %PROGRAMFILES%\Mozilla Thunderbird
269. %USERPROFILE%\AppData\Roaming\Thunderbird\Profiles\*.default
270. \logins.json
271. %S %S, %S, %S
272. %c%02X
273. SOFTWARE\Microsoft\Windows NT\CurrentVersion
274. InstallDate
275. \\.\%s
276. rundll32
277. msvfw32
278. ICOpen
279. ICClose
280. ICInfo
281. rundll32 "%s",%S
282. DllRegisterServer
283. IsWow64Process
284. Wow64EnableWow64FsRedirection
285. D:(D;OICI;GA;;;BG)(D;OICI;GA;;;AN)(A;OICI;GA;;;AU)(A;OICI;GA;;;BA)
286. %userprofile%\AppData\Local\Google\Chrome\User Data\Default\cache
287. %userprofile%\AppData\Local\Mozilla\Firefox\Profiles