SHARE
TWEET

URSNIF IOCs

Bank_Security Jun 12th, 2019 1,580 Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
  1. URSNIF IOCs
  2.  
  3. Indicators of compromise
  4. Hashes
  5.  
  6. bb5dab56181dbb0e8f3f9182a32e584315cd1e6e2fedb2db350e597983f0e880
  7. abb8a8351bb83037db94cd2bb98a8f697260f32306c21a2198c6b7f1a3bd1957
  8. 07d340cc0c476e8098a9979714f811e040076666bd8d82e229a89b0b394ae835
  9. 062389d43ee85c4b1cfda62dc09494db8f99c57aac15b2a237c4929bbf69185d
  10. f09c85e45d1d764162c44867d8944220e0d8db1cb9ed06fd9b5cc36ae28de4b8
  11. f2013e97c18531fd5a812f365dbd070e5d7e75192bfbb519261effcfd09fcd89
  12. f652a3f6cd614caede3ca57d33f530200c07798d3dc19fccf787fb93286dd87a
  13. 5aaf08c96b9704d7c968bfea8524380e5698e9f478340665623c4ac3b9b9ed24
  14. b8269764469c32d223840a8733ad08059c475c527079e606ed6aa22dff2f68bb
  15. 5b82967c329f622b387061c6de3fb05b7a7f2ba48aeef5976882dc4f2a082d67
  16. 8c33d3df82a671bf5256764468e2c9b15edabe55260393d31fbbc7d90260daf6
  17. dac0427eebc39d4b789ae71d9944ccfd622ab1da8f242a4c5a46eed32af77469
  18. ba53cf421f47a08f0cf4d1da95597ffb7199df329c005f2b0b3d96e653455e1a
  19. 32609cf05b444907eab4b97630b278ea949439dad9aa4c08c01a199cdf971dba
  20. e9c837c857defea2ab71707fbbde992876b15d51d4a35578d45f89060e722cff
  21. 2a5319491b4f025078c2a66806dc27f905a43bfc0fd74d4fa871974616a40ee1
  22. f4a8e0a0a0fda9410c783d5a78ab233432c015fe7017617c3bdbbc4ac2b72fd2
  23. 7f4996c29d6a9359f54e2afc4fa688aec4c916b27481d62c07a2dbab47f935a4
  24. b94d0b867b709a5473082168c85cab6e8048ee54c2926c91ca33707b96507fa9
  25. abb8a8351bb83037db94cd2bb98a8f697260f32306c21a2198c6b7f1a3bd1957
  26. dd4c52b299b25f1ad217fb4f9a66a915abb79888f9c6553a64949731ad92b4fb
  27. d89b3415ecc212780144cb3f74c6fea8752052c8d469debf7c12864afd1cd277
  28. dd377e2673e1f6d070272c9fbb2a63445038c710f7b83c1d8c227050c47a78d1
  29. 061281bcc63295597216a68eeceb8355b18de9e15768af48e62a9cf413d0ca37
  30. 2547089727a628ce940ab18554bde85121810cee55857089fd5914b9d972870f
  31. 5ce8d23dec401142cd35a00ea8d23eedaa64a6f7a08cadbc11c22559d5bdd4bf
  32. f075570279ac63d38b7933122c1baf82d1ae2151b0accd199f7b56ac93ae9808
  33. 8578d4261fbe0b899cb57f2c346c0961f3d44a046366d1fb0b453ce821437ab1
  34. 16b733db9fc27525d11f69457539b92f4ffc7b220ef2d6769705950626461be5
  35. 6c55e9f85a7cd1232ec94ae9c31f3b0fb2fa597ebad5a5c19e4a5d15fc9e14e0
  36. Dropurl
  37.  
  38. http[://images2[.imgbox[.com/d8/0e/eyGVup7s_o[.png
  39. https[://newupdatindef[.info////////……….[.exe
  40. http[s://i.postimg[.cc/mbBH51RX/cry[.png?dl=1
  41. C2
  42.  
  43. filomilalno[.club
  44. fileneopolo[.online
  45. reziki[.online
  46. reziki[.xyz
  47. Yara Rules
  48. import "pe"
  49. rule Ursnif_Excel_Dropper_1905 {
  50. meta:
  51.     description = "Yara Rule for Excel Ursnif Dopper of the campaign of End of May 2019"
  52.     author = "Cybaze - Yoroi ZLab"
  53.     last_updated = "2019-06-04"
  54.     tlp = "white"
  55.     category = "informational"
  56. strings:
  57.     $s1 = "TvZjuM4ku8L7D"
  58.     $s2 = "dhgfdd5d6udujdhg9"
  59.    
  60.     $a1 = { 6F 6C 65 3E 02 19 00 73 00 74 00 64 00 6F 00 80 }
  61.  
  62. condition:
  63.     all of them
  64. }
  65.  
  66. rule Ursnif_Loader_1905 {
  67. meta:
  68.     description = "Yara Rule for Ursnif Loader of the campaign of End of May 2019"
  69.     author = "Cybaze - Yoroi ZLab"
  70.     last_updated = "2019-06-04"
  71.     tlp = "white"
  72.     category = "informational"
  73. strings:
  74.     $s1 = ">rdP/dfn"
  75.     $s2 = "c:\\team\\let\\Require\\livebottom.pdb"
  76.    
  77.     $a1={ E9 5D 3C CD 49 DC 51 C8 }
  78.  
  79. condition:
  80.     all of them
  81. }
  82.  
  83. rule Ursnif_Malicious_DLL_1905 {
  84. meta:
  85.     description = "Yara Rule for Ursnif Loader of the campaign of End of May 2019"
  86.     author = "Cybaze - Yoroi ZLab"
  87.     last_updated = "2019-06-04"
  88.     tlp = "white"
  89.     category = "informational"
  90. strings:
  91.     $s1 = "GET t'=PUT t =POSTt"
  92.     $s2 = "xul.dll"
  93.     $s3 = "CHROME_CHILD.DLL"
  94.  
  95. condition:
  96.     uint16(0) == 0x5A4D and all of them
  97. }
  98. Strings
  99. May 26 2019
  100. CHROME.DLL
  101. soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x
  102. version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s
  103. &ip=%s
  104. &os=%s
  105. %u.%u_%u_%u_x%u
  106. &tor=1
  107. Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s)
  108. http://
  109. https://
  110. file://
  111. USER.ID
  112. %lu.exe
  113. /upd %lu
  114. Software\AppDataLow\Software\Microsoft\
  115. Main
  116. Block
  117. Temp
  118. Client
  119. Ini
  120. Keys
  121. Scr
  122. Kill
  123. LastTask
  124. LastConfig
  125. CrHook
  126. OpHook
  127. Exec
  128. .onion
  129. TorClient
  130. TorCrc
  131. %s %s HTTP/1.1
  132. Host: %s
  133. User-Agent: %s
  134. Connection: close;
  135. Content-length: %u
  136. http://constitution.org/usdeclar.txt
  137. C:\Program Files\Internet Explorer\iexplore.exe
  138. Software\Microsoft\Windows\CurrentVersion\Run
  139. System\CurrentControlSet\Control\Session Manager\AppCertDlls
  140. {%08X-%04X-%04X-%04X-%08X%04X}
  141. %08X-%04X-%04X-%04X-%08X%04X
  142. S:(ML;;NW;;;LW)D:(A;;0x1fffff;;;WD)(A;;0x1fffff;;;S-1-15-2-1)
  143. open
  144. %lu.bat
  145. attrib -r -s -h %%1
  146. :%u
  147. del %%1
  148. if exist %%1 goto %u
  149. del %%0
  150. \Vars
  151. \Files
  152. \Config
  153. \Run
  154. /data.php?version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s
  155. /UPD
  156. /SD
  157. /sd %lu
  158. \Software\Microsoft\Windows\CurrentVersion
  159. SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
  160. NSPR4.DLL
  161. NSS3.DLL
  162. %APPDATA%\Mozilla\Firefox\Profiles
  163. EnableSPDY3_0
  164. \Macromedia\Flash Player\
  165. cookies.sqlite
  166. OPERA.EXE
  167. cookies.sqlite-journal
  168. EMPTY
  169. Cmd %s processed: %u
  170.  | "%s" | %u
  171. Cmd %u parsing: %u
  172. PR_Read
  173. PR_Write
  174. PR_Close
  175. .set MaxDiskSize=0
  176. .set DiskDirectory1="%s"
  177. .set CabinetName1="%s"
  178. .set DestinationDir="%S"
  179. "%s"
  180. \setup.inf
  181. \setup.rpt
  182. makecab.exe /F "%s"
  183. cmd /C "%s> %s1"
  184. systeminfo.exe
  185. tasklist.exe /SVC >
  186. driverquery.exe >
  187. reg.exe query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" /s >
  188. cmd /U /C "type %s1 > %s & del %s1"
  189. net view >
  190. nslookup 127.0.0.1 >
  191. echo -------- >
  192. nslookup myip.opendns.com resolver1.opendns.com
  193. Main
  194. Blocked
  195. user_pref("network.http.spdy.enabled", false);
  196. prefs.js
  197. %s=%s&
  198. /images/
  199. .avi
  200. HTTPMail
  201. SMTP
  202. POP3
  203. IMAP
  204. none
  205. WABOpen
  206. Software\Microsoft\Windows Mail
  207. Software\Microsoft\Windows Live Mail
  208. Store Root
  209. Salt
  210. account{*}.oeaccount
  211. Server
  212. User_Name
  213. Password2
  214. Port
  215. Secure_Connection
  216. type=%S, name=%S, address=%S, server=%S, port=%u, ssl=%S, user=%S, password=%S
  217. NSS_Init
  218. hostname
  219. type=%S, name=%s, address=%s, server=%s, port=%u, ssl=%s, user=%s, password=%s
  220. NSS_Shutdown
  221. mail
  222. MessageAccount
  223. PK11_FreeSlot
  224. Account_Name
  225. PK11_Authenticate
  226. SMTP_Email_Address
  227. encryptedUsername
  228. %S_%S
  229. encryptedPassword
  230. Email
  231. EmailAddressCollection/EmailAddress[%u]/Address
  232. Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\
  233. &uptime=%u
  234. Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\
  235. Client32
  236. Client64
  237. Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\
  238. %systemroot%\syswow64\cmd.exe
  239. Account Name
  240. /C pause dll
  241. .gif
  242. IMAP Server
  243. IMAP Port
  244. IMAP User
  245. IMAP Password
  246. IMAP Use SSL
  247. .jpeg
  248. POP3 User
  249. POP3 Server
  250. POP3 Port
  251. POP3 Password
  252. POP3 Use SSL
  253. .bmp
  254. .avi
  255. SMTP User
  256. SMTP Server
  257. SMTP Port
  258. SMTP Password
  259. SMTP Use SSL
  260. ICGetInfo
  261. A8000A
  262. ICSendMessage
  263. 1.0
  264. nss3.dll
  265. PK11_GetInternalKeySlot
  266. PK11SDR_Decrypt
  267. %systemroot%\system32\c_1252.nls
  268. %PROGRAMFILES%\Mozilla Thunderbird
  269. %USERPROFILE%\AppData\Roaming\Thunderbird\Profiles\*.default
  270. \logins.json
  271. %S %S, %S, %S
  272. %c%02X
  273. SOFTWARE\Microsoft\Windows NT\CurrentVersion
  274. InstallDate
  275. \\.\%s
  276. rundll32
  277. msvfw32
  278. ICOpen
  279. ICClose
  280. ICInfo
  281. rundll32 "%s",%S
  282. DllRegisterServer
  283. IsWow64Process
  284. Wow64EnableWow64FsRedirection
  285. D:(D;OICI;GA;;;BG)(D;OICI;GA;;;AN)(A;OICI;GA;;;AU)(A;OICI;GA;;;BA)
  286. %userprofile%\AppData\Local\Google\Chrome\User Data\Default\cache
  287. %userprofile%\AppData\Local\Mozilla\Firefox\Profiles
RAW Paste Data
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy. OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!
 
Top