Advertisement
Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- URSNIF IOCs
- Indicators of compromise
- Hashes
- bb5dab56181dbb0e8f3f9182a32e584315cd1e6e2fedb2db350e597983f0e880
- abb8a8351bb83037db94cd2bb98a8f697260f32306c21a2198c6b7f1a3bd1957
- 07d340cc0c476e8098a9979714f811e040076666bd8d82e229a89b0b394ae835
- 062389d43ee85c4b1cfda62dc09494db8f99c57aac15b2a237c4929bbf69185d
- f09c85e45d1d764162c44867d8944220e0d8db1cb9ed06fd9b5cc36ae28de4b8
- f2013e97c18531fd5a812f365dbd070e5d7e75192bfbb519261effcfd09fcd89
- f652a3f6cd614caede3ca57d33f530200c07798d3dc19fccf787fb93286dd87a
- 5aaf08c96b9704d7c968bfea8524380e5698e9f478340665623c4ac3b9b9ed24
- b8269764469c32d223840a8733ad08059c475c527079e606ed6aa22dff2f68bb
- 5b82967c329f622b387061c6de3fb05b7a7f2ba48aeef5976882dc4f2a082d67
- 8c33d3df82a671bf5256764468e2c9b15edabe55260393d31fbbc7d90260daf6
- dac0427eebc39d4b789ae71d9944ccfd622ab1da8f242a4c5a46eed32af77469
- ba53cf421f47a08f0cf4d1da95597ffb7199df329c005f2b0b3d96e653455e1a
- 32609cf05b444907eab4b97630b278ea949439dad9aa4c08c01a199cdf971dba
- e9c837c857defea2ab71707fbbde992876b15d51d4a35578d45f89060e722cff
- 2a5319491b4f025078c2a66806dc27f905a43bfc0fd74d4fa871974616a40ee1
- f4a8e0a0a0fda9410c783d5a78ab233432c015fe7017617c3bdbbc4ac2b72fd2
- 7f4996c29d6a9359f54e2afc4fa688aec4c916b27481d62c07a2dbab47f935a4
- b94d0b867b709a5473082168c85cab6e8048ee54c2926c91ca33707b96507fa9
- abb8a8351bb83037db94cd2bb98a8f697260f32306c21a2198c6b7f1a3bd1957
- dd4c52b299b25f1ad217fb4f9a66a915abb79888f9c6553a64949731ad92b4fb
- d89b3415ecc212780144cb3f74c6fea8752052c8d469debf7c12864afd1cd277
- dd377e2673e1f6d070272c9fbb2a63445038c710f7b83c1d8c227050c47a78d1
- 061281bcc63295597216a68eeceb8355b18de9e15768af48e62a9cf413d0ca37
- 2547089727a628ce940ab18554bde85121810cee55857089fd5914b9d972870f
- 5ce8d23dec401142cd35a00ea8d23eedaa64a6f7a08cadbc11c22559d5bdd4bf
- f075570279ac63d38b7933122c1baf82d1ae2151b0accd199f7b56ac93ae9808
- 8578d4261fbe0b899cb57f2c346c0961f3d44a046366d1fb0b453ce821437ab1
- 16b733db9fc27525d11f69457539b92f4ffc7b220ef2d6769705950626461be5
- 6c55e9f85a7cd1232ec94ae9c31f3b0fb2fa597ebad5a5c19e4a5d15fc9e14e0
- Dropurl
- http[://images2[.imgbox[.com/d8/0e/eyGVup7s_o[.png
- https[://newupdatindef[.info////////……….[.exe
- http[s://i.postimg[.cc/mbBH51RX/cry[.png?dl=1
- C2
- filomilalno[.club
- fileneopolo[.online
- reziki[.online
- reziki[.xyz
- Yara Rules
- import "pe"
- rule Ursnif_Excel_Dropper_1905 {
- meta:
- description = "Yara Rule for Excel Ursnif Dopper of the campaign of End of May 2019"
- author = "Cybaze - Yoroi ZLab"
- last_updated = "2019-06-04"
- tlp = "white"
- category = "informational"
- strings:
- $s1 = "TvZjuM4ku8L7D"
- $s2 = "dhgfdd5d6udujdhg9"
- $a1 = { 6F 6C 65 3E 02 19 00 73 00 74 00 64 00 6F 00 80 }
- condition:
- all of them
- }
- rule Ursnif_Loader_1905 {
- meta:
- description = "Yara Rule for Ursnif Loader of the campaign of End of May 2019"
- author = "Cybaze - Yoroi ZLab"
- last_updated = "2019-06-04"
- tlp = "white"
- category = "informational"
- strings:
- $s1 = ">rdP/dfn"
- $s2 = "c:\\team\\let\\Require\\livebottom.pdb"
- $a1={ E9 5D 3C CD 49 DC 51 C8 }
- condition:
- all of them
- }
- rule Ursnif_Malicious_DLL_1905 {
- meta:
- description = "Yara Rule for Ursnif Loader of the campaign of End of May 2019"
- author = "Cybaze - Yoroi ZLab"
- last_updated = "2019-06-04"
- tlp = "white"
- category = "informational"
- strings:
- $s1 = "GET t'=PUT t =POSTt"
- $s2 = "xul.dll"
- $s3 = "CHROME_CHILD.DLL"
- condition:
- uint16(0) == 0x5A4D and all of them
- }
- Strings
- May 26 2019
- CHROME.DLL
- soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x
- version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s
- &ip=%s
- &os=%s
- %u.%u_%u_%u_x%u
- &tor=1
- Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s)
- http://
- https://
- file://
- USER.ID
- %lu.exe
- /upd %lu
- Software\AppDataLow\Software\Microsoft\
- Main
- Block
- Temp
- Client
- Ini
- Keys
- Scr
- Kill
- LastTask
- LastConfig
- CrHook
- OpHook
- Exec
- .onion
- TorClient
- TorCrc
- %s %s HTTP/1.1
- Host: %s
- User-Agent: %s
- Connection: close;
- Content-length: %u
- http://constitution.org/usdeclar.txt
- C:\Program Files\Internet Explorer\iexplore.exe
- Software\Microsoft\Windows\CurrentVersion\Run
- System\CurrentControlSet\Control\Session Manager\AppCertDlls
- {%08X-%04X-%04X-%04X-%08X%04X}
- %08X-%04X-%04X-%04X-%08X%04X
- S:(ML;;NW;;;LW)D:(A;;0x1fffff;;;WD)(A;;0x1fffff;;;S-1-15-2-1)
- open
- %lu.bat
- attrib -r -s -h %%1
- :%u
- del %%1
- if exist %%1 goto %u
- del %%0
- \Vars
- \Files
- \Config
- \Run
- /data.php?version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s
- /UPD
- /SD
- /sd %lu
- \Software\Microsoft\Windows\CurrentVersion
- SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
- NSPR4.DLL
- NSS3.DLL
- %APPDATA%\Mozilla\Firefox\Profiles
- EnableSPDY3_0
- \Macromedia\Flash Player\
- cookies.sqlite
- OPERA.EXE
- cookies.sqlite-journal
- EMPTY
- Cmd %s processed: %u
- | "%s" | %u
- Cmd %u parsing: %u
- PR_Read
- PR_Write
- PR_Close
- .set MaxDiskSize=0
- .set DiskDirectory1="%s"
- .set CabinetName1="%s"
- .set DestinationDir="%S"
- "%s"
- \setup.inf
- \setup.rpt
- makecab.exe /F "%s"
- cmd /C "%s> %s1"
- systeminfo.exe
- tasklist.exe /SVC >
- driverquery.exe >
- reg.exe query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" /s >
- cmd /U /C "type %s1 > %s & del %s1"
- net view >
- nslookup 127.0.0.1 >
- echo -------- >
- nslookup myip.opendns.com resolver1.opendns.com
- Main
- Blocked
- user_pref("network.http.spdy.enabled", false);
- prefs.js
- %s=%s&
- /images/
- .avi
- HTTPMail
- SMTP
- POP3
- IMAP
- none
- WABOpen
- Software\Microsoft\Windows Mail
- Software\Microsoft\Windows Live Mail
- Store Root
- Salt
- account{*}.oeaccount
- Server
- User_Name
- Password2
- Port
- Secure_Connection
- type=%S, name=%S, address=%S, server=%S, port=%u, ssl=%S, user=%S, password=%S
- NSS_Init
- hostname
- type=%S, name=%s, address=%s, server=%s, port=%u, ssl=%s, user=%s, password=%s
- NSS_Shutdown
- mail
- MessageAccount
- PK11_FreeSlot
- Account_Name
- PK11_Authenticate
- SMTP_Email_Address
- encryptedUsername
- %S_%S
- encryptedPassword
- Email
- EmailAddressCollection/EmailAddress[%u]/Address
- Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\
- &uptime=%u
- Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\
- Client32
- Client64
- Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\
- %systemroot%\syswow64\cmd.exe
- Account Name
- /C pause dll
- .gif
- IMAP Server
- IMAP Port
- IMAP User
- IMAP Password
- IMAP Use SSL
- .jpeg
- POP3 User
- POP3 Server
- POP3 Port
- POP3 Password
- POP3 Use SSL
- .bmp
- .avi
- SMTP User
- SMTP Server
- SMTP Port
- SMTP Password
- SMTP Use SSL
- ICGetInfo
- A8000A
- ICSendMessage
- 1.0
- nss3.dll
- PK11_GetInternalKeySlot
- PK11SDR_Decrypt
- %systemroot%\system32\c_1252.nls
- %PROGRAMFILES%\Mozilla Thunderbird
- %USERPROFILE%\AppData\Roaming\Thunderbird\Profiles\*.default
- \logins.json
- %S %S, %S, %S
- %c%02X
- SOFTWARE\Microsoft\Windows NT\CurrentVersion
- InstallDate
- \\.\%s
- rundll32
- msvfw32
- ICOpen
- ICClose
- ICInfo
- rundll32 "%s",%S
- DllRegisterServer
- IsWow64Process
- Wow64EnableWow64FsRedirection
- D:(D;OICI;GA;;;BG)(D;OICI;GA;;;AN)(A;OICI;GA;;;AU)(A;OICI;GA;;;BA)
- %userprofile%\AppData\Local\Google\Chrome\User Data\Default\cache
- %userprofile%\AppData\Local\Mozilla\Firefox\Profiles
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement