ursnif sample
Thursday, April 12, 2018

found by @avman1995
@Artilllerie says: Seems to be #Ursnif
https://twitter.com/avman1995/status/984312860766560256
https://www.reverse.it/sample/4bc0433608ad7e5eb1d8efd93e12f25a26446ebeed68da7cb4301c7e9395f143?environmentId=100

---------- files dropped ----------
C:\Users\xxx\AppData\Roaming\Microsoft\Audibres\comr2022.exe

---------- interesting network traffic ----------
1.) GET /tor/server/fp/8b029434401afdc8b9793a49005e2bc3af76c02c HTTP/1.0
Host: 178.17.170.149

Response:
HTTP/1.0 200 OK
Date: Thu, 12 Apr 2018 21:28:11 GMT
Content-Type: text/plain
X-Your-Address-Is: xxx
Content-Encoding: identity
Expires: Sat, 14 Apr 2018 21:28:11 GMT

router anongoth 46.248.164.24 443 0 0
identity-ed25519

2.) TCP 192.168.113.242:51007 46.248.164.24:443 ESTABLISHED 3556 [Explorer.EXE]

---------- interesting in memory strings of injected Explorer.EXE ----------
0x51bf8ad (54): newsreader.site/images/1.png file://c:\test\test32.dll
0x51bf8e4 (52): newsreader.site/images/2.png file://c:\test\tor64.dl
0x51bf968 (12): curlmyip.net
0x51bf97f (23): iod5tem372udbzu2.onion
0x51bf9af (23): iod5tem372udbzu2.onion
0x51bf9f0 (16): s4Sc9mDb35Ayj8oO
0x51bfd00 (180): GET /tor/server/fp/8b029434401afdc8b9793a49005e2bc3af76c02c HTTP/1.0 Host: 178.17.170.149
0x51bfde0 (26): 46.248.164.24
0x51bf851 (21): kn.forgekitchen.co.uk
0x51bf867 (29): constitution.org/usdeclar.txt
0x51bf896 (22): iod5tem372udbzu2.onion
0x582cd52 (12): Tor 0.3.2.10
0x582cd6a (12): Tor 0.3.1.10
0x582cd82 (12): Tor 0.2.9.10
(remaining strings in this region: cached Tor network-status router entries and proto lines for public relays)

---------- interesting api calls of original exe ----------
KERNELBASE.dll CreateFileA ( "\\.\mailslot\msl0", GENERIC_WRITE, FILE_SHARE_READ | FILE_SHARE_WRITE, NULL, OPEN_EXISTING, 0, NULL )
KERNELBASE.dll CreateFileW ( "C:\Users\Win732\AppData\Roaming\Microsoft\Audibres\comr2022.exe", GENERIC_READ | GENERIC_WRITE, FILE_SHARE_READ, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL )

---------- interesting in memory strings of original exe ----------
0x1fe82c8 (66): attrib -r -s -h %%1 :%u del %%1 if exist %%1 goto %u del %%0
0x1fe830b (86): :%u if not exist %%1 goto %u cmd /C "%%1 %%2" if errorlevel 1 goto %u :%u del %%0
0x1fe8362 (31): %02u-%02u-%02u %02u:%02u:%02u
0x1fe85a0 (84): /C "copy "%s" "%s" /y && rundll32 "%s",%S"
0x1fe85f8 (70): /C "copy "%s" "%s" /y && "%s" "%s""
0x41c8f18 (126): C:\Users\xxx\AppData\Roaming\Microsoft\Audibres\comr2022.exe
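One defensive use of the indicators above, as an added example that is not part of the original post: a small Python checker that flags Tor directory-protocol fetches (the /tor/server/fp/<fingerprint> request the injected Explorer.EXE made over plain HTTP/1.0 to a bare IP, a sign of an embedded Tor client) and the hosts and addresses from this post in proxy-style HTTP logs. The log format and the sample lines are constructed for the example; the indicator values come from the post.

```python
import re

# Indicators taken from the post above (directory mirror contacted, relay the
# injected Explorer.EXE connected to, and strings found in its memory).
POST_IOCS = {
    "178.17.170.149": "Tor directory mirror fetched by injected Explorer.EXE",
    "46.248.164.24": "Tor relay 'anongoth' reached on 443 from Explorer.EXE",
    "curlmyip.net": "external IP check string in memory",
    "iod5tem372udbzu2.onion": "hidden service address in memory",
    "newsreader.site": "payload staging host in memory",
}

# Tor directory-protocol paths. A process that is not a Tor client (here
# Explorer.EXE) requesting these over plain HTTP is the behaviour to alert on.
TOR_DIR_PATH = re.compile(
    r"^/tor/(server/fp/(?P<fp>[0-9a-fA-F]{40})|status-vote/current/consensus"
    r"|micro/d/|keys/)"
)

# Constructed log format (assumption): proc src_ip dst_ip "METHOD path ver" host
LOG_LINE = re.compile(
    r'^(?P<proc>\S+) (?P<src>\S+) (?P<dst>\S+) '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<ver>HTTP/\d\.\d)" (?P<host>\S+)$'
)

def analyse_line(line):
    """Return a list of (severity, reason) findings for one log line."""
    m = LOG_LINE.match(line.strip())
    if not m:
        return []  # unparseable line: nothing to say about it
    d = m.groupdict()
    findings = []
    dir_req = TOR_DIR_PATH.match(d["path"])
    if dir_req:
        fp = dir_req.group("fp")
        what = f"descriptor for relay fingerprint {fp}" if fp else "directory document"
        findings.append(("high", f"{d['proc']} fetched Tor {what} from {d['dst']} over {d['ver']}"))
    for ioc, note in POST_IOCS.items():
        if ioc in d["host"] or ioc in d["dst"] or ioc in d["path"]:
            findings.append(("medium", f"{d['proc']} contacted known indicator {ioc} ({note})"))
    return findings

def scan(lines):
    """Run analyse_line over a log and return (line, finding) pairs."""
    return [(line, f) for line in lines for f in analyse_line(line)]

# Constructed sample log: the first line mirrors the request recorded in the post.
SAMPLE_LOG = [
    'Explorer.EXE 192.168.113.242 178.17.170.149 "GET /tor/server/fp/8b029434401afdc8b9793a49005e2bc3af76c02c HTTP/1.0" 178.17.170.149',
    'chrome.exe 192.168.113.242 93.184.216.34 "GET /index.html HTTP/1.1" example.com',
    'Explorer.EXE 192.168.113.242 104.16.0.1 "GET / HTTP/1.1" curlmyip.net',
]
```

Running scan(SAMPLE_LOG) yields two findings for the first line (the directory fetch and the known mirror address), none for the browser line, and one for the external-IP check from Explorer.EXE.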