Thursday, April 12, 2018

ursnif sample

found by @avman1995
@Artilllerie says: "Seems to be #Ursnif"
https://twitter.com/avman1995/status/984312860766560256
https://www.reverse.it/sample/4bc0433608ad7e5eb1d8efd93e12f25a26446ebeed68da7cb4301c7e9395f143?environmentId=100

----------
files dropped
----------
C:\Users\xxx\AppData\Roaming\Microsoft\Audibres\comr2022.exe

----------
interesting network traffic
----------
1.) GET /tor/server/fp/8b029434401afdc8b9793a49005e2bc3af76c02c HTTP/1.0
Host: 178.17.170.149
Response: HTTP/1.0 200 OK
Date: Thu, 12 Apr 2018 21:28:11 GMT
Content-Type: text/plain
X-Your-Address-Is: xxx
Content-Encoding: identity
Expires: Sat, 14 Apr 2018 21:28:11 GMT

router anongoth 46.248.164.24 443 0 0
identity-ed25519
2.) 
  TCP    192.168.113.242:51007  46.248.164.24:443      ESTABLISHED     3556
 [Explorer.EXE]
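A defender-side way to read this exchange, as an added example that is not from the original post: the sample fetched a relay descriptor by fingerprint from a directory cache (the dir-spec `/tor/server/fp/<fingerprint>` URL), the `router` line in the reply names that relay's IP and ORPort, and the injected Explorer.EXE then opened a TCP session to exactly that address. The constructed input below mirrors the request, response and netstat lines above; the regexes, function names and the second, non-matching netstat line are assumptions of this example, not content of the post.

```python
import re

# Constructed copy of the exchange shown above (not a capture from the post's run).
SAMPLE_HTTP = """GET /tor/server/fp/8b029434401afdc8b9793a49005e2bc3af76c02c HTTP/1.0
Host: 178.17.170.149
Response: HTTP/1.0 200 OK
Date: Thu, 12 Apr 2018 21:28:11 GMT
Content-Type: text/plain
Content-Encoding: identity

router anongoth 46.248.164.24 443 0 0
identity-ed25519
"""

# Constructed netstat output: first line matches the post, second is unrelated filler.
SAMPLE_NETSTAT = [
    "  TCP    192.168.113.242:51007  46.248.164.24:443      ESTABLISHED     3556",
    "  TCP    192.168.113.242:51010  192.0.2.10:443         ESTABLISHED     1234",
]

# dir-spec: a server descriptor is requested by its 40-hex-digit fingerprint.
DIR_FETCH_RE = re.compile(r"^GET /tor/server/fp/([0-9a-fA-F]{40}) HTTP/1\.[01]", re.M)
# dir-spec: "router" nickname address ORPort SOCKSPort DirPort
ROUTER_RE = re.compile(r"^router (\S+) (\d{1,3}(?:\.\d{1,3}){3}) (\d+) (\d+) (\d+)$", re.M)
# netstat -ano style line: proto, local, remote, state, pid
NETSTAT_RE = re.compile(r"^\s*TCP\s+\S+\s+(\d{1,3}(?:\.\d{1,3}){3}):(\d+)\s+ESTABLISHED\s+(\d+)")


def parse_descriptor_fetch(http_text):
    """Return (fingerprint, nickname, or_ip, or_port) when the text is a Tor directory
    fetch by fingerprint whose reply carries a router line; otherwise None."""
    m_req = DIR_FETCH_RE.search(http_text)
    m_rtr = ROUTER_RE.search(http_text)
    if not m_req or not m_rtr:
        return None
    nick, ip, orport, _socksport, _dirport = m_rtr.groups()
    return m_req.group(1).lower(), nick, ip, int(orport)


def correlate(http_text, netstat_lines):
    """Flag established connections to the relay ORPort learned from the descriptor,
    with the owning PID, so the follow-on Tor circuit can be tied to a process."""
    fetched = parse_descriptor_fetch(http_text)
    if fetched is None:
        return []
    _fp, nick, ip, orport = fetched
    hits = []
    for line in netstat_lines:
        m = NETSTAT_RE.match(line)
        if m and m.group(1) == ip and int(m.group(2)) == orport:
            hits.append({"pid": int(m.group(3)), "relay": nick, "remote": f"{ip}:{orport}"})
    return hits
```

The plaintext directory fetch is what makes this visible: once the relay connection is up, the Tor traffic itself is encrypted, so the descriptor request is the point to correlate on.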

----------
interesting in-memory strings of injected Explorer.EXE
----------
0x51bf8ad (54): newsreader.site/images/1.png file://c:\test\test32.dll
0x51bf8e4 (52): newsreader.site/images/2.png file://c:\test\tor64.dl
0x51bf968 (12): curlmyip.net
0x51bf97f (23):  iod5tem372udbzu2.onion
0x51bf9af (23):  iod5tem372udbzu2.onion
0x51bf9f0 (16): s4Sc9mDb35Ayj8oO
0x51bfd00 (180): GET /tor/server/fp/8b029434401afdc8b9793a49005e2bc3af76c02c HTTP/1.0
Host: 178.17.170.149
0x51bfde0 (26): 46.248.164.24
0x51bf851 (21): kn.forgekitchen.co.uk
0x51bf867 (29): constitution.org/usdeclar.txt
0x51bf896 (22): iod5tem372udbzu2.onion
0x582cd52 (12): Tor 0.3.2.10
0x582cd6a (12): Tor 0.3.1.10
0x582cd82 (12): Tor 0.2.9.10

----------
interesting api calls of original exe
----------
KERNELBASE.dll CreateFileA ( "\\.\mailslot\msl0", GENERIC_WRITE, FILE_SHARE_READ | FILE_SHARE_WRITE, NULL, OPEN_EXISTING, 0, NULL )
KERNELBASE.dll CreateFileW ( "C:\Users\Win732\AppData\Roaming\Microsoft\Audibres\comr2022.exe", GENERIC_READ | GENERIC_WRITE, FILE_SHARE_READ, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL ) 

----------
interesting in-memory strings of original exe
----------
0x1fe82c8 (66): attrib -r -s -h %%1
:%u
del %%1
if exist %%1 goto %u
del %%0

0x1fe830b (86): :%u
if not exist %%1 goto %u
cmd /C "%%1 %%2"
if errorlevel 1 goto %u
:%u
del %%0
0x1fe8362 (31): %02u-%02u-%02u %02u:%02u:%02u
0x1fe85a0 (84): /C "copy "%s" "%s" /y && rundll32 "%s",%S"
0x1fe85f8 (70): /C "copy "%s" "%s" /y && "%s" "%s""
0x41c8f18 (126): C:\Users\xxx\AppData\Roaming\Microsoft\Audibres\comr2022.exe
