{
"Event" : {
"analysis" : "2" ,
"date" : "2017-07-24" ,
"extends_uuid" : "" ,
"info" : "OSINT - Ursnif variant found using mouse movement for decryption and evasion" ,
"publish_timestamp" : "1503930240" ,
"published" : true ,
"threat_level_id" : "3" ,
"timestamp" : "1503930235" ,
"uuid" : "59a3bc82-f214-4bef-ab11-461b950d210f" ,
"Orgc" : {
"name" : "CIRCL" ,
"uuid" : "55f6ea5e-2c60-40e5-964f-47a8950d210f"
} ,
"Tag" : [
{
"colour" : "#004646" ,
"local" : false ,
"name" : "type:OSINT" ,
"relationship_type" : ""
} ,
{
"colour" : "#ffffff" ,
"local" : false ,
"name" : "tlp:white" ,
"relationship_type" : ""
} ,
{
"colour" : "#284800" ,
"local" : false ,
"name" : "malware_classification:malware-category=\"Trojan\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#00223b" ,
"local" : false ,
"name" : "osint:source-type=\"blog-post\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#0b8c00" ,
"local" : false ,
"name" : "misp-galaxy:tool=\"Snifula\"" ,
"relationship_type" : ""
}
] ,
"Attribute" : [
{
"category" : "External analysis" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1503930230" ,
"to_ids" : false ,
"type" : "link" ,
"uuid" : "59a3bc9a-a1c4-440f-bc9e-4e22950d210f" ,
"value" : "https://blogs.forcepoint.com/security-labs/ursnif-variant-found-using-mouse-movement-decryption-and-evasion" ,
"Tag" : [
{
"colour" : "#00223b" ,
"local" : false ,
"name" : "osint:source-type=\"blog-post\"" ,
"relationship_type" : ""
}
]
} ,
{
"category" : "External analysis" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1503930230" ,
"to_ids" : false ,
"type" : "comment" ,
"uuid" : "59a3bcdb-123c-4401-b037-4e83950d210f" ,
"value" : "In January 2016 Forcepoint Security Labs reported an email campaign delivering the Ursnif banking Trojan which used the \u2018Range\u2019 feature within its initial HTTP requests to avoid detection.\r\n\r\nIn July 2017 we discovered a malicious email sample delivering a new variant of Ursnif, attached within an encrypted Word document with the plaintext password within the email body. As recorded in several other Ursnif campaigns reported since April 2017, this Word document contains several obfuscated VBS files which load malicious DLLs through WMI.\r\n\r\nHowever, these samples appear to exhibit new features including anti-sandboxing features that use a combination of mouse position and file timestamps to decode their internal data and the ability to steal data from the Thunderbird application." ,
"Tag" : [
{
"colour" : "#00223b" ,
"local" : false ,
"name" : "osint:source-type=\"blog-post\"" ,
"relationship_type" : ""
}
]
} ,
{
"category" : "Network activity" ,
"comment" : "Download locations" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1503930230" ,
"to_ids" : true ,
"type" : "url" ,
"uuid" : "59a3bd70-2700-48b3-8033-4ec3950d210f" ,
"value" : "http://46.17.40.22/hyey.pnj"
} ,
{
"category" : "Network activity" ,
"comment" : "Download locations" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1503930230" ,
"to_ids" : true ,
"type" : "url" ,
"uuid" : "59a3bd70-3474-4b05-9452-4952950d210f" ,
"value" : "46.17.40.142/45.txt"
} ,
{
"category" : "Network activity" ,
"comment" : "Download locations" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1503930230" ,
"to_ids" : true ,
"type" : "url" ,
"uuid" : "59a3bd70-7950-4d02-a65b-4e5e950d210f" ,
"value" : "http://inshaengineeringindustries.com/head.pkl"
} ,
{
"category" : "Network activity" ,
"comment" : "Download locations" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1503930230" ,
"to_ids" : true ,
"type" : "url" ,
"uuid" : "59a3bd70-cd70-4925-b57e-41d5950d210f" ,
"value" : "http://ardshinbank.at/key/x32.bin"
} ,
{
"category" : "Network activity" ,
"comment" : "Download locations" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1503930230" ,
"to_ids" : true ,
"type" : "url" ,
"uuid" : "59a3bd70-00ec-42c0-86ac-4011950d210f" ,
"value" : "http://ardshinbank.at/key/x64.bin"
} ,
{
"category" : "Payload delivery" ,
"comment" : "C2" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1503930230" ,
"to_ids" : true ,
"type" : "filename" ,
"uuid" : "59a3bd81-7c78-4ca1-bbb7-4915950d210f" ,
"value" : "aaxvkah7dudzoloq.onion"
} ,
{
"category" : "Network activity" ,
"comment" : "C2" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1503930230" ,
"to_ids" : true ,
"type" : "domain" ,
"uuid" : "59a3bd82-c9b4-45f4-b13d-4b36950d210f" ,
"value" : "0x7293c971.ru"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1503930230" ,
"to_ids" : true ,
"type" : "sha1" ,
"uuid" : "59a3bda9-6a18-4c11-9c24-4ac7950d210f" ,
"value" : "82615b4bb03ba00f141bb4d4b57bf8a73e76ebe9"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1503930230" ,
"to_ids" : true ,
"type" : "sha1" ,
"uuid" : "59a3bda9-6a60-4cc4-968e-4e8c950d210f" ,
"value" : "bdcb4b96a281da3e09e29071dc9661ce39d442f1"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1503930230" ,
"to_ids" : true ,
"type" : "sha1" ,
"uuid" : "59a3bda9-535c-4b5d-8f27-4fe9950d210f" ,
"value" : "73fdde182759e644a3d7296537a048a6980e8526"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1503930230" ,
"to_ids" : true ,
"type" : "sha1" ,
"uuid" : "59a3bda9-4174-4074-91a6-4543950d210f" ,
"value" : "60e221bd9e234ab6786def88a1f0e11460678fb4"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1503930230" ,
"to_ids" : true ,
"type" : "sha1" ,
"uuid" : "59a3bda9-96b4-4b8e-be4a-4c12950d210f" ,
"value" : "ce7e48d8ee6e113429dba75a8528568fda4b0067"
} ,
{
"category" : "Persistence mechanism" ,
"comment" : "Name: Random String" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1503930230" ,
"to_ids" : false ,
"type" : "regkey" ,
"uuid" : "59a3bdc5-47e4-4f75-abdc-4c80950d210f" ,
"value" : "HKEY_USERS\\S-1-5-21-746137067-1417001333-1606980848-500\\Software\\Microsoft\\Windows\\CurrentVersion\\Run"
} ,
{
"category" : "Payload delivery" ,
"comment" : "- Xchecked via VT: 73fdde182759e644a3d7296537a048a6980e8526" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1503930231" ,
"to_ids" : true ,
"type" : "sha256" ,
"uuid" : "59a42777-65c8-4b43-ab3c-4a9502de0b81" ,
"value" : "48dbf539d756d61a1eae7f6c87d4ccb6beae1b14e0273c87e53402e040b02f91"
} ,
{
"category" : "Payload delivery" ,
"comment" : "- Xchecked via VT: 73fdde182759e644a3d7296537a048a6980e8526" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1503930231" ,
"to_ids" : true ,
"type" : "md5" ,
"uuid" : "59a42777-feec-472d-a9d2-456d02de0b81" ,
"value" : "db53017980dcb70ee9f6bdee3603da42"
} ,
{
"category" : "External analysis" ,
"comment" : "- Xchecked via VT: 73fdde182759e644a3d7296537a048a6980e8526" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1503930231" ,
"to_ids" : false ,
"type" : "link" ,
"uuid" : "59a42777-ef2c-4b28-9362-408602de0b81" ,
"value" : "https://www.virustotal.com/file/48dbf539d756d61a1eae7f6c87d4ccb6beae1b14e0273c87e53402e040b02f91/analysis/1503556363/"
} ,
{
"category" : "Payload delivery" ,
"comment" : "- Xchecked via VT: bdcb4b96a281da3e09e29071dc9661ce39d442f1" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1503930231" ,
"to_ids" : true ,
"type" : "sha256" ,
"uuid" : "59a42777-7bc8-4563-bde9-439202de0b81" ,
"value" : "1e2efef5ae950993d8393f17ffd7752a0b3aefec77e97bebb2940fdb323e22ce"
} ,
{
"category" : "Payload delivery" ,
"comment" : "- Xchecked via VT: bdcb4b96a281da3e09e29071dc9661ce39d442f1" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1503930231" ,
"to_ids" : true ,
"type" : "md5" ,
"uuid" : "59a42777-6ad4-4edb-849c-45a002de0b81" ,
"value" : "e6db3165321e8cbbc19f04b8493135da"
} ,
{
"category" : "External analysis" ,
"comment" : "- Xchecked via VT: bdcb4b96a281da3e09e29071dc9661ce39d442f1" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1503930231" ,
"to_ids" : false ,
"type" : "link" ,
"uuid" : "59a42777-bef0-4674-82fd-4ffc02de0b81" ,
"value" : "https://www.virustotal.com/file/1e2efef5ae950993d8393f17ffd7752a0b3aefec77e97bebb2940fdb323e22ce/analysis/1502176481/"
}
]
}
}