
Rewterz Threat Alert – Ursnif Malware IoCs

June 20, 2019

Severity

Medium

Analysis Summary

Ursnif is typically encountered when the user inadvertently opens a malicious file attachment that arrives via a spam email message.

Upon execution, Ursnif checks for the presence of any virtual or debugging environments; if found, it will show a fake alert message box with the text, “Error Initializing Client App!”. It also performs process hollowing on svchost.exe or explorer.exe and injects a DLL file (client.dll) based on the system environment (whether it is 32- or 64-bit).

Afterwards, it tries to steal multiple pieces of information from the system and store them in a file. It then connects to a malicious command and control (C&C) server.

Impact

  • Credential theft
  • Exposure of sensitive information

Indicators of Compromise

IP(s) / Hostname(s)


URLs


Filename

  • Atto_51648651519816651651651651651.vbs
  • eyTWUDW.exe

Malware Hash (MD5/SHA1/SHA256)


Remediation

  • Block all threat indicators at your respective controls.
  • Always be suspicious of emails sent by unknown senders.
  • Never click on links or attachments sent by unknown senders.
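The first remediation step, blocking the listed indicators, requires reversing the advisory's defanged notation (hxxp, [:] and [.]) before the values can be loaded into a control or matched against telemetry. The following Python is an added example (not Rewterz code) that refangs constructed placeholder indicators written in the same notation and checks them against constructed proxy log lines:

```python
import re
from urllib.parse import urlsplit

# Constructed placeholder indicators in the advisory's defanged notation
# (hxxp, [:] and [.]); these are NOT the real IoCs from the advisory.
DEFANGED_IOCS = [
    "203[.]0[.]113[.]7",
    "hxxp[:]//c2-placeholder[.]example/2poef1/j.php?l=flono1.fgs",
    "hxxps[:]//blog-placeholder[.]example/",
    "drop-placeholder[.]example",
]

def refang(ioc: str) -> str:
    """Undo the defanging so the indicator can be fed to a blocking control."""
    ioc = ioc.strip()
    ioc = re.sub(r"^hxxp", "http", ioc, flags=re.IGNORECASE)
    return ioc.replace("[:]", ":").replace("[.]", ".")

def host_of(ioc: str) -> str:
    """Return the bare, lowercased host for a URL, IP or domain indicator."""
    if "://" in ioc:
        return urlsplit(ioc).hostname or ""
    return ioc.lower()

def build_blocklist(defanged):
    """Reduce mixed URL/IP/domain indicators to a set of hosts to match on."""
    return {host_of(refang(i)) for i in defanged}

# Constructed proxy log lines: "<timestamp> <client_ip> <method> <url> <status>"
SAMPLE_PROXY_LOG = """\
2019-06-20T09:14:02Z 10.0.0.15 GET http://c2-placeholder.example/2poef1/j.php?l=flono3.fgs 200
2019-06-20T09:14:05Z 10.0.0.15 GET https://www.example.org/index.html 200
2019-06-20T09:15:11Z 10.0.0.22 POST http://203.0.113.7/upload 200
2019-06-20T09:16:40Z 10.0.0.31 GET https://blog-placeholder.example/sdfwegg?yrw=3 404
"""

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")

def find_hits(log_text: str, blocklist) -> list:
    """Return (timestamp, client_ip, host) for each request to a listed host."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ts, client, _method, url, _status = m.groups()
        host = urlsplit(url).hostname or ""
        if host.lower() in blocklist:
            hits.append((ts, client, host))
    return hits

if __name__ == "__main__":
    for hit in find_hits(SAMPLE_PROXY_LOG, build_blocklist(DEFANGED_IOCS)):
        print(*hit)
```

Matching on the host rather than the full URL is deliberate: the advisory's URL indicators carry variable path parameters, so a full-string match would miss related requests.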