Ursnif: Long Live the Steganography! - Yoroi
Tags
| cmtmf-attack-pattern: | Process Injection |
| country: | Italy |
| maec-delivery-vectors: | Watering Hole |
| attack-pattern: | Data Malware - T1587.001 Malware - T1588.001 Powershell - T1059.001 Process Injection - T1631 Server - T1583.004 Server - T1584.004 Software - T1592.002 Steganography - T1001.002 Steganography - T1406.001 Steganography - T1027.003 Powershell - T1086 Process Injection - T1055 |
Common Information
| Type | Value |
|---|---|
| UUID | dae880d9-4e19-4ad5-a68a-5012fa65fdae |
| Fingerprint | a00f5932297f8f0f |
| Analysis status | DONE |
| Considered CTI value | 2 |
| Text language | |
| Published | Feb. 7, 2019, 11:17 a.m. |
| Added to db | Sept. 26, 2022, 9:30 a.m. |
| Last updated | Nov. 17, 2024, 6:55 p.m. |
| Headline | Ursnif: Long Live the Steganography! |
| Title | Ursnif: Long Live the Steganography! - Yoroi |
| Detected Hints/Tags/Attributes | 48/4/29 |
Source URLs
| Redirection | Url | |
|---|---|---|
| Details | Source | https://blog.yoroi.company/research/ursnif-long-live-the-steganography/ |
URL Provider
Attributes
| Details | Type | #Events | CTI | Value |
|---|---|---|---|---|
| Details | Domain | 1 | application.international |
|
| Details | Domain | 1 | fillialopago.info |
|
| Details | Domain | 1 | felipllet.info |
|
| Details | Domain | 4 | images2.imgbox.com |
|
| Details | Domain | 4 | postimg.cc |
|
| Details | Domain | 1 | pereloplatka.host |
|
| Details | Domain | 1 | roiboutique.ru |
|
| Details | Domain | 1 | uusisnfbfaa.xyz |
|
| Details | Domain | 1 | nolavalt.icu |
|
| Details | Domain | 1 | sendertips.ru |
|
| Details | File | 1260 | explorer.exe |
|
| Details | File | 1 | %temp%\twain001.exe |
|
| Details | File | 31 | c:\windows\system32\wbem\wmic.exe |
|
| Details | File | 1 | rbzwpazi_o.png |
|
| Details | File | 1 | mario.png |
|
| Details | File | 1 | lumen.exe |
|
| Details | File | 1 | propositionreputation.exe |
|
| Details | sha256 | 1 | 630b6f15c770716268c539c5558152168004657beee740e73ee9966d6de1753f |
|
| Details | sha256 | 1 | f30454bcc7f1bc1f328b9b546f5906887fd0278c40d90ab75b8631ef18ed3b7f |
|
| Details | sha256 | 1 | 93dd4d7baf1e89d024c59dbffce1c4cbc85774a1b7bcc8914452dc8aa8a79a78 |
|
| Details | IPv4 | 1 | 185.158.248.142 |
|
| Details | IPv4 | 1 | 185.158.248.143 |
|
| Details | Url | 1 | http://fillialopago.info |
|
| Details | Url | 1 | https://images2.imgbox.com/55/c4/rbzwpazi_o.png |
|
| Details | Url | 1 | https://i.postimg.cc/ph6qvfvf/mario.png?dl=1 |
|
| Details | Url | 1 | https://fillialopago.info |
|
| Details | Url | 1 | http://felipllet.info |
|
| Details | Windows Registry Key | 3 | HKCU\Software\AppDataLow\Software\Microsoft |
|
| Details | Yara rule | 1 | import "pe"
rule Ursnif_201902 {
meta:
description = "Yara rule for Ursnif loader - January version"
author = "Yoroi - ZLab"
last_updated = "2019-02-06"
tlp = "white"
category = "informational"
strings:
$a1 = "PADDINGXX"
$a2 = { 66 66 66 66 66 66 66 }
condition:
all of ($a*) and pe.number_of_sections == 4 and (pe.version_info["OriginalFilename"] contains "Lumen.exe" or pe.version_info["OriginalFilename"] contains "PropositionReputation.exe")
} |