2018-05-08 - GRANDSOFT EK SENDS QUANTLOADER WHICH RETRIEVES URSNIF

ASSOCIATED FILES:

  • 2018-05-08-Grandsoft-EK-sends-QuantLoader-which-retrieves-Ursnif.pcap   7.73 MB (7,725,979 bytes)
  • Zip archive of the malware & artifacts:  2018-05-08-Grandsoft-EK-malware-and-artifacts.zip   428 kB (428,634 bytes)
    • 2018-05-08-Grandsoft-EK-landing-page.txt   (530 bytes)
    • 2018-05-08-Grandsoft-EK-payload-QuantLoader.exe   (264,832 bytes)
    • 2018-05-08-Grandsoft-EK-second-page.txt   (22,067 bytes)
    • 2018-05-08-Grandsoft-EK.hta-file.txt   (5,069 bytes)
    • 2018-05-08-Ursnif-caused-by-QuantLoader-infection.exe   (431,250 bytes)

NOTES:

WEB TRAFFIC BLOCK LIST

Indicators are not a block list. If you feel the need to block web traffic, I suggest the following domains and URLs:

TRAFFIC

Shown above: Infection traffic filtered in Wireshark.

TRAFFIC FROM AN INFECTED WINDOWS HOST:

Shown above: Some alerts from Sguil in Security Onion using Suricata with the EmergingThreats Pro (ETPRO) ruleset.

FILE HASHES

GRANDSOFT EK PAYLOAD - QUANTLOADER (VERSION 1.75):

URSNIF (OR AN URSNIF VARIANT) RETRIEVED BY QUANTLOADER:

FINAL NOTES

Once again, here are the associated files:

Zip archives are password-protected with the standard password. If you don't know it, look at the "about" page of this website.
