2019-07-29 - URSNIF INFECTION WITH PUSHDO

ASSOCIATED FILES:

• 2019-07-29-DHL-themed-Ursnif-malspam-examples.zip   194 kB (194,114 bytes)
• 2019-07-29-Ursnif-infection-with-Pushdo.pcap.zip   6.5 MB (6,519,413 bytes)
• 2019-07-29-Ursnif-and-Pushdo-malware-and-artifacts.zip   2.5 MB (2,478,867 bytes)
• 2019-07-29-Ursnif-with-Pushdo-IOCs.txt.zip   1 kB (1,040 bytes)

NOTES:

• First saw info about the malspam from this tweet.
• Zip archives are password-protected with the standard password.  If you don't know it, see the "about" page of this website.

 

Shown above:  Infection traffic filtered in Wireshark.

 

Shown above:  Fiddler shows info on the HTTPS traffic generated by the spreadsheet macro.

 

Shown above:  Filtering for spambot traffic in the pcap.

 

Shown above:  One of the emails sent out from my newly-infected host (part 1 of 2).

 

Shown above:  One of the emails sent out from my newly-infected host (part 2 of 2).

 

Click here to return to the main page.