2019-08-21 - URSNIF INFECTION WITH TRICKBOT

ASSOCIATED FILES:

  • 2019-08-21-indicators-from-Ursnif-infection-with-Trickbot.txt   (5,344 bytes)
  • 2019-08-15-example-of-Ursnif-malspam.eml   (105,442 bytes)
  • 2019-08-21-example-of-Ursnif-malspam.eml   (62,352 bytes)
  • 2019-08-21-Ursnif-infection-with-Trickbot.pcap   (19,512,754 bytes)
  • 2019-08-21-JS-after-enabling-Word-macro.txt   (1,962 bytes)
  • 2019-08-21-Trickbot-EXE-retrieved-by-Ursnif-infected-host-1-of-2.exe   (1,177,088 bytes)
  • 2019-08-21-Trickbot-EXE-retrieved-by-Ursnif-infected-host-2-of-2.exe   (1,113,088 bytes)
  • 2019-08-21-Windows-registry-updates-caused-by-Ursnif.txt   (10,568,896 bytes)
  • 2019-08-21-Word-doc-with-macro-for-Urnsif.doc   (79,360 bytes)
  • 2019-08-21-initial-Ursnif-binary-after-enabling-Word-macro.exe   (265,728 bytes)
  • 2019-08-21-samerton.png-from-185.183.98.232.exe   (779,776 bytes)
  • 2019-08-21-scheduled-task-to-keep-Trickbot-persistent.txt   (3,574 bytes)
  • 2019-08-21-tablone.png-from-185.183.98.232.exe   (780,800 bytes)
  • speedLan/1013304.exe   (1,177,088 bytes)
  • speedLan/938098.exe   (1,113,088 bytes)
  • speedLan/dbmain.map   (779,776 bytes)
  • speedLan/settings.ini   (27,696 bytes)
  • speedLan/data/importDll64   (8,952,080 bytes)
  • speedLan/data/injectDll64   (467,392 bytes)
  • speedLan/data/injectDll64_configs/dinj   (141,504 bytes)
  • speedLan/data/injectDll64_configs/dpost   (928 bytes)
  • speedLan/data/injectDll64_configs/sinj   (176 bytes)
  • speedLan/data/mailsearcher64   (28,336 bytes)
  • speedLan/data/mailsearcher64_configs/mailconf   (240 bytes)
  • speedLan/data/networkDll64   (22,704 bytes)
  • speedLan/data/networkDll64_configs/dpost   (928 bytes)
  • speedLan/data/psfin64   (22,192 bytes)
  • speedLan/data/psfin64_configs/dpost   (928 bytes)
  • speedLan/data/pwgrab64   (1,304,928 bytes)
  • speedLan/data/pwgrab64_configs/dpost   (928 bytes)
  • speedLan/data/shareDll64   (13,024 bytes)
  • speedLan/data/systeminfo64   (21,168 bytes)
  • speedLan/data/tabDll64   (841,568 bytes)
  • speedLan/data/tabDll64_configs/dpost   (928 bytes)
  • speedLan/data/wormDll64   (56,608 bytes)

NOTES:

IMAGES

Shown above: Flow chart for recent Ursnif activity.

Shown above: Screen shot from one of the emails.

Shown above: The extracted Word document.

Shown above: Traffic from the infection filtered in Wireshark (1 of 2).

Shown above: Traffic from the infection filtered in Wireshark (2 of 2).

FINAL NOTES

Once again, here are the associated files:

Zip archives are password-protected with the standard password. If you don't know it, look at the "about" page of this website.