2020-12-03 - TA551 (SHATHAK) WORD DOCS WITH ITALIAN TEMPLATE SEND URSNIF WITH PUSHDO
ASSOCIATED FILES
- 2020-12-03-IOCs-for-TA551-activity.txt.zip 5.8 kB (5,839 bytes)
- 2020-12-03-TA551-Italian-malspam-5-examples.zip 755 kB (754,907 bytes)
- 2020-12-03-TA551-Italian-Word-docs-32-examples.zip 3.6 MB (3,603,140 bytes)
- 2020-12-03-TA551-installer-DLL-for-Ursnif-14-examples.zip 3.0 MB (2,966,961 bytes)
- 2020-12-03-TA551-sends-Ursnif-with-pushdo.pcap.zip 7.8 MB (7,823,141 bytes)
- 2020-12-03-TA551-artifacts-from-infected-host.zip 3.4 MB (3,358,882 bytes)
NOTES:
- All zip archives on this site are password-protected with the standard password. If you don't know it, see the "about" page of this website.
IMAGES
Shown above: One of the items of malspam from TA551 on 2020-12-03.
Shown above: Screenshot from the extracted Word doc.
Shown above: HTTP request for the installer DLL for Ursnif.
Shown above: Notifications that popped up during the infection.
Shown above: Traffic from an infection filtered in Wireshark (request for followup Pushdo malware marked with arrow).
Shown above: Some some of the Pushdo traffic (also includes the HTTP POST requests from previous image.
Shown above: HTTP request that resulted in another follow-up malware EXE on my infected host.
Shown above: Registry updates caused by Ursnif.
Shown above: Follow-up malware on an infected host.
Shown above: Example of registry updates caused by Pushdo.
Shown above: Registry updates that keep Ursnif and Pushdo persistent after a reboot.
Click here to return to the main page.