2018-11-21 - URSNIF INFECTION WITH DRIDEX

ASSOCIATED FILES:

  • 2018-11-21-Ursnif-malspam-1027-UTC.eml   (110,312 bytes)
  • 2018-11-21-Ursnif-infection-with-Dridex.pcap   (3,386,778 bytes)
  • 2018-11-21-Dridex-retrieved-by-Ursnif-infected-host.exe   (253,952 bytes)
  • 2018-11-21-Ursnif-binary.exe   (506,880 bytes)
  • 2018-11-21-Windows-Registry-entries-for-Ursnif.txt   (10,390,302 bytes)
  • 2018-11-19-attached-Word-doc-with-macro-for-Ursnif-example-1-of-3.doc   (103,936 bytes)
  • 2018-11-19-attached-Word-doc-with-macro-for-Ursnif-example-2-of-3.doc   (103,424 bytes)
  • 2018-11-19-attached-Word-doc-with-macro-for-Ursnif-example-3-of-3.doc   (101,888 bytes)
  • 2018-11-20-attached-Word-doc-with-macro-for-Ursnif-example-1-of-3.doc   (92,672 bytes)
  • 2018-11-20-attached-Word-doc-with-macro-for-Ursnif-example-2-of-3.doc   (93,696 bytes)
  • 2018-11-20-attached-Word-doc-with-macro-for-Ursnif-example-3-of-3.doc   (172,032 bytes)
  • 2018-11-21-attached-Word-doc-with-marco-for-Ursnif.doc   (77,056 bytes)

NOTES:


Shown above:  Flow chart for recent Ursnif malspam infections I've seen.

WEB TRAFFIC BLOCK LIST

Indicators are not a block list.  If you feel the need to block web traffic, I suggest the following domains and URL:

EMAILS


Shown above:  Example of Ursnif malspam and attachment from 2018-11-21.

TRAFFIC


Shown above:  Traffic from an infection filtered in Wireshark.

URLS GENERATED BY 7 WORD DOC MACROS FROM 2018-11-19 THRU 2018-11-21:

TRAFFIC FROM AN INFECTED WINDOWS HOST ON 2018-11-21:

MALWARE

WORD DOC ATTACHMENTS WITH MACRO FOR URSNIF ON MONDAY 2018-11-19:

WORD DOC ATTACHMENTS WITH MACRO FOR URSNIF ON TUESDAY 2018-11-20:

MALWARE FROM AN INFECTION GENERATED ON WEDNESDAY 2018-11-21:

IMAGES


Shown above:  Some registry entries on the infected Windows host caused by Ursnif.

FINAL NOTES

Once again, here are the associated files:

Zip archives are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.