2018-11-27 - URSNIF INFECTION WITH DRIDEX

ASSOCIATED FILES:

  • 2018-11-27-Ursnif-infection-traffic-with-Dridex.pcap   (1,211,674 bytes)
  • 2018-11-27-attached-Word-doc-with-macro-for-Ursnif.doc   (89,088 bytes)
  • 2018-11-27-Dridex-retrieved-by-Windows-host-infected-with-Ursnif.exe   (253,952 bytes)
  • 2018-11-27-Ursnif-malware-binary.exe   (261,120 bytes)
  • 2018-11-27-Windows-registry-entries-created-by-Ursnif-infection.txt   (10,420,558 bytes)

Shown above:  Flow chart for recent Ursnif malspam infections I've seen.

 

WEB TRAFFIC BLOCK LIST

Indicators are not a block list.  If you feel the need to block web traffic, I suggest the following domains and URL:

 

TRAFFIC


Shown above:  Traffic from an infection filtered in Wireshark.
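The Wireshark view above is a filter on HTTP requests. The script below is an added example, not code from the original post or its author: it reproduces that view offline by walking a classic libpcap file (Ethernet link type, IPv4/TCP) with only the Python standard library and pulling out the request line and Host header of every HTTP request, then collapsing repeats into the kind of "IP port - host - METHOD /uri" listing used in these traffic write-ups. Everything in build_sample_pcap() is constructed for the example: the hostnames (*.example), the RFC 5737 addresses, and the timestamps are placeholders, not the Ursnif or Dridex indicators from the real capture, which live in the pcap in the zip archive. Run it against that pcap with http_requests(open(path, "rb").read()).

```python
"""Extract HTTP request lines (source, destination, Host, URI) from a pcap.

Added example for this post, not code from the original page.  Handles the
classic libpcap format only (no pcapng), Ethernet link type, IPv4/TCP.  Only
the first segment of each request is examined, which is enough for the
request line and Host header of the small GET/POST requests seen in
malspam traffic; checksums are not verified."""
import struct
from typing import Iterator, List, Tuple

PCAP_MAGIC_LE = 0xA1B2C3D4
PCAP_MAGIC_BE = 0xD4C3B2A1
LINKTYPE_ETHERNET = 1
ETHERTYPE_IPV4 = b"\x08\x00"
IPPROTO_TCP, IPPROTO_UDP = 6, 17
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ")

Request = Tuple[str, str, int, str, str, str]  # src, dst, dport, method, host, uri


def _tcp_payloads(pcap: bytes) -> Iterator[Tuple[str, str, int, bytes]]:
    """Yield (src_ip, dst_ip, dst_port, payload) for each IPv4/TCP segment
    carrying data; ARP, UDP (DNS) and empty ACKs are skipped."""
    magic, = struct.unpack_from("<I", pcap, 0)
    if magic == PCAP_MAGIC_LE:
        endian = "<"
    elif magic == PCAP_MAGIC_BE:
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled)")
    linktype, = struct.unpack_from(endian + "I", pcap, 20)
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet link type is handled")
    off = 24  # end of the 24-byte global header
    while off + 16 <= len(pcap):
        _sec, _usec, incl_len, _orig = struct.unpack_from(endian + "IIII", pcap, off)
        off += 16
        frame = pcap[off:off + incl_len]
        off += incl_len
        if len(frame) < 34 or frame[12:14] != ETHERTYPE_IPV4:
            continue
        ip = frame[14:]
        ihl = (ip[0] & 0x0F) * 4
        total_len = struct.unpack_from("!H", ip, 2)[0]
        if ip[9] != IPPROTO_TCP or total_len < ihl + 20:
            continue
        src = ".".join(str(b) for b in ip[12:16])
        dst = ".".join(str(b) for b in ip[16:20])
        tcp = ip[ihl:total_len]
        dport = struct.unpack_from("!H", tcp, 2)[0]
        payload = tcp[(tcp[12] >> 4) * 4:]  # data offset is the high nibble of byte 12
        if payload:
            yield src, dst, dport, payload


def http_requests(pcap: bytes) -> List[Request]:
    """One tuple per HTTP request start: the same fields Wireshark shows
    under an http.request filter (source, destination, Host, request URI)."""
    found: List[Request] = []
    for src, dst, dport, payload in _tcp_payloads(pcap):
        if not payload.startswith(HTTP_METHODS):
            continue
        lines = payload.split(b"\r\n\r\n", 1)[0].split(b"\r\n")
        parts = lines[0].split(b" ")
        if len(parts) < 2:
            continue
        host = ""
        for line in lines[1:]:
            if line.lower().startswith(b"host:"):
                host = line.split(b":", 1)[1].strip().decode("ascii", "replace")
                break
        found.append((src, dst, dport, parts[0].decode("ascii", "replace"),
                      host, parts[1].decode("ascii", "replace")))
    return found


def traffic_listing(pcap: bytes) -> List[str]:
    """Unique 'dst port N - host - METHOD /uri' lines, in first-seen order."""
    seen: List[str] = []
    for _src, dst, dport, method, host, uri in http_requests(pcap):
        line = f"{dst} port {dport} - {host} - {method} {uri}"
        if line not in seen:
            seen.append(line)
    return seen


def _frame(src: str, dst: str, dport: int, proto: int, payload: bytes) -> bytes:
    """Minimal Ethernet/IPv4/(TCP|UDP) frame for the constructed sample."""
    if proto == IPPROTO_TCP:   # sport, dport, seq, ack, data offset 5, PSH|ACK, window, csum, urg
        l4 = struct.pack("!HHIIBBHHH", 49152, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    else:                      # UDP: sport, dport, length, csum
        l4 = struct.pack("!HHHH", 49152, dport, 8 + len(payload), 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4) + len(payload), 0, 0, 64, proto, 0,
                     bytes(int(x) for x in src.split(".")), bytes(int(x) for x in dst.split(".")))
    return b"\x00" * 12 + ETHERTYPE_IPV4 + ip + l4 + payload


def build_sample_pcap() -> bytes:
    """Constructed capture with placeholder hosts and RFC 5737 addresses;
    these are NOT the real Ursnif/Dridex indicators."""
    frames = [
        _frame("10.11.27.101", "192.0.2.10", 53, IPPROTO_UDP, b"\x12\x34\x01\x00\x00\x01" + b"\x00" * 6),  # DNS, skipped
        _frame("10.11.27.101", "192.0.2.20", 80, IPPROTO_TCP,
               b"GET /images/first.php HTTP/1.1\r\nHost: doc-macro.example\r\nUser-Agent: Mozilla/4.0\r\n\r\n"),
        _frame("10.11.27.101", "192.0.2.30", 80, IPPROTO_TCP,
               b"POST /upload.php HTTP/1.1\r\nHost: c2-checkin.example\r\nContent-Length: 4\r\n\r\nabcd"),
        _frame("10.11.27.101", "192.0.2.40", 443, IPPROTO_TCP, b"\x16\x03\x01\x00\x05hello"),  # TLS, not http.request
        _frame("10.11.27.101", "192.0.2.20", 80, IPPROTO_TCP,
               b"GET /images/first.php HTTP/1.1\r\nHost: doc-macro.example\r\n\r\n"),  # repeat, collapsed in listing
    ]
    header = struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    records = b"".join(struct.pack("<IIII", 1543276800 + i, 0, len(f), len(f)) + f
                       for i, f in enumerate(frames))
    return header + records


if __name__ == "__main__":
    for line in traffic_listing(build_sample_pcap()):
        print(line)
```

Two caveats for real captures: the script reads only the segment that starts each request, so a request whose headers span several segments (rare for malware check-ins, common for large POSTs with cookies) would need TCP reassembly, which is what Wireshark's http.request view does for you; and HTTPS traffic, such as Dridex post-infection activity, shows up here only as skipped TLS segments, so pair this with a look at the TLS Client Hello SNI fields in Wireshark for the full picture.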

 

TRAFFIC FROM AN INFECTED WINDOWS HOST:

 

MALWARE

MALWARE FROM AN INFECTED WINDOWS HOST:

 

FINAL NOTES

Once again, here are the associated files:

Zip archives are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.
