2018-05-08 - GRANDSOFT EK SENDS QUANTLOADER WHICH RETRIEVES URSNIF
ASSOCIATED FILES:
- Zip archive of the infection traffic: 2018-05-08-Grandsoft-EK-sends-QuantLoader-which-retrieves-Ursnif.pcap.zip 6.99 MB (6,987,455 bytes)
- 2018-05-08-Grandsoft-EK-sends-QuantLoader-which-retrieves-Ursnif.pcap 7.73 MB (7,725,979 bytes)
- 2018-05-08-Grandsoft-EK-landing-page.txt (530 bytes)
- 2018-05-08-Grandsoft-EK-payload-QuantLoader.exe (264,832 bytes)
- 2018-05-08-Grandsoft-EK-second-page.txt (22,067 bytes)
- 2018-05-08-Grandsoft-EK.hta-file.txt (5,069 bytes)
- 2018-05-08-Ursnif-caused-by-QuantLoader-infection.exe (431,250 bytes)
NOTES:
- I was informed of a malvertising chain that led to Grandsoft EK, and the final URL of that chain is included in today's pcap.
WEB TRAFFIC BLOCK LIST
Indicators are not a block list. If you feel the need to block web traffic, I suggest the following domains and URLs:
- whitepages.bid
- bggtbm.saliva.gbi-dminstructormbw.xyz
- lagginfo.com
- hxxp://viscircuskoning.nl/v2/images/header/5.exe
- hxxp://dcsautomation.net/wp-content/themes/rocco/images/xx1.jpg
- hxxp://brotherstradingbd.com/wp-content/themes/storefront/assets/images/customizer/controls/xx1.jpg
TRAFFIC
Shown above: Infection traffic filtered in Wireshark.
TRAFFIC FROM AN INFECTED WINDOWS HOST:
- 18.191.46.4 port 80 - whitepages.bid - malvertizing URL that led to Grandsoft EK
- 185.17.122.212 port 80 - bggtbm.saliva.gbi-dminstructormbw.xyz - Grandsoft EK
- 37.1.218.135 port 80 - lagginfo.com - Quantloader callback traffic
- 185.182.56.84 port 80 - viscircuskoning.nl - GET /v2/images/header/5.exe (returned Ursnif binary)
- 65.254.248.135 port 80 - dcsautomation.net - GET /wp-content/themes/rocco/images/xx1.jpg (Ursnif-style post-infection URL)
- 74.91.27.230 port 80 - brotherstradingbd.com - GET /wp-content/themes/storefront/assets/images/customizer/controls/xx1.jpg (Ursnif-style post-infection URL)
- Various IP addresses over various TCP ports - Tor traffic
Shown above: Some alerts from Sguil in Security Onion using Suricata with the EmergingThreats Pro (ETPRO) ruleset.
FILE HASHES
GRANDSOFT EK PAYLOAD - QUANTLOADER (VERSION 1.75):
- SHA256 hash: 9ed95f9e2600aafbd73366f4d862dd8a9cda89b5262ad7c1c89d9331b57ac0fb
File size: 264,832 bytes
File location: C:\Users\[username]\AppData\Roaming\70685129\csrss.exe
URSNIF (OR AN URSNIF VARIANT) RETRIEVED BY QUANTLOADER:
- SHA256 hash: 300b1cf25e20f54451081534b86a850e4bedf236cd0f0ec8785af3359de5c0c0
File size: 431,250 bytes
File location: C:\Users\[username]\AppData\Roaming\Microsoft\Dmdlaext\api-kend.exe
FINAL NOTES
Once again, here are the associated files:
- Zip archive of the infection traffic: 2018-05-08-Grandsoft-EK-sends-QuantLoader-which-retrieves-Ursnif.pcap.zip 6.99 MB (6,987,455 bytes)
- Zip archive of the malware & artifacts: 2018-05-08-Grandsoft-EK-malware-and-artifacts.zip 428 kB (428,634 bytes)
Zip archives are password-protected with the standard password. If you don't know it, look at the "about" page of this website.
Click here to return to the main page.