{"id":3010,"date":"2021-08-02T16:20:16","date_gmt":"2021-08-02T16:20:16","guid":{"rendered":"https:\/\/fortgale.com\/news\/?p=3010"},"modified":"2023-09-16T11:07:55","modified_gmt":"2023-09-16T11:07:55","slug":"ursnif-02-08-2021","status":"publish","type":"post","link":"https:\/\/fortgale.com\/blog\/uncategorized-it\/ursnif-02-08-2021\/","title":{"rendered":"Ursnif 02-08-2021"},"content":{"rendered":"\n<p>In recent days a new <em>Malspam<\/em> campaign carrying the <em>Ursnif<\/em> malware has been detected targeting Italy.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/pbs.twimg.com\/media\/E7SjppbWQAQopsy?format=png&amp;name=900x900\" alt=\"Image\"\/><figcaption>From: <a href=\"https:\/\/twitter.com\/jh__1995\/status\/1419940991725936640\/photo\/1\" class=\"ek-link\">JAMESWT on Twitter: &#8220;@jh__1995 @malwrhunterteam Mentioned<\/a><\/figcaption><\/figure>\n\n\n\n<p>The Zip file contains a JS file, which is the <em>Dropper<\/em>; it connects to the following addresses:<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>https:\/\/docs.zohopublic[.]eu\/downloaddocument.do?docId=674nid9fbf67b530c494389056fbaf4129f4b&amp;docExtn=zip<\/li><li>http:\/\/josymixmyhome[.]com.br\/site\/direct.php<\/li><li>https:\/\/docs.zohopublic[.]eu\/downloaddocument.do?docId=674ni1c6312a91d7149af89b6475ece38b9b3&amp;docExtn=png<\/li><\/ul>\n\n\n\n<p>These are used to download a new <strong>Ursnif<\/strong> sample, which is then extracted and saved as <strong>direction.dll<\/strong>.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" src=\"https:\/\/fortgale.com\/news\/wp-content\/uploads\/sites\/2\/2021\/08\/image-4.png\" alt=\"\" class=\"wp-image-3029\" loading=\"lazy\" \/><figcaption>Command used to download the Ursnif sample<\/figcaption><\/figure>\n\n\n\n<p>Analysis of <strong>direction.dll<\/strong> shows that the sample employs a <em>Defense Evasion<\/em> mechanism: it checks the type of environment it is running in, so that it can detect execution inside a Sandbox and change its behaviour, making analysis considerably harder.<br>It also emerged that the malware accepts input parameters, so its behaviour varies according to the arguments passed on the command line used to run the sample.<\/p>\n\n\n\n<figure class=\"wp-block-table is-style-stripes\"><table><tbody><tr><td><strong>ATT&amp;CK Tactic<\/strong><\/td><td><strong>ATT&amp;CK Technique<\/strong><\/td><\/tr><tr><td>DEFENSE EVASION<\/td><td>Virtualization\/Sandbox Evasion: System Checks (T1497.001)<\/td><\/tr><tr><td>EXECUTION<\/td><td>Command and Scripting Interpreter (T1059)<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<p>During execution the sample contacts Command and Control servers at the following domains:<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>alliances[.]bar<\/li><li>allianceline[.]bar<\/li><li>alliancer[.]bar<\/li><\/ul>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" src=\"https:\/\/fortgale.com\/news\/wp-content\/uploads\/sites\/2\/2021\/08\/image-3.png\" alt=\"\" class=\"wp-image-3013\" loading=\"lazy\" \/><figcaption>Connections to the C2 servers during execution<\/figcaption><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\">Static Analysis<\/h2>\n\n\n\n<h2 class=\"wp-block-heading\">JS File<\/h2>\n\n\n\n<h5 class=\"wp-block-heading\">Tag<\/h5>\n\n\n\n<p><mark><span style=\"color:#ffffff\" class=\"tadv-color\"><span style=\"background-color:#e91e63\" class=\"tadv-background-color\">Dropper<\/span><\/span><\/mark><\/p>\n\n\n\n<h5 class=\"wp-block-heading\">Details<\/h5>\n\n\n\n<figure class=\"wp-block-table is-style-stripes\"><table><tbody><tr><td><strong>md5<\/strong><\/td><td>A8E17B6252ED7E3C9BDA4F55B2E3CAC9<\/td><\/tr><tr><td><strong>sha1<\/strong><\/td><td>E70B1DC096FDCE51C240D02BE32DEA3C6D3CE2E6<\/td><\/tr><tr><td><strong>sha256<\/strong><\/td><td>C36C266157D4E7B7B2DBC36D96BDE0086E31647B541B14DB70D9FE1E36BAE779<\/td><\/tr><tr><td><strong>file-size<\/strong><\/td><td>53939 (bytes)<\/td><\/tr><tr><td><strong>entropy<\/strong><\/td><td>4.434<\/td><\/tr><tr><td><strong>Virustotal<\/strong><\/td><td>score: 26\/64<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\">direction.dll<\/h2>\n\n\n\n<h5 class=\"wp-block-heading\">Tag<\/h5>\n\n\n\n<p><mark><span style=\"color:#ffffff\" class=\"tadv-color\"><span style=\"background-color:#e91e63\" class=\"tadv-background-color\">Ursnif<\/span><\/span><\/mark><\/p>\n\n\n\n<h5 class=\"wp-block-heading\">Details<\/h5>\n\n\n\n<figure class=\"wp-block-table is-style-stripes\"><table><tbody><tr><td><strong>md5<\/strong><\/td><td>499200F6A8E223C057C6E16701740721<\/td><\/tr><tr><td><strong>sha1<\/strong><\/td><td>EF46F9C62B94715B750173074C51100285FF6FE9<\/td><\/tr><tr><td><strong>sha256<\/strong><\/td><td>D7E64F8E65CE586CE2F0A857810B2A23F85140BF5E52E5A824F09787FB2BF45E<\/td><\/tr><tr><td><strong>file-size<\/strong><\/td><td>258504 (bytes)<\/td><\/tr><tr><td><strong>entropy<\/strong><\/td><td>6.406<\/td><\/tr><tr><td><strong>imphash<\/strong><\/td><td>D34313CE3555DEC95480BCAE2D5DEA6B<\/td><\/tr><tr><td><strong>cpu<\/strong><\/td><td>32-bit<\/td><\/tr><tr><td><strong>Virustotal<\/strong><\/td><td>score: 46\/64<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\">IOC<\/h2>\n\n\n\n<ul class=\"wp-block-list\"><li><strong>Dropper<\/strong><ul><li><strong>MD5<\/strong>: A8E17B6252ED7E3C9BDA4F55B2E3CAC9<\/li><li><strong>SHA1<\/strong>: E70B1DC096FDCE51C240D02BE32DEA3C6D3CE2E6<\/li><li><strong>SHA256<\/strong>: C36C266157D4E7B7B2DBC36D96BDE0086E31647B541B14DB70D9FE1E36BAE779<\/li><\/ul><\/li><li><strong>Ursnif<\/strong><ul><li><strong>MD5<\/strong>: 499200F6A8E223C057C6E16701740721<\/li><li><strong>SHA1<\/strong>: EF46F9C62B94715B750173074C51100285FF6FE9<\/li><li><strong>SHA256<\/strong>: D7E64F8E65CE586CE2F0A857810B2A23F85140BF5E52E5A824F09787FB2BF45E<\/li><\/ul><\/li><li>Download URLs for the <strong>Ursnif<\/strong> sample:<ul><li>https:\/\/docs.zohopublic[.]eu\/downloaddocument.do?docId=674nid9fbf67b530c494389056fbaf4129f4b&amp;docExtn=zip<\/li><li>http:\/\/josymixmyhome[.]com.br\/site\/direct.php<\/li><li>https:\/\/docs.zohopublic[.]eu\/downloaddocument.do?docId=674ni1c6312a91d7149af89b6475ece38b9b3&amp;docExtn=png<\/li><\/ul><\/li><li><strong>C2<\/strong> server domains:<ul><li>alliances[.]bar<\/li><li>allianceline[.]bar<\/li><li>alliancer[.]bar<\/li><\/ul><\/li><\/ul>\n","protected":false},"excerpt":{"rendered":"<p>In recent days a new Malspam campaign carrying the Ursnif malware has been detected targeting Italy. The Zip file contains a JS file, which is the Dropper; it connects to the following addresses: https:\/\/docs.zohopublic[.]eu\/downloaddocument.do?docId=674nid9fbf67b530c494389056fbaf4129f4b&amp;docExtn=zip http:\/\/josymixmyhome[.]com.br\/site\/direct.php https:\/\/docs.zohopublic[.]eu\/downloaddocument.do?docId=674ni1c6312a91d7149af89b6475ece38b9b3&amp;docExtn=png These are used to download a new Ursnif sample, which is then extracted and saved as direction.dll. Analysis [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":3031,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[954],"tags":[],"class_list":["post-3010","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-uncategorized-it"],"_links":{"self":[{"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/posts\/3010","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/comments?post=3010"}],"version-history":[{"count":1,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/posts\/3010\/revisions"}],"predecessor-version":[{"id":4493,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/posts\/3010\/revisions\/4493"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/fortgale.com\/blog\/wp-json\/"}],"wp:attachment":[{"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/media?parent=3010"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/categories?post=3010"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/tags?post=3010"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}