← Back to Pulse Feed
PULSE DETAIL
Ursnif is a data stealer and a downloader with a lot of abilities to steal data from installed browsers and other applications (such as Microsoft Outlook).
In addition to stealing data, Ursnif also has the ability to download additional malicious components from the attacker’s Command & Control (C&C) servers and load them dynamically into memory. In this version of Ursnif I have also encountered an internal peer-to-peer communication which could possibly add the ability for the sample to communicate with other Ursnif peers over the same network. We will discuss the peer-to-peer part in a future blog post.
Indicators of Compromise (18)
| TYPE | INDICATOR | DESCRIPTION | CREATED | |
|---|---|---|---|---|
| domain | maxsemihiddenmsosymbol.club | — | 2016-09-02 | |
| domain | consseriflistyleleft.club | — | 2016-09-02 | |
| domain | cllockedlevelnbsple.club | — | 2016-09-02 | |
| domain | numfalseandyspan.ru | — | 2016-09-02 | |
| domain | thiscrevmscllevelfak.club | — | 2016-09-02 | |
| domain | levelignorethenind.ru | — | 2016-09-02 | |
| domain | intoaddedprio.ru | — | 2016-09-02 | |
| domain | nbspserliststthelist.xyz | — | 2016-09-02 | |
| domain | symbolcontacttype.ru | — | 2016-09-02 | |
| domain | respondslemsonmsonum.club | — | 2016-09-02 | |
| domain | mtabaddresslocked.xyz | — | 2016-09-02 | |
| domain | aresymbolparamspan.ru | — | 2016-09-02 | |
| domain | indentlspthatmcan.ru | — | 2016-09-02 | |
| domain | senddatalistenpython.xyz | — | 2016-09-02 | |
| domain | stylesendnblisprestval.xyz | — | 2016-09-02 | |
| FileHash-MD5 | 9b38f10fd425b37115c81ad07598d930 | — | 2016-09-02 | |
| FileHash-MD5 | b60c97d22f0ae301e916d61f79162b78 | — | 2016-09-02 | |
| FileHash-MD5 | f50bd1585f601d41244c7e525b8bd96a | — | 2016-09-02 |
References (1)