Pulse Detail — Threat Intelligence

PULSE NAME

Fake Cisco Webex Google Ads Push Malware

WHITE cryptocti 2023-09-15 Modified: 2024-08-30

IOCs

HIGH VOLUME

MITRE ATT&CK & Malware Families

ATT&CK TECHNIQUES

T1027 T1566 T1204

MALWARE FAMILIES

Ursnif

Indicators of Compromise (71)

All FileHash-SHA256 URL domain FileHash-SHA1 YARA hostname

TYPE	INDICATOR	DESCRIPTION	CREATED
FileHash-SHA256	2727a418f31e8c0841f8c3e79455067798a1c11c2b83b5c74d2de4fb3476b654	—	2023-09-15
FileHash-SHA256	7a1245584c0a12186aa7228c75a319ca7f57e7b0db55c1bd9b8d7f9b397bfac8	—	2023-09-15
URL	http://fugas.site/debug/Installer90.2.msi	—	2023-09-15
domain	fugas.site	—	2023-09-15
domain	monoo3at.com	—	2023-09-15
domain	updatecorporatenetworks.ru	—	2023-09-15
domain	webexadvertisingoffer.com	—	2023-09-15
domain	enteratealmaximo.com	—	2023-09-15
URL	http://monoo3at.com	—	2023-09-15
URL	https://monoo3at.com	—	2023-09-15
URL	http://updatecorporatenetworks.ru	—	2023-09-15
URL	https://updatecorporatenetworks.ru	—	2023-09-15
URL	http://webexadvertisingoffer.com/download.php	—	2023-09-15
URL	https://webexadvertisingoffer.com/download.php/	—	2023-09-15
domain	artshirt.online	—	2023-09-15
domain	breath-take.online	—	2023-09-15
domain	breathtake.online	—	2023-09-15
domain	dmitriyzolotovskiy.online	—	2023-09-15
domain	funny-fake.ru	—	2023-09-15
domain	geomet.pro	—	2023-09-15
domain	greenstreet-estate.online	—	2023-09-15
domain	islandbeat.party	—	2023-09-15
domain	kovaleva.expert	—	2023-09-15
domain	kuzovavto77.online	—	2023-09-15
domain	lis-sknis.online	—	2023-09-15
domain	mokokocoffeeroasters.online	—	2023-09-15
domain	mokokoroasters.online	—	2023-09-15
domain	pushsignal.ru	—	2023-09-15
domain	sibirskievolki.online	—	2023-09-15
domain	sorted-shop.online	—	2023-09-15
domain	studia1309mail.online	—	2023-09-15
domain	svans.online	—	2023-09-15
domain	take-a-breath.online	—	2023-09-15
domain	tgsprem.online	—	2023-09-15
domain	tinkoff-account.ru	—	2023-09-15
domain	vet-doma.online	—	2023-09-15
domain	xn--80adkamp6ajldr.xn--p1ai	—	2023-09-15
domain	zapominaka.pro	—	2023-09-15
URL	http://funny-fake.ru/	—	2023-09-15
URL	http://sorted-shop.online/	—	2023-09-15
URL	http://tinkoff-account.ru	—	2023-09-15
URL	http://tinkoff-account.ru/	—	2023-09-15
URL	http://webexadvertisingoffer.com	—	2023-09-15
URL	http://webexadvertisingoffer.com/	—	2023-09-15
URL	http://www.pushsignal.ru/	—	2023-09-15
URL	http://www.xn--80adkamp6ajldr.xn--p1ai/	—	2023-09-15
URL	http://xn--80adkamp6ajldr.xn--p1ai/	—	2023-09-15
URL	https://sorted-shop.online/	—	2023-09-15
URL	https://tinkoff-account.ru	—	2023-09-15
URL	https://webexadvertisingoffer.com	—	2023-09-15
URL	https://www.pushsignal.ru/	—	2023-09-15
URL	https://www.xn--80adkamp6ajldr.xn--p1ai/	—	2023-09-15
URL	https://xn--80adkamp6ajldr.xn--p1ai/	—	2023-09-15
URL	http://www.funny-fake.ru/	—	2023-09-15
URL	https://www.funny-fake.ru/	—	2023-09-15
URL	https://malwareandstuff.com/deobfuscating-danabots-api-hashing/	—	2023-09-15
URL	https://marcoramilli.com/2021/01/09/c2-traffic-patterns-personal-notes/	—	2023-09-15
URL	https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware	—	2023-09-15
FileHash-SHA1	42d0574f4405bd7d2b154d321d345acb18834a41	—	2023-09-15
URL	https://blog.lexfo.fr/danabot-malware.html	—	2023-09-15
URL	https://malverse.it/costruiamo-un-config-extractor-per-danabot-parte-1	—	2023-09-15
URL	https://security-soup.net/decoding-a-danabot-downloader/	—	2023-09-15
YARA	2b5e75489f05c011f91ebe547dc8010888d7c8cc	Detects win.danabot.	2023-09-15
domain	malverse.it	—	2023-09-15
domain	malwareandstuff.com	—	2023-09-15
domain	marcoramilli.com	—	2023-09-15
domain	security-soup.net	—	2023-09-15
hostname	blog.lexfo.fr	—	2023-09-15
hostname	www.cronup.com	—	2023-09-15
URL	https://insight-jp.nttsecurity.com/post/102i7af/steelclovergoogle	—	2023-09-15
hostname	insight-jp.nttsecurity.com	—	2023-09-15

References (1)

↗ September 15th, 2023 - CryptoGen Cyber Threat Intelligence Advisory #3249 - Fake Cisco Webex Google Ads Push Malware.pdf