2018-05-08 - GRANDSOFT EK LEADS TO QUANTLOADER AND URSNIF

NOTICE:

ASSOCIATED FILES:

  • 2018-05-08-Grandsoft-EK-leads-to-QuantLoader-and-Ursnif.pcap   7.73 MB (7,725,979 bytes)
  • Zip archive of the malware & artifacts:  2018-05-08-Grandsoft-EK-malware-and-artifacts.zip   429.3 kB (429,208 bytes)
    • 2018-05-08-Grandsoft-EK-landing-page.txt   (530 bytes)
    • 2018-05-08-Grandsoft-EK-second-page.txt   (22,067 bytes)
    • 2018-05-08-Grandsoft-EK.hta-file.txt   (5,069 bytes)
    • 2018-05-08-QuantLoader.exe   (264,832 bytes)
    • 2018-05-08-Ursnif.exe   (431,250 bytes)


NOTES:

WEB TRAFFIC BLOCK LIST

Indicators are not a block list. If you feel the need to block web traffic, I suggest the following domains and URLs:

TRAFFIC

Shown above: Infection traffic filtered in Wireshark.

TRAFFIC FROM AN INFECTED WINDOWS HOST:

Shown above: Some alerts from Sguil in Security Onion using Suricata with the EmergingThreats Pro (ETPRO) ruleset.

FILE HASHES

GRANDSOFT EK PAYLOAD - QUANTLOADER (VERSION 1.75):

URSNIF (OR AN URSNIF VARIANT) RETRIEVED BY QUANTLOADER:
