Necurs Botnet Delivering Gozi ISFB / Ursnif via .IQY Attachment - 2018-06-25

Date/time:
2018-06-25T19:35:54

“sender” from:
“info@magtrip[.]ru”
“info@w-base[.]ru”

Sender IP: 185.244.42.93
ASN: N/A
ISP: N/A

Last hop: 185.244.42.93

Shodan.io / Censys.io for last hop(s):
https://www.shodan.io/185.244.42.93
https://www.censys.io/ipv4/185.244.42.93

Headers received:
from magtrip[.]ru (unknown [185[.]244[.]42[.]93]) by ; Mon, 25 Jun 2018 19:35:54 +0000 (UTC)

Helo:
magtrip[.]ru

Headers x-mailer:
none

Subject line(s):
Re: Invoice 25.06.2018

Message Body:
“Invoice attached”

Attachments:
Name: invoice 25_06_2018.iqy
MD5: 3e5b3bfe7ddd732d0e3714516c265c61
SHA1: 0cc3ed8905564373e88210b065906240edf0debb
SHA256: 55f49cae3f11edd992770121d1b46d4d46c8f8298d013fb5af10bbfa0f1a2789
SHA512: 4bb9e2bbde3dd5af10da4a7f7e1aade433deace1248fdd4d6136a38bdbcee9b744a004ef30b9983fae3ea924d1c5fdf8a62ba844e3bcf9f9144665219ca3f7e2
File type: ASCII text, with CRLF line terminators
File size: 67 bytes

Note: interac[.]velahotel[.]it was observed in the Interac Themed Credential Phishing Campaign Targeting Canadians - 2018-06-14 run a week ago.

hxxp://office[.]velahotel[.]store/ex/1[.]dat
104.28.16.217

Name: 1.dat
MD5: 899e1d4cb0fd3d0e892b7606ef8b8f7c
SHA1: 6beb2a055c92f8cd4df34ea564deec4b9e256f2f
SHA256: 070d203c81e6399d9e9fc355ee47c394c38ba1ae88cfa81e0d3359a234094edb
File type: ASCII text, with no line terminators
File size: 179 bytes

https://urlhaus.abuse.ch/url/23586/
https://urlhaus.abuse.ch/url/23587/

Gozi ISFB / Ursnif Dropper
hxxp://office[.]velahotel[.]store/ex/1000_crypt.exe
104.28.16.217

Name: 1000_crypt.exe
MD5: 33909f67bbef85a9c7a95b43c5bbb34a
SHA1: 85ae3d094b0e682b580312c507308231151389ee
SHA256: a4b1654ca4e4d74584e62acbb9a7cee2aa9d85681c3db5739e3f80cc343a14c1
File Type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
File size: 593300 bytes

https://urlhaus.abuse.ch/url/23585/

Ursnif, Gozi ISFB
hxxp://klempokv[.]cz/test/open.bin
Name: open.bin
MD5: 5ec9125d56cc7b1571c0389eb041ea6b
SHA1: e63bb0bc1f775e2f2aaba6c11e8819841199e8b0
SHA256: f8f816ebde4b99c57f7307b7b802dbb6c5bcead1b69a37e0e38e0135815d451f
File Type: data
File size: 2320000 bytes

Payload correlates to these other payloads:

hxxp://klempokv.cz/test/open.bin
hxxp://climastyle.it/Cofra/Mini/gt/Nhssudf.bin
hxxp://altwheels.com/video/pass.bin
hxxp://bumsi-edv.de/test/mail.ats
hxxp://moevents.digistorm.net/docs/lol.bts
hxxp://teliccorporation.com/images/wow1.zip
hxxp://tech-arte.com/wpp-app/a.bin
hxxp://ultimate-onlineshop.com/bilder/potsff.bin
hxxp://nepiotello.it/images/0001.rar
hxxp://kinderkrippe-papageno.at/plugins/tmp/746959.rar
hxxp://ketogenix.de/wp-admin/w.png
hxxp://www.dalmo.cz/files/AZ.bin
hxxp://dalmo.cz/files/AZ.bin
hxxp://danfarm.sk/modules/TB.dmg
hxxp://puccettiracing.it/loggers/991.zip
hxxp://house2.gg12.net/license/key/putty.dmg
hxxp://enerjik.biz/images/small.bin
hxxp://infocus.pro/alexa/wwrr.pif
hxxp://msfiscallyfit.com/investing/2w2w2.pt
hxxp://rockartist.de/32maps.zip
hxxp://infocus.pro/alex/wwrr.pif
hxxp://pitindia.in/job/rt.zip
hxxp://devils.netsons.org/wp-includes/pomo/1.pif
hxxp://www.worldwidelighting.net/info/art.zip
hxxp://worldwidelighting.net/info/art.zip
hxxp://wiadomo.com/logs/mumo.rar
hxxp://testniche.com/master/aio.bin
hxxp://www.wps-italia.it/xmlrpc/3223.tif
hxxp://wps-italia.it/xmlrpc/3223.tif
hxxp://csvbari.com/plugins/5t.zip

Date, IP, ASN, ISP/Organization, URL, Country
20180625, 217.73.238.20, AS31034, Aruba S.p.A., hxxp://climastyle.it/Cofra/Mini/gt/Nhssudf.bin, Italy
20180625, 184.154.73.108, AS32475, SingleHop, Inc., hxxp://altwheels.com/video/pass.bin, United States
20180625, 185.175.85.9, AS44984, Fortion Networks, s.r.o., hxxp://klempokv.cz/test/open.bin, Czechia
20180625, 81.169.145.74, AS6724, Strato AG, hxxp://bumsi-edv.de/test/mail.ats, Germany
20180625, 162.215.248.71, AS46606, Unified Layer, hxxp://moevents.digistorm.net/docs/lol.bts, United States
20180625, 69.49.96.15, AS14116, InternetNamesForBusiness[.]com, hxxp://teliccorporation.com/images/wow1.zip, United States
20180625, 208.43.214.67, AS36351, SoftLayer Technologies Inc., hxxp://tech-arte.com/wpp-app/a.bin, United States
20180625, 134.119.167.62, ASNone, None, hxxp://ultimate-onlineshop.com/bilder/potsff.bin, Germany
20180625, 93.188.112.38, AS47178, Connessioni Metropolitane S.r.l., hxxp://nepiotello.it/images/0001.rar, Italy
20180625, 136.243.69.87, AS24940, Hetzner Online GmbH, hxxp://kinderkrippe-papageno.at/plugins/tmp/746959.rar, Germany
20180625, 46.101.229.79, AS14061, Digital Ocean, Inc., hxxp://ketogenix.de/wp-admin/w.png, Germany
20180625, 93.185.104.14, AS43541, VSHosting s.r.o., hxxp://www[.]dalmo.cz/files/AZ.bin, Czechia
20180625, 93.185.104.14, AS43541, VSHosting s.r.o., hxxp://dalmo.cz/files/AZ.bin, Czechia
20180625, 85.248.29.38, AS5578, BENESTRA, s.r.o., hxxp://danfarm.sk/modules/TB.dmg, Slovakia
20180625, 37.9.230.81, AS12637, SEEWEB s.r.l., hxxp://puccettiracing.it/loggers/991.zip, Italy
20180625, 64.40.144.28, AS395532, Web Site Source, hxxp://house2.gg12.net/license/key/putty.dmg, Germany
20180625, 85.95.248.103, AS49467, Inetmar internet Hizmetleri San. Tic. Ltd. Sti, hxxp://enerjik.biz/images/small.bin, Turkey
20180625, 216.250.120.101, AS8560, 1&1 Internet SE, hxxp://infocus.pro/alexa/wwrr.pif, United States
20180625, 50.28.19.107, AS32244, Liquid Web, L.L.C, hxxp://msfiscallyfit.com/investing/2w2w2.pt, United States
20180625, 81.169.145.105, AS6724, Strato AG, hxxp://rockartist.de/32maps.zip, Germany
20180625, 216.250.120.101, AS8560, 1&1 Internet SE, hxxp://infocus.pro/alex/wwrr.pif, United States
20180625, 162.222.227.230, AS394695, PDR, hxxp://pitindia.in/job/rt.zip, United States
20180625, 46.252.157.14, AS60087, Supernova S.r.l., hxxp://devils.netsons.org/wp-includes/pomo/1.pif, Italy
20180625, 184.172.164.129, AS36351, SoftLayer Technologies Inc., hxxp://www.worldwidelighting.net/info/art.zip, United States
20180625, 184.172.164.129, AS36351, SoftLayer Technologies Inc., hxxp://worldwidelighting.net/info/art.zip, United States
20180625, 208.88.4.113, AS36218, Cirrus Tech Ltd., hxxp://wiadomo.com/logs/mumo.rar, Canada
20180625, 50.28.19.107, AS32244, Liquid Web, L.L.C, hxxp://testniche.com/master/aio.bin, United States
20180625, 62.149.140.104, AS31034, Aruba S.p.A., hxxp://www.wps-italia.it/xmlrpc/3223.tif, Italy
20180625, 62.149.140.104, AS31034, Aruba S.p.A., hxxp://wps-italia.it/xmlrpc/3223.tif, Italy
20180625, 195.110.124.188, AS39729, Register.it SpA, hxxp://csvbari.com/plugins/5t.zip, Italy