The DFIR Report (@TheDFIRReport)

Bio: real intrusions by real attackers, the truth behind the intrusion
Tweets: 23
Followers: 587
Following: 18
Account created: 03-04-2020 01:33:43
ID: 1245886895458078722

Twitter Web App: Ongoing #Ursnif campaign loads DLL that claims to be txt file into memory. Follow-on activity from both #tvrat and #cobaltstrike

C2 8.208.90.2, 47.241.106.208, various domains usually starting with f1[.]pipen[.]at

IOCs in MISP Priv.

#DFIR

thedfirreport.com/2020/04/24/urs…