The DFIR Report
@TheDFIRReport
Real Intrusions by Real Attackers, the Truth Behind the Intrusion.
Detections: https://t.co/MtC3iGd1km | Services: https://t.co/XW613EKt2w |
03-04-2020 01:33:43
961 Tweets
40,3K Followers
0 Following
Ongoing #Ursnif campaign loads DLL that claims to be txt file into memory. Follow on activity from both #tvrat and #cobaltstrike
C2 8.208.90.2, 47.241.106.208, various domains usually starting with f1[.]pipen[.]at
IOC's in MISP (@[email protected]) Priv.
#DFIR
thedfirreport.com/2020/04/24/urs…
![Ongoing #Ursnif campaign loads DLL that claims to be txt file into memory. Follow on activity from both #tvrat and #cobaltstrike C2 8.208.90.2, 47.241.106.208, various domains usually starting with f1[.]pipen[.]at IOC's in @MISPProject Priv. #DFIR thedfirreport.com/2020/04/24/urs…](https://pbs.twimg.com/media/EWXtVYtWoAAFkBG.png "The DFIR Report (@TheDFIRReport) on Twitter photo 2020-04-24 13:02:04 Ongoing #Ursnif campaign loads DLL that claims to be txt file into memory. Follow on activity from both #tvrat and #cobaltstrike C2 8.208.90.2, 47.241.106.208, various domains usually starting with f1[.]pipen[.]at IOC's in @MISPProject Priv. #DFIR thedfirreport.com/2020/04/24/urs…")