ursnif – The DFIR Report

Thursday, July 09, 2020

cobaltstrike tvrat ursnif

Ursnif via LOLbins

April 24, 2020

Ursnif is a variant of the Gozi malware family has recently been responsible for a growing campaign targeting various entities across North America and Europe. The campaign looks to have … Read More

Snatch Ransomware

Another RDP brute force ransomware strikes again, this time, Snatch Team! Snatch Team was able to go from brute forcing a Domain Administrator (DA) account via RDP, to running a … Read More

The Little Ransomware That Couldn’t (Dharma)

Ransomware continues unabated in the year of continually mounting pressure. But for every big game actor out there compromising Fortune listed companies there are the little guys that maybe just … Read More

Lockbit Ransomware, Why You No Spread?

RDP brute forcing continues to be a favorite entry point for ransomware actors. In this past month we saw activity from the Lockbit ransomware family. Initial Access: RDP login from … Read More

AdFind Recon

A threat actor logged into the RDP honeypot from 217[.]182[.]242[.]13 (OVH) with a hostname of WORK9F3B. Within 20 seconds they opened a command prompt and issued the following commands They … Read More

Tricky Pyxie

Trickbot has been seen often as a payload dropped by other malware like Emotet, and has been seen dropping many payloads, most notably ransomware. But while Emotet sleeps it may … Read More