This repository was archived by the owner on Nov 16, 2023. It is now read-only.

Create Ousaban Banking Trojan.md #393

Open
wants to merge 1 commit into
base: master
60 changes: 60 additions & 0 deletions Exploits/Ousaban Banking Trojan.md
@@ -0,0 +1,60 @@
Ousaban Banking Trojan

Hunt for URLs and malicious hashes

Query

//Hunt for URLs

DeviceNetworkEvents
| where (RemoteUrl contains "https://docs.google.com/document/d/1o9MlOhxIJq9tMOuUHJiw2eprQ-BGCA_ERnbF54dZ25w/edit"
or RemoteUrl contains "https://docs.google.com/document/d/1d1903AvDBYgOo0Pt9xBBnpCHwSerOpIi4l1b6M4mbT4/edit"
or RemoteUrl contains "https://docs.google.com/document/d/1VKxF3yKbwQZive-ZPCA4dAU1zOnZutJxY2XZA0YHa3M/edit"
or RemoteUrl contains "https://docs.google.com/document/d/1UiuqrzI_rrtsJQHqeSkp0sexhwU_VSje8AwS-U6KBPk/edit"
or RemoteUrl contains "https://docs.google.com/document/d/1UbfOcHm-T9GCPiitqDRh5TNwZRNJ8_miEpLW-2ypU-I/edit"
or RemoteUrl contains "https://docs.google.com/document/d/1JLuJKoxcd0vRqut8UeBjFJXzMDQ9OiY2ItoVIRq6Gw8/edit"
or RemoteUrl contains "https://docs.google.com/document/d/1EOwVDlYPV3gE7PSnLZvuTgUQXvOSN9alyN5aMw7bGeI/edit"
or RemoteUrl contains "https://docs.google.com/document/d/1DDDmJzBVcNWhuj8JMRUVb7JlrVZ5kYBugR_INSS96No/edit"
or RemoteUrl contains "https://docs.google.com/document/d/19bXTaiFdY5iUqUWXl92Js7i9RoZSLJqcECgpp_4Kda4/edit"
or RemoteUrl contains "https://docs.google.com/document/d/18sc6rZjk529iYF2iBTsmuNXvqDqTBSH45DhSZpuLv_U/edit"
or RemoteUrl contains "https://docs.google.com/document/d/13A6EBLMOOdvSL3u6IfyrPWbYREXNRVdDTiKzC6ZQx7U/edit"
or RemoteUrl contains "https://docs.google.com/document/d/1nQqifeYFsCcI7m-L1Y1oErkp50c-y670nfk7NTKOztg/edit");

// Hunt for malicious hashes

let SHA1Hash= dynamic(["3e8a0b6400f2d02b6b8cd917c279ea1388494182",
"6946bfb8a519fed8ec8c30d9a56619f4e2525bea",
"9a6a4bf3b6e974e367982e5395702aff8684d500",
"c52bc5b0bdfc7d4c60df60e88835e3145f7fb34f",
"d04acfaf74861ddc3b12e75658863da65c03013f",
"e5dd2355e85b90d2d648b96c90676604a5c3ae48"]);
let SHA256Hash= dynamic(["c2f8b96311e7668715b151e3acec9580f40dc630791ce5e1e15838df25092a87"]);
let MD5Hash = dynamic(["72862f94261909002e8639d6496a7cee"]);
DeviceFileEvents
| where SHA1 in(SHA1Hash) or SHA256 in(SHA256Hash) or MD5 in(MD5Hash)


Category

This query can be used to detect the following attack techniques and tactics (see MITRE ATT&CK framework) or security configuration states.
Technique, tactic, or state Covered? (v=yes) Notes
Initial access V
Execution
Persistence
Privilege escalation
Defense evasion
Credential Access
Discovery V
Lateral movement
Collection
Command and control
Exfiltration
Impact
Vulnerability
Exploit V
Misconfiguration
Malware, component
Ransomware
Contributor info

Contributor: Shivam Malaviya GitHub alias: Shivammalaviya Organization: OS Contact info: [email protected]
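Review bot: The URL hunt (the `| where (RemoteUrl contains "https://docs.google.com/document/d/..."` block) matches on the full URL including the scheme and the `/edit` suffix, so it will miss events where `RemoteUrl` is recorded without the scheme or with a different path suffix; matching on the document id segment with a single `has_any`, e.g. `| where RemoteUrl has_any ("1o9MlOhxIJq9tMOuUHJiw2eprQ-BGCA_ERnbF54dZ25w", "1d1903AvDBYgOo0Pt9xBBnpCHwSerOpIi4l1b6M4mbT4")`, is both more robust and cheaper than a chain of twelve `contains` clauses. Neither hunt has a time bound (`| where Timestamp > ago(30d)`) or a `project` of the columns an analyst needs (Timestamp, DeviceName, InitiatingProcessFileName, RemoteUrl or the matching hash), and the trailing `;` after the first `where` makes the two hunts separate tabular statements, which Kusto will not run as one query, so the file should either label them as two queries or note that they are run one at a time. In the category table, Discovery and Exploit are ticked, but the queries only match IOC URLs and file hashes, which corresponds to the "Malware, component" row (and at most Initial access or Command and control); the ticks should move accordingly, and a hash-and-URL IOC hunt fits better outside the `Exploits/` folder.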