Ursnif


Ursnif is a banking Trojan that usually infects corporate victims. It is based on older malware but has been substantially updated over the years and has become quite powerful. Today Ursnif is one of the most widely spread banking Trojans in the world.

Type: Trojan
Origin: Unknown
First seen: 1 January, 2014
Last seen: 31 May, 2023
Also known as: Gozi, Dreambot, ISFB


IOCs

What is Ursnif malware?

Ursnif, also known as Gozi, is one of the most widely spread banking trojans – it is aimed at stealing banking credentials and usually targets corporate victims. The malware was developed from the leaked source code of the fairly old Gozi-ISFB trojan.

The trojan was first registered in 2014, when the Gozi-ISFB code was leaked. Since then, Ursnif has kept evolving and growing more powerful, which has led it to become one of the most widely used banking trojans today.

General description of Ursnif trojan

The Ursnif Trojan is dangerous malware that can collect the victim's system activity, record keystrokes, and keep track of network traffic and browser activity. The malware stores the collected data in an archive before sending it to the C2.

The malware uses malicious Microsoft Office documents to get onto users' machines and requires macros to be enabled. Once opened, the document prompts the user to enable macros. If the user follows the instruction, the malware drops a VB script into the current user's temp directory; the script is then automatically decoded and the malicious payload is downloaded.

According to the analysis, some versions of Ursnif contain a macro that checks the country using the Application.International MS Office property. If the result does not match a list of pre-selected countries, the malware terminates its execution.

Interestingly, the malware also terminates execution if it detects that it is being launched on a virtual machine. Hackers implement this precaution in order to complicate the analysis process and, hopefully, prevent the effective development of countermeasures.

Ursnif malware analysis

A video available at the ANY.RUN malware analysis service allows us to see a simulation of the malware execution in a lot of detail. You can also investigate other malware like Hawkeye or Raccoon.

Figure 1: A visual process graph generated by ANY.RUN shows the lifecycle of Ursnif

How to avoid infection by Ursnif?

The best way to stay safe from Ursnif is to keep macros turned off and not turn them on when prompted by a Microsoft Office file downloaded from an untrustworthy source, such as an email from an unknown sender. In addition, following good online safety practices, such as not downloading files from suspicious emails, is another great way to avoid infection.

Ursnif execution process

In the case of our simulation, the execution of the malware starts when the user opens a Word or Excel file and enables the macro. Ursnif uses the browser's COM object to connect to its C2 server and receive additional data.

Based on the analysis, the Ursnif trojan uses exploits to start legitimate software like Outlook, which in turn launches cmd.exe only to spawn a PowerShell script. If a campaign is directed at select countries, the malware checks where the victim is from during this stage. Then the PowerShell script downloads and executes the final payload, which is Ursnif itself. Lastly, the loader starts its malicious activities and injects its code into the explorer.exe process.

After installation, the malware tries to inject into an active explorer.exe process to establish persistence. If the injection fails, Ursnif launches a new svchost.exe process and injects itself into that instead; this technique appears to be a useful pointer for detection. After that, Ursnif hooks the APIs of common web browsers such as Chrome, Opera, Internet Explorer, and Firefox. The loader uses the browsers' COM object to communicate with its C2 server. The malware then begins monitoring web activity and steals payment information as soon as the victim visits a banking or payment webpage. Ursnif sends the collected data to a C2 server via the IE COM object.

Communication with C&C

In order to prevent domain name disclosure, the malware generates domain names locally using a Domain Generation Algorithm (DGA) instead of having them hardcoded. Uniquely, the malware gathers input for the DGA by taking bits of text from popular websites. If you decrypt the URL in the script, you may get the data sent to the C2 server.

The malware is also known to be able to execute commands received from the control server.

How to detect Ursnif using ANY.RUN?

Ursnif uses COM objects to execute the malware's payload, and it usually runs multiple iexplore.exe processes. The loader creates a COM object that is a hidden API function. Knowing this, take a look at the process tree after a while during execution and determine whether the sample is Ursnif or not. Check the script to find out if a suspicious URL corresponds to malware activity.
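The process-tree traits described in the execution process section and here (an Office process launching cmd.exe and PowerShell, the svchost.exe fallback when explorer.exe injection fails, and one parent spawning several Internet Explorer instances driven through COM) can be checked automatically. The following script is an added example, not ANY.RUN's code; the event records are constructed, Sysmon-like process-creation events, and their field names (pid, ppid, image) are assumptions.

```python
from collections import defaultdict

OFFICE = {"winword.exe", "excel.exe", "outlook.exe"}

# Constructed, Sysmon-like process-creation events (field names are assumptions):
# an Office chain ending in a payload, a svchost.exe started by that payload,
# and explorer.exe spawning several Internet Explorer instances.
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1,   "image": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": "winword.exe"},
    {"pid": 210, "ppid": 200, "image": "outlook.exe"},
    {"pid": 220, "ppid": 210, "image": "cmd.exe"},
    {"pid": 230, "ppid": 220, "image": "powershell.exe"},
    {"pid": 240, "ppid": 230, "image": "payload.exe"},
    {"pid": 250, "ppid": 240, "image": "svchost.exe"},
    {"pid": 300, "ppid": 100, "image": "iexplore.exe"},
    {"pid": 301, "ppid": 100, "image": "iexplore.exe"},
    {"pid": 302, "ppid": 100, "image": "iexplore.exe"},
]

def ancestry(pid, by_pid):
    """Image names from the given process up to the root (loop-safe)."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(by_pid[pid]["image"])
        pid = by_pid[pid]["ppid"]
    return chain

def ursnif_process_findings(events):
    """Return human-readable findings for the three process-tree traits
    described in the article; an empty list means nothing matched."""
    by_pid = {e["pid"]: e for e in events}
    children = defaultdict(list)
    for e in events:
        children[e["ppid"]].append(e)
    findings = []
    for e in events:
        chain = ancestry(e["pid"], by_pid)  # e.g. [powershell.exe, cmd.exe, outlook.exe, ...]
        # 1. PowerShell launched through cmd.exe from an Office process
        if chain[:2] == ["powershell.exe", "cmd.exe"] and OFFICE & set(chain[2:]):
            findings.append(f"office->cmd->powershell chain ending in pid {e['pid']}")
        # 2. svchost.exe whose parent is not services.exe (injection fallback)
        if e["image"] == "svchost.exe" and len(chain) > 1 and chain[1] != "services.exe":
            findings.append(f"svchost.exe pid {e['pid']} spawned by {chain[1]}")
        # 3. One parent spawning several Internet Explorer processes (COM-driven C2 traffic)
        ie_count = sum(c["image"] == "iexplore.exe" for c in children[e["pid"]])
        if ie_count >= 2:
            findings.append(f"{e['image']} pid {e['pid']} spawned {ie_count} iexplore.exe")
    return findings
```

Calling `ursnif_process_findings(SAMPLE_EVENTS)` yields three matches on the constructed data; on real telemetry, add a time window to rule 3 so that Internet Explorer windows a user opened by hand are not counted.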

Figure 2: Ursnif process tree

Conclusion

Based on the source code of another malware family that is already almost a decade old, Ursnif is a prime example of the fact that “old” does not mean ineffective when it comes to trojans.

On the contrary, despite its age, this malware is capable of launching devastating cyber attacks and has managed to become one of the most popular banking trojans in the world. In addition to its powerful trojan functionality, the loader takes active steps to prevent researchers from studying it. Thankfully, malware hunting services like ANY.RUN allow researchers to study this malware in depth and respond with appropriate countermeasures.
