BLACK FRIDAY: 2-for-1 offer NOVEMBER 20 - 26 See details
12
Global rank
68 infographic chevron month
Month rank
47 infographic chevron week
Week rank
1156
IOCs

Ursnif is a banking Trojan that usually infects corporate victims. It is based on an old malware but was substantially updated over the years and became quite powerful. Today Ursnif is one of the most widely spread banking Trojans in the world.

Trojan
Type
Unknown
Origin
1 January, 2014
First seen
22 May, 2024
Last seen
Also known as
Gozi
Dreambot
ISFB

How to analyze Ursnif with ANY.RUN

Type
Unknown
Origin
1 January, 2014
First seen
22 May, 2024
Last seen

IOCs

Hashes
663e6f25b541228c0555c984846e342bf801cad542414ddd222bb947dea49d56
e673eed04bf609e9fe34d7129db5f8df5faf941cc741c9fbcda12df828dcaeb0
9945192364ed4ae21420e21e8969e5b39abc0f2b2a6102192d2476641d145761
fd768ed8c1917b1a8ea4ac7d43a2a684e4611b6d32f135be361ea8d490ecba74
a650279899a57cbf1e21d1e481bb02e10715df746f987999a67253ae8390c4d5
030531a784f72f145bef98a3240283da88fe623904c066be179fbbe3a9150c48
2cfa8c1fefe0533df33bfc2b5293ba37e963d69844103c67a27dafddf2c6a22c
6bc999ed83c2561894fe5ea54386af959a9a5602fcb828af68109ffbcda4ee7c
132aa270790f56a7524cab968927ed5e1d91b9a26d4badcb24e450e7decc5f81
4f255fc2af76aebd0bf62b97fce5025093a89cd845dd3ad4a0976969a1d451e1
3b3db3a59b862e75c3f121011ad115f0beaa34bf437b12152194ccb7489891e2
905e4ed51fee8b390dc8740f2ce97c79748c654510c42bb6aec9b19e57e21434
ae65f67f93319e94ed56c13018b984bdb7ae83a32ea72e595ceb531835da67bf
471325daa2bc75f50856e93e9de088386556fc3ead653894d5c2a67f2a8b4975
1d43ad78cb6f05039f09537621e6dc82d89b694343ee3fefcea4689d9fd13497
891723821a201ba3e5449e05309637ec69639e4ab61ea04cf6a36a379665b773
877a84596c599d15329d1ad02562434ec54425af14c516f2c5f1a410149ce93d
562b6f9799bf19a42aa840a2f7178cc11bce20110ade85cf354a57dd0b569824
7e5ce212746335439c29ba6ab255fa50a8d223d22fe38db0386a58342b107390
ec8d76c780ba25900f36f6acc6b73e049031a8b2ffd4a1645f9fc3643ac266b5
URLs
http://netsecurez.com/pictures/SW7mGHKzKpS6r/XWxr0XMe/Ru3a9LcgC1v0U56sv7MhOK7/LinmCgH7pB/XQ3AQIjQLPr4da1L_/2FRw5ycq80om/LgTMPMNp7uH/A3Iv_2BVsGtRlY/4amqCv8OYKr5oL3wUT99X/XOSk9g1lk_2FZSfo/CX1OwPe0u07fzjT/2z0xINH4xG0axorIT9/YgiqzGgxn/e0t3nlbIY8f84bo9ePZ8/URTS2SKhEZTCyiPm3sD/eNbgGWiBNRs77Ua_2FzvBp/6lldhoUX_2BBz/TalFLECH/QzcQ5eWvlbZ1_2BBC/55zi.tog
http://netsecurez.com/pictures/jQlZkrwlitp_2F/Vi1weEpZhBG2f7KiCzB4G/m6H2At8L2ZRe6QfL/R5B_2Br2azZ5_2B/9D5bwJgcfxhhyDBgZS/4ry7rygMQ/G6OtBgxPGsJu0MO9CRjj/093lL5XYxgnm2YMZWnp/i44oyy3_2FnpqDD68XpLdf/Ri77vsgmv2iho/OPmAxCu_/2BVKiPzOqjOwD6jLwrIHso2/tZOGCSaMhS/nFxq5lsuQm1htOeYG/D2kr8kktM_2B/SF_2F_2B6xY/K_2FM23lSZ_2B2/JT913fI7DShnVgg5JBgBY/IuiojVpyYIW/zxR2.tog
http://netsecurez.com/pictures/_2FWtFJO9gLxK9VG/HgOh_2FMhLEwgOc/xuV4cNgKXIrWoe9jmF/m_2B_2BzJ/dE8eWq9LD_2F6azeEP_2/BF2r2m_2BBPW8Jv_2Bt/6UQ8ljUb0_2F5_2BM_2BbT/DDn4iYVtL_2Ft/PE8ZT_2B/xZk6ne_2FwlRR_2FSVmuABO/hXPXPa1_2F/07Hl5Q1TDo5jc75lK/ke44K_2F5zO4/lvEmcCnQD2T/AxZZQd1C5JMFKE/BM5IVw528F9iNmU7T7igS/PFox5j7sXTXhWXga/wWhv2Cujp_2FIxS/_2FBnRtDFaPzVW4KNn/QIC16znHhI_2BoaKLC/Hi7.tog
http://netsecurez.com/jerry/gTCGieVSnPc9/cI6L263d7vk/IQVgGOokPC_2Bs/X4XQ4Zy_2BfTG6jMo9q9R/igcjLpKAtAujxJ0T/7oxeVyvTenEvgsC/H8DHI_2FZCCUq2h6yj/nhmfdyjHU/2y1kbKTHm1ISKYmYtxtq/vKnZMzbdcYTfNJTEXtk/c8by_2B0Bls2xHZAaJwCNN/feVJkyKV3465y/JUpnDFPt/j1tHvbYFsX4MKN4N8h9zHux/GOJFpx3Nbs/RrAz9DIRm0385_2BK/vCioYq5c0jyg/Ym4J7xUUB73/LkN2fU_2BIeye5/fGm_2FuQ1JqSRdjYaP9LM/cpEndmg.bob
http://netsecurez.com/jerry/G86ZiMIDh/U5uT_2F2Dqref5EoGrLW/wd8cNDEsJ2uD_2Fvc46/brXgGfkB9oGbp3YA1ypLQr/FmEwG30W0ZCP_/2FjR6ziM/Sivx6fSleBdUZcPPh7U0p_2/FIvpHRaCku/IPj2AKcTh6LXYHNyy/dmPwWWcALfS4/5XnzvEjustX/WTPU2H5g5VixHc/iCCY9lLGCqmQdun0Hcwy1/s4gH_2F9fN2JvXZq/gq55UA18igHLKXN/HmuldF_2B_2Fa4o_2F/8PV0HhukP/VsItmxjt5gv5iXIAd9wz/MOE5Ih0ojW3AQRzbO4q/GxzMqbO6ZUuiV_2/B67N66.bob
http://netsecurez.com/jerry/FPbUlk8yz4S7EbWjRA/75Iy90u0t/YFefIdzSnDn0mUm8ucIi/kQId1qDtgwrckBwxWEb/fi7RmoFLdAMO7vwWiYPgEB/4kGsIajcVxumf/GmCUzOYN/QYM9kQyCSuIc8RzxbuGHMoC/5qtCggrkw0/HZVK0Nfv_2Fq0ZJPJ/P5b8Nl0wq5dM/j6nPT0UV74i/_2Bu_2F_2BA5gr/Gyosl69ypUnsc7Yg_2Fuy/LZJCge_2FfkMQZM5/lomA6Szoqfj0m_2/BAlxx7GHEZUlt6avH3/_2F8effy7/3VsWgy2j14AZEp30sSPw/TgVKkA8bi81Nja37EdE/n.bob
http://netsecurez.com/pictures/dHc_2Frog65xUvT6n8k/fgawYBcGypARQlQyqyyMVF/c9G32V59JMDsl/rXKIDM95/EZuws7Nt9xRsVJBmeWB2KT6/xkA35DB3Fr/qjV1c7_2Fo3ebLx3G/x785uqYE355G/OA3afPQGY67/q98tAEK94RBkiX/A27roqv1e9FzGkGPY_2BL/Q_2Fn1yhoB9_2BBM/S5RFzIAjVbFtJPA/WjM4g_2Bm8sRaHEXEW/6NWgjEJML/b79F2ecSk58vcFosCi1r/NSh2B72z6T48vJPl97e/ruDHDNTURr/o8hoVMt2u/NJbu.tog
http://netsecurez.com/pictures/MTI6LdwV/9GIFscmRM5kIcPVRUMZidk6/IjElCJyfXk/_2FomlRRD3IAiQFAV/2luvh0qT5I5r/yH9dfBXjvn4/x_2BXHs_2ByiwM/8skRISo_2BKZlw9GFlYwl/iUGYLNlB11dQkrxq/uAd1AXkNRDh6I61/1TcU0QltJydxzFDxL4/WIItOG6IR/K53dn2VwkNiVZQ_2Bnbd/O8mFUCpTPaNFz_2FqFB/SF_2FC2j_2FxV9iYbTG7cK/xe5hTJkhDf0dt/4ZP_2BIg/Ui0ehzd2aMAgNyIS0Cb_2Bh/GfG2Pu74U2Ba/bv0gIa0.tog
http://netsecurez.com/pictures/1cmzVfLM/30vVFT7xjvIvMmfOfedUbN5/Hs0Wg85hIz/_2Bk1VJ8iAkxU_2BN/MHXMiER4EttJ/PsqNsjz7Cvk/hEiIP6jCtbrILC/g9sSM7La85Lv_2BLoj55X/aDae6xtqdrXyG4ee/NNosFlQvb591dhc/eaVdlJJIEoQOeJf5Og/8LIXEJiMh/Fdn2_2BC2cLgrTuey8c6/r6cJQ67pnUpQz49IVSK/QsJ4Va4ga1i_2FuKJy8pO1/_2BPyLrj9Ld4g/ooe23SiJ/vvA_2FYXtlPeYUgFC2RSAXn/_2FhvYR_2F1baC/5ZK.tog
http://netsecurez.com/pictures/CeScrYbm1HBNfK_2FAItqV2/rmggwbIOjq/4XDqeBE_2FIG7C_2F/bjfQ0yogGOQq/bfgAhM_2Bc9/c1ZxnoVDr5t4Bm/NG68AIEUC64dKdaG1ZnGH/wsUoVGq86DCNxCUZ/zyiiQQP_2Bn5Dnl/N3xJfU29DDGIfECpJk/CpnE0hDoG/PmoE9LmBcs4M5HLYPhzR/041cJsDOrMQOwgVBHmA/7QufrYX4I_2FRgFsVr8kMJ/JHH9PNG4fD0Np/RbL1kg6p/GFjftDwJPQytMizbWUnenXq/afojbM6FrB_2FZ5/cVI9DV.tog
http://netsecurez.com/pictures/_2BBFo4d/bdJQX1lKExsSo0nbXvPaULr/I_2BanErOF/ygo59WlUNxHdGqDh_/2F64Qwvght5d/SS00BdXMyEm/K5toqsk45ApLC5/SAAMniFo4WyufKuGY90RK/ejXK2xEJHOpaRqtb/HnB4HCnkmrPgtxH/UHt2Lhhwr31phLkeZJ/pUjFrI4AY/A0z2SGENnkPWcQ14a_2F/Z_2Fui2C6qylJqxdtB8/Kkj7VjYJI9AlACQPsftGF8/pvqnwd2VNx5cO/kqgIROY0/cZ8QEVOdyI8f_2BQBcBO8oI/uICa7_2Bnpp/_2B3.tog
http://netsecurez.com/pictures/MWbzYmbw5/t_2BNrSlbKsK0tlk65aA/tozLM6hWHYEzUSayZw_/2BGlC0JtClgUWJGMlccHSO/iiIYjcSVSmqE7/VzFe61W4/Zms5j8X_2B6GRYN7c85zjky/8x2nT0oldm/46cp2v_2BFqDTwsUG/aGwN58ALuLdC/YvJ3OVcnTF9/FhKvedhJ16VtBK/I7D19YWbXERn2UGiObMq9/x5hT61SkO7EX9de6/tO3wGcf4FkHEmvO/SOYW4g8_2FAPkPfLN1/waFcDg8lqahoyYs/TmN.map
http://netsecurez.com/jerry/YjwXBiTJPIFFKRXf3_/2BFZp_2BQ/zpQljsn_2FTBBW029dCL/uR5EmY7ploTB2ZGvNay/HFnGWxDScNKyBe1NWmhlpv/UnUmlcujjeMcD/bTeTNy72/gMAFk8as1A1TmEySzs_2FFB/N2ft2c0imJ/_2BeHGJNmvntam_2B/_2BhgOshvXNt/ybDsOF7IIsc/MLw9kLSqrV7qhC/mhA0Ve5VtrDjaAqPtjCpE/_2Fr3MToqye6io9z/Gwe5OemA1aJS_2B/tOglGOuv_2Bd5cP6I4/8n9CMu5Pc/sEbNJUJ6u3hijsJ9/wgvcPkv.bob
http://netsecurez.com/jerry/KE46J_2Fs_2FQrcL/9NVRMqLopgqfgEb/jVThFrmaDQXwcGcisS/QEaW1RTZP/kMRtyAShuGJ_2FCXJXxe/FIUYVRw1Ao9qsFjPvAb/_2BHapFUvA6un66OhrcqVp/hAFLSpb_2BGX9/NsEI58yC/hsAD2QSYBysSYUGNYSTpsvb/btzjqESnqq/4yUISLmMXqR8bfFRG/km_2BJ8sP8pt/F379UkHX62O/3iD_2Bes_2BGr3/0Xv_2FaGC_2FAvAA1i459/JFQOJQT6JBfNBOSJ/uMugZD0oe0OzhP_/2B6EDcE80/b8oMEqsv64L_2/F.bob
http://netsecurez.com/jerry/JIrz9x3SS1CbgRRSCVEh/mT6A_2FlgnyTuawuHxN/9Xkre79Zy9QdbF1q4leS79/OkKqOivux6CT5/euzRnDWE/DnJn5cItjFZHEiZLKouWdjx/qomvWyJDkT/1R4xjeTgTXSAC9OqJ/ml4qEUEtpM_2/BOjiDb9oUhy/PJntkFTq19Nm1Y/2Dj3k8VF19HNZw0T3QR56/D6_2F1sejZfyBh_2/BGDl9sDdtRJ8_2F/wuphwhrHrLit5PDzuV/6zDj_2BXP/4sVo94p3vZipYSWPr3xX/u7FKDeFuSFDem/Mzpmz5O1/T.bob
http://netsecurez.com/pictures/Edf0c0P_2FVOUnYso_2Fu/eKff_2BAEV5miwkk/AeTTsefIcJs2sLv/wmxvYXpLbkjg003e7t/G1DUeCncK/FpafGt_2BlmII0CeFHPy/5YxNhxYffr6vV_2Bk3l/0blmKX7BSDE_2F043ZpWpu/56PIfUezTfBNT/k7b9bf4x/nK2AloN1_2Bnz3ZT7sTDH9S/w_2Bvpdfoc/2FSN1NCR0_2B3hjET/I8U3GrEicSKv/llxysdpZz4t/CHpxW_2BOf9vtW/1lklBfqFp3bVMVwzbDQy6/0pgltlnrdtXvZxqm/0b1nak_2B/IxEmah.tog
http://netsecurez.com/pictures/M5tcpzZbLm/1hnFRxW6cRPjPnjj_/2BK6VtmUYg21/jhjMI1Xfh7E/qUJ_2BnqWNjJgM/WbnrCT2fBAQjZu75cN2A8/1Kdny3USTDzl4OR4/hXNaY4qAoktDv2i/mnMx873iH6ymfpCh9b/SQ_2BVDKi/1QzHCwIX9iAEaSa_2FqI/eJ_2FviZ0s0VGuAMPGK/lZ9jp64EZS6C1_2FnF1MSC/kHG4R7iHvthhD/_2FkHTeA/uS2yAw4ZjIaaEoZ7et_2B94/kfs65QPvij/mENFahMB30csHYyrL/BVPQ_2FGGoy/EMsTs10Bq/F.tog
http://netsecurez.com/pictures/cW2UVxqR61tadkuwjef/gJmrUmKxMoqhcaArtsPFEJ/CvZZAzHLAiHrW/78milOom/DrtMl1X0lHdfQh8cPUNYFyz/aLcfA7i_2B/93Pl8tMG4LrHwhqqy/ViZXoN6SNeIN/4o_2F7im1nI/Yu3HQeFGwgssJN/DLZOs2fzeZkLjFvw5SaAl/vimsWNwuHRPal9ke/8LxkIDW6l0PNXx5/PWrRrGpoVKlBXT4Sb_/2Bd6nPr2o/2kSAYAHALF6O2nwhEyLl/cCYi8_2BuGzPf7WJ3Qz/FK2nJho3JXAcrhki/Lx0.tog
http://netsecurez.com/jerry/jEjlmXLaCr6tb_2B_2/BLuHkahq9/SYEcjEhQhN5fGuYudfm_/2BvTWjbB3QgSsLweUrm/crx4bhyzGAYhJ9QshTkwDa/XpTIqGTVVnoIX/M_2B1pfD/rDfYuGsLx715UDk9MYWyzYA/1fRyspw7Oy/Q3pWH_2FKR2_2B_2B/wRGJM7ymxziZ/KzHxC3eANw5/0S_2F8Gk0pCXRO/686tD5idUa5rgYwMVB_2B/muNtX4uwO8_2FY60/N_2FBSmhbXQW0OT/hgI725ckZudSIZDP1M/6VVuZpFGS/F9lDPsrAbgXGEuaa0Fd1/KaZegwj4LBVSRTZvRwE/NO5Qell.bob
http://netsecurez.com/jerry/S7S_2FuOXvXi7DPdttcm/04HUt0Dpkj8BSMGMwNx/KtEh4umAnTOSAjzL6qOwB1/lKMkOAoOAFLqO/KA5_2BMt/cPs_2F5NJdDs361WAl5AcSN/logrYw2tQc/sAlPB0rDcDzrWySLY/GmuB6OOftVSJ/3_2BZcZy7ik/n_2BZeFTcQYgMf/XCb3luRR2GbY4NBieWtU9/bNXmz4ba7AxYLH15/NgDeTlHmTFMhoWx/xDVL_2BhLfSa1PDKPK/NF28vnLNh/mu34_2BrtuIkoVeKdDLT/P3mLD8A65bXtE6zq2S_/2FpU97TUcNOcqwZOpjoDPB/TeeNOu.bob
Last Seen at

Recent blog posts

post image
ANY.RUN attends Osintomático 2024
watchers 51
comments 0
post image
Windows 11 UAC Bypass in Modern Malware
watchers 723
comments 0
post image
New Hijack Loader Variant: Uses Process Hollo...
watchers 570
comments 0

What is Ursnif malware?

Ursnif, also known as Gozi, is one of the most widely spread banking trojans – it is aimed at stealing banking credentials and usually targets corporate victims. Some security solutions can detect it as Win32 Ursnif, Trojan Ursnif or Win32 spy.

As for the Gozi malware basics, the trojan was developed based on the fairly old Gozi-ISFB trojan, after its code got leaked in 2014. Since then, Ursnif has been evolving and becoming more powerful, which lead it to become one of the top used banking trojans today.

General description of Ursnif trojan and Gozi malware explanation

Ursnif Trojan is a dangerous malware that can collect the system activity of the victims, record keystrokes, and keep track of network traffic and browser activity. The malware stores the data in an archive before sending it to the C2.

The malware uses malicious Microsoft Office documents to get into the users’ machine and requires macros to be activated. Once opened, the document will prompt the user to enable macros. If the user plays along with the instruction, the malware drops a VB script into the temp directory of the current user, upon which it is automatically decoded, and the malicious payload is downloaded.

According to the analysis, in some versions, the Gozi malware operates via a macro that is programmed to check the country using the Application. International MS Office property. If the result does not correspond to a list of pre-selected countries, the malware terminates its execution.

Interestingly, the malware terminates execution if it detects that it’s being launched on a virtual machine. Hackers implement this precaution technique in order to complicate the analysis process and, hopefully, prevent the effective development of countermeasures.

Ursnif malware analysis

A video is available at ANY.RUN malware analysis service allows us to see a simulation of the malware execution in a lot of detail. YOu can also investigate other malware like Hawkeye or Raccoon.

ursnif gozi dreambot execution graph Figure 1: A visual process graph generated by ANY.RUN shows the lifecycle of Urnsnif

How to avoid infection by Ursnif?

The best way to stay safe from Ursnif is to keep the macros turned off and not turn them on if prompted by a Microsoft Office file downloaded from an untrustworthy source, such as an email from the unknown sender. In addition, following good techniques of staying safe online such as not downloading files from suspicious emails, is another great way to avoid infection.

Ursnif execution process

In the case of our simulation, the execution of the malware starts when the user opens a Word or Excel file and enables the macro. Ursnif uses the browser's COM object to connect to its C2 server and receive additional data.

Based on the analysis, Ursnif trojan uses exploits to start legitimate software like Outlook, which in turn launches cmd.exe only to spawn a PowerShell script. If a strike is directed at select countries, the malware checks where the victim is from during this stage. Then, the PowerShell script downloads and executes the final payload, which is Ursnif itself. Lastly, the loader starts malicious activities and injects its code into the explorer.exe process.

After installation, the malware will try to inject into an active explorer.exe process to establish persistence. If the injection fails, Ursnif will launch a new svchost.exe process and will inject itself instead. this technique appears to be a useful pointer for detection. After that, Ursnif will hook the APIs of common web browsers such as Chrome, Opera, Internet Explorer, and Firefox. The loader uses the browsers' COM object to communicate to its C2 server. Then, the malware will begin monitoring web activity and steal the payment information as soon as the victim visits a banking or a payment webpage. Then Ursnif sends collected data to a C2 server via the IE COM object.

Communication with C&C

In order to prevent domain name disclosure, the malware generates the domain names locally using the technique of the Domain Generation Algorithm (DGA) instead of them being hardcoded. Uniquely, the malware gathers information for domain name generation in the DGA process by taking bits of text from popular websites. If you decrypt the URL in the script, you may get the data sent to the C2 server.

The malware is also known to be able to execute commands received from the control server.

How to detect Ursnif using ANY.RUN?

Ursnif uses COM objects to execute the malware's payload, and usually, it runs multiple iexplorer.exe processes. The loader creates a COM object that is a hidden API function. Knowing this information, take a look at the process tree after a while during execution, and determine either sample is Ursnif or not. Check the script to find out if a suspicious URL corresponds to malware activity.

ursnif process tree Figure 2: Ursnif process tree

Conclusion

Based on the source code of another malware that is already almost a decade old, Ursnif is a prime example of the fact that “old” does not mean ineffective when it comes to trojans.

On the contrary, despite its age, this malware is capable of launching devastating cyber attacks and managed to become one of the most popular banking trojans in the world. In addition to its powerful trojan functionality, the loader takes active actions to prevent researchers from studying it. Thankfully, malware hunting services like ANY.RUN allows researchers to study this malware in-depth and respond with appropriate countermeasures.

HAVE A LOOK AT

Adwind screenshot
Adwind
adwind trojan
Adwind RAT, sometimes also called Unrecom, Sockrat, Frutas, jRat, and JSocket, is a Malware As A Service Remote Access Trojan that attackers can use to collect information from infected machines. It was one of the most popular RATs in the market in 2015.
Read More
Agent Tesla screenshot
Agent Tesla
agenttesla trojan rat stealer
Agent Tesla is spyware that collects information about the actions of its victims by recording keystrokes and user interactions. It is falsely marketed as a legitimate software on the dedicated website where this malware is sold.
Read More
Amadey screenshot
Amadey
amadey
Amadey is a formidable Windows infostealer threat, characterized by its persistence mechanisms, modular design, and ability to execute various malicious tasks.
Read More
Arkei screenshot
Arkei
arkei stealer
Arkei is a stealer type malware capable of collecting passwords, autosaved forms, cryptocurrency wallet credentials, and files.
Read More
AsyncRAT screenshot
AsyncRAT
asyncrat
AsyncRAT is a RAT that can monitor and remotely control infected systems. This malware was introduced on Github as a legitimate open-source remote administration software, but hackers use it for its many powerful malicious functions.
Read More
WarZone screenshot
WarZone
warzone avemaria stealer trojan rat
WarZone RAT is a remote access trojan, which is written in C++ and offered as a malware-as-a-service. It packs a wide range of capabilities, from stealing victims’ files and passwords to capturing desktop activities. WarZone RAT is primarily distributed via phishing emails and receives regular updates from its C2.
Read More

Our website uses cookies. By visiting the pages of the site, you agree to our Privacy Policy