
Ursnif is a banking Trojan that usually infects corporate victims. It is based on an old malware but was substantially updated over the years and became quite powerful. Today Ursnif is one of the most widely spread banking Trojans in the world.

Type: Trojan
Origin: Unknown
First seen: 1 January, 2014
Last seen: 23 September, 2025
Also known as: Gozi, Dreambot, ISFB


IOCs

IP addresses
31.41.44.63
146.70.35.138
146.70.35.142
62.173.140.103
46.8.19.239
185.77.96.40
46.8.19.116
31.41.44.48
62.173.139.11
62.173.138.251
Hashes

Domains
google.com
config.edge.skype.com
cochrimato.com
146.70.35.138
146.70.35.142
alogencian.com
wxan.com
checklist.skype.com
URLs
http://df1.kamalak.at/wpx/ExVsXIqizFME_2BbDoE/0vVYaqG7MLdAYmy2NznBwO/GMNPy0S_2Bjg1/TbpDZbj7/YbaCTARv3x6qJq33i8j72ZU/Fg0bi6svzd/gQSjLjchcNY9W9TX6/eAHw9GmUKs_2/Fu6PvYUTktI/Tdft15nWYNScPM/fn5Hp6jrJVRCJ7IfLVx8T/SInFcsi_2Btqoqi5/waCLbMuu_2FXQ4K/jvQxm3HIkT2Yx505z0/4QZciQBOY/iFVKsrX0yEnd1PROohid/_2FaJMyoMlFzqa8j_0A/_0DXfwWW_2BGKzlxdNcwW0/LTN_2B0_2Bz/1E
http://df1.kamalak.at/wpx/tIvAvzXhUJiq3L/T7LJS1IMtSNBoQxidxOPp/Phgszgz9noWyOU1u/rUvpIwBM_2BWNnK/eKsR_2B6hDxHNHpUc2/wUePRbTeo/254sGaLE_2BxdHenJy2n/2W86FgNa55kXPN_2FpB/V_2BdT4X7EGPaPAe5QFrKv/uiZxz1hxGLDRa/giR7iife/UhZ9QZvBjdkuY0HWNzEBLdt/Kif_2B5Xmx/07Z9Ut_2Flpxv1y_2/BlnrKmABHMBR/5cyH_2BJKEi/_2B7G1aQ_2FCli/GRDOubUnfhOA_0A_0DEA3/1OABq5unQUsOpPPs/knEX7XE
http://df1.kamalak.at/wpx/S0ol9g_2FKiIKccBdqcx4TI/LeOwMgBj5_/2BFNQ88MIsCGehL6Y/zx_2FjsILr_2/BPUaygGKH4s/h3UCdlOHN7rG_2/B5d915QQL5tQZ4MyXoNtf/8XHV9GFKlZ_2BNdu/C5U9RqEEZkZX0X9/apTtdcVadDV3J60QPQ/tP0msaBK1/vEOdIXXJk5uOLnJLjdxE/a8COwKLP9oxY8I_2F2O/tG7mQJJ1ywB8sFHbMGRQ1k/nugtFuLKm1R_2/FCncQfih/3qvYIV3iSNplIiV7XHTv_0A/_0D5trgve2/O2RGiLVS/JQkXecEk9P/0
http://df1.kamalak.at/wpx/bdBwcdmm1daHV/iTg_2Fdz/Hpwrou_2B0PGwmNBBq5Us_2/BaFIhsv9Ge/0tGaUrG7AItQoefsZ/97ZRzJyakF5x/Gk_2FvggD7T/FtV0OjJk5dAXyl/EaFGN0oTqRgOw0YFUMoQH/vWkVEa_2BpUlLpLY/lHPo2MEfllZIng8/bSeuAqMcBeslSwVDCo/GYsk7_2Fq/w19Y9jU_2BHIhn0s4lkB/Z_2BlcYRfF5fhnl4f8Y/wtdsVjspAXIEz9uZ2tJsrO/F4py37Agge5nN/m1k5F1G_/0A_0DwcAW9JQ6hQNLE2PHUk/SwCMpK5c
http://df1.kamalak.at/wpx/2y8_2BrmkofkxYASPSJJcqF/CsYhoud4_2/Fpg1Xnw2YjXLwJt7A/Aez8npe7TKq1/gM48aNkNcUR/vI1nNu6qLrIuaQ/NX_2Fn5rkSyRLhRFRKvMU/axIgiztlrShlHWtw/bFm6iut_2FJtU8n/gem676C1_2FwX0_2FB/OAgSMXbBU/riTdd0f8eq29Vb19cLKm/raJrMY88LDH_2BvkVbr/oHcYwjGnbzxR5hzjMDy_2F/mvr6ys_2FVPII/l8s0J0JL/0wmFuG8_2FjidaBuROKIj_2/F5g_0A_0DJ/AofiYypzcsAW9Jwrz/iwFGqFPm
http://df1.kamalak.at/wpx/JiuYNxRImO6iZi30v7JFlDd/S1lFqfztMy/BlXrUpbG4bMN71sd2/GkVquipo_2BU/s_2Bd_2BrNk/pPg_2Brr9PHu71/1kt5N_2FUHj2MljSaDGSg/b1dX_2BahTE2YjYM/AjZRwooEkCaqXMh/aPdHfwPufGhGDrmdwB/cbw3kd7fv/kY5OmjixWue2Ajqh7Y8J/H7l8RTlivS_2F3Iy5kE/Xy7bkACQOSC_2ByCcoLynx/ojKNTktMDehF1/exNa5CI7/J4ffGco9wjpNktNzNSEl_0A/_0DYzo94mc/uuvoW4mksfL5/SQ2TK72
http://df1.kamalak.at/wpx/vQnQy6pAPmtZKZxDa/LoOO_2Bk5pZS/CLm07R_2Bcc/0XApXfxsEMVAex/5aXEsrTzYVk_2BrupapOQ/hAbgxt_2FG58w6Kv/sGElaD0NNoqgoSa/7fDeE3LfyKGMaFFqQq/dfyyQ1C9a/7Bpe7aoYdVwrrkoJ1HCd/tczmGZV56EL3Y4B5I2H/Yo2EGJdvtvF0PhuBVJ42cp/Mae2rx_2FzYG9/14tVqjZ7/lmCSnWe5qPHh3sOcf8O3sVy/vTO2PYT63R/hf2fG0sHWnrBuk_0A/_0DVq8lBdwvA/zjQ78H6pN/mTjYHrDo
http://df1.kamalak.at/wpx/3lo44C_2F/0CIC6s6tKNYG1EACM8du/3B5UN68Y9R6i_2FCaCG/2vISHfCthxnFg8cn8cmrnp/rDHru04Gkr7e9/Pjcocsl_/2FXh81rSsBXLLA0j3cpBH71/nbyXT0t1Bx/91h6w3CYD2YWBz7r9/FiE8Q2NBOaDi/tHAfrt2aYro/7BMyZaF0AIWuOo/vI5mWxpKC_2F00gHLmoyy/apUOvtu41NFe96gB/l_2B8Wd98TA0JUe/xOSI8eU_2BIDN8Rdo7/1p_2B_2Bg/cV724dc8TQ_2B_0A_0DA/ikKe3SYOI9I8Tjgz8CE/8q5t8q
http://df1.kamalak.at/favicon.ico
http://94.247.42.61/front/0gs6Cm6ppwPKo2GjG1V3nw/FjA7Vtu9t9CMy/o7cNIudt/5A3b98PQKj2ZHyvix3fBhq5/yQTC2ixptZ/ra8qnFEt5H5Mq_2Bk/pW41mk6zrtaQ/aNaWhr35fsl/mE8H9ebBAxjqvN/J9UQPNAHvHXOsuzQgjFtu/emaNyg7n_2FIO9bu/nkBdbixO_2Bd2cJ/xhvafSdLcGXFuQw1Q_/2BQZnj_2F/7HyFvL8gXX7bhpPe6XYR/l_2BMCIvCrs7ObvTcUA/dzb_2F674sGydjMsbCay7Y/DSaM5h0XmSenu/_2BgwKA0/vsYhBP4VUyRiWuKdhI9eGRY/_2B.bak
http://94.247.42.61/front/fwD5BSu9N4V5DZqXc/Oj2B88q93_2B/S3zeklDjff7/sJSF4yFHy5rl2e/8NAHNJG_2BtLEJPIfLsrQ/P6Dxg_2F0dqJeh5J/XByOfuSSavUGvn9/_2BLzhbkHh3t7hxTZq/NIrEMyPut/AIiyPK9r0aZ4cJ2yH1Dv/Qncq_2F_2BJX_2B2mOt/w61cQHVrYFEJH5zfq4Ncsu/yQnbiC3zdgHYt/57pXAivh/Cjb4leBbt_2BdnFNeHUfcG_/2B68rCDK4n/AZ_2FRJtZGtVANZhd/H9KgxQexlb4a/pmGtAvWJsv0/2ZeD4GVKCmDATn/6LpYefcX1C/PzCWax6.bak
http://94.247.42.61/front/cqx0jWVInzeFJFBZIih/2MB0WbfmtVK45kw14TkZ4s/ae_2Bbm1kvprr/tFXNFDCe/pJai1_2FHgK5kl9_2FRMt54/1bttFa1jik/mz6t4KJCByGt9b_2F/7Q_2BqAza0eR/QCEQ_2Bnkn2/p_2Fb_2FNPMIDt/Ex_2F8VhQH7Ofwl8fYDeD/3RFjskpKpjSqY76f/u7KTcq5B6aWvETd/_2BpzgS48R4xBLmwUp/3k0_2BkqX/Gg0Dp7ckxY_2Fn9ewyri/Hxx7JvIp07Dc7tdnxYW/QIF9aI_2F408oKEZlKtckW/QXzA_2FunWe58/gW6bgyFU/rECrEJyvbh94/7AOJf.bak
http://185.212.47.65/zerotohero/_2F1v91H/1CiXZtSBm_2BTOBhAg5LgF6/HYFFcy1g_2/BzxDW9Up7_2B6UAIP/IyUme_2F7a3L/E0qwi35lI4J/1h74Z007_2BHIC/887cG_2BQ2ZILBP1uP3cw/J1tDlkzG5Q11m0LL/gSB9HLRD9DNfN7M/VV8BZy_2F7QjbMzwcV/Gw1bST5Gf/QhLuT3IhBfmdnAs9YOCq/8SxoMFIvVglswGW2FwD/ZgVEUltZVjIEkl5rhNUZJk/UKUd1s5NB3kqt/0hC_2F_2/BKvxjedwQ6cyvBQEjmr1a50/H4PaR1b2lI/_2FdRyJ_2BkdNlsFe/t_2BgJO36OezkC3f/k3_2F.asi
http://185.212.47.65/zerotohero/dYUf14PRXtbm2qPkk/tg9XAfzEOfjF/m6OiXP049Qi/az1RDCNXnulV1J/cIvvdi_2FyLyUChfP7lxR/okxMzI1bic4bOX_2/FlTuGrV0CNWVS8o/nhjrAw84yV87UpvZX2/zsoDEkHzS/bqCeLKBXcRrc1Nhxkz5e/yFv8FN0RZYlP6pXyBm8/wFnItEqBXEbPxz067H2unp/ifz9y65j7Rf9_/2FJNByM4/M8_2BczsbrXj986ilJQoBom/jPmFDhlEJ8/jMKY_2FtZzjTvAQtb/Ok5HmveqL2EX/NwJOWPgGSHa/etKgAfhVWnbId458X/tWrn.asi
http://185.212.47.65/zerotohero/1nDoSQlU/ININwiiEl2rK0rya9h5t2sS/yJBuzKTDN2/yqOFCRI4bb1SR9Pyz/mcqx0YFBAD6n/5hi1ihicffa/5gOA4FdVsfA85F/ZFp5yANC8RD49d4_2BWIX/Rd6Vu2xWKTOUItJK/v_2Bd6vLBwy8neX/UuvHcApb_2B3OIbqkH/WYlmXdQrf/PqpZ0DkK7cT7vJ5kc1gG/PTxKzQwLrUtsgeHxPvS/ML92_2FEpjKAoZi68hik_2/BHOGGC0zi8Cme/vpdJpQpa/dG7x1_2Ft_2F_2FEPk_2BfG/pNv5x0wqdwL3Kn/ubq.asi
http://185.212.47.65/zerotohero/Twuv4UbQJd_/2FaZBH8qm7Vzkg/2vh6FLLJtdoCPXXAYpbOr/EU725v9cSZ2JQYPB/cK9jAHVMbu0Rhtv/KchJWHpYbirJqOdbzP/CwMegL9gb/W5VIDABITtgC5EwJOUOB/J45ID69W_2FNBGXrIdC/_2FggIWR9KgxBaFAuESU4z/4rn0wi0Hw4C_2/FcwJYn7t/AHRZZEkIB6Fl1FQ3sbxdvZG/mx6zQMJkjB/zTXzVLKYAI1G0Z594/ZaaB8pQhfq4X/VUjymxn0BC_/2Ftzo4Ezz4hkMn/O9OaK8bijDPoEoxvbGUCn/OS_2BdbfPm/KpraypP.asi
http://185.212.47.65/zerotohero/zeTbtlwl4niUU3/D4bruLKXfyJeXa2Oh1hw_/2BOnRDgnjIbl33Om/jNfFkZL1Ni_2BoL/QX8fsleK3Qjzz_2BB1/rH_2FqCFe/Z8Tg06giUwv2Ngpip6o0/EMd2erU52Txncyg1aO7/2C4jEh3zcR6wDcZERq60ul/n2RlCVxZPXZ1J/s_2Bt0CZ/pak55JqbwBU7cRVWYtYdPNw/_2B7AJ3lLU/sCISWaE49AS22yLjM/qH1b19QKZQlg/tVo1MUQJMCq/ZfG0qGmHb2TEOl/aoJnDPsY3fcDAbZbKd_2F/VVxXcl5CCdx_2FJX/2_2BKfYcw/0iczmhf4/O.asi
http://185.212.47.65/zerotohero/kiCo5_2B04/RtNifr8ydybiZJNUL/Z2g88EYYUdp5/LbMSbqgePtY/rB7HSVgOx8akub/SM2lQztasVjDjhYYLBPuU/m9JJfzSojhH1aOFH/NzYzeSogQNJrmsq/Ay_2B_2BAeSdWdIQHz/UEjuye3oJ/VOla9Mub5L4dPVB2ZPOu/8V39IpJ_2BsOl_2BDaF/wmf3flE5IHkWnCshqEJRrz/cbkxhU1yUylgW/g4I2bOn8/nGRcMuk08I0YAseQrpSEm0S/wM35lFPVQE/VvO0F_2B0M6DhrLsk/dbYn10uKlXqE/qors2uWt5iM/bbnE8y1ZwHFW/I.asi
http://185.212.47.65/zerotohero/SsSk3bzNoC6/cu_2BxCeMh5GnC/v5nefsxPlyyPxTR65UnQ_/2FGsIEPLPuMsSZfp/WFlvOn0_2BB0cse/OXMHQpsCzG2e9mcQ0Z/FQSU6mOHF/6XqI_2FUjJFxBQ_2FNiC/EROCsbrZX_2FC_2BJeb/mKxv_2BeeJM_2BT8RHJPiI/xYpHcGTCi6C21/kMxEgQiE/v_2FO7nCKMMrd3oXtoZqVog/PkD7KrCYIh/JRIVDzbCD1ufn4e5H/q5_2B37pLWcK/iV9p_2FEsek/s1P6pEOIae6UHb/xnpzeGSfIZefl7WDac51i/f2t93qubudmJRsn6/6ji9902IjSY8/T.asi
http://185.212.47.65/zerotohero/sVWiKFz7/ZgU5mHNDdV4rlfFmTH1k8fo/c3wCfTwJLt/x2_2FX6ETh3DBgccI/RiQbZpA2lvCJ/K4yEBo6jYzS/CWEEuyy_2BuAR9/T_2FRoofsZV_2FqHeFuEU/SH9zT2qH3Cgh9als/B8i20HBzSQriUeN/a5Rh9iLx0Ha5KntA5A/3HgMkjWzr/Qj8kJM7nI5UXBSvpZr4X/tSsYldXIPSqUbj4OcqO/mwcfGDFkPXZNe4CqiTUCjO/Qnpxvmq6SOnUn/E1zDUN_2/BQgDZtV2JZKbP_2BZUSHyMM/43eJnfy_2B/zA7SzJ8iiz25v0up_/2BVilgB7/J.asi
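As an added defender-side example (not code from this page or from ANY.RUN), the script below shows how a SOC might consume the IOC list above: it drops the legitimate service domains that appear in it (google.com and the Skype configuration hosts were contacted by the sandboxed sample but are not attacker infrastructure), matches the remaining IPs and domains against constructed proxy log lines, and applies a structural heuristic derived from the listed C2 URLs (long paths of random-looking segments in which URL-encoded base64 shows up as _2B, _2F, _0A and _0D tokens). The log lines, the allowlist and the heuristic thresholds are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

# Indicators copied from the IOC list on this page (a subset, for illustration).
IOC_IPS = {"31.41.44.63", "146.70.35.138", "146.70.35.142", "62.173.140.103"}
IOC_DOMAINS_RAW = {
    "google.com", "config.edge.skype.com", "cochrimato.com",
    "alogencian.com", "wxan.com", "checklist.skype.com",
}

# Legitimate service domains that appear in the IOC list because the sandboxed
# sample contacted them; matching on them would only generate false positives.
# (Assumed allowlist for this example.)
BENIGN_ALLOWLIST = {"google.com", "config.edge.skype.com", "checklist.skype.com"}
IOC_DOMAINS = IOC_DOMAINS_RAW - BENIGN_ALLOWLIST

# The listed C2 URLs share a shape: a long path of random-looking segments in
# which base64 data was URL-encoded so that '+' became _2B, '/' became _2F and
# CR/LF became _0D/_0A. The heuristic below keys on that shape (an assumption
# derived from the URLs on this page, not an ANY.RUN signature).
SEGMENT_RE = re.compile(r"^[A-Za-z0-9_]+$")
ENCODED_TOKEN_RE = re.compile(r"_2B|_2F|_0A|_0D")


def url_looks_like_ursnif_beacon(url, min_segments=8):
    """Return True when the URL path resembles the encoded beacon paths above."""
    segments = [s for s in urlsplit(url).path.split("/") if s]
    if len(segments) < min_segments:
        return False
    encoded_hits = sum(1 for s in segments if ENCODED_TOKEN_RE.search(s))
    random_like = 0
    for s in segments:
        base = s.rsplit(".", 1)[0]          # drop a trailing .bak/.asi style suffix
        if len(base) >= 6 and SEGMENT_RE.match(base):
            random_like += 1
    return encoded_hits >= 2 and random_like >= 0.7 * len(segments)


# Constructed proxy log lines: "<timestamp> <client ip> <method> <url> <status>".
SAMPLE_PROXY_LOG = """\
2025-09-23T10:00:01Z 10.0.0.5 GET http://config.edge.skype.com/config/v1/Skype/1.0/abc 200
2025-09-23T10:00:02Z 10.0.0.5 GET http://cochrimato.com/index.html 200
2025-09-23T10:00:03Z 10.0.0.7 GET http://df1.kamalak.at/wpx/AbCdEf_2BxyZ123/QwErTy987/ZxCvBn_2FqWe/AsDfGh_0A_0D/PoIuYt12345/LkJhGf_2B/MnBvCx9/1E 200
2025-09-23T10:00:04Z 10.0.0.9 GET http://146.70.35.138/update.bin 200
2025-09-23T10:00:05Z 10.0.0.9 GET http://www.google.com/search?q=ursnif 200
"""


def host_matches_ioc_domain(host):
    """Exact or subdomain match against the cleaned IOC domain set."""
    return host in IOC_DOMAINS or any(host.endswith("." + d) for d in IOC_DOMAINS)


def triage_proxy_log(log_text):
    """Return one finding per log line that matches an IOC or the beacon heuristic."""
    findings = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue                         # skip malformed lines
        _ts, src, _method, url, _status = fields[:5]
        host = (urlsplit(url).hostname or "").lower()
        reasons = []
        if host in IOC_IPS:
            reasons.append("ioc_ip")
        if host_matches_ioc_domain(host):
            reasons.append("ioc_domain")
        if url_looks_like_ursnif_beacon(url):
            reasons.append("beacon_url_structure")
        if reasons:
            findings.append({"src": src, "host": host, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage_proxy_log(SAMPLE_PROXY_LOG):
        print(f"{f['src']} -> {f['host']}: {', '.join(f['reasons'])}")
```

Note that df1.kamalak.at is only present in the URL list, not in the domain list, so the third sample line is caught by the path heuristic rather than by an exact indicator; that is the value of pairing raw IOC matching with a structural rule. The thresholds (eight segments, 70% random-looking) are starting points and should be tuned against your own proxy traffic before alerting.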


What is Ursnif malware?

Ursnif, also known as Gozi, is one of the most widely spread banking trojans. It is aimed at stealing banking credentials and usually targets corporate victims. Some security solutions detect it as Win32 Ursnif, Trojan Ursnif or Win32 spy.

As for the Gozi malware basics, the trojan was developed from the fairly old Gozi-ISFB trojan after its code was leaked in 2014. Since then, Ursnif has kept evolving and growing more powerful, which led it to become one of the most used banking trojans today.

General description of Ursnif trojan and Gozi malware explanation

Ursnif Trojan is a dangerous malware that can collect the system activity of the victims, record keystrokes, and keep track of network traffic and browser activity. The malware stores the data in an archive before sending it to the C2.

The malware uses malicious Microsoft Office documents to get onto users' machines and requires macros to be enabled. Once opened, the document prompts the user to enable macros. If the user follows the instruction, the macro drops a VB script into the current user's temp directory, where it is automatically decoded, and the malicious payload is downloaded.

According to the analysis, in some versions the Gozi macro checks the victim's country through the Application.International MS Office property. If the result does not match a list of pre-selected countries, the malware terminates its execution.

Interestingly, the malware terminates execution if it detects that it’s being launched on a virtual machine. Hackers implement this precaution technique in order to complicate the analysis process and, hopefully, prevent the effective development of countermeasures.

Ursnif malware analysis

A video recorded in the ANY.RUN malware analysis service lets us watch a simulation of the malware's execution in detail. You can also investigate other malware such as Hawkeye or Raccoon.

Figure 1: A visual process graph generated by ANY.RUN shows the lifecycle of Ursnif

How to avoid infection by Ursnif?

The best way to stay safe from Ursnif is to keep macros turned off and not enable them when prompted by a Microsoft Office file downloaded from an untrustworthy source, such as an email from an unknown sender. In addition, following good online safety practices, such as not downloading files from suspicious emails, is another effective way to avoid infection.

Ursnif execution process

In the case of our simulation, the execution of the malware starts when the user opens a Word or Excel file and enables the macro. Ursnif uses the browser's COM object to connect to its C2 server and receive additional data.

Based on the analysis, the Ursnif trojan uses exploits to start legitimate software like Outlook, which in turn launches cmd.exe only to spawn a PowerShell script. If a campaign is aimed at select countries, the malware checks where the victim is from during this stage. The PowerShell script then downloads and executes the final payload, which is Ursnif itself. Lastly, the loader starts its malicious activity and injects its code into the explorer.exe process.

After installation, the malware tries to inject into an active explorer.exe process to establish persistence. If the injection fails, Ursnif launches a new svchost.exe process and injects itself there instead. This behaviour is a useful pointer for detection. After that, Ursnif hooks the APIs of common web browsers such as Chrome, Opera, Internet Explorer, and Firefox. The loader uses the browsers' COM object to communicate with its C2 server. The malware then begins monitoring web activity and steals payment information as soon as the victim visits a banking or payment webpage. Finally, Ursnif sends the collected data to a C2 server via the IE COM object.

Communication with C&C

In order to prevent domain name disclosure, the malware generates domain names locally with a Domain Generation Algorithm (DGA) instead of hardcoding them. Uniquely, the DGA seeds its domain generation with bits of text taken from popular websites. If you decrypt the URL in the script, you may recover the data sent to the C2 server.

The malware is also known to be able to execute commands received from the control server.

How to detect Ursnif using ANY.RUN?

Ursnif uses COM objects to execute the malware's payload, and it usually runs multiple iexplore.exe processes. The loader creates the COM object through a hidden API function. Knowing this, look at the process tree once execution has run for a while and determine whether the sample is Ursnif. Check the script to find out whether a suspicious URL corresponds to malware activity.
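The following is an added example, not code from this page or from ANY.RUN, that turns the execution chain described above (Office document, then cmd.exe, then PowerShell; later the browser COM objects surfacing as several iexplore.exe children of explorer.exe or svchost.exe) into detection logic over constructed process-creation events of the kind a sandbox process tree or Sysmon event 1 would give you. The event tuples, the thresholds and the payload file name are assumptions made for illustration.

```python
from collections import defaultdict

# Process names taken from the page's execution description; lower-cased for matching.
OFFICE_APPS = {"winword.exe", "excel.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "wscript.exe", "cscript.exe"}
INJECTION_HOSTS = {"explorer.exe", "svchost.exe"}

# Constructed process-creation events: (pid, parent pid, image name).
# Modelled on the tree the page describes; the payload name is hypothetical.
SAMPLE_EVENTS = [
    (400, 1, "explorer.exe"),
    (1200, 400, "WINWORD.EXE"),
    (1300, 1200, "cmd.exe"),
    (1400, 1300, "powershell.exe"),
    (1500, 1400, "payload.exe"),        # hypothetical final Ursnif payload
    (1600, 400, "iexplore.exe"),        # browser COM objects created from explorer.exe
    (1700, 400, "iexplore.exe"),
    (1800, 400, "iexplore.exe"),
    (2000, 1, "svchost.exe"),
    (2100, 2000, "iexplore.exe"),       # a single instance is not suspicious on its own
]


def build_tree(events):
    """Map pid -> (ppid, lower-cased image name)."""
    return {pid: (ppid, image.lower()) for pid, ppid, image in events}


def ancestry(by_pid, pid):
    """Image names from the given process up to the root (loop-safe)."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        ppid, image = by_pid[pid]
        chain.append(image)
        pid = ppid
    return chain


def detect_office_to_script_host(events, max_hops=2):
    """Office app -> (cmd.exe) -> script host: the chain the page describes."""
    by_pid = build_tree(events)
    findings = []
    for pid, (_ppid, image) in by_pid.items():
        if image not in SCRIPT_HOSTS:
            continue
        chain = ancestry(by_pid, pid)
        # An Office parent directly above, or one hop above via cmd.exe.
        if any(p in OFFICE_APPS for p in chain[1:1 + max_hops]):
            findings.append((pid, " <- ".join(chain)))
    return findings


def detect_iexplore_fanout(events, threshold=2):
    """explorer.exe or svchost.exe spawning several iexplore.exe instances."""
    by_pid = build_tree(events)
    counts = defaultdict(int)
    for _pid, (ppid, image) in by_pid.items():
        if image == "iexplore.exe" and ppid in by_pid and by_pid[ppid][1] in INJECTION_HOSTS:
            counts[ppid] += 1
    return {ppid: n for ppid, n in counts.items() if n >= threshold}


def assess(events):
    """Combine both signals into a simple verdict for triage."""
    chains = detect_office_to_script_host(events)
    fanout = detect_iexplore_fanout(events)
    return {
        "office_script_chains": chains,
        "iexplore_spawners": fanout,
        "suspicious": bool(chains) and bool(fanout),
    }


if __name__ == "__main__":
    result = assess(SAMPLE_EVENTS)
    for pid, chain in result["office_script_chains"]:
        print(f"pid {pid}: {chain}")
    print("iexplore.exe fan-out:", result["iexplore_spawners"])
    print("verdict: suspicious" if result["suspicious"] else "verdict: no match")
```

Two caveats a practitioner should keep in mind: the injection into explorer.exe (and the fallback to a fresh svchost.exe) that the page calls a useful pointer is not visible in process-creation events at all, so it needs remote-thread or memory-access telemetry such as Sysmon event 8 rather than this tree walk; and a user who simply opens several Internet Explorer windows will also produce iexplore.exe children of explorer.exe, which is why the fan-out signal is only combined with the Office-to-script-host chain rather than alerted on by itself.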

Figure 2: Ursnif process tree

Conclusion

Based on the source code of another malware that is already almost a decade old, Ursnif is a prime example of the fact that “old” does not mean ineffective when it comes to trojans.

On the contrary, despite its age, this malware is capable of launching devastating cyber attacks and has managed to become one of the most popular banking trojans in the world. In addition to its powerful trojan functionality, the loader takes active steps to prevent researchers from studying it. Thankfully, malware hunting services like ANY.RUN allow researchers to study this malware in depth and respond with appropriate countermeasures.
