2019-08-21 - GOZI/ISFB (URSNIF) INFECTION WITH TRICKBOT

NOTICE:

• The zip archives on this page have been updated, and they now use the new password scheme.  For the new password, see the "about" page of this website.

ASSOCIATED FILES:

• 2019-08-21-indicators-from-Ursnif-infection-with-Trickbot.txt.zip   2.1 kB (2,128 bytes)

• 2019-08-21-indicators-from-Ursnif-infection-with-Trickbot.txt   (5,344 bytes)

• 2019-08-21-two-recent-examples-of-Urnsif-malspam.zip   112.9 kB (112,937 bytes)

• 2019-08-15-example-of-Ursnif-malspam.eml   (105,442 bytes)
• 2019-08-21-example-of-Ursnif-malspam.eml   (62,352 bytes)

• 2019-08-21-Ursnif-infection-with-Trickbot.pcap.zip   17.4 MB (17,374,290 bytes)

• 2019-08-21-Ursnif-infection-with-Trickbot.pcap   (19,512,754 bytes)

• 2019-08-21-malware-and-artifacts-from-Ursnif-and-Trickbot.zip   17.7 MB (17,703,421 bytes)

• 2019-08-21-JS-after-enabling-Word-macro.txt   (1,962 bytes)
• 2019-08-21-Trickbot-EXE-retrieved-by-Ursnif-infected-host-1-of-2.exe   (1,177,088 bytes)
• 2019-08-21-Trickbot-EXE-retrieved-by-Ursnif-infected-host-2-of-2.exe   (1,113,088 bytes)
• 2019-08-21-Windows-registry-updates-caused-by-Ursnif.txt   (10,568,896 bytes)
• 2019-08-21-Word-doc-with-macro-for-Urnsif.doc   (79,360 bytes)
• 2019-08-21-initial-Ursnif-binary-after-enabling-Word-macro.exe   (265,728 bytes)
• 2019-08-21-samerton.png-from-185.183.98.232.exe   (779,776 bytes)
• 2019-08-21-scheduled-task-to-keep-Trickbot-persistent.txt   (3,574 bytes)
• 2019-08-21-tablone.png-from-185.183.98.232.exe   (780,800 bytes)
• speedLan/1013304.exe   (1,177,088 bytes)
• speedLan/938098.exe   (1,113,088 bytes)
• speedLan/dbmain.map   (779,776 bytes)
• speedLan/settings.ini   (27,696 bytes)
• speedLan/data/importDll64   (8,952,080 bytes)
• speedLan/data/injectDll64   (467,392 bytes)
• speedLan/data/injectDll64_configs/dinj   (141,504 bytes)
• speedLan/data/injectDll64_configs/dpost   (928 bytes)
• speedLan/data/injectDll64_configs/sinj   (176 bytes)
• speedLan/data/mailsearcher64   (28,336 bytes)
• speedLan/data/mailsearcher64_configs/mailconf   (240 bytes)
• speedLan/data/networkDll64   (22,704 bytes)
• speedLan/data/networkDll64_configs/dpost   (928 bytes)
• speedLan/data/psfin64   (22,192 bytes)
• speedLan/data/psfin64_configs/dpost   (928 bytes)
• speedLan/data/pwgrab64   (1,304,928 bytes)
• speedLan/data/pwgrab64_configs/dpost   (928 bytes)
• speedLan/data/shareDll64   (13,024 bytes)
• speedLan/data/systeminfo64   (21,168 bytes)
• speedLan/data/tabDll64   (841,568 bytes)
• speedLan/data/tabDll64_configs/dpost   (928 bytes)
• speedLan/data/wormDll64   (56,608 bytes)

 

IMAGES

Shown above:  Flow chart for recent Ursnif activity.

 

Shown above:  Screen shot from one of the emails.

 

Shown above:  The extracted Word document.

 

Shown above:  Traffic from the infection filtered in Wireshark (1 of 2).

 

Shown above:  Traffic from the infection filtered in Wireshark (2 of 2).

 

Click here to return to the main page.