2020-03-03 - GERMAN MALSPAM PUSHES URSNIF (GOZI/ISFB)

NOTICE:

• The zip archives on this page have been updated, and they now use the new password scheme.  For the new password, see the "about" page of this website.

ASSOCIATED FILES:

• 2020-03-03-example-of-German-malspam-pushing-Ursnif.eml.zip   120 kB (119,508 bytes)

• 2020-03-03-example-of-German-malspam-pushing-Ursnif.eml   (157,836 bytes)

• 2020-03-03-Ursnif-infection-IOCs.txt.zip   1.3 kB (1,394 bytes)

• 2020-03-03-Ursnif-infection-IOCs.txt   (3,205 bytes)

• 2020-03-03-Ursnif-infection-traffic.pcap.zip   736 kB (736,073 bytes)

• 2020-03-03-Ursnif-infection-traffic.pcap   (1,252,121 bytes)

• 2020-03-03-malware-and-artifacts-from-Ursnif-infection.zip   909 kB (909,031 bytes)

• Connections/Pbk/rasphone.pbk.txt   (2,678 bytes)
• Connections/Pbk/_hiddenPbk/rasphone.pbk.txt   (0 bytes)
• Connections/Cm/actYAI.cmp.txt   (40 bytes)
• DieAnfrage.zip   (114,487 bytes)
• a9xyi.dll   (1,073,152 bytes)
• aTdcXq.sct.txt   (614 bytes)
• aWIfs.lnk.bin   (488 bytes)
• aZwhHn.inf.txt   (276 bytes)
• info_03_03.doc   (125,374 bytes)

 

IMAGES

Shown above:  Screenshot from an example of the malspam.

 

Shown above:  Extracting the Word doc from the password-protected zip archive.

 

Shown above:  Screenshot of the extracted Word doc.

 

Shown above:  Traffic from the infection filtered in Wireshark.

 

Click here to return to the main page.