2019-09-26 - DATA DUMP: TWO URSNIF INFECTIONS
- 2019-09-26-1st-run-Ursnif-with-Predator-The-Thief-and-spambot-infection-traffic.pcap.zip 23.1 MB (23,097,162 bytes)
- 2019-09-26-2nd-run-Ursnif-with-Predator-The-Thief-and-Trickbot-infection-traffic.pcap.zip 14.8 MB (14,781,874 bytes)
- 2019-09-26-info-on-malware-and-artifacts-from-two-Ursnif-infections.txt.zip 2.2 kB (2,152 bytes)
- 2019-09-26-malware-and-artifacts-from-two-Ursnif-infections.zip 18.1 MB (18,099,844 bytes)
- Both infections had Trickbot gtag leo19 as the follow-up malware.
- But the Trickbot EXE crashed unless I ran it manually as an administrator.
- For the first infection I didn't do this, so there is no Trickbot traffic.
- The second infection has Trickbot traffic.
- The first infection has spambot traffic and some other traffic weirdness I've seen before with Ursnif.
- There are examples of Ursnif malspam in the spambot traffic from the first infection pcap.
- To extract a malspam example in Wireshark, use File --> Export Objects --> IMF
- Then select the first object from the list and save it as an .eml file.
- Zip archives are password-protected with the standard password. If you don't know it, see the "about" page of this website.
Click here to return to the main page.