2020-06-10 - URSNIF (GOZI/IFSB) INFECTION WITH URSNIF VARIANT
- 2020-06-10-Ursnif-with-Ursnif-IOCs.txt.zip 4.2 kB (4,225 bytes)
- 2020-06-10-Ursnif-with-Ursnif-IOCs.txt (7,519 bytes)
- 2020-06-10-Ursnif-with-Ursnif-infection-traffic.pcap.zip 4.8 MB (4,835,563 bytes)
- 2020-06-10-Ursnif-with-Ursnif-infection-traffic.pcap (5,419,771 bytes)
- 2020-06-10-Ursnif-with-Ursnif-malware-and-artifacts-from-infected-host.zip 5.9 MB (5,922,902 bytes)
- 2020-06-10-additional-registry-updates-after-followup-Ursnif.txt (5,615,006 bytes)
- 2020-06-10-initial-registry-updates-Ursnif.txt (5,614,256 bytes)
- 40958169.dat (258,048 bytes)
- 93296.exe (4,268,544 bytes)
- rule-06.20.doc (118,766 bytes)
- All zip archives on this site are password-protected with the standard password. If you don't know it, see the "about" page of this website.
Shown above: Malspam from this campaign spoofs legitimate email chains.
Shown above: Screenshot of a Word doc extracted from one of the password-protected zip archive first seen on 2020-06-10.
Shown above: Traffic from an infection filtered in Wireshark.
Shown above: Initial malware, a DLL for Ursnif (Gozi/IFSB).
Shown above: Follow-up malware, an EXE for an Ursnif variant.
Shown above: Registry updates caused by both Ursnif malwares.
Click here to return to the main page.