2020-03-03 - GERMAN MALSPAM PUSHES URSNIF (GOZI/ISFB)
NOTICE:
- The zip archives on this page have been updated, and they now use the new password scheme. For the new password, see the "about" page of this website.
ASSOCIATED FILES:
- 2020-03-03-example-of-German-malspam-pushing-Ursnif.eml.zip 120 kB (119,508 bytes)
  - 2020-03-03-example-of-German-malspam-pushing-Ursnif.eml (157,836 bytes)
- 2020-03-03-Ursnif-infection-IOCs.txt.zip 1.3 kB (1,394 bytes)
  - 2020-03-03-Ursnif-infection-IOCs.txt (3,205 bytes)
- 2020-03-03-Ursnif-infection-traffic.pcap.zip 736 kB (736,073 bytes)
  - 2020-03-03-Ursnif-infection-traffic.pcap (1,252,121 bytes)
- 2020-03-03-malware-and-artifacts-from-Ursnif-infection.zip 909 kB (909,031 bytes)
  - Connections/Pbk/rasphone.pbk.txt (2,678 bytes)
  - Connections/Pbk/_hiddenPbk/rasphone.pbk.txt (0 bytes)
  - Connections/Cm/actYAI.cmp.txt (40 bytes)
  - DieAnfrage.zip (114,487 bytes)
  - a9xyi.dll (1,073,152 bytes)
  - aTdcXq.sct.txt (614 bytes)
  - aWIfs.lnk.bin (488 bytes)
  - aZwhHn.inf.txt (276 bytes)
  - info_03_03.doc (125,374 bytes)
IMAGES (screenshots not reproduced on this page):
- Screenshot from an example of the malspam.
- Extracting the Word doc from the password-protected zip archive.
- Screenshot of the extracted Word doc.
- Traffic from the infection filtered in Wireshark.