2020-03-03 - GERMAN MALSPAM PUSHES URSNIF (GOZI/ISFB)

NOTICE:

ASSOCIATED FILES:

  • 2020-03-03-example-of-German-malspam-pushing-Ursnif.eml   (157,836 bytes)
  • 2020-03-03-Ursnif-infection-IOCs.txt   (3,205 bytes)
  • 2020-03-03-Ursnif-infection-traffic.pcap   (1,252,121 bytes)
  • Connections/Pbk/rasphone.pbk.txt   (2,678 bytes)
  • Connections/Pbk/_hiddenPbk/rasphone.pbk.txt   (0 bytes)
  • Connections/Cm/actYAI.cmp.txt   (40 bytes)
  • DieAnfrage.zip   (114,487 bytes)
  • a9xyi.dll   (1,073,152 bytes)
  • aTdcXq.sct.txt   (614 bytes)
  • aWIfs.lnk.bin   (488 bytes)
  • aZwhHn.inf.txt   (276 bytes)
  • info_03_03.doc   (125,374 bytes)


IMAGES


Shown above:  Screenshot from an example of the malspam.



Shown above:  Extracting the Word doc from the password-protected zip archive.



Shown above:  Screenshot of the extracted Word doc.



Shown above:  Traffic from the infection filtered in Wireshark.
