WinNT/Ursnif (alias ISFB/Gozi)

WinNT/Ursnif (alias ISFB/Gozi)

Postby markusg » Fri Nov 19, 2010 4:53 pm

hi,
perhaps somebody can share some gozi dropper, thx
markusg
 
Posts: 713
Joined: Mon Mar 15, 2010 2:53 pm
Reputation point: 141

Re: searching gozi dropper

Postby xqrzd » Fri Nov 19, 2010 5:01 pm

Here are a few I have, I've never tested them. Some of them are old, you can sort by date modified attribute to get the newer ones.
Edit: update.zip is from Jan 2010.
xqrzd
 
Posts: 52
Joined: Tue Mar 23, 2010 3:29 pm
Location: US
Reputation point: 5

TrojanSpy:Win32/Ursnif

Postby shaheen » Mon Jun 13, 2011 1:02 pm

I need a sample of Gozi trojan, preferably latest variant.

Thanks
shaheen
 
Posts: 35
Joined: Wed Jun 09, 2010 11:08 pm
Reputation point: 4

Re: Malware Requests

Postby Meriadoc » Mon Jun 13, 2011 2:44 pm

shaheen wrote:I need a sample of Gozi trojan, preferably latest variant.

Thanks
Who controls the past controls the future
Who controls the present controls the past
Meriadoc
 
Posts: 195
Joined: Sat Mar 13, 2010 7:36 pm
Location: Cymru
Reputation point: 87

WinNT/Ursnif

Postby rkhunter » Sat Mar 24, 2012 6:51 am

Trojan - stealer of user personal data. Spreads via BH EK.
Droppers in attach.
rkhunter
 
Posts: 1148
Joined: Mon Mar 15, 2010 12:51 pm
Location: Russian Federation
Reputation point: 147

Re: Ursnif - New Blackhole spreading malware

Postby EP_X0FF » Sat Mar 31, 2012 3:09 pm

Ursnif dropper (contains client parts for x86 and x64), payload dll and decrypted payload dll in attach. Uses splicing for self-injection.

Set hooks:

CreateProcessAsUserA
CreateProcessAsUserW
CreateProcessA
CreateProcessW
CryptGetUserKey


Malicious IP identified

208.115.205.41 (BH EK host)
95.143.198.47 (C&C)

Autoruns through

HKLM\System\CurrentControlSet\Session Manager\AppCertDlls

Payload drops to systemroot\system32 directory

Sensitive strings dump

GDI32.dll SHELL32.dll CreateProcessAsUserA CreateProcessAsUserW ADVAPI32.DLL CreateProcessA CreateProcessW KERNEL32.DLL CryptGetUserKey .pfx p a s s w o r d Exported %u certs to file %s
No certs found in "%S".
Certs thread started.
My AddressBook AuthRoot CertificateAuthority Disallowed Root TrustedPeople TrustedPublisher Certs ended with status %u
financepfrro.com.tw masmitnd.com.tw wednesltr.com.tw 208.115.205.41 95.143.198.47 s1 k1 k2 Version Data FILE /ping http://%s%s user_id=%.4u&version_id=%lu&socks=%lu&build=%lu&crc=%.8x Config from: %s
Config load status: %u
Config updated.
Config update failed.
cert /uda cook sys PR_Close PR_Write PR_Read NSPR4.DLL nspr4.dll %x
Content-Length: %u
Content-Type text/html javascript json Content-Length : chunked Transfer-Encoding ocsp Accept-Encoding: If-Modified-Since: If-None-Match: gz=1 * \ \ \ ? \ Local\ Makezip ended with status %u
%s%0.8X%0.8X.tmp File "%s" added to send list.
Add HANDLE To Send %0.8X
\*.* Host User-Agent HttpQueryInfoW HttpQueryInfoA InternetConnectW InternetConnectA LoadLibraryExW InternetQueryDataAvailable HttpSendRequestW HttpSendRequestA InternetReadFileExW InternetReadFileExA InternetReadFile WININET.DLL WININET.dll Software\Microsoft\Windows\CurrentVersion\Internet Settings User Agent gzip identity Accept-Encoding: identity
A c c e p t - E n c o d i n g : i d e n t i t y Software\Microsoft\Internet Explorer\Main NoProtectedModeBanner Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 2500 http:// https:// i m a g e / g i f screen %.4u %user_id% %u %version_id% NEWGRAB grabs SCREENSHOT PROCESS HIDDEN http %%param_%s%% URL: %s
user=%s&pass=%s auth /ufs POST URL: %s
form GetNativeSystemInfo OS: Microsoft Windows Vista Windows Server 2008 Windows 7 Windows Server 2008 R2 Windows Server 2003 R2, Windows Storage Server 2003 Windows Home Server Windows XP Professional x64 Edition Windows Server 2003, Windows XP Home Edition Professional Windows 2000 Datacenter Server Advanced Server Server (build: %d) 64-bit 32-bit Unknown
ARCH: x64 (AMD or Intel) Intel Itanium-based x86 32bit
USER: Admin User URL: %s
KEY: %s html %02u:%02u:%02u [PipesProcessCommand] SocksStart. Data: %s
[PipesProcessCommand] SocksStart. Data: NULL
[PipesProcessCommand] SocksStart Status = %u
[PipesProcessCommand] SocksStop. /fp %lu iexplore.exe firefox.exe chrome.exe opera.exe safari.exe explorer.exe ExitProcess --------------------------%04x%04x%04x Content-Type: multipart/form-data; boundary=%s Content-Disposition: form-data; name="upload_file"; filename="%s" Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu" Content-Type: application/octet-stream --%s
%s %s & --%s = Content-Disposition: form-data; name="%s"
%s --%s-- FullURL "%s%s"
file ProcessQueue: Flag %u, Size %u
user_id=%.4u&version_id=%lu&%s=1 noname Sending %u bytes of file "%s" of type "%s" to URL: %s
Send file status: 0x%0.8X
Sending %u bytes of type "%s" to URL: %s
Send %s status: 0x%0.8X
ProcessQueue: Status %0.8X
GET Content-Type: application/x-www-form-urlencoded SOFTWARE\AppDataLow\ \Vars \\.\pipe\ \Microsoft\ S:(ML;;NW;;;LW) D:(D;OICI;GA;;;BG)(D;OICI;GA;;;AN)(A;OICI;GA;;;AU)(A;OICI;GA;;;BA) \\.\%s %lu.exe Software\Microsoft\Windows\CurrentVersion\Run \ \ M o z i l l a \ F i r e f o x \ P r o f i l e s \ c o o k i e s . s q l i t e c o o k i e s . s q l i t e - j o u r n a l \ M a c r o m e d i a \ F l a s h P l a y e r \ * . s o l * . t x t \ s o l s \ c o o k i e . i e \ c o o k i e . f f Cookies thread started.
Cookies ended with status %u
Received %s
EXE DL_EXE DL_EXE_ST CLEAR_COOK VER REBOOT KILL GET_CERTS GET_COOKIES SOCKS_START SOCKS_STOP GET_LOG log /ucommd ZwWow64ReadVirtualMemory64 ntdll.dll .dll IsWow64Process ZwWow64QueryInformationProcess64 LoadLibraryA Wow64ApcRoutine wow64 FreeLibrary open kernelbase ntdll kernel32 {%08x-%04x-%04x-%04x-%08x%04x}
Ring0 - the source of inspiration
EP_X0FF
Global Moderator
 
Posts: 4764
Joined: Sun Mar 07, 2010 5:35 am
Location: Russian Federation
Reputation point: 571

TrojanSpy:Win32/Ursnif

Postby dumb110 » Fri Jun 08, 2012 12:58 pm

dumb110
 
Posts: 105
Joined: Tue Jun 05, 2012 1:29 pm
Reputation point: 5

Re: Malware Requests, part 2

Postby tachion » Mon Jun 11, 2012 8:40 pm

dumb110 wrote:https://www.virustotal.com/file/2a8d08b52bad72da37b15e56a0f8bfb41bee1188c15808e7e5a0a2b0a5ccec35/analysis/

sample please :lol:

please :)
tachion
 
Posts: 32
Joined: Sat Dec 24, 2011 10:03 am
Reputation point: 14

Re: Ursnif - New Blackhole spreading malware

Postby 360Tencent » Sat Jul 14, 2012 11:25 am

360Tencent
 
Posts: 116
Joined: Thu Dec 15, 2011 12:47 pm
Reputation point: 52

Re: Ursnif - New Blackhole spreading malware

Postby rkhunter » Sat Jul 14, 2012 2:22 pm

Another Ursnif dropper with x32/x64 payload.

SHA1: 7bf57ccfde72a77d568e135c35ec7f41b68a0470
MD5: 79696dbcecbbaa9eda18e05805635fa5


Decrypted dropper with x32/x64 dlls in attach.

Dll registered via HKLM\System\CurrentControlSet\Session Manager\AppCertDlls

epic detection
dropper 16 / 42 https://www.virustotal.com/file/4f48554 ... /analysis/
decrypted 12 / 42 https://www.virustotal.com/file/3e4c5c9 ... /analysis/
x32 dll 5/42 https://www.virustotal.com/file/4df4099 ... 342278900/
x64 dll 1 / 42 https://www.virustotal.com/file/3f2bfd2 ... 342278955/
rkhunter
 
Posts: 1148
Joined: Mon Mar 15, 2010 12:51 pm
Location: Russian Federation
Reputation point: 147
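A defender's check for the persistence mechanism that both the EP_X0FF and rkhunter posts describe (a DLL registered under the AppCertDlls key, which Windows loads into every process that calls the CreateProcess* family): this is an added PowerShell example, not code from the thread. It assumes the full key path includes the Control subkey, which the posts abbreviate; the key normally does not exist on a clean system, so any entry it reports deserves a look.

```powershell
# Added example: enumerate DLLs registered under AppCertDlls and report each one
# with its on-disk status, Authenticode result and SHA1, so an entry dropped into
# system32 (as the thread describes) can be triaged quickly.
# Assumption: the full path includes "Control\Session Manager" (posts abbreviate it).
function Get-AppCertDllEntries {
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDlls'

    if (-not (Test-Path -Path $key)) {
        Write-Output "AppCertDlls key not present: no DLL is registered for CreateProcess loading."
        return
    }

    $props = Get-ItemProperty -Path $key
    # Get-ItemProperty adds PSPath/PSChildName/etc.; keep only the registry values.
    $names = $props.PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' } |
        Select-Object -ExpandProperty Name

    foreach ($name in $names) {
        $raw    = [string]$props.$name
        $path   = [Environment]::ExpandEnvironmentVariables($raw)
        $exists = Test-Path -LiteralPath $path

        # A missing file still matters: the value itself is the persistence foothold.
        $sig  = if ($exists) { (Get-AuthenticodeSignature -FilePath $path).Status } else { 'FileMissing' }
        $hash = if ($exists) { (Get-FileHash -Algorithm SHA1 -LiteralPath $path).Hash } else { $null }

        [PSCustomObject]@{
            ValueName = $name
            Path      = $path
            Exists    = $exists
            Signature = $sig
            SHA1      = $hash
        }
    }
}

# Run from an elevated prompt; the key is readable by standard users but the
# DLL itself may sit in a protected directory.
Get-AppCertDllEntries | Format-Table -AutoSize
```

Compare any reported SHA1 against the hashes shared in this thread and treat an unsigned or missing-file entry as a priority for memory and network review, since the loaded DLL hooks CreateProcess* to spread into child processes.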
