WinNT/Ursnif (alias ISFB/Gozi)

Forum for analysis and discussion about malware.
teddybear
Posts: 16
Joined: Tue Sep 24, 2013 11:06 am

Re: WinNT/Ursnif

Post by teddybear » Thu Jun 18, 2015 1:14 pm

Two recent samples:
https://www.virustotal.com/file/a13d50f ... /analysis/
https://www.virustotal.com/file/523cbdf ... /analysis/


a13d50fbde76bfc3f3d7725df6d214863fc4aacd85362728c09871b2d0e80ae2
523cbdfb1657bcbc34830f9cf41c2e91e72222a3d78ff00e489f3216628fd6ce

ikolor
Posts: 326
Joined: Thu Jun 05, 2014 2:20 pm
Location: Poland

Re: Malware collection

Post by ikolor » Thu Oct 08, 2015 2:33 pm


ikolor
Posts: 326
Joined: Thu Jun 05, 2014 2:20 pm
Location: Poland

Re: Malware collection

Post by ikolor » Fri Jan 15, 2016 1:38 pm


rkhunter
Posts: 1156
Joined: Mon Mar 15, 2010 12:51 pm
Location: Russian Federation

Re: WinNT/Ursnif

Post by rkhunter » Mon Apr 18, 2016 10:22 am


ikolor
Posts: 326
Joined: Thu Jun 05, 2014 2:20 pm
Location: Poland

Re: Malware collection

Post by ikolor » Thu Jul 07, 2016 1:45 pm

Next malware.

Please comment on what it is!

nullptr
Posts: 209
Joined: Sun Mar 14, 2010 6:35 am

Re: Malware collection

Post by nullptr » Thu Jul 07, 2016 2:14 pm

ikolor wrote: Please comment on what it is!
The one named "sprawa 07072016 t_fdp.rar" is Win32/Ursnif.HP according to MS. Unpacked attached.
The other one is Ransom Shade aka Troldesh. Also attached.

xors
Posts: 163
Joined: Mon May 23, 2016 2:01 am

Re: Malware collection

Post by xors » Thu Jul 07, 2016 2:41 pm

The first file looks like a common keylogger-stealer. Will look at it more later. Unpacked in the attachment.

https://www.hybrid-analysis.com/sample/ ... mentId=100 (the unpacked)
@xorsthingsv2

nullptr
Posts: 209
Joined: Sun Mar 14, 2010 6:35 am

Re: Malware collection

Post by nullptr » Fri Jul 08, 2016 3:52 am

Ransom Shade/Troldesh listed above targets the following extensions:


wb2|cdr|srw|p7b|odm|mdf|p7c|3fr|der|odb|arw|rwl|cer|xlk|pdd|rw2|crt|dx|r3d|pem|bay|ptx|pfx|indd|nrw|p12|bd|backup|torrent|kwm|pwm|safe|xl|xls|xlsx|xlsm|xlsb
|xltm|xlt|xlam|xla|mdb|rtf|txt|xml|csv|pdf|prn|dif|slk|ods|xltx|xlm|odc|xlw|uxdc|pm|udl|dsn|iqy|dqy|rqy|oqy|cub|bak|xsn|xsf|xtp|xtp2|accdb|adb|adp|mda|accda|
mde|accde|accdw|accdt|accdc|mdw|dbf|tab|asc|frm|opt|myd|myi|db|onetoc2|one|onepkg|vcs|ics|pst|oft|msg|pptx|ppt|pptm|pps|ppsm|pot|potx|potm|odp|thmx|wpd|
wps|ppa|ppam|wmf|emf|pub|ps|xps|vsd|vdx|vss|vsx|vst|vtx|vsw|vdw|emz|dwg|dxf|docx|doc|docm|dotx|dot|dotm|djvu|chm|htm|html|mht|mhtml|shtml|shtm|asp|
aspx|dwt|stm|cs|css|psd|pdd|3ds|max|crw|nef|raf|orf|mrw|dcr|mos|pef|srf|dng|x3f|cr2|erf|sr2|kdc|mfw|mef|cin|sdpx|dpx|fido|dae|dcm|dc3|dic|eps|kmz|iff|tdi|
exr|pcx|pdp|pxr|sct|u3d|obj|ai3|ai4|ai5|ai6|ai7|ai8|ai|epsp|epsf|hdr|rgbe|xyze|flm|pbm|pgm|ppm|pnm|pfm|pam|pct|pict|psb|fxg|swf|hta|htc|ssi|as|asr|xsl|xsd|dtd|
xslt|rss|rdf|lbi|asa|ascx|asmx|config|cfm|cfml|cfc|tld|phtml|jsp|wml|tpl|lasso|jsf|vb|vbs|vtm|vtml|edml|raw|jpg|jpeg|jpe|bmp|png|tif|tiff|dib|gif|svg|svgz|rle|tga|
vda|icb|wbm|wbmp|jpf|jpx|jp2|j2k|j2c|jpc|avi|mkv|mov|mp4|wmv|3gp|mpg|mpeg|m4v|divx|mpv|m1v|dat|anim|m4a|qt|3g2|f4v|mkidx|mka|avs|vdr|flv|bin|mp3|wav|
asx|pls|zip|7z|rar|tar|gz|bz2|wim|xz|c|h|hpp|cpp|php|php3|php4|php5|py|pl|sln|js|json|inc|sql|java|class|ini|asm|clx|tbb|tbi|tbk|pst|dbx|cbf|crypted|tib|eml|fld|vbm|
vbk|vib|vhd|mtr|vault|1cd|dt|cf|cfu|mxl|epf|vrp|grs|geo|elf|lgf|lgp|log|st|pff|mft|efd|md|dmp|fdb|lst|fbk
Encrypted files have the extension .da_vinci_code or .magic_software_syndicate

sysopfb
Posts: 97
Joined: Thu Oct 23, 2014 1:22 am

Re: Malware collection

Post by sysopfb » Sat Jul 09, 2016 1:01 am

xors wrote:The first file looks like a common keylogger-stealer. Will look at it more later. Unpacked in the attachment.

https://www.hybrid-analysis.com/sample/ ... mentId=100 (the unpacked)

That's a Gozi/ISFB variant.

The URL can be turned into the structure you would expect by reversing how the bot transforms it. First it prepends a random %s=%s& to the URI and encrypts the URI using Serpent in CBC mode. The string is then base64 encoded; next the bot turns all '/' chars into _2F and all '+' chars into _2B, then adds in random '/' characters, affixes a static .bmp in this case and removes the base64 padding at the end. The Serpent key in this case is 77694321POIRYTRI.

If we take your URI and strip off the .bmp:
07cQjh78k/h9_2F7Bko9MXaAhDpedg/nuZyGeOKKI2LsDNQQF_/2BchxOxhOXrqgnPAATLfeB/9jQkF4RR3sJVr/7rWAOT48/5anqeUiMzjqdcswwKNtn9ps/cKWpK_2FRF/saO8k83UR6VeLIC6o/QJsgGGfOax/iDJZi

Reverting the conversions we get:
07cQjh78kh9/7Bko9MXaAhDpedgnuZyGeOKKI2LsDNQQF+chxOxhOXrqgnPAATLfeB9jQkF4RR3sJVr7rWAOT485anqeUiMzjqdcswwKNtn9pscKWpK/RFsaO8k83UR6VeLIC6oQJsgGGfOaxiDJZi==

Base64 decoding and then Serpent decryption using the aforementioned key gives us:
ufihdhdto=ptpb&soft=1&version=214721&user=00283f5318307646a07fd209ec95398a&server=12&id=1009&crc=3b284a

If you aPLib-decompress the DLL out of the .mem file you uploaded to Hybrid Analysis and then decode the strings, you should see most of the relevant strings you would expect, including 'ISFB'.
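
The string-level part of the transform sysopfb describes above, written out as an added example (editor's code, not from the post or from the malware). It undoes the steps in reverse order (strip the static suffix, drop the inserted '/' characters, map _2F/_2B back to '/' and '+', restore base64 padding) and recovers the raw ciphertext, then shows the forward direction for a round-trip check. The sample URI and the decrypted query string are the ones quoted in the post; the slash-insertion rate in the forward function and the `parse_beacon` helper are assumptions for illustration, not something the page documents. Serpent-CBC decryption with the stated key is left out because no Serpent implementation ships with the Python standard library.

```python
"""Reverse the ISFB/Gozi URI obfuscation described in the post above.

Described pipeline: random '%s=%s&' prefix -> Serpent-CBC -> base64 ->
'/' becomes '_2F', '+' becomes '_2B' -> random '/' inserted ->
static '.bmp' appended -> base64 padding removed.
This script only undoes the string-level steps; Serpent decryption
itself needs a cipher implementation that is not in the stdlib.
"""
import base64
import random

# Sample URI path quoted in the post above (page data, not constructed).
SAMPLE_URI = (
    "07cQjh78k/h9_2F7Bko9MXaAhDpedg/nuZyGeOKKI2LsDNQQF_/2BchxOxhOXrqgnPAATLfeB/"
    "9jQkF4RR3sJVr/7rWAOT48/5anqeUiMzjqdcswwKNtn9ps/cKWpK_2FRF/"
    "saO8k83UR6VeLIC6o/QJsgGGfOax/iDJZi.bmp"
)

# Decrypted query string quoted in the post above (page data).
SAMPLE_PLAINTEXT = (
    "ufihdhdto=ptpb&soft=1&version=214721"
    "&user=00283f5318307646a07fd209ec95398a&server=12&id=1009&crc=3b284a"
)


def uri_to_base64(uri: str, suffix: str = ".bmp") -> str:
    """Undo the bot's transformations and return padded standard base64."""
    s = uri[: -len(suffix)] if uri.endswith(suffix) else uri
    # A random '/' can land anywhere, including inside a marker (the sample
    # contains '_/2B'), so the slashes must go before the markers are mapped.
    s = s.replace("/", "")
    # '_' is not in the base64 alphabet, so the markers are unambiguous.
    s = s.replace("_2F", "/").replace("_2B", "+")
    return s + "=" * (-len(s) % 4)


def uri_to_ciphertext(uri: str, suffix: str = ".bmp") -> bytes:
    """Recover the raw Serpent-CBC ciphertext; validate=True rejects any
    leftover non-base64 character, i.e. an un-reversed marker."""
    return base64.b64decode(uri_to_base64(uri, suffix), validate=True)


def ciphertext_to_uri(ct: bytes, rng: random.Random, suffix: str = ".bmp") -> str:
    """Forward direction, for round-trip checks. The slash-insertion policy
    (rate 0.08 per position) is an assumption; the post does not state one."""
    s = base64.b64encode(ct).decode("ascii").rstrip("=")
    s = s.replace("/", "_2F").replace("+", "_2B")
    out = []
    for ch in s:
        if rng.random() < 0.08:
            out.append("/")
        out.append(ch)
    return "".join(out) + suffix


def block_count(ct: bytes, block_size: int = 16) -> int:
    """Serpent has a 128-bit block; a ciphertext that is not a multiple of
    16 bytes means the string-level reversal went wrong."""
    if len(ct) % block_size:
        raise ValueError(f"ciphertext length {len(ct)} is not block-aligned")
    return len(ct) // block_size


def parse_beacon(plaintext: str) -> dict:
    """Split the decrypted query string into fields. The first pair is the
    random '%s=%s&' prefix the bot prepends and carries no information
    (hypothetical helper; field semantics are not explained on the page)."""
    pairs = [p.split("=", 1) for p in plaintext.split("&")]
    return {k: v for k, v in pairs[1:]}


if __name__ == "__main__":
    ct = uri_to_ciphertext(SAMPLE_URI)
    print(uri_to_base64(SAMPLE_URI))
    print(f"{len(ct)} bytes of ciphertext = {block_count(ct)} Serpent blocks")
    print(parse_beacon(SAMPLE_PLAINTEXT))
    rebuilt = ciphertext_to_uri(ct, random.Random(1))
    print("round trip ok:", uri_to_ciphertext(rebuilt) == ct)
```

On the sample this yields 112 bytes of ciphertext, seven 16-byte blocks, which is consistent with the 103-byte decrypted string quoted above plus block padding; a length that is not a multiple of 16 is the quickest sign that a marker or the suffix was handled in the wrong order.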

ikolor
Posts: 326
Joined: Thu Jun 05, 2014 2:20 pm
Location: Poland

Re: Malware collection

Post by ikolor » Sat Jul 09, 2016 6:13 pm

