A forum for reverse engineering, OS internals and malware analysis 

WinNT/Ursnif (alias ISFB/Gozi)

Forum for analysis and discussion about malware.

Re: Ursnif - New Blackhole spreading malware

 #19591  by Xylitol
 Mon Jun 10, 2013 8:12 am
193 Ursnif directly from the BestAV affiliate
Packed: https://www.virustotal.com/en/file/1502 ... 370852251/
Unpck: https://www.virustotal.com/en/file/916c ... 370852109/
Code: Select all
@echo off
color 17
cls
set target=test.bestavsoft2.com/soft/download/soft3/?affid=
set droppath=BestAVsoft3
set start=1
set affiday=00
set end=8888
set step=1
if not exist %droppath% (
mkdir %droppath% )
FOR /L %%G IN (%start%, %step%, %end%) DO wget -U "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)" -S -t 100 -P / "%target%%%G%affiday%" -O "%droppath%/%%G"
FOR %%i IN (%droppath%\*) do if %%~zi LEQ 2 DEL %%i
echo Done.
pause
Attachments
infected
(5.66 MiB) Downloaded 87 times
infected
(9 MiB) Downloaded 81 times
infected
(9 MiB) Downloaded 85 times
infected
(9 MiB) Downloaded 81 times
infected
(9 MiB) Downloaded 87 times

Re: Pandemiya

 #23137  by EP_X0FF
 Tue Jun 17, 2014 12:37 pm
It is typical old like hell Ursnif like mentioned above.

RSA or didn't know actual malware families (which mean they are incompetent) or they are reinventing the wheel for self PR.

edit: heck their payload even has the same name

Re: WinNT/Ursnif

 #23159  by Cody Johnston
 Thu Jun 19, 2014 10:35 pm
Here is a recent one from today:

UlcuFsoh.dat:

MD5 34a1fabdbffffa768ec522dd4dc31a78
https://www.virustotal.com/en/file/2341 ... 403216921/

explorer.exe_0x78b0000-0x6c000.bin (injected into explorer.exe)

MD5 8eaae09f60db58ea8fbfc66026c2b786
https://www.virustotal.com/en/file/a5d8 ... 403217053/

Low detection on both
Attachments
Password: infected
(280.58 KiB) Downloaded 81 times

Re: WinNT/Ursnif

 #23162  by EP_X0FF
 Fri Jun 20, 2014 5:31 am
Your dump is partial (as it read from a single virtual memory region) and not fixed thats why it is not detected on VT - file structure is invalid and code inside is simple mess.

Here these payloads extracted from crypted and packed with aplib malware dll in your archive.

32
https://www.virustotal.com/en/file/ba82 ... 403242117/

64
https://www.virustotal.com/en/file/d22d ... 403242120/
Attachments
pass: infected
(197.02 KiB) Downloaded 83 times

Re: WinNT/Ursnif

 #25826  by R136a1
 Fri May 08, 2015 3:49 pm
Sample from December 2014 which uses Carberp method + Windows Easy Transfer (migwiz.exe) for UAC bypass. Probably one of the first malware that uses this specific method.

Internal version number of this variant:
"ISFB_0604: ISFB client DLL version 2.12, build 430, group 1000"

Sample uploaded for historical purposes.
Attachments
PW: infected
(199.89 KiB) Downloaded 67 times
 Return to “Malware”