{
	"id": "47bfe019-daae-4914-8436-37b15b361f20",
	"created_at": "2026-04-06T00:07:52.801329Z",
	"updated_at": "2026-04-10T03:20:33.800179Z",
	"deleted_at": null,
	"sha1_hash": "2ded8cfb815b3077c7e61fb5aa24f2fec267e788",
	"title": "Reviewing the spam filters: Malspam pushing Gozi-ISFB",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2533325,
	"plain_text": "Reviewing the spam filters: Malspam pushing Gozi-ISFB\r\nBy SANS Internet Storm Center\r\nArchived: 2026-04-05 17:34:13 UTC\r\nIntroduction\r\nResearchers should review their spam filters to see what malware is getting caught.  Security professionals should\r\nbe aware of current practices used by criminals pushing malware, even if it has little chance of infecting anyone in\r\ntheir organizations.  Reviewing the spam filters keeps provides a clearer picture of our cyber-threat landscape.\r\nIn today's trip through the spam filters, I found two emails with malicious attachments.  These attachments are\r\nWord documents with malicious macros designed to infect a vulnerable Windows host with Gozi-ISFB.\r\nShown above:  Never a good sign when the document asks you to enable macros.\r\nUnfortunately, I cannot share the emails.  Both emails appear to contain legitimate correspondence.  They each\r\ninclude a chain of previous messages, and I could not easily redact the information like I normally do with other\r\nexamples of malicious spam.\r\nTherefore, this diary will focus on the attachments, follow-up malware, and network traffic.\r\nhttps://isc.sans.edu/forums/diary/Reviewing+the+spam+filters+Malspam+pushing+GoziISFB/23245\r\nPage 1 of 8\n\nWhat is Gozi-ISFB?\r\nGozi-ISFB is a variant of Ursnif, and today's traffic looked like an example shared by @DynamicAnalysis in a\r\nblog post on malwarebreakdown.com.\r\nI generated two infections using each of the Word documents.  In today's activity, about 8 to 10 minutes after the\r\ninitial infection, the infected Windows host downloaded follow-up malware.  Here's what I saw:\r\n1st Word document --\u003e Gozi-ISFB --\u003e Nymaim Trojan\r\n2nd Word document --\u003e Gozi-ISFB --\u003e unknown malware\r\nThe first infection followed-up with the Nymaim Trojan, and I've documented Nymaim traffic back in November\r\nand December of 2017. 
\r\nShown above:  Traffic from the 1st infection filtered in Wireshark.\r\nSince I've covered Nymaim before, I'm far more interested in the second infection, where I couldn't identify the\r\nfollow-up malware.\r\nThe second infection\r\nThe second infection follows the same patterns as the first.  However, this time the follow-up malware is different.\r\nI saw encrypted traffic with no associated DNS requests or domains.  Two of the IP addresses had interesting\r\ncertificate data as shown in the images below.\r\nShown above:  Traffic from the 2nd infection filtered in Wireshark.\r\nShown above:  One example of certificate data from the encrypted post-infection traffic.\r\nShown above:  Another example of certificate data from the encrypted post-infection traffic.\r\nBased on the network traffic and post-infection artifacts, I could not identify the follow-up malware.  The follow-up malware is a malicious DLL named winmm.dll that's loaded by a legitimate Windows system file named\r\npresentationsettings.exe.  Both were found in a newly-created directory under the infected user's\r\nAppData\\Roaming folder.  See the indicators section below for details.\r\n
Indicators\r\nArtifacts from the 1st infection:\r\nSHA256 hash: febb37762a92bedad337d0489ac482e356e2787533d65a757c3375fb147ff0a8\r\nFile size: 55,248 bytes\r\nFile name: Request.doc\r\nFile description: Word document with malicious macro\r\nSHA256 hash: 14284152d53c119ad04c986a2a115485ae480d8012603679bf28ec27e3869929\r\nFile size: 1,101,824 bytes\r\nFile location: C:\\Users\\[username]\\AppData\\Roaming\\52a8081a.exe\r\nFile location: C:\\Users\\[username]\\AppData\\Roaming\\Microsoft\\Adsnsdmo\\CRPPport.exe\r\nAssociated Registry key: HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\r\nValue name: adprvmgr\r\nValue type: REG_SZ\r\nValue data: C:\\Users\\[username]\\AppData\\Roaming\\Microsoft\\Adsnsdmo\\CRPPport.exe\r\nFile description: Gozi-ISFB (an Ursnif variant)\r\nSHA256 hash: d254e82bdbfd16aa9f0037e2c536c3b9dddd6ec559d26a5af005d3a1f8199d59\r\nFile size: 580,864 bytes\r\nFile location: C:\\Users\\[username]\\AppData\\Local\\molarity-24\\molarity-12.exe\r\nAssociated Registry key: HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\r\nValue name: molarity-96\r\nValue type: REG_SZ\r\nValue data: C:\\Users\\[username]\\AppData\\Local\\molarity-24\\molarity-12.exe -s0\r\nFile description: Probable Nymaim Trojan\r\nSHA256 hash: f1c9544e8f1de92f60f13e29403fc459811b93a7a316d957cb30c1b4a61ba61d\r\nFile size: 656,896 bytes\r\nFile location: C:\\ProgramData\\wedge-46\\wedge-6.exe\r\nAssociated Registry key: HKCU\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\r\nValue name: shell\r\nValue type: REG_SZ\r\nValue data: C:\\ProgramData\\wedge-46\\wedge-6.exe -46,explorer.exe\r\nFile description: Probable Nymaim Trojan\r\nSHA256 hash: 6e5faf4c3eb47a5218f173564fc1e5a8afc65a8126ff7f602e8dbfe98a2ba695\r\nFile size: 651,776 bytes\r\nFile location: C:\\Users\\[username]\\AppData\\Roaming\\aliasing-40\\aliasing-2.exe\r\nFile description: Probable Nymaim Trojan\r\n
Artifacts from the 2nd infection:\r\nSHA256 hash: 044e86936bfc30cd0c07186b6e270650f896f6a42e9b8015abc184d161880090\r\nFile size: 55,012 bytes\r\nFile name: NBS_Request.doc\r\nFile description: Word document with malicious macro\r\nSHA256 hash: f8bdb65d54ccab04a506e84f14bdbeef15f6266a7bd6e4e7dfde69de424dd10a\r\nFile size: 1,010,688 bytes\r\nFile location: C:\\Users\\[username]\\AppData\\Roaming\\6d9be056.exe\r\nFile location: C:\\Users\\[username]\\AppData\\Roaming\\Microsoft\\Bitsxapi\\efsuvoas.exe\r\nAssociated Registry key: HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\r\nValue name: dmusdBth\r\nValue type: REG_SZ\r\nValue data: C:\\Users\\[username]\\AppData\\Roaming\\Microsoft\\Bitsxapi\\efsuvoas.exe\r\nFile description: Gozi-ISFB (an Ursnif variant)\r\nSHA256 hash: 208b94fd66a6ce266c3195f87029a41a0622fff47f2a5112552cb087adbb1258 (not malware)\r\nFile size: 176,640 bytes\r\nFile location: C:\\Users\\[username]\\AppData\\Roaming\\XPIALj1\\PresentationSettings.exe\r\nAssociated Registry key: HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\r\nValue name: Ehlho\r\nValue type: REG_SZ\r\nValue data: \"C:\\Users\\[username]\\AppData\\Roaming\\XPIALj1\\PresentationSettings.exe\"\r\nStart menu shortcut: C:\\Users\\[username]\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\Ehlho\r\nFile description: Legitimate system file that loads any DLL named winmm.dll in the same directory.\r\nSHA256 hash: 018084df00799387be61c5f849af8fce093aab8f73420a2ece7b47d0f45fa07e\r\nFile size: 176,640 bytes\r\nFile location: C:\\Users\\[username]\\AppData\\Roaming\\XPIALj1\\WINMM.dll\r\nFile description: Malicious component called by PresentationSettings.exe\r\nFile description: Malware DLL loaded by the legitimate system file PresentationSettings.exe in the same directory\r\n
1st run infection traffic:\r\n188.25.175.38 port 80 - ijqdjqnwiduqujqiuezxc.com - GET /NU/sof.php?utma=baw\r\n188.25.175.38 port 80 - ijqdjqnwiduqujqiuezxc.com - GET /NU/baw.pfx\r\n188.25.175.38 port 80 - ijqdjqnwiduqujqiuezxc.com - GET /s.php?id=baw\r\n109.166.237.170 port 80 - adistributedmean.net - GET /images/[long string].gif\r\n109.166.237.170 port 80 - adistributedmean.net - POST /images/[long string].bmp\r\n212.98.131.181 port 80 - adistributedmean.net - GET /images/[long string].gif\r\n212.98.131.181 port 80 - adistributedmean.net - POST /images/[long string].bmp\r\n86.120.77.221 port 80 - adistributedmean.net - GET /images/[long string].gif\r\n86.120.77.221 port 80 - adistributedmean.net - GET /images/[long string].jpeg\r\n86.120.77.221 port 80 - adistributedmean.net - POST /images/[long string].bmp\r\n80.80.165.93 port 80 - adistributedmean.net - GET /images/[long string].gif\r\n80.80.165.93 port 80 - adistributedmean.net - POST /images/[long string].bmp\r\n186.73.245.226 port 80 - adistributedmean.net - GET /images/[long string].gif\r\n188.237.190.24 port 80 - adistributedmean.net - GET /images/[long string].gif\r\n184.168.187.1 port 80 - fyibc.com - GET /vvv.bin\r\n184.168.187.1 port 80 - fyibc.com - GET /nori3.bin\r\n184.168.187.1 port 80 - fyibc.com - GET /nori6.bin\r\nDNS queries (using Google DNS) for dtybgsb.com\r\n86.120.168.154 port 80 - zepter.com - POST /5lpomdt9j/index.php\r\n203.91.116.53 port 80 - zepter.com - POST /5lpomdt9j/index.php\r\n155.133.93.30 port 80 - zepter.com - POST /5lpomdt9j/index.php\r\n85.105.167.110 port 80 - carfax.com - POST /\r\n85.105.167.110 port 80 - zepter.com - POST /\r\nNOTE: carfax.com and zepter.com are legitimate domains and not compromised.  They just resolve to bad\r\nIP addresses for dtybgsb.com due to the nature of this Nymaim infection.\r\n
2nd run infection traffic:\r\n84.54.187.24 port 80 - fortrunernaskdneazxd.com - GET /NA/sof.php?utma=kur\r\n84.54.187.24 port 80 - fortrunernaskdneazxd.com - GET /NA/kur.pfx\r\n84.54.187.24 port 80 - fortrunernaskdneazxd.com - GET /s.php?id=kur\r\n213.6.121.106 port 80 - bithedistributedlicense.net - POST /images/[long string].bmp\r\n85.105.167.110 port 80 - bithedistributedlicense.net - POST /images/[long string].bmp\r\n85.105.167.110 port 80 - bithedistributedlicense.net - GET /images/[long string].gif\r\n90.180.1.23 port 80 - bithedistributedlicense.net - GET /images/[long string].gif\r\n184.168.187.1 port 80 - fyicreative.ca - GET /dih.bin\r\n184.168.187.1 port 80 - fyicreative.ca - GET /nori3.bin\r\n184.168.187.1 port 80 - fyicreative.ca - GET /nori6.bin\r\n41.193.159.41 port 443 - Encrypted traffic both with and without certificate data\r\n69.90.132.196 port 443 - Encrypted traffic with certificate data\r\n69.75.114.66 port 443 - Encrypted traffic (no certificate data)\r\n74.50.133.9 port 443 - Encrypted traffic (no certificate data)\r\n41.193.159.41 port 444 - attempted TCP connections, but no response from the server\r\n95.150.74.40 port 443 - attempted TCP connections, but no response from the server\r\n179.108.87.11 port 443 - attempted TCP connections, but no response from the server\r\n190.208.42.36 port 443 - attempted TCP connections, but no response from the server\r\nOf note, during the first infection, I rebooted the infected Windows host 3 or 4 times, which might account for\r\nmultiple copies of what I assume are Nymaim.  If you review the pcaps, the reboots are indicated any place you\r\nsee an HTTP request to www.msftncsi.com.\r\nMalicious domains\r\nIndicators are not a block list.  If you feel the need to block web traffic based on this diary, I suggest the following\r\ndomains:\r\nijqdjqnwiduqujqiuezxc.com\r\nadistributedmean.net\r\nfyibc.com\r\nfortrunernaskdneazxd.com\r\nbithedistributedlicense.net\r\nfyicreative.ca\r\nFinal words\r\nPcaps and malware for today's diary can be found here.\r\nGood spam filtering, proper Windows administration, and best security practices will ensure most people never\r\nsee this malware.  However, criminals are constantly tweaking their methods in an attempt to slip past our\r\ndefenses.  It pays to be aware of current malware indicators, so we're prepared if any ever make it into our\r\nnetwork.\r\n---\r\nBrad Duncan\r\nbrad [at] malware-traffic-analysis.net\r\nSource: https://isc.sans.edu/forums/diary/Reviewing+the+spam+filters+Malspam+pushing+GoziISFB/23245",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://isc.sans.edu/forums/diary/Reviewing+the+spam+filters+Malspam+pushing+GoziISFB/23245"
	],
	"report_names": [
		"23245"
	],
	"threat_actors": [],
	"ts_created_at": 1775434072,
	"ts_updated_at": 1775791233,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/2ded8cfb815b3077c7e61fb5aa24f2fec267e788.pdf",
		"text": "https://archive.orkl.eu/2ded8cfb815b3077c7e61fb5aa24f2fec267e788.txt",
		"img": "https://archive.orkl.eu/2ded8cfb815b3077c7e61fb5aa24f2fec267e788.jpg"
	}
}