{
	"id": "18da07b1-3a88-4164-8530-9296ed539777",
	"created_at": "2026-04-06T00:08:59.50453Z",
	"updated_at": "2026-04-10T03:21:36.130477Z",
	"deleted_at": null,
	"sha1_hash": "3c9e463050cf1295b8153fc081a39683a9cd2889",
	"title": "Analysis: Ursnif - spying on your data since 2007",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 277017,
	"plain_text": "Analysis: Ursnif - spying on your data since 2007\r\nBy Eruel Ramos\r\nPublished: 2016-11-30 · Archived: 2026-04-05 20:49:30 UTC\r\n11/23/2016\r\nA game of cat and mouse has been going on ever since the first malware started circulating in the wild and the first antivirus appeared on the market. Although it may seem that brand new malware families appear on a daily basis, the truth looks somewhat different. A lot of the malware in circulation is a reiteration of something that has existed for quite some time. After all, malware development costs criminals time and money, and if they can lower the cost by reusing something preexisting, they will do so. In this analysis we will take a look at just such a case.\r\nLooking at the script: Analysis prevention\r\nWhen the macro runs, an encoded VB script is dropped. It is decoded automatically on execution and downloads the actual executable payload. The script contains obfuscated VB code with garbage data added to confuse analysts. The executable payload is encrypted with a 1-byte XOR; the decryption is also done by the VB script. To further throw analysts off its track, each sample of Ursnif is packed differently. In addition, the latest versions also have a mechanism which determines whether the executable is running in a virtual machine. To check this, several system parameters are queried. In this case, the hardware information of the disk drive is queried using SetupDiGetClassDevsA, which opens a handle to a device information set, together with two other APIs (SetupDiEnumDeviceInfo and SetupDiGetDeviceRegistryPropertyA). If Ursnif finds itself running inside a virtual machine, it will just terminate and take no further action. 
The purpose of this is to hinder analysis - most analysts tend to use virtual machines for their work.\r\nPersistence, Hooking \u0026 Processing of External Commands\r\nOnce installed, Ursnif attempts to inject its components into a running instance of explorer.exe. Should this fail, it will start a new instance of svchost.exe and inject its components into this process instead. Subsequently, it hooks the APIs of widely used browsers, in this case Chrome, Opera, Internet Explorer and Firefox. As soon as a user visits a predetermined banking or payment website, Ursnif performs a web inject to steal any login credentials. Monitored websites include (but are not limited to): *wellsfargo.com*, *.bankofamerica.com*, *paypal.com*, www.amazon.com/ap/signin*, *.americanexpress.com*, www.chase.com*, www.discover.com and online.cit*.com*.\r\nhttps://blog.gdatasoftware.com/2016/11/29325-analysis-ursnif-spying-on-your-data-since-2007\r\nPage 1 of 3\r\nUrsnif is also known to be able to accept and execute external commands it receives from its server. Should Ursnif receive the command to perform the function LOAD_UPDATE, it will convert the command to the CRC hash \"0xA172B308\". This value is then compared against a local list of hashed commands, and the command will only be executed (using named pipes) if the hash value matches the local list. This ensures that analysts cannot just blindly feed a list of frequently used commands into a given payload to see which input triggers a reaction. The infected machine in return reports the request status as well as the execution time back to the C2 server.\r\nConclusion\r\nAs outlined earlier, criminals usually do not attempt to reinvent the wheel. They stick with what has been tried and tested rather than develop something new from the ground up. 
There are other examples of this as well, such as ransomware based on the \"Hidden Tear\" source code, which was originally intended for educational purposes.\r\nUrsnif has been around for quite a while now. The first version appeared in 2007. Back then it was a competitor of the ZeuS banking malware. This goes to show that, at least in the world of malware, \"old\" does not mean \"dead\" or \"inactive\"; Ursnif is quite the opposite. Its source code is available online, which makes it easier for online criminals to add new features that suit their own needs. The reliance on well-known tools is pretty common and even applies to modern APT scenarios.\r\nG DATA customers are protected from this on multiple levels. Besides having signatures, our BankGuard technology reliably detects any attempts by malware to hook into a browser to steal data. In addition, our Behavior Monitoring detects behavioral patterns which are associated with malicious software.\r\nIoC list\r\nCampaign with password-protected Word document: Word document file, dropped VBS, payload Gozi/URSNIF, unpacked sample, 32 bit DLL module, 64 bit DLL module.\r\nOther campaign: Word document file, dropped VBS, payload Gozi/URSNIF, unpacked sample, 32 bit DLL module, 64 bit DLL module.\r\nOther campaign: 1st stage JS downloader, 2nd stage downloader, 3rd stage downloader, payload Gozi/URSNIF, unpacked sample, 32 bit DLL module, 64 bit DLL module.\r\nSource: https://blog.gdatasoftware.com/2016/11/29325-analysis-ursnif-spying-on-your-data-since-2007",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://blog.gdatasoftware.com/2016/11/29325-analysis-ursnif-spying-on-your-data-since-2007"
	],
	"report_names": [
		"29325-analysis-ursnif-spying-on-your-data-since-2007"
	],
	"threat_actors": [],
	"ts_created_at": 1775434139,
	"ts_updated_at": 1775791296,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/3c9e463050cf1295b8153fc081a39683a9cd2889.pdf",
		"text": "https://archive.orkl.eu/3c9e463050cf1295b8153fc081a39683a9cd2889.txt",
		"img": "https://archive.orkl.eu/3c9e463050cf1295b8153fc081a39683a9cd2889.jpg"
	}
}