{
	"id": "aed99457-695e-44a3-98e7-7e1a67beb397",
	"created_at": "2026-04-06T00:14:58.57501Z",
	"updated_at": "2026-04-10T03:22:14.03982Z",
	"deleted_at": null,
	"sha1_hash": "42082a4c6ad4f295e59c9c2cc4c6c95d5c58384c",
	"title": "Analyzing Ursnif’s Behavior Using a Malware Sandbox - VMRay",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 239861,
	"plain_text": "Analyzing Ursnif’s Behavior Using a Malware Sandbox - VMRay\r\nBy VMRay Labs\r\nPublished: 2019-06-25 · Archived: 2026-04-05 14:03:40 UTC\r\nUrsnif is a group of malware families based on the same leaked source code. When fully executed, Ursnif has the capability to steal banking and online account credentials. In this blog post, we will analyze the payload of a Ursnif sample and demonstrate how a malware sandbox can expedite the investigation process.\r\nUrsnif (also known as Gozi) is a banking Trojan that generally collects system activity, records keystroke data, and keeps track of network and\r\nAccess the VMRay Analyzer Report for Ursnif\r\nThis blog post will cover a behavioral analysis of a single Ursnif variant. It does not provide comprehensive insights into web injects, infrastructure or attribution. For additional Ursnif analysis see Appendix D.\r\nOLSTEALER steals data from Outlook, including login information, and stores it in a local file. The internal name of the module is visible in the Function Log:\r\nThe contents of the created file appear as follows:\r\nThe IESTEALER module reads Internet Explorer history and passwords.\r\nAfter stealing from Internet Explorer, the malware also looks for Thunderbird, though the name of the Thunderbird stealer module (TBSTEALER) did not explicitly appear.\r\nSystem Info Gathering\r\nUsing built-in Windows system tools, Ursnif gathers information about the system. The tools used are:\r\nsysteminfo.exe – various info about the system including OS version, installed patches, domain, and basic hardware information\r\nnet view – show network shares\r\nnslookup 127.0.0.1 – local IP\r\ntasklist.exe /SVC – Services\r\ndriverquery.exe – Installed drivers\r\nreg.exe query “HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall” – Installed software\r\nreg.exe query “HKLM\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Uninstall” – Installed software\r\nData Exfiltration\r\nUrsnif caches stolen data to the hard drive into temp files, compresses them into CAB files, and uploads them.\r\nSteps followed to create the CAB:\r\n1. The various stealer modules create files on the hard drive. Some use the %TEMP% directory, others use the random directory created earlier.\r\nSource: https://www.vmray.com/analyzing-ursnif-behavior-malware-sandbox/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.vmray.com/analyzing-ursnif-behavior-malware-sandbox/"
	],
	"report_names": [
		"analyzing-ursnif-behavior-malware-sandbox"
	],
	"threat_actors": [],
	"ts_created_at": 1775434498,
	"ts_updated_at": 1775791334,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/42082a4c6ad4f295e59c9c2cc4c6c95d5c58384c.pdf",
		"text": "https://archive.orkl.eu/42082a4c6ad4f295e59c9c2cc4c6c95d5c58384c.txt",
		"img": "https://archive.orkl.eu/42082a4c6ad4f295e59c9c2cc4c6c95d5c58384c.jpg"
	}
}