{
	"id": "7e5a6261-794d-45df-8659-008cf25686a8",
	"created_at": "2026-04-06T00:07:15.49857Z",
	"updated_at": "2026-04-10T03:20:17.133064Z",
	"deleted_at": null,
	"sha1_hash": "6deda340d82bd78534b055b3460a4e1cf67663f4",
	"title": "Ursa/Mispadu InfoStealer",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 944524,
	"plain_text": "Ursa/Mispadu InfoStealer\r\nPublished: 2025-03-30 · Archived: 2026-04-05 22:49:31 UTC\r\nURSA/MISPADU InfoStealer\r\nApril 9, 2025\r\nHello Everyone,\r\nIn this blog, we will investigate the URSA/Mispadu infostealer, a banking trojan that has been active since 2019. Initially focused on organizations in Latin America, it has since broadened its reach beyond Latin American countries. The infostealer uses several legitimate applications throughout the attack chain; it steals the victim’s mail and browser credentials and clipboard data, captures screenshots, and performs keylogging.\r\nThe Ursa/Mispadu infostealer checks the OS language ID and executes only if the language is set to Portuguese or Spanish. It also checks whether it is running in a virtual environment.\r\nAfter stealing the victim’s data, the infostealer uses the victim’s Outlook application to send phishing emails to other recipients. After sending the mass phishing emails, the Sent Items folder is emptied to cover up the operation.\r\nAttack Chain: RAR -> HTA file -> VBScript -> AutoIt script + AutoIt EXE -> DLL + shellcode -> attrib.exe/regsvcs.exe -> VBScript + EXE -> Scheduled Task\r\nhttps://jmp-esp.org/2025/03/30/ursa-mispadu/\r\nPage 1 of 7\r\nURSA infostealer is usually distributed via phishing emails. The email contains a malicious PDF or a ZIP file. The ZIP file contains a self-extracting archive executable (7zS.sfx.exe) and an HTA file (❉❉𝔽𝕒𝕔𝕥𝕦𝕣𝕒❉❉_XXXXX.hta).\r\nIn the sample PDF below, when the user clicks the button, the browser is redirected to sprl.in/oaSEygn to download the ZIP file.\r\nSample PDF\r\nFirst Stage – HTA File Analysis\r\nThe HTA file contains a JSON data blob and JavaScript. The JavaScript connects to the command and control (C2) server to download the next-stage payloads (JavaScript and a VBScript).\r\nCode snippet showcasing the obfuscated JavaScript\r\nSecond Stage – VBScript Analysis (1)\r\nThe script is obfuscated using a custom encryption and decryption routine.\r\nThe script uses WMI objects to retrieve OS information such as language, geographical location, manufacturer details, virtual machine configuration, and hypervisor details.\r\nThe script connects to the C2 server and retrieves obfuscated code containing the strings that are later used to name the custom folders and files. After creating the custom folders, the script downloads three different obfuscated payloads from the C2 server and places them in the custom folder.\r\nThe decrypted payloads contain an AutoIt script, an AutoIt executable, and an obfuscated payload (later loaded by the executable).\r\nVBScript establishing connections to the C2 server to retrieve data.\r\nSample IOC’s:\r\nThird Stage – AutoIt Script Analysis\r\nThe AutoIt script contains shellcode and an obfuscated DLL.\r\nObfuscated AutoIt script\r\nFourth Stage – DLL Analysis\r\nThe DLL loads the obfuscated payload that was downloaded during the second stage. The DLL spawns attrib.exe to change the file attributes. It then launches regsvcs.exe to load and register the assembly shellcode. The DLL connects to the C2 server and downloads the URSA payload (an EXE file). Finally, the DLL drops and executes another VBScript using cscript.exe.\r\nFifth Stage – URSA Executable Analysis\r\nThe payload is a Delphi executable and contains NirSoft WebBrowserPassView and MailPassView. The executable connects to the C2 server for data exfiltration.\r\nNirSoft WebBrowserPassView is used to recover passwords stored in the following browsers: Internet Explorer (versions 4.0 – 11.0), Mozilla Firefox (all versions), Google Chrome, Safari, and Opera. It also retrieves passwords for Facebook, Yahoo, Google, and Gmail accounts.\r\nNirSoft MailPassView retrieves passwords and account details from the following email clients: Outlook and Windows Mail.\r\nSample IOC’s:\r\nSixth Stage – VBScript Analysis (2)\r\nThe script mainly harvests email addresses and sends phishing emails to other recipients as part of a mass email campaign. The script also accesses the Outlook data stores to steal email data.\r\nDetails:\r\nRetrieves a VBScript from any of the following C2 domains and creates the file (/Computername_j.vbs):\r\nj.indentar.xyz\r\nj.indentar.online\r\nj.indentar.site\r\nj.indentar.store\r\nCreates the file “OneSync.lnk” in the Startup folder for persistence\r\nCreates a scheduled task (name: Rsync) to run the VBScript hourly using the WScript process\r\nThe VBScript targets the Outlook application and accesses the following data:\r\nAccesses the Outlook data stores\r\nEnumerates Account objects and accesses the default delivery store for each account\r\nEnumerates all folders and search folders in all stores in the current session\r\nAccesses the current user’s:\r\nInbox folder\r\nSent Mail folder\r\nContacts folder and Contacts\r\nDeleted Items folder\r\nHarvests email addresses from the Inbox/Sent folders\r\nExfiltrates the harvested email addresses to the attacker\r\nSource: https://jmp-esp.org/2025/03/30/ursa-mispadu/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://jmp-esp.org/2025/03/30/ursa-mispadu/"
	],
	"report_names": [
		"ursa-mispadu"
	],
	"threat_actors": [],
	"ts_created_at": 1775434035,
	"ts_updated_at": 1775791217,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/6deda340d82bd78534b055b3460a4e1cf67663f4.pdf",
		"text": "https://archive.orkl.eu/6deda340d82bd78534b055b3460a4e1cf67663f4.txt",
		"img": "https://archive.orkl.eu/6deda340d82bd78534b055b3460a4e1cf67663f4.jpg"
	}
}
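The following is an added detection example written for this page; it is not code from the jmp-esp.org post or from the malware. It turns the observable behaviours of the fourth and sixth stages described above (attrib.exe hiding the drop folder, regsvcs.exe launched from a user-writable parent, cscript/wscript running a `<Computername>_j.vbs`, an hourly scheduled task named Rsync, and DNS lookups for the j.indentar.* C2 domains) into a small hunt over constructed Sysmon-style process-creation and DNS events. The event field names, PIDs, user name, the drop-folder name `Qx1` and the benign MSBuild control event are all assumptions made for the example.

```python
import re
from dataclasses import dataclass

# Constructed Sysmon-style process-creation events (EventID 1 shape; field names are assumed).
# They mirror the chain in the post: mshta -> wscript -> AutoIt -> attrib/regsvcs/cscript -> schtasks.
PROCESS_EVENTS = [
    {"pid": 4212, "ppid": 3980, "image": r"C:\Windows\System32\mshta.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": r'mshta.exe "C:\Users\ana\Downloads\Factura_00231.hta"'},
    {"pid": 4320, "ppid": 4212, "image": r"C:\Windows\System32\wscript.exe",
     "parent": r"C:\Windows\System32\mshta.exe",
     "cmdline": r"wscript.exe C:\Users\ana\AppData\Local\Temp\stage2.vbs"},
    {"pid": 4401, "ppid": 4320, "image": r"C:\Users\ana\AppData\Roaming\Qx1\AutoIt3.exe",
     "parent": r"C:\Windows\System32\wscript.exe",
     "cmdline": r"AutoIt3.exe C:\Users\ana\AppData\Roaming\Qx1\stage3.au3"},
    {"pid": 4450, "ppid": 4401, "image": r"C:\Windows\System32\attrib.exe",
     "parent": r"C:\Users\ana\AppData\Roaming\Qx1\AutoIt3.exe",
     "cmdline": r"attrib.exe +s +h C:\Users\ana\AppData\Roaming\Qx1"},
    {"pid": 4460, "ppid": 4401, "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe",
     "parent": r"C:\Users\ana\AppData\Roaming\Qx1\AutoIt3.exe",
     "cmdline": r"regsvcs.exe"},
    {"pid": 4470, "ppid": 4401, "image": r"C:\Windows\System32\cscript.exe",
     "parent": r"C:\Users\ana\AppData\Roaming\Qx1\AutoIt3.exe",
     "cmdline": r"cscript.exe //B C:\Users\ana\AppData\Roaming\Qx1\DESKTOP-9F2K1_j.vbs"},
    {"pid": 4480, "ppid": 4470, "image": r"C:\Windows\System32\schtasks.exe",
     "parent": r"C:\Windows\System32\cscript.exe",
     "cmdline": r'schtasks.exe /Create /SC HOURLY /TN Rsync /TR "wscript.exe C:\Users\ana\AppData\Roaming\Qx1\DESKTOP-9F2K1_j.vbs"'},
    # Benign control (assumed): regsvcs.exe run by an MSBuild step must stay quiet.
    {"pid": 5100, "ppid": 5000, "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe",
     "parent": r"C:\Program Files\Microsoft Visual Studio\2022\Community\MSBuild\Current\Bin\MSBuild.exe",
     "cmdline": r"regsvcs.exe C:\build\out\Svc.dll"},
]

# Constructed DNS-query events (EventID 22 shape); the domains are the ones listed in the post.
DNS_EVENTS = [
    {"pid": 4320, "query": "j.indentar.store"},
    {"pid": 2222, "query": "www.microsoft.com"},
    {"pid": 4470, "query": "j.indentar.xyz"},
]

USER_WRITABLE = re.compile(r"\\(Users|ProgramData|Temp)\\", re.IGNORECASE)
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")
C2_DOMAINS = re.compile(r"^j\.indentar\.(xyz|online|site|store)$", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    rule: str
    pid: int
    detail: str


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def hunt_processes(events):
    findings = []
    for ev in events:
        img, parent, cmd = basename(ev["image"]), basename(ev["parent"]), ev["cmdline"]
        # Stage 1 -> 2: the HTA host handing off to a script host.
        if img in SCRIPT_HOSTS and parent == "mshta.exe":
            findings.append(Finding("mshta_spawns_script_host", ev["pid"], cmd))
        # Stage 4: regsvcs.exe is a .NET build/registration utility; a parent living in a
        # user-writable path (AppData, Temp, ...) is abuse, not a build.
        if img == "regsvcs.exe" and USER_WRITABLE.search(ev["parent"]):
            findings.append(Finding("regsvcs_from_user_writable_parent", ev["pid"], ev["parent"]))
        # Stage 4: attrib.exe setting hidden/system on a path under the user profile.
        if img == "attrib.exe" and re.search(r"\+[sh]", cmd) and USER_WRITABLE.search(cmd):
            findings.append(Finding("attrib_hides_user_path", ev["pid"], cmd))
        # Stage 6: the <Computername>_j.vbs naming convention from the post.
        if img in SCRIPT_HOSTS and re.search(r"\\[^\\\s]+_j\.vbs\b", cmd, re.IGNORECASE):
            findings.append(Finding("computername_j_vbs", ev["pid"], cmd))
        # Stage 6: the hourly 'Rsync' task that re-runs the VBScript.
        if (img == "schtasks.exe" and re.search(r"/create\b", cmd, re.IGNORECASE)
                and re.search(r"/tn\s+rsync\b", cmd, re.IGNORECASE)):
            findings.append(Finding("schtasks_rsync_persistence", ev["pid"], cmd))
    return findings


def hunt_dns(events):
    return [Finding("indentar_c2_lookup", ev["pid"], ev["query"])
            for ev in events if C2_DOMAINS.match(ev["query"])]


def hunt(process_events=PROCESS_EVENTS, dns_events=DNS_EVENTS):
    """Run all rules; process findings come first, in event order, then DNS findings."""
    return hunt_processes(process_events) + hunt_dns(dns_events)


if __name__ == "__main__":
    for f in hunt():
        print(f"{f.rule:36} pid={f.pid:<5} {f.detail}")
```

Each rule keys on a behaviour rather than on a hash, so it survives the per-campaign renaming of folders and payloads that the second stage performs; the regsvcs.exe rule deliberately looks at the parent's location instead of at regsvcs.exe itself, which is why the MSBuild control event produces no finding. In a real deployment the `_j.vbs` and Rsync rules should be fed the actual task-creation and script-host telemetry (Sysmon, EDR, or Security 4698 events), and the domain list should be treated as a starting point, not as the full set of C2 infrastructure.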