{
	"id": "76fe6670-7c01-414e-9f46-25ae378a1440",
	"created_at": "2026-04-06T00:16:21.080686Z",
	"updated_at": "2026-04-10T03:20:56.712377Z",
	"deleted_at": null,
	"sha1_hash": "bba1d76437de75194fd8f607a7b0158543313c3d",
	"title": "Banking Trojans: Ursnif Global Distribution Networks Identified",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1020394,
	"plain_text": "Banking Trojans: Ursnif Global Distribution Networks Identified\r\nBy Kaoru Hayashi\r\nPublished: 2017-02-16 · Archived: 2026-04-05 18:52:31 UTC\r\nThe infamous banking Trojan Ursnif (a.k.a Gozi) has been continuously used in attacks against Japan for more\r\nthan a year. The main delivery technique used is spam email with a malicious attachment that downloads the\r\nUrsnif executable from a remote site.\r\nThe Tokyo Metropolitan Police Department and Japan Cybercrime Control Center have recently been issuing\r\npublic warnings of these malicious email activities.  In our analysis we identified distribution networks that are\r\nused to target various countries, including Japan and several European nations, with banking Trojans. The network\r\nconsists of two primary components: a spam botnet which delivers e-mails, and a set of compromised web servers.\r\nSpecifically:\r\nThe spam botnet focuses on delivering Banking Trojans or Downloader Trojans to Japan, Italy, Spain,\r\nPoland, Australia, and Germany.\r\nCompromised web servers host Banking Trojans and spam bot files that are download by malicious\r\ndownloader program distributed by spam.\r\nAnalysis of Ursnif infection vector in Japan\r\nUsing our threat intelligence platform AutoFocus, Palo Alto Networks observed millions of e-mails sent to\r\nJapanese targets throughout 2016. Most of the emails were written in Japanese (see example in Figure 1). The\r\nlatest attachment we’ve seen, detected in January 2017, is a JavaScript downloader that simply downloads Ursnif\r\nfrom a remote site and executes it on compromised machine.\r\nFigure 1 Japanese email with malicious attachment\r\nhttp://researchcenter.paloaltonetworks.com/2017/02/unit42-banking-trojans-ursnif-global-distribution-networks-identified/\r\nPage 1 of 19\n\nShiotob (a.k.a Bebloh or URLZone) was the most widely distributed threat in this attack campaign last year. We\r\nidentified 75 unique Shiotob variants in 7 million spam emails. Interestingly, Shiotob itself can steal online bank\r\ncredentials, but the adversary used it only for downloading main payloads at least since mid-2016. Figure 2 shows\r\nthe infection steps.\r\nFigure 2 Infection steps\r\n1. Victim receives the malicious e-mail and opens the attachment, infecting victim’s system with Shiotob.\r\n2. Shiotob starts communicating C2 server over HTTPS and receiving commands periodically.\r\n3. Shiotob installs additional threats (like Ursnif) based on the commands from the C2 server\r\nhttp://researchcenter.paloaltonetworks.com/2017/02/unit42-banking-trojans-ursnif-global-distribution-networks-identified/\r\nPage 2 of 19\n\nFigure 3 Download commands from C2\r\nFigure 3 is the example of commands from Shiotob C2 server. You can see the C2 provided three “\u003eLD”\r\ncommands in a session. This is the download command installing a remote file on the compromised systems. Two\r\nof them are same Ursnif binary from different locations. The other is notorious spam bot called Pushdo (a.k.a\r\nCutwail or Pandex) on another server. Once infected, the threat sends spam emails based on commands from\r\nbotnet master.\r\nSpam Activity\r\nUnit 42 observed millions of spam emails attacking Japanese recipients, some of whom could be running the\r\nbanking Trojan and spam bot simultaneously. Though it is difficult to know the exact numbers of infections by the\r\nemail campaign, we know the number is significant considering an increase in Japan-based IP addresses as a\r\nsource of emails with malicious attachment (Figure 4). We consider this a result of increasing spam bot infections\r\nby this attacker.\r\nhttp://researchcenter.paloaltonetworks.com/2017/02/unit42-banking-trojans-ursnif-global-distribution-networks-identified/\r\nPage 3 of 19\n\nFigure 4 Increasing emails with malicious attachment from Japan\r\nTo understand the spam bot network activity, we randomly extracted 200 unique Japanese IP addresses that were\r\nspamming Shiotob and investigated what was sent by email. They belong to the email campaign and may have\r\nbeen transmitting something malicious in addition to Shiotob. The result was that the IPs sent 250 unique malware\r\nsamples among 268,000 emails in 2016 (Figure 5).\r\nhttp://researchcenter.paloaltonetworks.com/2017/02/unit42-banking-trojans-ursnif-global-distribution-networks-identified/\r\nPage 4 of 19\n\nFigure 5 Malware sent by 200 Japanese IP addresses\r\nMost of the malware files are classified as either Banking Trojans or Downloader Trojans. Also, some\r\ndownloaders were installing Banking Trojans listed above. The botnet apparently focused on delivering Banking\r\nTrojans through spam.\r\nBased on our telemetry, Italy, Japan, Spain, Poland and Germany were top target countries by the samples. The\r\nattackers customized the delivery e-mails depending on the target and used a localized email subject and body to\r\nlure people who speak the language. Some words and topics are frequently observed in their spam emails among\r\nall languages (Table 1).\r\nTarget Australia Italy Japan Spain Poland Germany\r\nBanking\r\nTrojans\r\nUrsnif\r\nShiotob\r\nKINS\r\nUrsnif\r\nShiotob\r\nUrsnif\r\nUrsnif\r\nTinba\r\nUrsnif\r\nTinba\r\nUrsnif\r\nKINS\r\nFrequent\r\nword in\r\nEmails\r\nPhoto Foto 写真 Foto Zdjęcie Foto\r\nOrder D'ordine 注文 Orden Oferta Bestellung\r\nInvoice Fattura 請求 Factura Faktura Rechnung\r\nNotification Notifica\r\nお知ら\r\nせ\r\nNotificación Powiadomienie Versandbenachrichtigung\r\nDelivery Recapito 配達 Entregar Dostawa\r\nTable 1 Targets and Email characteristics\r\nMalware hosting servers\r\nNext, we started searching malware-hosting web servers accessing by the threat in spam. We soon realized the\r\nthreat actor(s) make their infrastructure redundant by copying threat files on multiple servers. For example, they\r\nput a malicious file on both server A and B, and another file on server B and C (Figure 4).\r\nhttp://researchcenter.paloaltonetworks.com/2017/02/unit42-banking-trojans-ursnif-global-distribution-networks-identified/\r\nPage 5 of 19\n\nFigure 6 Malware redundancy\r\nBy following the link to servers and malicious files, we found more than 200 malicious files on 74 servers that\r\nhave been used since April 2015 to January 2017 by the threat actor(s). Most of them were compromised personal\r\nor small-to-medium-sized business websites located in  Europe. They host outdated contents and owners seem to\r\nhave not maintained the servers for years. Figure 7 shows the geographic locations of the web servers.\r\nFigure 7 Geographical location of the web servers\r\nhttp://researchcenter.paloaltonetworks.com/2017/02/unit42-banking-trojans-ursnif-global-distribution-networks-identified/\r\nPage 6 of 19\n\nFigure 8 shows the breakdown of malware found on the web servers and where the malware downloaded from\r\nbased on our telemetry (Table 2). The results correspond to the analysis of targets and malware by SPAM in the\r\nprevious section.\r\nFigure 8 Malware on Web Servers\r\nMalware Downloading countries\r\nUrsnif Japan, Italy, Spain\r\nKINS Italy\r\nRovnix Japan\r\nShiotob Australia,\r\nZeus Italy\r\nPushdo Japan, Italy\r\nTable 2 Malware family found on Web servers\r\nA full graph of relations between servers and malicious files is below (Figure 9).\r\nhttp://researchcenter.paloaltonetworks.com/2017/02/unit42-banking-trojans-ursnif-global-distribution-networks-identified/\r\nPage 7 of 19\n\nFigure 9 Relations between servers and malicious files\r\nConclusion\r\nThe actors deploying these banking Trojans use a spam bot network and compromised web servers. It is still\r\nunclear whether a single group attacks multiple countries with various threats by using the infrastructures, or if\r\nnumerous threat actors share them.\r\nPalo Alto Networks customers are protected against this threat in the following ways:\r\nAll samples are appropriately marked malicious in WildFire.\r\nMalware families are tagged in AutoFocus using a variety of tags, including Ursnif, KINS, Shiotob,\r\nPushdo, Tinba and Andromeda\r\nIndicators\r\nUrsnif\r\n3af18232a9175dea624a7947e6edef6a57457bdf6d3ba0ead58856a139db2832\r\nhttp://researchcenter.paloaltonetworks.com/2017/02/unit42-banking-trojans-ursnif-global-distribution-networks-identified/\r\nPage 8 of 19\n\n5feeee23ecd310ed552b56c1992d5e7f6dbf4e656224a9f3073b83770768e994\r\nc7a2bc376d6ddfc678e7c7b3324b021edf19c896a80ab1ec7c2f36bc004ef29e\r\n1cef688950b9ca01bea0ec9883ab25cebae3db169ff4fb034696868918889f93\r\n26a3f192fab07bb2bffa66f028d793f4a5ca851672430d778b537c4dde800d9c\r\n7f0359314eb3577075367df11699cafd8a5f6c36da0e58890acebbce4144eb05\r\nc5a98f873734fc144f8128c147318599ba993cb0ac103437b37c26774eb51a62\r\n53362b6ec2f87d3044116c955094314d82f340ebc1d8b395513e2be4db3e32a6\r\nb5b222a05156ea8b3c47a1a5da567d191cc8e7a546f2b0edab08a5956ad73ade\r\neff9abfd254271f46d9fba0064a890ef3b0236434938e1ba42bd29fd0f8f60d1\r\n69292e69d48a5151d47aabd30f3056166032ef9f53e877f09bbd69053b7f4b37\r\n3f3bdb38e4878331de5e867a2606bd9cb9c351303af53194d72f8dc2ddd04a97\r\n88cbc2fdaf4b0f7c0ea6104d2f6c942b915fad5486db2567e94342e76f943a4e\r\n31055c7167c369313262fb0fb2bf1ac1db895d04067ed505732ccd3d5ef43b29\r\nfde59700c02a58752cd28d6adb0389a5d69657f6f6925a0bd8ba35a1f724de5c\r\n54162c5399a945f16080d0d8b44cceca3176ecc8e03d03e5aa2295498b7c0cf7\r\n111dd5576fd9c9108a801eded1ab93d21583c84cdfb86ea81fea14ae2ed8ed40\r\n3fd65bd55e4dadbf079c6a533941135b0ddf217dea16eec6ebc33f2098ea6276\r\n55acc2455ba3bef79840ead843cf29af239e7384f7d62246fe93fe427ed99587\r\n530326ed9cafede731a478242b0f1f13f7263c1bec156adb2f3f26132667464d\r\na778cdaf3d360f5d06be9846bc4ab74d679324bf0e9b03616000367dc27c3f0e\r\ne331b749c3f5896adb5a271ea2a4a037e811344162cd574b11892a18a85c1722\r\ncb57b3c5ec62a83b3096bd2d737cad83119d19939d76b483d0429fd26d492ef4\r\n602353156303f7fd02b33d1912f8ee93bf324f5c4fb993993137bd13abfa9a9d\r\nb03333b35266db0faf6fc407b36efc2f9f8a574921cf87f4a5fb60a13cbcdb14\r\nf6805cd59dfe012afd50a6bd3ccded29432d444a73016755ee1b217b13b59fb8\r\n93e2bff638a61503780fb7cb90d85b6f5cb027c8ff732f495a6d13734a5741b1\r\nhttp://researchcenter.paloaltonetworks.com/2017/02/unit42-banking-trojans-ursnif-global-distribution-networks-identified/\r\nPage 9 of 19\n\ne9b0adc36455c221a680336ee6ec59320b618c6352621c5d721811e122f83747\r\nc45b8444e8551666ddd4e13445e3a196039b9065e64ba7102d16067f40e0f412\r\n4948be38b1d66191e5f201b88c920ebd4ac7450fb6eaadaf6215b64cd0af6f30\r\n08a5a1c0b53592a8f0890447d71bcec5380f104a176277512ee52c063188e151\r\ncbbfa84227d82360d79baf8ab4ee0f9a13d0fa7128eac72c0bd627d4dbbb06f9\r\n3044a4b0cffdeaeeab425109e8cddc597e708f5025849b5d29bff35ce24f4e42\r\n3656e5ced322c9aabb78983c2a40657c83ba7805320423e66b402cd20cdd57eb\r\n28150a3e9f8d23c784923e9664086ad18aae71ef83e4a60ebfb1fd8bd5abbd80\r\nf30838a6b53a892ae4e5231de1d2f74a2e51919a66e9e60da3de125c9bd1a521\r\nc2adf4031508ade44343097904c63300c4bfbaa8727fce120a11b09da9bc0be0\r\n596c2b8306493ba51bc0ca116a0508d3c1f47389e6fc9a2b313748f4fa3014bc\r\nafa53aa70e484a3d35c1e8a1a50c96f9186f48c7aa10888b5c42b648fa5bfbfb\r\n1f8da66ce073a08f45f724bfa31ffe2b266ada3847186018af8d381ffeaf1dac\r\n5477e90ff3755d2807951850964a881b60158ae1f911ef2ffb4bdef32a4d62e9\r\n4f846222f454c773b3db1a467155e388672e20b6edacc6406a75dbf09432108c\r\n7c8e9eb4a6b3d59d02faab21b94664ed473c346731cc28c0036c2c3e14db581c\r\n9405198e358c330918ad6c0965e4dd748663c8a8c564e37d54c8e13f01fe6536\r\n904344a1193a0910153f034f6ec7c17feab572392454afb6a8dfd15dd4a38c19\r\nb7bf333f959bb6b6aaaa53a724b5f9b02ea774ba4d093e14052c45fe83e8f02b\r\ndcf99c3378de03489a62b131580c1e2fd9df1187ac25912cc6cd856cfe661037\r\n555dd50c95045d2bbeae895286a00789089e6a86845975041d11879e7e8fbd37\r\n6bbc47fd039bce4c7a6a163dd6ff380fdda9fd27d552fa8c66be20e3fabf6cd3\r\n1f739f3f90382fb729401085388e2142d12fac724684c5b3dcf367b645781695\r\nShiotob\r\n0733779b99ccced9808136088e08bed6518097fd892c51c150a5d7e99b755562\r\n124e6d6d3da321ad04e7f3aa9ae1b29fea2f382e8903a72ce48091cce47127ce\r\nhttp://researchcenter.paloaltonetworks.com/2017/02/unit42-banking-trojans-ursnif-global-distribution-networks-identified/\r\nPage 10 of 19\n\n164eab81c9ef0b14b4f93f7f5b60b0111d9eb3de3131c35f2f388837e0309b9e\r\n194e6644ea8c81e8e6073434f5305c48fbd22dcbfe7d911ad36a314bf61ce301\r\n1af5467950d5e171827936d522ae7fc47d7e92cb639d83a6d1b1e6170568987c\r\n1ede3e09794eb4fbb5a9a67702aeca7495d7b9d12b47dc4493d5f645fa04279d\r\n2209aa1f8719cc1f1bec10c0e2c611fff44107c54754b63af8bce748a9c2ba11\r\n22fe4de964db8874728d54c8327f0763383b56bb838983ac2d0ad16f9a9f0296\r\n24af6a68330743f0ba7e152d426f16768a915d619e807b56a4b7944c780fe46d\r\n24d6ff074c68060d5bfd31c2a8784fc58033d865110f01778b6f43fb71d1be82\r\n25e49603ccd58159180e10cc9df9944845870d3bd6dbaa2ce2a5ad16d5d224b8\r\n2b7c4c4370000b258932ffe871e3cd9ec613c223ea129fd164d32070544ee53f\r\n2d43697cacccfa10ac4fe3119a86bcc1113925f04d7b95e3297ace3ee1dbcb75\r\n2edfc720a92bcdd2d42416ed6bb79ce84eec28a8316cb6160527627779c6b4db\r\n317bfbe3107ac085d1751e04202b99e2ce8a75285e5033b789de34457c7ae7a7\r\n347430676e7811c4433d4d10d7ff5695dd34083d9f37a32f5130e29263f3cb72\r\n3a5020bbd52ef368d98f51a9caca2b266f0f5ec7719e8159e32dd08ad80e60c4\r\n3a59673578576a0d1551c120f612217aa3ab1a511bb6eba03908ba3aa2719bf8\r\n3b6a2050bfd395756237a48e39007279a0ed80cb1e1cec05bbe77f813befb002\r\n3e325fe43a78054dad21049abc7ea56510959eb2da5a1e21dae3fe168106cade\r\n4039ab72bce95e0ec30092a12a7d6d4f8509d5a6bc05fc8e6463c9a262060434\r\n40a8deaeb8902947c6ba98ce0af62a6a487c3afcaf6e96dcda2fb27e6af9c122\r\n4b64a23de0d09e2f9daeef283d4582bf04b416b465c1c6863b7698eb82b56c4e\r\n4ee9a7fd63daab6d756193756c3a63b2bcc3a2c04397c6126b9c6f3b1ada0b5c\r\n504d71d3e1ddf4487033d6c8a5840c7eccc5babcd7f23a5587eaa07aa61ea148\r\n5914a658c65237b9e9516313c39efffd646b6e9573315a6353375863c1d5b6e5\r\n5a41e1429c92d6cf63df37ef37f4d8b5ebcf51b6c002b118ea4edee5bca4669b\r\n5b7e4c2df278c2bc9cc2dfa736227e28fdc3787173f4c5fcd30e0004ec06bdcb\r\nhttp://researchcenter.paloaltonetworks.com/2017/02/unit42-banking-trojans-ursnif-global-distribution-networks-identified/\r\nPage 11 of 19\n\n5f2c52c65412800f0fa9d92c99a28196be265b8cded2d0c4699ecdf960acf2ef\r\n60322c5ca2e234bcd7124c86e46f645d7aad2b5595038bc8343ac5324c482607\r\n606708c9479e1df26545d469d3d54a0e268f01ad8aa061f6504968c3b1594a0c\r\n60e0f5deef23f463180ea830bb9f237a4f542cd73c1bb2c52912ccb594fc0e08\r\n67e0e3d8c9152ff41865fb9bf4deaf3a6a16939c7c6eb2b0ada9b3395594e45e\r\n70b055c547b0d3f5a0b51ef1fe25abbff77f468cd3265da9b669fbd82e32fe56\r\n77641a32ba820581a8abebcea6616570c4a8e290dfbf63a74577dc8355678160\r\n77980048740f4b60b50bd1a2e4b1c2b1389b5bf66ad2e737591a68fa4172b456\r\n78af5ca8fb40b44a8c0678c85df7d014c72758388345c36aa429aab66f0b2385\r\n7cef6a7410d9d16d7981108a5c0320fdcc93d23dcbe6c35174ca5de061fd83e7\r\n82c59dbb167a40cdfaab000c562ef97e3dc8fca7bb82a837790fc2cab36586b8\r\n869ed7fdf1838b065b26e2700adfd95b6d3fe9f28cb5c41a839802cdd6b065cb\r\n8bf6825e1ab1a6b09fe9cc2eae461d80b431309887b5c5fe14ed299c1a2f44c3\r\n90510218184f3c92a14a04476aa1b8b7a00e6d98504fa13efe96ce19ba0e531a\r\n94fd3688cbe6a0c732321ff7d6841e709d5530ecfc562343bc123637504f852b\r\n957fd7a14616587ffedabe246bc397bba7e53ef4b02e805473ba6a2a6f68dc55\r\n95fdb4474227c938f83b02005b90e8b3cb9103cc6c9b7472020eb09af5f00dab\r\n9cd895dbaac82328557e290217c558053703f6374284243a2ba17ef69e4cfba3\r\n9e416802a31ee6a61074dee670fe3a4f9f9897eb9327cff79e0721cab066f353\r\n9eaa00aa6ca9122a1c7cbeeb3ef2ac0caa52794b85cdf811b0436aba70097528\r\na37d84e6c6fe7b4f426f28b0379dba9e3045ac083d46a95f8378c3c98d7ca9e2\r\na91cc0ef59dee1229644bd70f7744bd94d2af6dae19a1cbae685ed06fce707ea\r\nabb6fe1515e8d0f9d7b23965a35db4a863f92daafa46942d1d42662f9937b99a\r\naf0f00906d833b09adac0caa7028e9691c4090ef041d7cf62a80e8b7b10962e6\r\naff8f8711ca8eed648080884ff84c4dbe62d0ad401af6379def639b90098e802\r\nb06746ed57ebeaf64c58217adafad28b9d2445c2d1cbeb67fa7a17a4be9a6328\r\nhttp://researchcenter.paloaltonetworks.com/2017/02/unit42-banking-trojans-ursnif-global-distribution-networks-identified/\r\nPage 12 of 19\n\nb0752f8ae7d2a4922f018c8f02fd0e20d7674eadf94374734b75e64084af1d84\r\nb098d0fcadab456a28db6cc7cfa9955e1d5c3fb88f9e457121a01af4a3169ec4\r\nba264b6fd7795fdea336364082491c7aba457cbf2edabf6c44df0562e34810ba\r\nc670d4f30fb06df997adb263c753e21b2a6e2ebdad8ac436c24d4ddf44dc9924\r\nc9e2d4881b2f8ce1d5503f56815541a90d1c0c7dc008b4e9b8456f05b377381a\r\ncc2b53c035e575343bb5436e65b9b15d9fb8782637642c0b4c2ad87c314687b5\r\ncfe49c0ce561b7834275f7f2d9f0cb8977025a095ab25d08c6c36c75863ddcc9\r\nd3e34102a27677946131161ad3d3dce57f15b9b53bd0a1929bc226909b4ceea0\r\nd5850ed32b01a10d2e6aa4a3997ae8f35cb3c595fde75929d61ecd13fab2455c\r\nd906da427d56262f0ab04684edc1ca843618ad8033d063fd249ddd887981488e\r\ndbe42c50bfa0dd6fe0b236fe5371bc294f43d48bbf1243d4f3b2a98041f0d3ab\r\ne0bdde6336208df8807c299ef8157ec7fd9e777dfd1cc1d49534c19e1a44f811\r\ne5114ab13097dff71d3f33dc5b9a9c4fb0206137babf41dde7c4ca614362098c\r\ne51477fe6b9bf8d73b37825cf4033f34e634ea59e672fed823c4f0850e5dce54\r\nece07fc91c99bb3ea3ffdfaadb51e38679cba43287413ea95c8a47d157fcd488\r\nf3e6cacf2a4fa6fa15596416263a0087ec0194db746081a08360cc69beec2f31\r\nfb0f5ff4760f6869a63fc6ed01d19241d83919b88f70343473cb6af014fa8954\r\nfc00bf8cc177e561cfa89a8d48fbc9a3d7bd57d3da33c56c401fd9c2437600ff\r\nfcb208a9d8ad4c6ade0798410c3620bb3d57613efd1c01d35bd5b3b42c90db9b\r\nfe9b87d98cb1e708ea6df4052677f2ea651f3c14f2a7c6d6aca9f4b905cbbdfa\r\nfed5de3f9dbc37cf404e3a530d3358e6c1fbaf1a7d4833d19184b492a6f0da6b\r\nKINS\r\n786e347d5de0b2461049964b382ec2d93db62ad2541519c2f1be423fbde3e632\r\n0f300996a5d57c43b90bf97f158fed23709284b1fe4bbcabc6b843538f4fe961\r\nea05b0aff29ff657a578eed301f79a2ae7a469cda10030151426eff85b2390ea\r\n840d7f349f02bea4467b5a8f3cf7f3f4f43c6cc9452b01e75d2ee795c25f96ba\r\nhttp://researchcenter.paloaltonetworks.com/2017/02/unit42-banking-trojans-ursnif-global-distribution-networks-identified/\r\nPage 13 of 19\n\n2392a69e522bd0a37e114ec53ef6c4e48aa6b8c5aa61b6a8ee7ed05d9e941014\r\na5c4fc9bcbdf145a880a80d0ec28d874d646100dda4f9a571b011d31c78d6b05\r\na12ba2482f7fc7f8e514c0f1e630d66357ddce32893873b3ebf8bc2c79e6aa2d\r\n7c384f0d01cf765e2f90eb52bfc7e2c832d59c328809b5a9436050dfc6017b52\r\n569e01c714f94d09cf379f9f21bf67a84b943b97df020493767aef3efd4a8aa4\r\nb0924478d914647bc30460d7b0c5cd3aef79fff04a26a6fdc10728ba8bcd9418\r\nfc38901913dad80cf32b2ffd124ffd850ee913295df4b1cc861589445527ffd7\r\n162bfe3f8513c03d94908d04858974a3b27ad903ed263183b28a2230b8357e19\r\n85a80a5706149c0be9f6ce1c6d23fdc405b992c2b7a2665da6b72ab213de9342\r\n460acfc0a1eb8d7b1dac420d4500c386817706aa234997d7cb6df3ca869a9242\r\ncf2eb541c0a546970ea3a3baf96dfd6be4515c54f5a220a57f049af137d418d5\r\nf3bf1e6cfd4a21f6f6907833bfbd9d44a9499eea4e27c0e4415f7e3975fa559f\r\nbd6b9940e87be866fd8cb893769c51a3e4266452f97270a97bc13685b420d308\r\n62c32639b102a684d7aa8e1f04db7018d7107da0a3956904967f9fa79b021239\r\ne00385bdda02b8cf7ddef4f4bff8301846a7f723a6b56a7f8151d5c7c978f502\r\nc70ea6ec20ba7368009b46264102faba72aae16185f17b5bfc852f5d45bb7884\r\nc98c731e7f38471cbe178eb117a25bda56c1cc8752419470f202c6aeaa5c1ad1\r\n61a65f91952a71ef119b5a54012b4a48521d739a3afc881fe33276e733e421b6\r\n1627e0c5c72d36738b6c94439a4d7d3d8a1202b4c8bc9f5c8f5b41a5c0216407\r\n418863a96acfb5c4dcf6da12b6c2d44a29fbfc18e1ed78b26ae2070df9b48018\r\n1b74f2bd5aa6dc07ab8014d3a59e192ad5a8020f9b71db4492f4c141fec64d58\r\n6e66090be9481caff2cf24ccc4b6cb688f4a94a6ad0c51ae8fa9eb69c2f6baf2\r\n4778c2771aee8926ffbf8d289c0792e16afbd838e599190af212b14cd8277784\r\n4a013d43c58d55190b022c306344ff894210975181452085d058901444108eb8\r\nb368428fd71a354d9e6a707b573c4b4a8131034efc0c4669b683ac7c486920b0\r\n40791e4bb3d98c3154e85b6d463aa4b1be51857b298db3336d61d17a2220164a\r\nhttp://researchcenter.paloaltonetworks.com/2017/02/unit42-banking-trojans-ursnif-global-distribution-networks-identified/\r\nPage 14 of 19\n\nc7c0e80232ed3dca0aa7e169560b5ec80d238550e6e536840a82ff3ae6457647\r\n0021c6127bc6941a9b46d68e292b8de1a11d97ef3d19be168d3a77672feaa079\r\na6424a031483ba52aa444a0100e7332b6cdc1688bb31288a703e16c22851ae2e\r\nb4be93cd20a86b77b43fac886182b1bc6c453ab63cb2851f259f10cd19e96035\r\ne9e009edc5d1f4eb605483a107a2231743bbc3de071850cb00d31a9e878420e0\r\n8edc01e7d5310780b21ece7a93287fbbd8ad50f5dbcb1c73079cd72706d01225\r\nf221dd7f8f0c548dacf48fe2f51cfb853ea6434fefb7df3ea8ed9be3e3ae7d63\r\n2456ccca16ef6470daded775c6b4a9236c979f762f921a6eb9efa5a87989daef\r\naa7d3ea85a3f57eb372d067c153d17137482e7e72de0fd943facf6db9d67af00\r\n6bf91c779c5bad7d30051f12958464f183e6c0b9c3ed70b2e342828e166a3dd3\r\nddb71312f01fcaabdad15b8ed5fafc74114c6dffdb765c42cb5973001828090f\r\nee0395c2d4767f949989b6f5c97a8739e7fd90a2c064b997b1dcee34093db0ca\r\ncf715fbd04bde7580c1f2fd38f5df56977cb9f39f06fe92a5e0b5426738eaa08\r\n6c71f6103815004964aafbaa83ea9e33a8700f9d07d736e9a54d1cf1ec673612\r\nf21872a03fcb62dbac5cd7ea2c92db4595f4a55906d7a91ffa6ce5cae2b84e91\r\ncc6e90286ed80e36fad1899fd0c5fd8f9fd849235378b5a0a7afb1df6bf5c9de\r\n57c6eccd40b32c73a0453a3df14ecabe4b5e21ed780f8c158232bfa43adcbd38\r\n7cf2efec6a788c4a51cf32045bef1e1bf000bc51cff7b4158f5bff7c1a71c9ab\r\na536344cd162eaf8d45a0065fdfaa5aa10a302c8c10b3da4ef190f2e3207d583\r\n7e2e0d6da8d4ff8db10a4c6859a79d87be4f0f1e488460ab134a2e11a24e2138\r\n3864227ce59e0ddb9ded29ab35c33b550cdbb74a75ce125bcd4ce71e233a9745\r\n02112837d7e28a074f8c265ed37ad7c2e1bc36d629ec9a2f1ba7bb83d614f342\r\n0b40ea3ac6c5c4518bad068dd0478e4a76d202a1475bdaaabf6a81eeb36f5b66\r\ne7642802bf90c9186d3ed93d946658e60b9708cba3286f5752b42ddd9c4e5c51\r\ne28b8acd4028cd4a72449519f73a5abc9a0f1b742f01cb385b3737d5847e59e2\r\n7a47eb663b35d6ffd47cba9cd5275208df638a17c084c99121ad7c3231bd15b3\r\nhttp://researchcenter.paloaltonetworks.com/2017/02/unit42-banking-trojans-ursnif-global-distribution-networks-identified/\r\nPage 15 of 19\n\n019917abb1be811655303e4cc514d3abaa66b58d3455c5a4084bc6f2fe1dc2b0\r\nf22eefafad27b61716d96cc54ef8c2e332c71b30e50bbc1c9cc0f15396c1e112\r\n948597902acdbc6ee8fd6499bd8b8b7c1c940019d5fea4ce7e88dd388ec939d8\r\n2a275c3f37280158309d67a86054516a8bba7a5cb364d51b3552996c2b6040e8\r\n9e7036ae2f3f513a42a1201dfeaa607568eeda9b43ef4212e9d68cddead53eab\r\n6beb5b396d26991feb16eeeb4ee8ced22e965607be056528f6fdee535134e7b7\r\n93dcb90a22744e8b3c5ab3a4974cc9b72f6198189f3a42bb12417e775d0ad718\r\n5a37dd804f4add6b2e75c366438181fafed4ab979cb694f6aa1e7ff77c1225e0\r\n025f9924f04ff1b4b0953ef07ba9d60ce970c2fd9e887269caa72db3a9bba814\r\n27236ebd9a399d394e83dccd4c267ca0213ed431e06b7cdd132274f402831d21\r\n8fc39e6e868bbae45328e24a953f4974a22106c84c7c0fd713999687be774b22\r\nd486d824d857a1dc294e6cfed2dc0c58514226125e4995cdcd04a8f8d9051f25\r\n6ade6e7226c35f958bade2e81c6dfe8e4d083beba2a1a3fea6f5d7a7fc1051a9\r\n912c59051f858c78194d30f08a337479db002e073c24d69cc9d23aabd662a3c9\r\n04f5d3d96405b47c51aab8d8d0ad4b849c7b62e8869b8ce145de4528f73b4232\r\n22c426e765df18cbaa92f42ad4d5b48dbbc78f9ed0ae6fe2881517814703027e\r\n9937646b9aa37b3256eac7f4ac464e414ca4a4bc12fd6a1091001e7855f36e3d\r\n43a90192ba12ab92ea567f2156bd53554d72cac7be15034e04c89d82e66500a2\r\n5005f9bac9f0df698041221ee6abdca062d4fae39f0a0f04544d005e307b466d\r\n326bd07373dc878054bef86dc7030eaecc51f0878fe4ccf43ecea7f60f6cf890\r\n31f8346b01d9e3c307280bf900de4e91a57d579d5327f75fd697431bcdd20dd4\r\n6d604f20aee68b276eaddb2a3d852137e8a34344838f3022abaef53770944646\r\n51633bf1265ae5a3dacb435a78e15bb1ae96fd0da284b5faff97f412f9d362fc\r\nab2beec5b712d030810f4ec975c8f398cdc9486f678007375a692e23d1a50a1c\r\nda9a6c0842062661384ef37683a196fbb768e6c43b358d059f20e07177a3fd65\r\nc35a5f45b13b88d453cb953515783416def2537a0a372780fe4e6e20c58d9717\r\nhttp://researchcenter.paloaltonetworks.com/2017/02/unit42-banking-trojans-ursnif-global-distribution-networks-identified/\r\nPage 16 of 19\n\ne855ab4fd90ec109fcf34d068f5162d462bb26d1998406af94d9c6050c72d9fb\r\n23a71f634dadac915df9332a126343d8989b5492fe113b21badc3cfecb431c41\r\n98ba54b02a466ca902d21d2a41f6d21efd7e8f38cd9a1d2d669dcbe0d31a8413\r\n6c84df041c4da7ee5866a3dd46131dbde3f41613e871ee739bf021a32aefe03a\r\nfffbc4536b681bd6e06a809593852d54db71f9d7d304491a425c49e1945c5085\r\n30b97daff703812e860d15e18172ea1bcff9090c3ca02717c8ebabfb88d6fb7b\r\n7d98ae50cccb308c51365ea7e76d793c845990724052923187a056ba36a0d9ca\r\na1f0956e034356a36be25f5213fd21857347a571034e65b14f3960a8cb8c1c42\r\ne4e8aac2107834b2d895fc35d71bb396075d971c650ff173714c3d17956c7da6\r\n62989ab56f11701b109cddf0eb20e995c833078bb40942a8c931589497c25948\r\nPushdo\r\n14c358cc64a929a1761e7ffeb76795e43ff5c8f6b9e21057bb98958b7fa11280\r\n242f192b9e985864ba5e3f6b0cb15efc280980e2b097d2ebaabd1d8de7117663\r\n4c50fbe0c5e39ed3fe88136f3ce45d82f3e9975d1ba524d76466609ccded41d2\r\n59a512bcd4af8aef4769ce8b4f31c5116c2e9b6bd09e76f4824a073072ea822e\r\n5fe8cc8734fddd09e1479eac5fda9826eb44d191fd992e63f3db58ac6a23af67\r\n676a14cda7ff14af9d944326ec4635facf9eb999208f5a7badbeff76d55321e4\r\n6d921e055466eccc308ca73ada27b249eff33786fc7f4a6f2946158b91175505\r\n7120cc2689e70fb4dfdab7708828476efea10fa9ef2a1cdfcd020a500ffcddbf\r\n757f2c62637765cbc8c7b9f5f63ed4ab00f34485f516a66b2a81b4edfb731920\r\n89cbfd9360251bbbcda1bac4d0674576ba19d6ae5a1828113ac7bd5adbfa809a\r\n9cf72776a0e0a81a099028393c8fe8ee4e98c9da9a1e887807845939633661c8\r\nbbeffcfe632fbdacd49e7370f5546c067bf513cf24dd86f6cb34d255a4dc6607\r\nbcfcea47fac4e61330fec7c6c221cc926f4f90dd43891cecdd2995c8ff937d2a\r\nc205430c4a278255a880f7eb301b6d43405752ecc19123305cc4278dd1b4f867\r\nc2e8d313a086ad89e43130870977d9d1984311f9383d520b5c43f73ca4be6938\r\nhttp://researchcenter.paloaltonetworks.com/2017/02/unit42-banking-trojans-ursnif-global-distribution-networks-identified/\r\nPage 17 of 19\n\nc38b5ac3e5c3fdcbf6752809e3e68d7d2bce6122613293f8822f008e7fa64139\r\nc49ba3b8be64442bfbb0ce1c2b1a28c9e0b5829e9523558561163140183e36ac\r\ncfd08932544be4608030cc7ec8deb1f8c93d01915e7b49c1da8b686ba1e00733\r\nd2b23e336bad80b0a0f04b0b042bd76421b9342fe3329ad243b7806f242e4bda\r\nd9a21f5a7c8560ce9a1368943509f791b568d18c2abd329cbb095662a7642ed6\r\nda7d0125b71db066fa8f3981b0125f1955d2c4b20f37679eb99b55fd226c8693\r\ndc07002a47c481613868ed10cf93fd4e4772d52da21c2b9cd1d6b5dc31cd9e71\r\ndecaf81a2f8a0f94f3ba112fcf805b7c1c955548486d615f56626a3b5771e384\r\ne061a37cef414f8943972bf0fd2a990f7283a07b460aa2c9292c00323432f3b4\r\ne6c7bfb41e99fceab5da3175267dcdfc0ff50263f8718dfb638539bc9aa4a862\r\nef28d191d15e2f00dfa9612c8ea4923af25c13ee68a9ac1c41cee5f8ab8f1a6c\r\nf0c85788f33916c6d2f811860d5e1d6bdc44a44ada980aad7a65039757cae6c7\r\nfb4933942a1bbea64443fd94118efe412cfc3db3242fe6bd60643c7d7595998f\r\nTinba\r\n0482ac285c4e941a82de2425c3572ef2b951f90423d85627a282147fb3b95d14\r\n3026114a699e5f50a49c2a4ee0844c8a6ac217f8e9185d1735b79a13379e8fd8\r\n43740f3254084090f5d9dc5e74af184b8021a3e07c4d0e645f227852eccb0020\r\n5eea0da8c31b48ce3e88fdd0f24192a4305a472f1f44f3740796d0622feb7f9b\r\n78fb0b44a54d336178ea021503c71539ef364bfa9f4c003c91591a0a4a4047fa\r\n94c12b0de0e28a5c88d9b3242793f1d1cd4ff4a86a4bce991e68f3d2e04c56a6\r\na8c8b1fd20d79235fd74f7c3722453412ad5ff589bbd8e3ce300e364e3495c2e\r\nfcee667cb6900ddf55029f1f806995f73cd5be75912f1c94c905a6d177353e1f\r\nZeus\r\nc27160f42b2ace99149db759c4edc15c95b5a8b95e8daf70f02b201d804e2ac2\r\n4b66d77bd775c7695f7211b95808e14c5cbef8c6d69e3749b21868bad296f22e\r\nRovnix\r\nhttp://researchcenter.paloaltonetworks.com/2017/02/unit42-banking-trojans-ursnif-global-distribution-networks-identified/\r\nPage 18 of 19\n\nfdca8fa4368763899eff263d472850273ac9df672e0867d4aa3546bb439be291\r\nSource: http://researchcenter.paloaltonetworks.com/2017/02/unit42-banking-trojans-ursnif-global-distribution-networks-identified/\r\nhttp://researchcenter.paloaltonetworks.com/2017/02/unit42-banking-trojans-ursnif-global-distribution-networks-identified/\r\nPage 19 of 19",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"references": [
		"http://researchcenter.paloaltonetworks.com/2017/02/unit42-banking-trojans-ursnif-global-distribution-networks-identified/"
	],
	"report_names": [
		"unit42-banking-trojans-ursnif-global-distribution-networks-identified"
	],
	"threat_actors": [],
	"ts_created_at": 1775434581,
	"ts_updated_at": 1775791256,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/bba1d76437de75194fd8f607a7b0158543313c3d.pdf",
		"text": "https://archive.orkl.eu/bba1d76437de75194fd8f607a7b0158543313c3d.txt",
		"img": "https://archive.orkl.eu/bba1d76437de75194fd8f607a7b0158543313c3d.jpg"
	}
}