{
	"id": "05782a61-71f9-43e3-84ea-4377b367fce9",
	"created_at": "2026-04-06T00:21:14.988561Z",
	"updated_at": "2026-04-10T03:22:04.275335Z",
	"deleted_at": null,
	"sha1_hash": "c61670926dfe08f2511b765e4d9ba21c154cef0b",
	"title": "German language malspam pushes Ursnif - SANS ISC",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2925235,
	"plain_text": "German language malspam pushes Ursnif - SANS ISC\r\nBy SANS Internet Storm Center\r\nArchived: 2026-04-05 12:59:29 UTC\r\nIntroduction\r\nOn Tuesday 2020-01-21, a wave of malicious spam (malspam) hit various recipients in Germany.  Messages from this German malspam were email chains associated with infected Windows hosts, and these emails all had password-protected zip archives as attachments.  A closer look revealed this malspam was pushing Ursnif.\r\nToday's diary reviews this malspam and an Ursnif infection from one of the attachments on Tuesday 2020-01-21.\r\nShown above:  Flow chart for an infection from this wave of German malspam.\r\nThe malspam\r\nSee the next three images for examples from this wave of malspam.  Of note, this campaign often used 777 as the password for the attached zip archive.  In this wave of malspam, we saw passwords 111, 333, and 555.  Other passwords were probably used as well in examples we have not yet reviewed.\r\nhttps://isc.sans.edu/forums/diary/German+language+malspam+pushes+Ursnif/25732/\r\nPage 1 of 9\r\nShown above:  An example of the malspam from Tuesday 2020-01-21 (1 of 3).\r\nShown above:  An example of the malspam from Tuesday 2020-01-21 (2 of 3).\r\nShown above:  An example of the malspam from Tuesday 2020-01-21 (3 of 3).\r\nThe attachments\r\nUsing the password from the email, you can extract a Microsoft Word document from the password-protected zip archive.  The message in the Word document is in German, and it directs you to enable macros.  All of the Word documents are named info_01_21.doc.  Of note, in recent versions of Microsoft Office, you must disable Protected Mode and bypass some other security features to enable macros and infect a vulnerable Windows host.\r\nShown above:  Extracting a Word document from one of the password-protected zip archives.\r\nShown above:  An example of an extracted Word document.\r\nThe infection traffic\r\nInfection traffic is typical for Ursnif infections in recent months.  Other examples of Ursnif traffic can be found here, which contains infections from 2019.  Of note, the follow-up malware for this Ursnif infection was another Ursnif variant.\r\nShown above:  Traffic from an infection filtered in Wireshark.\r\nForensics on an infected Windows host\r\nThe infected Windows host contained artifacts commonly seen with these types of Ursnif infections.  See the images below for details.\r\nShown above:  Artifacts seen in the C:\\Windows\\Temp directory after enabling macros.\r\nShown above:  Follow-up malware found on the infected Windows host.\r\nShown above:  Update to the Windows registry caused by Ursnif to keep it persistent on the infected host.\r\nIndicators of Compromise (IoCs)\r\nInfection traffic from the initial Ursnif infection:\r\n80.85.157[.]246 port 80 - emblareppy[.]com GET /gunshu/lewasy.php?l=ambobi9.cab\r\nport 80 - settings-win.data.microsoft[.]com - GET /images/[long string].avi\r\n80.85.153[.]218 port 80 - pzhmnbarguerite4819[.]com - GET /images/[long string].avi\r\n95.169.181[.]33 port 80 - n60peablo[.]com - GET /images/[long string].avi\r\nport 443 - settings-win.data.microsoft[.]com - HTTPS traffic\r\n45.141.103[.]204 port 443 - nk47yicbnnsi[.]com - HTTPS traffic\r\nRequest for the follow-up malware:\r\n104.193.252[.]157 port 80 - 104.193.252[.]157 - GET /fonelsid.rar\r\nInfection traffic caused by the follow-up malware (another Ursnif variant):\r\nport 80 - google[.]com - GET /\r\nport 80 - www.google[.]com - GET /\r\nDNS queries for onionpie[.]at - no response from the server\r\nDNS queries for tahhir[.]at - no response from the server\r\n80.249.145[.]116 port 80 - limpopo[.]at - GET /images/[long string]\r\n109.175[.]7.8 port 80 - estate-advice[.]at - GET /images/[long string]\r\n5.56.73[.]146 port 80 - sweetlights[.]at - GET /g32.bin\r\n5.56.73[.]146 port 80 - sweetlights[.]at - GET /g64.bin\r\n5.56.73[.]146 port 80 - estate-advice[.]at - POST /images/[long string]\r\n185.95.185[.]58 port 80 - estate-advice[.]at - GET /images/[long string]\r\n80.249.145[.]116 port 80 - limpopo[.]at - POST /images/[long string]\r\n51.223.47[.]15 port 80 - estate-advice[.]at - POST /images/[long string]\r\nMalware info:\r\nSHA256 hash: 957573dc5e13516da0d01f274ab28a141dddc8b6609fa35fde64a4900cb793e6\r\nFile size: 127,243 bytes\r\nFile name: info_12_21.doc\r\nFile description: Word doc with macro for Ursnif\r\nSHA256 hash: 05ec03276cdbb36fdd8433beca53b6c4a87fa827a542c5d512dcbb2cf93023c9\r\nFile size: 3,651 bytes\r\nFile location: C:\\Windows\\Temp\\axsUG8.xsl\r\nFile description: XSL file dropped by Word macro\r\nSHA256 hash: c7f801c491d705cd5e6a202c7c5084874235e19b5505d8e0201111cb3789a9c8\r\nFile size: 265,216 bytes\r\nFile location: hxxp://emblareppy[.]com/gunshu/lewasy.php?l=ambobi9.cab\r\nFile location: C:\\Windows\\Temp\\aaNuLh.dll\r\nFile description: Ursnif DLL file retrieved using XSL file\r\nDLL note: \"C:\\Windows\\System32\\rundll32.exe\" c:\\Windows\\Temp\\aaNuLh.dll,DllRegisterServer\r\nSHA256 hash: df824e3e5bb15c7b74d5e8a021f3cbcd867100a02399b9c383488c660ae920b4\r\nFile size: 873,472 bytes\r\nFile location: hxxp://104.193.252[.]157/fonelsid.rar\r\nFile location: C:\\Users\\[username]\\AppData\\Local\\Temp\\[random digits].exe\r\nFile description: Follow-up malware, another Ursnif variant\r\nFile location note: binary returned from fonelsid.rar URL was encoded/encrypted as it was sent over the network\r\nFinal words\r\nA pcap of the infection traffic, the associated malware and artifacts, and some malspam examples can be found here.\r\n---\r\nBrad Duncan\r\nbrad [at] malware-traffic-analysis.net\r\nSource: https://isc.sans.edu/forums/diary/German+language+malspam+pushes+Ursnif/25732/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://isc.sans.edu/forums/diary/German+language+malspam+pushes+Ursnif/25732/"
	],
	"report_names": [
		"25732"
	],
	"threat_actors": [],
	"ts_created_at": 1775434874,
	"ts_updated_at": 1775791324,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/c61670926dfe08f2511b765e4d9ba21c154cef0b.pdf",
		"text": "https://archive.orkl.eu/c61670926dfe08f2511b765e4d9ba21c154cef0b.txt",
		"img": "https://archive.orkl.eu/c61670926dfe08f2511b765e4d9ba21c154cef0b.jpg"
	}
}