{
	"id": "9a8ed6aa-462e-41da-a04e-ce268d3609a0",
	"created_at": "2026-04-10T03:20:16.197661Z",
	"updated_at": "2026-04-10T13:12:15.505668Z",
	"deleted_at": null,
	"sha1_hash": "fa061e1e56d557b53bd1b364d594842f9d9242bf",
	"title": "Ursnif via LOLbins",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 876592,
	"plain_text": "Ursnif via LOLbins\r\nBy editor\r\nPublished: 2020-04-24 · Archived: 2026-04-10 03:01:12 UTC\r\nUrsnif, a variant of the Gozi malware family, has recently been responsible for a growing campaign targeting various entities across North America and Europe. The campaign looks to have started around the 6th of April via a number of domains taking up residence at 8.208.90.28.\r\nOverall, 16 domains have been pointed at the IP since the start of the campaign.\r\nhttps://thedfirreport.com/2020/04/24/ursnif-via-lolbins/\r\nPage 1 of 10\n\nAs of 04/22 these actors have moved their campaign to a new IP: 47.241.106.208\r\nInitial Access:\r\nThe particular point of interest in this campaign is the effectiveness of the TTPs at bypassing many security tools. In the delivery stage the campaign uses compromised email accounts to inject into previous conversations by adding a link and imploring the recipient to check the latest update to the ongoing conversation.\r\nThe link provided is to a Google Drive account, a trusted entity to users and often not capable of being blocked in many enterprises. The Google Drive link downloads a password-protected zip file with a JavaScript (JS) file inside.\r\nExecution:\r\nUpon execution, the JS file is run by wscript. Wscript then gives way to Regsvr32, which loads a txt file into memory. 
The txt file, however, is actually a DLL that, once loaded into memory, runs under the regsvr32 process.\r\nThe use of these infection methods was able to bypass several security layers, including Windows Defender at the time of the run. We witnessed Defender detect the txt DLL and remove the file on disk while missing the executable still running in memory.\r\nWhile several infections witnessed during the campaign never moved past beaconing to the Ursnif C2 at 8.208.90.28 with the DLL in memory, some samples proceeded further.\r\nPersistence:\r\nFor those samples the following behavior occurred.\r\nIn the registry location referenced below, more modules could be found for the malware to call upon.\r\nCommand and Control:\r\nInitial C2 was picked up on the following alerts:\r\nETPRO_TROJAN_Ursnif_Variant_CnC_Beacon_12_M2 8.208.90.28\r\nETPRO_TROJAN_Ursnif_Variant_CnC_Beacon_12_M1 8.208.90.28\r\nWith the TorClient registry binary being confirmed as its namesake after some time:\r\nET_P2P_Tor_Get_Server_Request\r\nAfter around 24 hours, Ursnif received new activity, with alerts triggering for a VNC module and a new C2 IP.\r\nETPRO_TROJAN_Possible_Ursnif_VNC_Module_CnC_Beacon 162.244.35.233\r\nThis was then followed by a flurry of new malware dropped to the system. 
These turned out to include both Cobalt Strike beacons and TVRat (TeamViewer RAT).\r\nCobalt Strike was delivered in the form of 3 DLLs loaded into memory, again with the help of rundll32.\r\nMeanwhile, TVRat uses the “legitimate” access tool TeamViewer to provide remote access to the attacker.\r\nsvcc.exe 99e0fbb8b4d6bbd5fe4eec1530aa51a818d06e245efb2c2fb41199a390a73db8\r\n1.exe 497129b7b2a940a812b9f3cf3d1a149d903a4179fc75adaf085e4edba533a7c9\r\nThis exe reaches out to much of the TeamViewer infrastructure:\r\nAt this point the Cobalt Strike and TVRat C2 overtook all previous communications.\r\nETPRO_TROJAN_Cobalt_Strike_Beacon_Observed 23.81.246.22\r\nETPRO_TROJAN_Cobalt_Strike_Beacon_Observed 93.190.138.35\r\nET_TROJAN_Win32.Spy/TVRat_Checkin 89.39.107.106\r\nAction on Objectives:\r\nThis continued for some time, but we did not witness final actions on objectives from the actors.\r\nConclusion:\r\nBased on the actors’ capability to bypass security controls and their pivot to new IP infrastructure, we expect this campaign to continue for some time. We recommend paying close attention to AV alerts tied to files on which you wouldn’t normally expect AV alerts (like text files), and make sure your network signatures are up to date and monitored, as these threats tend to use default or known configurations that are quite noisy if someone is listening.\r\n
IOC’s:\r\nSource: https://thedfirreport.com/2020/04/24/ursnif-via-lolbins/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://thedfirreport.com/2020/04/24/ursnif-via-lolbins/"
	],
	"report_names": [
		"ursnif-via-lolbins"
	],
	"threat_actors": [],
	"ts_created_at": 1775791216,
	"ts_updated_at": 1775826735,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/fa061e1e56d557b53bd1b364d594842f9d9242bf.pdf",
		"text": "https://archive.orkl.eu/fa061e1e56d557b53bd1b364d594842f9d9242bf.txt",
		"img": "https://archive.orkl.eu/fa061e1e56d557b53bd1b364d594842f9d9242bf.jpg"
	}
}