{
	"id": "bf05efe1-13cd-44dc-b631-6a55edfbda1f",
	"created_at": "2026-04-06T00:07:46.891952Z",
	"updated_at": "2026-04-10T13:11:36.862368Z",
	"deleted_at": null,
	"sha1_hash": "fa4674562f5f46370728ec5a12f904417da95de4",
	"title": "Malware-Traffic-Analysis.net - 2017-04-03 - Ursnif and Pushdo infection",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2892684,
	"plain_text": "Malware-Traffic-Analysis.net - 2017-04-03 - Ursnif and Pushdo infection\r\nArchived: 2026-04-05 17:48:16 UTC\r\nNOTICE:\r\nThe zip archives on this page have been updated, and they now use the new password scheme.  For the new password, see the \"about\" page of this website.\r\nASSOCIATED FILES:\r\n2017-04-03-Ursnif-and-Pushdo-infection.pcap.zip   9.2 MB (9,156,400 bytes)\r\n2017-04-03-Ursnif-and-Pushdo-infection.pcap   (10,643,014 bytes)\r\n2017-04-03-Ursnif-and-Pushdo-emails-and-malware.zip   685.7 kB (685,705 bytes)\r\n2017-04-03-DHL-themed-malspam-0928-UTC.eml   (22,764 bytes)\r\n2017-04-03-DHL-themed-malspam-1117-UTC.eml   (22,746 bytes)\r\n2017-04-03-DHL-themed-malspam-1220-UTC.eml   (22,812 bytes)\r\n2017-04-03-image-themed-malspam-1357-UTC.eml   (22,126 bytes)\r\n2017-04-03-image-themed-malspam-1546-UTC.eml   (22,646 bytes)\r\n2017-04-03-image-themed-malspam-1646-UTC.eml   (22,391 bytes)\r\n33521.exe   (353,965 bytes)\r\n462137.exe   (295,936 bytes)\r\nBalt.dll   (49,152 bytes)\r\nCommercial_CVS_inv.03.04.2017.cvs.js   (25,273 bytes)\r\nCommercial_CVS_inv.03.04.2017.zip   (15,870 bytes)\r\nimg-20170403-0014,jpeg.zip   (15,446 bytes)\r\nimg-20170403-0054.jpeg.js   (24,464 bytes)\r\nNOTES:\r\nSaw two waves of malspam with zip attachments containing .js files that generated the same infection traffic.\r\nPost-infection traffic generated alerts for Ursnif and Pushdo.\r\nEMAIL\r\nhttp://malware-traffic-analysis.net/2017/04/03/index2.html\r\nPage 1 of 6\r\nShown above:  Screen shot of an email from the first wave.\r\nShown above:  Screen shot of an email from the second wave.\r\nEMAIL HEADERS - FIRST WAVE:\r\nDate:  Monday 2017-04-03 at 09:27 UTC\r\nFrom:  \u003cBGYHUBIMPORTS@DHL[.]COM\u003e\r\nSubject:  commercial invoice - customer 4364201038 102642523877\r\nAttachment name:  Commercial_CVS_inv.03.04.2017.zip\r\nExtracted file name:  Commercial_CVS_inv.03.04.2017.cvs.js\r\nDate:  Monday 2017-04-03 at 11:17 UTC\r\nFrom:  \u003cBGYHUBIMPORTS@DHL[.]COM\u003e\r\nSubject:  NOTICE CUSTOMS CHARGES 0094793224 767285436700\r\nAttachment name:  Commercial_CVS_inv.03.04.2017.zip\r\nExtracted file name:  Commercial_CVS_inv.03.04.2017.cvs.js\r\nDate:  Monday 2017-04-03 at 12:20 UTC\r\nFrom:  \u003cebillingcmfs.ddi@DHL[.]COM\u003e\r\nSubject:  Dhl Commercial Invoices 6807164709 856884589470\r\nAttachment name:  Commercial_CVS_inv.03.04.2017.zip\r\nExtracted file name:  Commercial_CVS_inv.03.04.2017.cvs.js\r\nEMAIL HEADERS - SECOND WAVE:\r\nDate:  Monday 2017-04-03 at 13:57 UTC\r\nFrom:  marco.desiderio@cogug[.]com\r\nSubject:  photo 08\r\nAttachment name:  img-20170403-0089,jpeg.zip\r\nExtracted file name:  img-20170403-0054.jpeg.js\r\nDate:  Monday 2017-04-03 at 15:46 UTC\r\nFrom:  direzione@nyloq[.]com\r\nSubject:  img_2550\r\nAttachment name:  img-20170403-0014,jpeg.zip\r\nExtracted file name:  img-20170403-0054.jpeg.js\r\nDate:  Monday 2017-04-03 at 16:46 UTC\r\nFrom:  marzia.berghella@yahoo[.]com[.]hk\r\nSubject:  photo 2DNXAY\r\nAttachment name:  img-20170403-0015,jpeg.zip\r\nExtracted file name:  img-20170403-0054.jpeg.js\r\nShown above:  Attachment taken from the malspam.\r\nTRAFFIC\r\nShown above:  Traffic from the infection filtered in Wireshark.\r\nASSOCIATED DOMAINS:\r\n178.136.218[.]52 port 80 - sillo[.]net - GET /1002.exe\r\n31.135.125[.]26 port 80 - monsteradds[.]at - GET /x64.bin   --   [Ursnif module download]\r\n52.52.2[.]146 port 80 - constitution[.]org - GET /usdeclar.txt   --   [Gozi/Ursnif/Papras connectivity check]\r\n5.248.126[.]219 port 80 - sillo[.]net - GET /30.bin   --   [Zbot Generic URI/header struct .bin]\r\nVarious IP addresses on port TCP 80 - various domains - POST /   --   [Pushdo.s checkin]\r\nVarious IP addresses on various TCP ports - various domains - Tor traffic\r\nVarious IP addresses on various ports - attempted TCP connections and non-Tor traffic\r\nFILE HASHES\r\nEMAIL ATTACHMENTS:\r\nSHA256 hash:  1b402c3ccfe5380425023022614abc4af53369536bda9c70b3074e50484bb340\r\nFile name:  Commercial_CVS_inv.03.04.2017.zip\r\nSHA256 hash:  ef3bbbace6eeaf06c2101612d45d694f734b6759ec89b83db0e3d07ea5c49f57\r\nFile name:  img-20170403-0014,jpeg.zip\r\nFile name:  img-20170403-0015,jpeg.zip\r\nFile name:  img-20170403-0089,jpeg.zip\r\nEXTRACTED JS FILES:\r\nSHA256 hash:  faad4f8730db9825cfc5fd29f105a16849c83e61e836d68b2e3eff55fe0f1ec5\r\nFile name:  Commercial_CVS_inv.03.04.2017.cvs.js\r\nSHA256 hash:  a62712ff422477b15e512d3d83285d61c760c468e8f8bae26a7e5f0174e57db9\r\nFile name:  img-20170403-0054.jpeg.js\r\nFILES RETRIEVED FROM THE INFECTED HOST:\r\nSHA256 hash:  94380803ac48bec2ca431f968240f4444fdc3a30bd04dbc62bf099bf0ece01f8\r\nFile location:  C:\\Users\\[username]\\AppData\\Local\\Temp\\33521.exe\r\nFile location:  C:\\Users\\[username]\\AppData\\Roaming\\Microsoft\\Cmcfspex\\admpptsp.exe\r\nSHA256 hash:  d26161bc381625ade7fb51db987f2e69c244acc642911948b1507860e90fd3f9\r\nFile location:  C:\\Users\\[username]\\AppData\\Local\\Temp\\462137.exe\r\nFile location:  C:\\Users\\[username]\\bsebegfabe.exe\r\nSHA256 hash:  7b1bcab8e3aa932c6ebac8df67d0797b0c8aaa3a7870408085341500687720a6\r\nFile location:  C:\\Users\\[username]\\AppData\\Local\\Temp\\Balt.dll\r\nIMAGES\r\nShown above:  Some alerts on the traffic from the Emerging Threats Pro (ETPRO) rulesets using Sguil on Security Onion.\r\nSource: http://malware-traffic-analysis.net/2017/04/03/index2.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"http://malware-traffic-analysis.net/2017/04/03/index2.html"
	],
	"report_names": [
		"index2.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775434066,
	"ts_updated_at": 1775826696,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/fa4674562f5f46370728ec5a12f904417da95de4.pdf",
		"text": "https://archive.orkl.eu/fa4674562f5f46370728ec5a12f904417da95de4.txt",
		"img": "https://archive.orkl.eu/fa4674562f5f46370728ec5a12f904417da95de4.jpg"
	}
}