
Trojan:W32/Ursnif

Classification

Category: Malware

Type: Trojan

Aliases: Ursnif, Trojan:W32/Ursnif, Trojan.Spy.Ursnif, Trojan.GenericKD.30550163, Gozi, ISFB

Summary


Ursnif steals system information and attempts to steal banking and online account credentials.

Removal


Automatic action

Based on the settings of your F-Secure security product, it will either automatically delete, quarantine or rename the detected program or file, or ask you for a desired action.


Technical Details


Behavior

Upon execution, Ursnif checks for the presence of any virtual or debugging environment; if one is found, it shows a fake alert message box with the text "Error Initializing Client App!". It also performs process hollowing on svchost.exe or explorer.exe and injects a DLL file (client.dll) chosen according to the system environment (32- or 64-bit).

Afterwards, it tries to steal multiple pieces of information from the system and stores them in a file. It then connects to a malicious command and control (C&C) server.

Infection Vector

Ursnif is typically encountered when the user inadvertently opens a malicious file attachment that arrives via a spam email message.

Files Added
  • Creates a copy of itself at "%appdata%\[Random_Folder]\[Dropped_Filename].exe", where [Dropped_Filename] is a combination of strings taken from filenames in the %system32% directory.
  • Creates a batch file at "%temp%\[Random_Folder]\[Random_File].bat" to execute and delete itself.
  • Creates a storage file at %temp%\[Random_Hex].bin to store the stolen data. The stolen data is in CAB file format, created by executing makecab.exe. The storage file contains the following information:
    • Installed device drivers - collected by executing driverquery.exe
    • Installed programs - collected by executing reg.exe on "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall"
    • System information - collected by executing systeminfo.exe
    • Currently running processes - collected by executing tasklist.exe /SVC

Registry Changes

Adds the following registry key to run at startup:

  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run\[Dropped_Filename]:
    "%appdata%\[Random_Folder]\[Dropped_Filename].exe"
  • HKCU\Software\AppDataLow\Software\Microsoft\{GUID}\Vars
  • HKCU\Software\AppDataLow\Software\Microsoft\{GUID}\Files
  • HKCU\Software\AppDataLow\Software\Microsoft\{GUID}\Config
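
The persistence and storage artifacts listed under Files Added and Registry Changes can be turned into a host check. The following is an added example, not part of this F-Secure description: it matches the Run value, the AppDataLow\Software\Microsoft\{GUID}\Vars|Files|Config key layout and the %temp%\[Random_Hex].bin storage file against constructed sample registry entries and paths (the GUID, folder name and file names are made up, not real indicators).

```python
import re
from collections import defaultdict

# Key layout described above: HKCU\Software\AppDataLow\Software\Microsoft\{GUID}\(Vars|Files|Config)
APPDATALOW_RE = re.compile(
    r"^HKCU\\Software\\AppDataLow\\Software\\Microsoft\\"
    r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}\\(Vars|Files|Config)$",
    re.IGNORECASE,
)
RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
# Run data of the form %appdata%\<one folder>\<name>.exe, optionally quoted
RUN_DATA_RE = re.compile(r'^"?%appdata%\\[^\\"]+\\([^\\"]+)\.exe"?$', re.IGNORECASE)
# Storage file for the collected data: %temp%\<hex>.bin
TEMP_BIN_RE = re.compile(r"^%temp%\\[0-9A-Fa-f]+\.bin$", re.IGNORECASE)


def check_registry(entries):
    """entries: iterable of (key, value_name, data). Returns a list of finding strings."""
    findings = []
    guid_subkeys = defaultdict(set)
    for key, name, data in entries:
        m = APPDATALOW_RE.match(key)
        if m:
            guid_subkeys[key.rsplit("\\", 1)[0]].add(m.group(1).capitalize())
            continue
        if key.lower() == RUN_KEY.lower():
            m = RUN_DATA_RE.match(data)
            # Per the description, the Run value name equals the dropped file's basename
            if m and m.group(1).lower() == name.lower():
                findings.append(f"run-persistence:{name}")
    for guid_key, subs in guid_subkeys.items():
        if {"Vars", "Files", "Config"} <= subs:
            findings.append(f"appdatalow-config:{guid_key}")
    return findings


def check_files(paths):
    """Return the paths that look like the %temp%\\<hex>.bin storage file."""
    return [p for p in paths if TEMP_BIN_RE.match(p)]


# Constructed sample data (GUID, folder and file names are made up, not real indicators)
GUID_KEY = r"HKCU\Software\AppDataLow\Software\Microsoft\{1F3A5C7E-0B2D-4E6F-8A9C-1D2E3F4A5B6C}"
SAMPLE_REGISTRY = [
    (RUN_KEY, "OneDrive", r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe"'),
    (RUN_KEY, "certlog", r'"%appdata%\Xk9Qw\certlog.exe"'),
    (GUID_KEY + r"\Vars", "", ""),
    (GUID_KEY + r"\Files", "", ""),
    (GUID_KEY + r"\Config", "", ""),
]
SAMPLE_FILES = [r"%temp%\3fa9c1b2.bin", r"%temp%\report.docx"]
```

On a live host the same functions can be fed with entries exported from HKCU and a listing of %temp%; a Run value under %appdata% alone is common for legitimate software, so the GUID key triple is the stronger signal.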

Network Activity

It connects to the following server:

  • bergesoma[.]com/images/[encrypted_data]/[.jpeg|.gif|.bmp]
  • polinodara[.]com/images/[encrypted_data]/[.jpeg|.gif|.bmp]

where [encrypted_data] contains the username, computer name, version of the injected process, system IP address and malware-specific configuration details.

Other Behavior

The malware also has the capability to:

  • Steal email data, collected by parsing different email file formats and application stores (.wab, .pst)
  • Intercept the data and web forms of the following browsers: Chrome, Internet Explorer, Thunderbird, Firefox
  • Check for the presence of a virtual environment by checking the device information string against "vbox", "qemu", "vmware", "virtual hd"
  • Detect PhishWall software

Analysis on file: b3764e1a3d0f7d164436d565226800f3c06a58ec

Analysis by: Neeraj Singh

Date Created: -

Date Last Modified: -