Malware-Traffic-Analysis.net - 2019-07-05 - Quick post: Gozi/ISFB (Ursnif) infection with Trickbot and IcedID

2019-07-05 - QUICK POST: GOZI/ISFB (URSNIF) INFECTION WITH TRICKBOT AND ICEDID

NOTICE:

The zip archives on this page have been updated, and they now use the new password scheme. For the new password, see the "about" page of this website.

NOTES:

In the pcap, traffic to germakhya[.]xyz represents the IcedID network activity, but I didn't find any IcedID malware or artifacts saved to the infected host.

ASSOCIATED FILES:

2019-07-05-Ursnif-with-Trickbot-and-IcedID.pcap.zip 33.4 MB (33,409,966 bytes)

2019-07-05-Ursnif-with-Trickbot-and-IcedID.pcap (40,998,383 bytes)

2019-07-05-Ursnif-with-Trickbot-malware-and-artifacts.zip 43.1 MB (43,128,485 bytes)

DC/2019-07-05-Scheduled-task-for-Trickbot-on-DC.txt

DC/2019-07-05-Windows-registry-update-for-Trickbot-on-DC.txt

DC/AppData/Roaming/44783m8uh77g8l8_nkubyhu5vfxxbh878xo6hlttkppzf28tsdu5kwppk_11c1jl.exe

DC/AppData/Roaming/diskram/44983o8uh99g8n8_pmubyhu7vfxxbh898xq8hnttmrrzf28tudu7mwrrm_11c1jn.exe

DC/AppData/Roaming/diskram/data/importDll64

DC/AppData/Roaming/diskram/data/injectDll64

DC/AppData/Roaming/diskram/data/injectDll64_configs/dinj

DC/AppData/Roaming/diskram/data/injectDll64_configs/dpost

DC/AppData/Roaming/diskram/data/injectDll64_configs/sinj

DC/AppData/Roaming/diskram/data/mailsearcher64

DC/AppData/Roaming/diskram/data/mailsearcher64_configs/mailconf

DC/AppData/Roaming/diskram/data/networkDll64

DC/AppData/Roaming/diskram/data/networkDll64_configs/dpost

DC/AppData/Roaming/diskram/data/NewBCtestnDll64

DC/AppData/Roaming/diskram/data/NewBCtestnDll64_configs/bcconfig2

DC/AppData/Roaming/diskram/data/psfin64

DC/AppData/Roaming/diskram/data/psfin64_configs/dpost

DC/AppData/Roaming/diskram/data/pwgrab64

DC/AppData/Roaming/diskram/data/pwgrab64_configs/dpost

DC/AppData/Roaming/diskram/data/shareDll64

DC/AppData/Roaming/diskram/data/systeminfo64

DC/AppData/Roaming/diskram/data/tabDll64

DC/AppData/Roaming/diskram/data/tabDll64_configs/dpost

DC/AppData/Roaming/diskram/data/wormDll64

DC/AppData/Roaming/diskram/settings.ini

DC/AppData/Roaming/diskram/TEXAFXCUj.exe

DC/AppData/Roaming/mslibrary/uetur.exe

DC/ProgramData/TEXAFVCSj.exe

DC/Windows/44783m8uh77g8l8_nkubyhu5vfxxbh878xo6hlttkppzf28tsdu5kwppk_11c1jl.exe

DC/Windows/lgwgf4lrucfcaa_vo6bqb08eo1nja1f4d_h2dnradrkw11hvguuphvk__7sg7rwb.exe

DC/Windows/System32/setup.exe

DC/Windows/SysWOW64/44783m8uh77g8l8_nkubyhu5vfxxbh878xo6hlttkppzf28tsdu5kwppk_11c1jl.exe

DC/Windows/SysWOW64/Tasks/44783m8uh77g8l8_nkubyhu5vfxxbh878xo6hlttkppzf28tsdu5kwppk_11c1jl.exe

client/2019-07-05-scheduled-task-for-Trickbot.txt

client/2019-07-05-Ursnif-EXE-retreived-by-Word-macro.exe

client/2019-07-05-Windows-registry-updates-for-Ursnif.txt

client/2019-07-05-Word-doc-with-macro-for-Ursnif.doc

client/AppData/Local/Temp/1076999.exe

client/AppData/Local/Temp/xhmealbjn.exe

client/AppData/Roaming/diskram/TEXAFVCCUj.exe

client/AppData/Roaming/mslibrary/data/importDll64

client/AppData/Roaming/mslibrary/data/injectDll64

client/AppData/Roaming/mslibrary/data/injectDll64_configs/dinj

client/AppData/Roaming/mslibrary/data/injectDll64_configs/dpost

client/AppData/Roaming/mslibrary/data/injectDll64_configs/sinj

client/AppData/Roaming/mslibrary/data/mailsearcher64

client/AppData/Roaming/mslibrary/data/mailsearcher64_configs/mailconf

client/AppData/Roaming/mslibrary/data/networkDll64

client/AppData/Roaming/mslibrary/data/networkDll64_configs/dpost

client/AppData/Roaming/mslibrary/data/psfin64

client/AppData/Roaming/mslibrary/data/psfin64_configs/dpost

client/AppData/Roaming/mslibrary/data/pwgrab64

client/AppData/Roaming/mslibrary/data/pwgrab64_configs/dpost

client/AppData/Roaming/mslibrary/data/shadnewDll64

client/AppData/Roaming/mslibrary/data/shadnewDll64_configs/dom

client/AppData/Roaming/mslibrary/data/shareDll64

client/AppData/Roaming/mslibrary/data/systeminfo64

client/AppData/Roaming/mslibrary/data/tabDll64

client/AppData/Roaming/mslibrary/data/tabDll64_configs/dpost

client/AppData/Roaming/mslibrary/data/wormDll64

client/AppData/Roaming/mslibrary/settings.ini

client/AppData/Roaming/mslibrary/uetur.exe

client/AppData/Roaming/mslibrary/TEXAFXCUj.exe

client/ProgramData/mslibrary/data/importDll64

client/ProgramData/mslibrary/data/injectDll64

client/ProgramData/mslibrary/data/injectDll64_configs/dinj

client/ProgramData/mslibrary/data/injectDll64_configs/dpost

client/ProgramData/mslibrary/data/injectDll64_configs/sinj

client/ProgramData/mslibrary/data/mailsearcher64

client/ProgramData/mslibrary/data/mailsearcher64_configs/mailconf

client/ProgramData/mslibrary/data/networkDll64

client/ProgramData/mslibrary/data/networkDll64_configs/dpost

client/ProgramData/mslibrary/data/psfin64

client/ProgramData/mslibrary/data/psfin64_configs/dpost

client/ProgramData/mslibrary/data/pwgrab64

client/ProgramData/mslibrary/data/pwgrab64_configs/dpost

client/ProgramData/mslibrary/data/shadnewDll64

client/ProgramData/mslibrary/data/shadnewDll64_configs/dom

client/ProgramData/mslibrary/data/shareDll64

client/ProgramData/mslibrary/data/systeminfo64

client/ProgramData/mslibrary/data/tabDll64

client/ProgramData/mslibrary/data/tabDll64_configs/dpost

client/ProgramData/mslibrary/data/wormDll62771184

client/ProgramData/mslibrary/settings.ini

client/ProgramData/mslibrary/uetur.exe

client/ProgramData/mslibrary/TEXAMOXcU.exe

client/ProgramData/TEXAFVCSj.exe

client/ProgramData/TEXAKMVcS.exe

Click here to return to the main page.