Rewterz Threat Alert – Threat Indicators – Ursnif/Gozi Malspam

Wednesday, March 6, 2019



Analysis Summary

The notable aspects of this campaign are the use of existing e-mail threads within compromised e-mail accounts to spread the malware, the use of an encrypted ZIP archive to shield a malicious Word document from inspection, and a polymorphic Ursnif payload: the hash of the downloaded Ursnif binary changes regularly.

When the document is opened, its AutoOpen VBA macro runs an encoded PowerShell command which downloads a binary (see Decoded-PS-1.png in the attachments).


Malware infection

Indicators of Compromise


  • v73adrian79[.]company
  • v73adrian79[.]company/hssuwpqksm/o.php?l=koagura9.bz2
  • z50rvfhcasandra[.]com
  • p26ui42annamarie[.]com
  • gefren1267[.]band


Email Address

  • support[@]thebloks[.]com
  • soccernews[@]challenger-soccer[.]com

Malware Hash (MD5/SHA1/SHA256)

  • 324dabe55bdbc0e4b13e16a258483a76
  • d6d0d94c72b187a7d3fc39eef4301c20fe2dd34f
  • f638665a11098a4da5849264c80a083bd4e278e6d7874d7e55ec13d8048aee02
  • bbd7c5a469a65ca1102888b1bd47f5f6
  • 6b49c392ce88a750e40571784f42e9f2226e8e29
  • 48a99d007f50db9e00f64cc4176618c619af0c48eab602c833db4277d4b215c7
  • 1b23d8e7b0fd32f85c7ba26d9c193cd1
  • 562067d3ff65d065e7a68102d3c6692e9670d64f
  • 249712f0652990a9dfa40e58399a01cc8b3954462c04f4d34d81d599b5b75f69


  • Block the threat indicators at your respective controls.
  • Always be suspicious of e-mails from unknown senders.
  • Never click links or open attachments sent by unrecognized senders.
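As an added example (not part of the Rewterz alert), the following Python script shows how a defender could operationalise this advisory: it refangs the network indicators listed above and matches them against log lines, and it flags process-creation events in which Word launches PowerShell with an encoded command, decoding the command so an analyst can read what the macro ran. Every log line and event in the script is a constructed sample; the event field names (parent_image, image, command_line) are an assumed Sysmon-style schema, not something the alert specifies.

```python
"""Defender-side checks for the Ursnif/Gozi malspam chain in this alert.

1. Refang the advisory's '[.]'-notation network IoCs and match them
   against proxy/DNS log lines.
2. Flag process events where Word spawns PowerShell with an encoded
   command, and decode that command for review.
All log lines and events here are constructed samples, not advisory data.
"""
from __future__ import annotations

import base64
import re
from urllib.parse import urlparse

# Network indicators copied from the advisory, defanged as published.
DEFANGED_IOCS = [
    "v73adrian79[.]company",
    "v73adrian79[.]company/hssuwpqksm/o.php?l=koagura9.bz2",
    "z50rvfhcasandra[.]com",
    "p26ui42annamarie[.]com",
    "gefren1267[.]band",
]


def refang(indicator: str) -> str:
    """Turn the published '[.]' / 'hxxp' forms back into matchable text."""
    return indicator.replace("[.]", ".").replace("hxxp", "http").lower()


def ioc_domains() -> set[str]:
    """Hostnames drawn from both the bare-domain and the URL indicators."""
    # urlparse only yields a hostname when a scheme is present
    return {urlparse("http://" + refang(i)).hostname for i in DEFANGED_IOCS}


def match_network_logs(lines: list[str]) -> list[tuple[int, str]]:
    """(line number, host) for each log line naming an IoC host.

    Subdomains of an IoC host match; lookalikes such as 'notgefren1267.band'
    do not, because the host may not be preceded by a label character.
    """
    hits = []
    for n, line in enumerate(lines, start=1):
        lower = line.lower()
        for host in sorted(ioc_domains()):
            if re.search(r"(?<![\w-])" + re.escape(host) + r"(?![\w-])", lower):
                hits.append((n, host))
    return hits


# PowerShell accepts any unambiguous prefix of -EncodedCommand; these are
# the spellings most often seen in telemetry.
ENCODED_FLAG = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)",
                          re.IGNORECASE)


def decode_encoded_command(cmdline: str) -> str | None:
    """Plaintext of a -EncodedCommand argument, or None if absent/invalid."""
    m = ENCODED_FLAG.search(cmdline)
    if not m:
        return None
    try:
        # PowerShell base64-encodes the script as UTF-16LE
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def suspicious_office_children(events: list[dict]) -> list[dict]:
    """Flag events where WINWORD.EXE spawns PowerShell with an encoded command.

    Field names are an assumed Sysmon-style schema, not from the advisory.
    """
    findings = []
    for ev in events:
        parent = ev.get("parent_image", "").lower().rsplit("\\", 1)[-1]
        image = ev.get("image", "").lower().rsplit("\\", 1)[-1]
        if parent == "winword.exe" and image == "powershell.exe":
            decoded = decode_encoded_command(ev.get("command_line", ""))
            if decoded is not None:
                findings.append({**ev, "decoded_command": decoded})
    return findings


def encode_for_powershell(script: str) -> str:
    """Base64(UTF-16LE), as PowerShell expects; used to build the sample event."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed sample telemetry (not from the advisory).
SAMPLE_SCRIPT = "Write-Output 'constructed sample'"
SAMPLE_PROXY_LOG = [
    "2019-03-06T09:12:01Z client=10.0.0.15 GET http://v73adrian79.company/hssuwpqksm/o.php?l=koagura9.bz2 200",
    "2019-03-06T09:12:05Z client=10.0.0.15 GET https://www.example.org/index.html 200",
    "2019-03-06T09:13:44Z client=10.0.0.22 DNS query gefren1267.band A",
    "2019-03-06T09:14:00Z client=10.0.0.22 GET http://notgefren1267.band/ 404",
]
SAMPLE_EVENTS = [
    {"parent_image": r"C:\Program Files\Microsoft Office\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe -NoP -w hidden -enc " + encode_for_powershell(SAMPLE_SCRIPT)},
    {"parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe -ExecutionPolicy Bypass -File C:\\tools\\backup.ps1"},
]

if __name__ == "__main__":
    for n, host in match_network_logs(SAMPLE_PROXY_LOG):
        print(f"IoC hit on log line {n}: {host}")
    for f in suspicious_office_children(SAMPLE_EVENTS):
        print("Word -> encoded PowerShell:", f["decoded_command"])
```

The host match deliberately allows subdomains of a listed domain while rejecting strings that merely end in one, and the decoder treats anything that is not valid base64 UTF-16LE as "no encoded command" rather than raising, so a malformed command line cannot crash the check.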
