The sub-techniques beta is now live! Read the release blog post for more info.


Ursnif is a banking trojan and variant of the Gozi malware observed being spread through various automated exploit kits, Spearphishing Attachments, and malicious links.[1][2] Ursnif is associated primarily with data theft, but variants also include components (backdoors, spyware, file injectors, etc.) capable of a wide variety of behaviors.[3]

ID: S0386
Associated Software: Gozi-ISFB, PE_URSNIF, Dreambot
Platforms: Windows
Version: 1.1
Created: 04 June 2019
Last Modified: 15 October 2019

Associated Software Descriptions

Name Description
Gozi-ISFB [7][2]
Dreambot [1][2]

Techniques Used

Domain ID Name Use
Enterprise T1175 Component Object Model and Distributed COM

Ursnif droppers have used COM objects to execute the malware's full executable payload.[8]

Enterprise T1090 Connection Proxy

Ursnif has used a peer-to-peer (P2P) network for C2.[1][2]

Enterprise T1094 Custom Command and Control Protocol

Ursnif has used a custom packet format over TCP and UDP for a peer-to-peer (P2P) network for C2.[2]

Enterprise T1132 Data Encoding

Ursnif has used encoded data in HTTP URLs for C2. [2]

Enterprise T1005 Data from Local System

Ursnif has collected files from victim machines, including certificates and cookies.[4]

Enterprise T1074 Data Staged

Ursnif has used tmp files to stage gathered information.[3]

Enterprise T1140 Deobfuscate/Decode Files or Information

Ursnif has used crypto key information stored in the Registry to decrypt Tor clients dropped to disk.[2]

Enterprise T1483 Domain Generation Algorithms

Ursnif has used a DGA to generate domain names for C2.[2]

Enterprise T1106 Execution through API

Ursnif has used CreateProcessW to create child processes.[7]

Enterprise T1107 File Deletion

Ursnif has deleted data staged in tmp files after exfiltration.[3]

Enterprise T1143 Hidden Window

Ursnif droppers have used COM properties to execute malware in hidden windows.[8]

Enterprise T1179 Hooking

Ursnif has hooked APIs to perform a wide variety of information theft, such as monitoring traffic from browsers.[3]

Enterprise T1185 Man in the Browser

Ursnif has injected HTML codes into banking sites to steal sensitive online banking information (ex: usernames and passwords).[4]

Enterprise T1036 Masquerading

Ursnif has used strings from legitimate system files and existing folders for its file, folder, and Registry entry names.[3]

Enterprise T1112 Modify Registry

Ursnif has used Registry modifications as part of its installation routine.[4][2]

Enterprise T1188 Multi-hop Proxy

Ursnif has used Tor for C2.[1][2]

Enterprise T1050 New Service

Ursnif has registered itself as a system service in the Registry for automatic execution at system startup.[6]

Enterprise T1027 Obfuscated Files or Information

Ursnif has used an XOR-based algorithm to encrypt Tor clients dropped to disk. Ursnif droppers have also been delivered as password-protected zip files that execute base64 encoded PowerShell commands.[2][8]

Enterprise T1086 PowerShell

Ursnif droppers have used PowerShell in download cradles to download and execute the malware's full executable payload.[8]

Enterprise T1057 Process Discovery

Ursnif has gathered information about running processes.[3][4]

Enterprise T1093 Process Hollowing

Ursnif has used process hollowing to inject into child processes.[7]

Enterprise T1055 Process Injection

Ursnif has injected code into target processes via thread local storage callbacks.[3][6][7]

Enterprise T1012 Query Registry

Ursnif has used Reg to query the Registry for installed programs.[3][4]

Enterprise T1060 Registry Run Keys / Startup Folder

Ursnif has used Registry Run keys to establish automatic execution at system startup.[6][4]

Enterprise T1105 Remote File Copy

Ursnif has dropped payload and configuration files to disk. Ursnif has also been used to download and execute additional payloads.[6][4]

Enterprise T1091 Replication Through Removable Media

Ursnif has copied itself to and infected removable drives for propagation.[3][5]

Enterprise T1113 Screen Capture

Ursnif has used hooked APIs to take screenshots.[3][4]

Enterprise T1064 Scripting

Ursnif droppers have used VBA macros and PowerShell to download and execute the malware's full executable payload.[8]

Enterprise T1071 Standard Application Layer Protocol

Ursnif has used HTTPS for C2 as well as HTTP POSTs to exfil gathered information.[3][7][2]

Enterprise T1082 System Information Discovery

Ursnif has used Systeminfo to gather system information.[3]

Enterprise T1007 System Service Discovery

Ursnif has gathered information about running services.[3]

Enterprise T1080 Taint Shared Content

Ursnif has copied itself to and infected files in network drives for propagation.[3][5]

Enterprise T1497 Virtualization/Sandbox Evasion

Ursnif has used a 30 minute delay after execution to evade sandbox monitoring tools.[5]

Enterprise T1047 Windows Management Instrumentation

Ursnif droppers have used WMI classes to execute PowerShell commands.[8]