Win32/Spy.Ursnif [Threat Name] go to Threat

Win32/Spy.Ursnif.AM [Threat Variant Name]

Category trojan
Size 892512 B
Aliases TR/AD.Ursnif.ylxp (Avira)
  Trojan.Inject2.26490 (Dr.Web)
Short description

Win32/Spy.Ursnif.AM serves as a backdoor. It can be controlled remotely. The trojan collects various sensitive information. The trojan attempts to send gathered information to a remote machine. The file is run-time compressed using RAR SFX .


When executed, the trojan creates the following files:

  • %temp%\­RarSFX%number1%\­b.dll (535040 B, Win32/Spy.Ursnif.AO)

The following files are dropped in the same folder:

  • __tmp_rar_sfx_access_check_%number2%
  • b.rar
  • c.bat
  • ch.ico
  • u.exe

A variable numerical value is used instead of %number1-2% .

The trojan executes the following commands:

  • u.exe e -p6tygudyjf b.rar
  • rundll32 b.dll, DllRegisterServer
  • del /f /q u.exe
  • del /f /q b.rar
  • del /f /q c.bat

The trojan creates copies of the following files (source, destination):

  • %temp%\­RarSFX%number1%\­b.dll, %appdata%\­%variable1%\­%variable2%.dll

In order to be executed on every system start, the trojan sets the following Registry entry:

  • [HKEY_CURRENT_USER\­Software\­Microsoft\­Windows\­RurrentVersion\­Run]
    • "%variable3%" = ""rundll32 %appdata%\­%variable1%\­%variable2%.dll",DllRegisterServer"

A string with variable content is used instead of %variable1-3% .

The following Registry entries are set:

  • [HKEY_LOCAL_MACHINE\­SYSTEM\­CurrentControlSet\­Control\­Session Manager]
    • "PendingFileRenameOperations" = "\­??\­%temp%\­RarSFX%number1%\­b.dll"

The trojan creates and runs a new thread with its own program code within the following processes:

  • explorer.exe
  • svchost.exe
Information stealing

The trojan collects various sensitive information.

The trojan is able to log keystrokes.

The trojan gathers sensitive information from processes which contain any of the following strings in their path:

  • java
  • javaw
  • jp2launcher
  • translink
  • bitcoin-qt
  • litecoin-qt
  • multibit
  • ecbl-lcl
  • -lbp
  • ecbl-cnce
  • ecbl-sg
  • ecbl-nxbp
  • dikeutil
  • elba5
  • ArubaSign
  • atlante
  • bit4pin
  • BLine
  • boni
  • busnet
  • ClientConfig
  • DVWIN32
  • Egisto
  • ev11w
  • fcmt
  • Fibu
  • FirmaVerifica
  • foe32
  • Inazienda2
  • inazloader
  • iTeleportConnect
  • kassa
  • KeePass
  • legalSign
  • Lohn
  • NBPayments
  • newfedra
  • NGClient
  • OEBMCC32
  • OEBMCL32
  • OlimpoClickYes
  • oseTokenServer
  • PaymMaster
  • Payroll
  • pigc
  • rclient
  • SAP Business One
  • sfirm
  • sfmain
  • sigla32
  • SIManager
  • SiscMaster
  • sleipnir
  • svnet
  • UniStream
  • VRNetWorld
  • wruncbl
  • sbmanager
  • ifrun60
  • palemoon
  • etaban
  • werfault
  • sbddesktop
  • treasurypaymentfilegeneration
  • launcher
  • PinManager
  • OppioForInternetBanking
  • crtmgr

The trojan collects the following information:

  • logged keystrokes
  • digital certificates
  • cookies
  • information about the operating system and system settings
  • e-mail addresses

The trojan can send gathered information to a remote machine.

Other information

The trojan acquires data and commands from a remote computer or the Internet.

The trojan contains a URL address. The trojan generates various IP addresses.

The HTTP, Kademlia protocol is used in the communication.

It can execute the following operations:

  • download files from a remote computer and/or the Internet
  • run executable files
  • various file system operations
  • send requested files
  • create Registry entries
  • delete Registry entries
  • capture webcam video/voice
  • capture screenshots
  • remove itself from the infected computer
  • shut down/restart the computer
  • send gathered information

The trojan may create and run a new thread with its own program code within any running process.

The trojan may hook selected Windows APIs.

The trojan is generally spread through spam emails that include malicious code in the attachment.

Please enable Javascript to ensure correct displaying of this content and refresh this page.