The malware analyst Karsten Hahn recently published a very interesting video analyzing a sample of the well-known Ursnif malware.
Ursnif is a banking trojan and variant of the Gozi malware observed being spread through various automated exploit kits, spearphishing attacks and malicious links.

Hahn analyzed a specific variant of the malware:

Gozi is delivered via SEO poisoning of malicious websites and delivered as JScript in a ZIP archive, often disguised as an important document. After installation it is fileless, using the registry to reside in and inject the payload into legitimate processes. We analyze a Gozi sample and statically unpack the various stages of the infection chain.

The video

https://www.youtube.com/watch?v=BcFbkjUVc7o

Used tools