Live Active security incident? Get immediate response
MITRE ATT&CK® Malware

S0386: Ursnif

Ursnif is a banking trojan and variant of the Gozi malware observed being spread through various automated exploit kits, Spearphishing Attachments, and malicious links.[1][2] Ursnif is associated primarily with data theft, but variants also include components (backdoors, spyware, file injectors, etc.) capable of a wide variety of behaviors.[3]

EnterpriseS0386MalwareObject v1.5 Modified
Discuss defensive coverage Back to ATT&CK
Glexia's Take

Analyst context for executives and security teams

Analyst confidence High

Ursnif matters because ATT&CK describes it as a Windows banking trojan associated primarily with data theft, with variants that can include backdoor, spyware, and file-injection capabilities. For leaders, the practical issue is not just “malware detection”; it is whether email-delivered or exploit-kit-delivered malware can collect credentials and local data, communicate over web traffic, stage and exfiltrate information, and hide through obfuscation or process injection before responders have enough evidence to scope the incident.

Executive priority

Prioritize Ursnif-related readiness where Windows endpoints, email-based delivery risk, credential theft, and sensitive local data exposure would create business disruption or audit concern. Executives should ask whether the organization can prove coverage across prevention, endpoint telemetry, web/C2 monitoring, credential-access investigation, and incident response scoping. Because TA551 is documented as using Ursnif and is described as financially motivated and email-focused, security leaders should also validate phishing resilience and malware triage workflows without assuming current exposure or activity.

Technical view

SOC and IR teams should validate Windows-focused visibility across the behaviors ATT&CK relates to Ursnif: registry and service discovery, process and system discovery, PowerShell and Visual Basic execution, WMI abuse, process injection including TLS callback injection and process hollowing, credential API hooking, local data collection/staging, web-protocol C2, proxy or multi-hop proxy use, ingress tool transfer, exfiltration over C2, file deletion, removable media replication, and tainted shared content. MITRE provides no official detection text for this malware object, so detections should be behavior-led using the related techniques rather than relying only on static malware names or signatures.

Likely telemetry

  • Windows endpoint process creation and command-line telemetry, including PowerShell, Visual Basic, WMI, service-query, process-query, and registry-query activity
  • Endpoint detection telemetry for process injection, suspicious memory behavior, process hollowing indicators, and TLS callback-related execution where available
  • Windows Registry access and modification events relevant to discovery, masquerading, and persistence-like investigation context
  • File system telemetry for local data staging, encoded or encrypted files, dropped tools, deletion activity, and files placed in trusted-looking paths or shared locations
  • Credential-access telemetry where available, including API hooking or suspicious access to authentication-related processes/functions

Detection direction

  • Build coverage around ATT&CK behaviors related to Ursnif rather than the malware name alone, because the object notes multiple variants and components with a wide variety of behaviors.
  • Correlate email delivery indicators with post-delivery Windows execution, especially script execution, WMI activity, registry/service/process discovery, and unexpected child processes from user-facing applications.
  • Tune for suspicious discovery sequences on Windows endpoints, but account for administrative tools and software inventory products that may legitimately query services, processes, registry keys, and system information.
  • Hunt for process-injection and process-hollowing patterns paired with outbound web traffic, file staging, or credential-access signals; these combinations are more useful than any single noisy event.
  • Validate network monitoring for web-protocol C2 and proxy behavior, recognizing that malicious traffic may blend with normal HTTP/S activity and that multi-hop proxying can obscure infrastructure attribution.

Mitigation priorities

  • Start with phishing and malicious-link controls, attachment detonation, user reporting, and email investigation workflows because ATT&CK describes Ursnif distribution through spearphishing attachments and malicious links.
  • Harden Windows endpoints against script, WMI, and unauthorized process activity using least privilege, application control, and script-execution governance appropriate to the business environment.
  • Strengthen credential protection and monitoring because related behavior includes Credential API Hooking and the malware is associated with data theft.
  • Ensure EDR and centralized logging capture process, registry, file, memory-behavior, and network evidence needed for scoping, not just blocking alerts.
  • Segment and monitor sensitive data locations, shared storage, and removable-media pathways where related techniques such as local data staging, tainted shared content, and removable-media replication are relevant.
Analyst notes and limits

This take is based only on the supplied ATT&CK S0386 fields, references, and relationships. The strongest defensive value comes from mapping Ursnif to its related behaviors: Windows execution and discovery, credential collection, evasion, C2 over web protocols, staging, and exfiltration. The official object does not specify tactics directly and does not provide official detection guidance, so local control validation should be technique-based.

The supplied ATT&CK object does not include official detection text, aliases, labels, or direct indicators of compromise. It identifies Windows as the platform for Ursnif, while some related techniques list broader platforms; this summary treats Ursnif readiness as Windows-centered and uses non-Windows platform references only as technique context. No claim is made about active exploitation, current campaigns, customer exposure, or guaranteed detection.

Official MITRE ATT&CK definition

Ursnif

Ursnif is a banking trojan and variant of the Gozi malware observed being spread through various automated exploit kits, Spearphishing Attachments, and malicious links.[1][2] Ursnif is associated primarily with data theft, but variants also include components (backdoors, spyware, file injectors, etc.) capable of a wide variety of behaviors.[3]

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

35 rows
Domain ID Name Relationship / procedure
Enterprise T1007 System Service Discovery

Ursnif has gathered information about running services.[3]
Enterprise T1547.001 Registry Run Keys / Startup Folder Sub-technique

Ursnif has used Registry Run keys to establish automatic execution at system startup.CitationTrendMicro PE_URSNIF.A2CitationTrendMicro BKDR_URSNIF.SM
Enterprise T1105 Ingress Tool Transfer

Ursnif has dropped payload and configuration files to disk. Ursnif has also been used to download and execute additional payloads.CitationTrendMicro PE_URSNIF.A2CitationTrendMicro BKDR_URSNIF.SM
Enterprise T1027.013 Encrypted/Encoded File Sub-technique

Ursnif has used an XOR-based algorithm to encrypt Tor clients dropped to disk.[2] Ursnif droppers have also been delivered as password-protected zip files that execute base64 encoded PowerShell commands.CitationBromium Ursnif Mar 2017
Enterprise T1090.003 Multi-hop Proxy Sub-technique

Ursnif has used Tor for C2.[1][2]
Enterprise T1074.001 Local Data Staging Sub-technique

Ursnif has used tmp files to stage gathered information.[3]
Enterprise T1106 Native API

Ursnif has used CreateProcessW to create child processes.[4]
Enterprise T1497.003 Time Based Checks Sub-technique

Ursnif has used a 30 minute delay after execution to evade sandbox monitoring tools.CitationTrendMicro Ursnif File Dec 2014
Enterprise T1559.001 Component Object Model Sub-technique

Ursnif droppers have used COM objects to execute the malware's full executable payload.CitationBromium Ursnif Mar 2017
Enterprise T1056.004 Credential API Hooking Sub-technique

Ursnif has hooked APIs to perform a wide variety of information theft, such as monitoring traffic from browsers.[3]
Enterprise T1057 Process Discovery

Ursnif has gathered information about running processes.[3]CitationTrendMicro BKDR_URSNIF.SM
Enterprise T1041 Exfiltration Over C2 Channel

Ursnif has used HTTP POSTs to exfil gathered information.[3][4][2]
Enterprise T1132 Data Encoding

Ursnif has used encoded data in HTTP URLs for C2.[2]
Enterprise T1055.005 Thread Local Storage Sub-technique

Ursnif has injected code into target processes via thread local storage callbacks.[3]CitationTrendMicro PE_URSNIF.A2[4]
Enterprise T1140 Deobfuscate/Decode Files or Information

Ursnif has used crypto key information stored in the Registry to decrypt Tor clients dropped to disk.[2]
Enterprise T1036.005 Match Legitimate Resource Name or Location Sub-technique

Ursnif has used strings from legitimate system files and existing folders for its file, folder, and Registry entry names.[3]
Enterprise T1005 Data from Local System

Ursnif has collected files from victim machines, including certificates and cookies.CitationTrendMicro BKDR_URSNIF.SM
Enterprise T1027.010 Command Obfuscation Sub-technique

Ursnif droppers execute base64 encoded PowerShell commands.CitationBromium Ursnif Mar 2017
Enterprise T1113 Screen Capture

Ursnif has used hooked APIs to take screenshots.[3]CitationTrendMicro BKDR_URSNIF.SM
Enterprise T1543.003 Windows Service Sub-technique

Ursnif has registered itself as a system service in the Registry for automatic execution at system startup.CitationTrendMicro PE_URSNIF.A2
Enterprise T1059.001 PowerShell Sub-technique

Ursnif droppers have used PowerShell in download cradles to download and execute the malware's full executable payload.CitationBromium Ursnif Mar 2017
Enterprise T1071.001 Web Protocols Sub-technique

Ursnif has used HTTPS for C2.[3][4][2]
Enterprise T1070.004 File Deletion Sub-technique

Ursnif has deleted data staged in tmp files after exfiltration.[3]
Enterprise T1012 Query Registry

Ursnif has used Reg to query the Registry for installed programs.[3]CitationTrendMicro BKDR_URSNIF.SM
Enterprise T1112 Modify Registry

Ursnif has used Registry modifications as part of its installation routine.CitationTrendMicro BKDR_URSNIF.SM[2]
Enterprise T1568.002 Domain Generation Algorithms Sub-technique

Ursnif has used a DGA to generate domain names for C2.[2]
Enterprise T1059.005 Visual Basic Sub-technique

Ursnif droppers have used VBA macros to download and execute the malware's full executable payload.CitationBromium Ursnif Mar 2017
Enterprise T1082 System Information Discovery

Ursnif has used Systeminfo to gather system information.[3]
Enterprise T1090 Proxy

Ursnif has used a peer-to-peer (P2P) network for C2.[1][2]
Enterprise T1047 Windows Management Instrumentation

Ursnif droppers have used WMI classes to execute PowerShell commands.CitationBromium Ursnif Mar 2017
Enterprise T1055.012 Process Hollowing Sub-technique

Ursnif has used process hollowing to inject into child processes.[4]
Enterprise T1185 Browser Session Hijacking

Ursnif has injected HTML codes into banking sites to steal sensitive online banking information (ex: usernames and passwords).CitationTrendMicro BKDR_URSNIF.SM
Enterprise T1080 Taint Shared Content

Ursnif has copied itself to and infected files in network drives for propagation.[3]CitationTrendMicro Ursnif File Dec 2014
Enterprise T1091 Replication Through Removable Media

Ursnif has copied itself to and infected removable drives for propagation.[3]CitationTrendMicro Ursnif File Dec 2014
Enterprise T1564.003 Hidden Window Sub-technique

Ursnif droppers have used COM properties to execute malware in hidden windows.CitationBromium Ursnif Mar 2017
Associated objects

Groups, software, and campaigns

Group Enterprise

G0127: TA551

TA551 is a financially-motivated threat group that has been active since at least 2018. [1] The group has primarily targeted English, German, Italian, and Japanese speakers through email-based malware distribution campaigns. [2]

Relationship explorer

All related ATT&CK context

uses · Technique T1007: System Service Discovery Enterprise uses · Technique T1547.001: Registry Run Keys / Startup Folder Enterprise uses · Technique T1105: Ingress Tool Transfer Enterprise uses · Technique T1027.013: Encrypted/Encoded File Enterprise uses · Technique T1090.003: Multi-hop Proxy Enterprise uses · Technique T1074.001: Local Data Staging Enterprise uses · Technique T1106: Native API Enterprise uses · Technique T1497.003: Time Based Checks Enterprise uses · Technique T1559.001: Component Object Model Enterprise uses · Technique T1056.004: Credential API Hooking Enterprise uses · Technique T1057: Process Discovery Enterprise uses · Technique T1041: Exfiltration Over C2 Channel Enterprise uses · Technique T1132: Data Encoding Enterprise uses · Technique T1055.005: Thread Local Storage Enterprise uses · Technique T1140: Deobfuscate/Decode Files or Information Enterprise uses · Technique T1036.005: Match Legitimate Resource Name or Location Enterprise uses · Technique T1005: Data from Local System Enterprise uses · Technique T1027.010: Command Obfuscation Enterprise uses · Technique T1113: Screen Capture Enterprise uses · Technique T1543.003: Windows Service Enterprise uses · Technique T1059.001: PowerShell Enterprise uses · Technique T1071.001: Web Protocols Enterprise uses · Technique T1070.004: File Deletion Enterprise uses · Technique T1012: Query Registry Enterprise
Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .

ATT&CK release
19.1
Object version
1.5
Created
Modified
Raw hash
01b386732b43a84b...
Imported snapshots across ATT&CK releases (1)
Release Bundle imported Object version Modified Status Raw hash
19.1 1.5 Current bundle 01b386732b43…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Open mirrored raw JSON Open MITRE-hosted copy
Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1]
    NJCCIC Ursnif Sept 2016

    NJCCIC. (2016, September 27). Ursnif. Retrieved September 12, 2024.

    Open source URL
  2. [2]
    ProofPoint Ursnif Aug 2016

    Proofpoint Staff. (2016, August 25). Nightmare on Tor Street: Ursnif variant Dreambot adds Tor functionality. Retrieved June 5, 2019.

    Open source URL
  3. [3]
    TrendMicro Ursnif Mar 2015

    Caragay, R. (2015, March 26). URSNIF: The Multifaceted Malware. Retrieved June 5, 2019.

    Open source URL
  4. [4]
    FireEye Ursnif Nov 2017

    Vaish, A. & Nemes, S. (2017, November 28). Newly Observed Ursnif Variant Employs Malicious TLS Callback Technique to Achieve Process Injection. Retrieved June 5, 2019.

    Open source URL
  5. [5]
    Dreambot

    (Citation: NJCCIC Ursnif Sept 2016)(Citation: ProofPoint Ursnif Aug 2016)

  6. [6]
    Gozi-ISFB

    (Citation: FireEye Ursnif Nov 2017)(Citation: ProofPoint Ursnif Aug 2016)

  7. [7]
    PE_URSNIF

    (Citation: TrendMicro Ursnif Mar 2015)

  8. [8]
    Ursnif

    (Citation: NJCCIC Ursnif Sept 2016)

  9. [9]
    mitre-attack S0386
    Open source URL
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.

Official MITRE ATT&CK site Official STIX data repository MITRE ATT&CK terms of use