Analysis and Deobfuscation of Malicious VBScript URSnif Dropper

Introduction

On June 25, 2020, I came across the following Tweet posted by @ps66uk:

emails have an originating IP of 165.138.96.21 WHOIS: Indiana Department of Education @EducateIN pic.twitter.com/6MNjTOmQZz
— ps66uk (@ps66uk) June 25, 2020

It appears that the victims received a phishing email with a link to download a ZIP file through Firefox Send. Upon downloading […]