SigmaHQ/rules/proxy/proxy_ursnif_malware_download_url.yml

title: Ursnif Malware Download URL Pattern
id: a36ce77e-30db-4ea0-8795-644d7af5dfb4
status: stable
description: Detects download of Ursnif malware done by dropper documents.
author: Thomas Patzke
date: 2019/12/19
modified: 2021/08/09
logsource:
  category: proxy
detection:
  selection:
    c-uri|contains|all: 
      - '/'
      - '.php?l='
    c-uri|endswith: '.cab'
    sc-status: 200
  condition: selection
fields:
  - c-ip
  - c-uri
  - sc-bytes
  - c-ua
falsepositives:
    - Unknown
level: critical
$frack113$ Split PR 1802 fix net rules 2021-08-09 15:23:15 +00:00			`title: Ursnif Malware Download URL Pattern`
			`id: a36ce77e-30db-4ea0-8795-644d7af5dfb4`
			`status: stable`
			`description: Detects download of Ursnif malware done by dropper documents.`
			`author: Thomas Patzke`
			`date: 2019/12/19`
			`modified: 2021/08/09`
			`logsource:`
			`category: proxy`
			`detection:`
			`selection:`
			`c-uri\|contains\|all:`
			`- '/'`
			`- '.php?l='`
			`c-uri\|endswith: '.cab'`
			`sc-status: 200`
			`condition: selection`
			`fields:`
			`- c-ip`
			`- c-uri`
			`- sc-bytes`
			`- c-ua`
			`falsepositives:`
			`- Unknown`
			`level: critical`