title: Ursnif Malware Download URL Pattern
id: a36ce77e-30db-4ea0-8795-644d7af5dfb4
status: stable
description: Detects download of Ursnif malware done by dropper documents.
author: Thomas Patzke
date: 2019/12/19
modified: 2020/11/28
logsource:
    category: proxy
detection:
    selection:
        c-uri|contains|all:
            - '/'
            - '.php?l='
        c-uri|endswith: '.cab'
        sc-status: 200
    condition: selection
fields:
    - c-ip
    - c-uri
    - sc-bytes
    - c-ua
falsepositives:
    - Unknown
level: critical
---
title: Ursnif Malware C2 URL Pattern
id: 932ac737-33ca-4afd-9869-0d48b391fcc9
status: stable
description: Detects Ursnif C2 traffic.
references:
    - https://www.fortinet.com/blog/threat-research/ursnif-variant-spreading-word-document.html
author: Thomas Patzke
logsource:
    category: proxy
detection:
    b64encoding:
        c-uri|contains:
            - "_2f"
            - "_2b"
    urlpatterns:
        c-uri|contains|all:
            - ".avi"
            - "/images/"
    condition: b64encoding and urlpatterns
fields:
    - c-ip
    - c-uri
    - sc-bytes
    - c-ua
falsepositives:
    - Unknown
level: critical
tags:
    - attack.initial_access
    - attack.t1566.001
    - attack.t1193  # an old one
    - attack.execution
    - attack.t1204.002
    - attack.t1204  # an old one
    - attack.command_and_control
    - attack.t1071.001
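The following is an added example, not part of the Sigma rule file or the Sigma project: a stand-alone Python re-implementation of both rules' matching logic, run over a handful of constructed proxy log lines so the `contains|all`, `contains` (any-of) and `endswith` modifiers and the `b64encoding and urlpatterns` condition can be checked offline. Sigma string matching is case-insensitive by default, so the helpers lowercase both sides. The `_2f`/`_2b` strings are the percent-encodings of `/` and `+` written with `_` in place of `%`, which is why the selection is named `b64encoding`. The log line format (space-separated `c-ip c-uri sc-status sc-bytes c-ua`), the `ProxyEvent` class and the `example.invalid` hostnames are assumptions made for this example; adapt `parse_line` to your proxy's actual format.

```python
"""Re-implementation of the two Ursnif proxy-log Sigma rules (constructed example).

Assumed log format, one event per line: c-ip c-uri sc-status sc-bytes c-ua...
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class ProxyEvent:
    c_ip: str
    c_uri: str
    sc_status: int
    sc_bytes: int
    c_ua: str


def parse_line(line: str) -> ProxyEvent:
    """Parse one line of the assumed format; the user agent may contain spaces."""
    ip, uri, status, nbytes, *ua = line.split()
    return ProxyEvent(ip, uri, int(status), int(nbytes), " ".join(ua))


# Sigma modifier semantics used by the rules (case-insensitive by default).
def contains_all(value: str, needles) -> bool:
    v = value.lower()
    return all(n.lower() in v for n in needles)


def contains_any(value: str, needles) -> bool:
    v = value.lower()
    return any(n.lower() in v for n in needles)


def ends_with(value: str, suffix: str) -> bool:
    return value.lower().endswith(suffix.lower())


def ursnif_download(ev: ProxyEvent) -> bool:
    """Rule a36ce77e...: '/' and '.php?l=' in the URI, URI ends in '.cab', HTTP 200."""
    return (contains_all(ev.c_uri, ["/", ".php?l="])
            and ends_with(ev.c_uri, ".cab")
            and ev.sc_status == 200)


def ursnif_c2(ev: ProxyEvent) -> bool:
    """Rule 932ac737...: condition is 'b64encoding and urlpatterns'."""
    b64encoding = contains_any(ev.c_uri, ["_2f", "_2b"])
    urlpatterns = contains_all(ev.c_uri, [".avi", "/images/"])
    return b64encoding and urlpatterns


def scan(lines):
    """Return (rule title, fields dict) for every line that matches a rule.

    The fields dict carries exactly the 'fields' the rules ask to be reported.
    """
    hits = []
    for line in lines:
        ev = parse_line(line)
        fields = {"c-ip": ev.c_ip, "c-uri": ev.c_uri,
                  "sc-bytes": ev.sc_bytes, "c-ua": ev.c_ua}
        if ursnif_download(ev):
            hits.append(("Ursnif Malware Download URL Pattern", fields))
        if ursnif_c2(ev):
            hits.append(("Ursnif Malware C2 URL Pattern", fields))
    return hits


# Constructed sample traffic; hosts, paths and clients are made up for this example.
SAMPLE_LOG = [
    "10.0.0.5 http://example.invalid/files/get.php?l=payload.cab 200 81234 Mozilla/4.0",
    "10.0.0.5 http://example.invalid/files/get.php?l=payload.cab 404 512 Mozilla/4.0",   # wrong status
    "10.0.0.7 http://example.invalid/images/aGVsbG8_2Fd29ybGQ_2B.avi 200 2048 Mozilla/4.0",
    "10.0.0.8 http://example.invalid/images/banner.avi 200 2048 Mozilla/4.0",            # no _2f/_2b
    "10.0.0.9 http://example.invalid/index.php?l=en 200 3000 Mozilla/4.0",               # not .cab
]

if __name__ == "__main__":
    for title, fields in scan(SAMPLE_LOG):
        print(title, fields)
```

Only the first and third sample lines match: the second fails on `sc-status`, the fourth lacks the encoded `/` or `+`, and the fifth does not end in `.cab`. Lowering `.cab` or `.avi` into the query string rather than the path is a common way such patterns drift, so compare the field your proxy actually logs as `c-uri` (full URL versus path only) with what the rule expects before deploying.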