title: Ursnif Malware Download URL Pattern
id: a36ce77e-30db-4ea0-8795-644d7af5dfb4
status: stable
description: Detects download of Ursnif malware done by dropper documents.
author: Thomas Patzke
date: 2019/12/19
modified: 2020/09/03
logsource:
  category: proxy
detection:
  selection:
    c-uri: '*/*.php?l=*.cab'
    sc-status: 200
  condition: selection
fields:
  - c-ip
  - c-uri
  - sc-bytes
  - c-ua
falsepositives:
    - Unknown
level: critical
---
title: Ursnif Malware C2 URL Pattern
id: 932ac737-33ca-4afd-9869-0d48b391fcc9
status: stable
description: Detects Ursnif C2 traffic.
references:
  - https://www.fortinet.com/blog/threat-research/ursnif-variant-spreading-word-document.html
author: Thomas Patzke
logsource:
  category: proxy
detection:
  b64encoding:
    c-uri:
      - "*_2f*"
      - "*_2b*"
  urlpatterns:
    c-uri|all:
      - "*.avi"
      - "*/images/*"
  condition: b64encoding and urlpatterns
fields:
  - c-ip
  - c-uri
  - sc-bytes
  - c-ua
falsepositives:
  - Unknown
level: critical
tags:
    - attack.initial_access
    - attack.t1566.001
    - attack.t1193  # an old one
    - attack.execution
    - attack.t1204.002
    - attack.t1204  # an old one
    - attack.command_and_control
    - attack.t1071.001