SigmaHQ/rules/proxy/proxy_ursnif_malware_download_url.yml

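# Sigma rule: proxy-log detection for the Ursnif second-stage download.
#
# Structure fix: in the original the child keys of `logsource` and `detection`
# sat at column 0, which a YAML parser reads as `logsource: null`,
# `detection: null` and a flat set of top-level keys - the rule would not
# compile. Re-indented to SigmaHQ's 4-space convention.
title: Ursnif Malware Download URL Pattern
id: a36ce77e-30db-4ea0-8795-644d7af5dfb4
status: stable
description: Detects download of Ursnif malware done by dropper documents.
author: Thomas Patzke
date: 2019/12/19
modified: 2021/08/09
# NOTE(review): no `references` or `tags` (ATT&CK mapping) are present; add
# them before relying on this rule for triage context.
logsource:
    category: proxy
detection:
    selection:
        # Both conditions below are ANDed with the `endswith` and `sc-status`
        # checks. The '/' element is effectively a no-op (every URI with a
        # path contains one); the real discriminator is `.php?l=` combined
        # with the `.cab` suffix.
        c-uri|contains|all:
            - '/'
            - '.php?l='
        # Assumes `c-uri` carries the full request URI including the query
        # string; if the proxy field mapping holds only the path, `.php?l=`
        # never matches - confirm against the log source schema.
        c-uri|endswith: '.cab'
        # Only completed downloads (HTTP 200) alert. Blocked, redirected or
        # partial responses (403/302/206) are intentionally out of scope, so
        # a thwarted attempt will not fire this rule.
        sc-status: 200
    condition: selection
fields:
    - c-ip
    - c-uri
    - sc-bytes
    - c-ua
falsepositives:
    # NOTE(review): with `level: critical`, unknown false positives deserve a
    # baseline; any internal PHP-fronted software distribution of .cab files
    # would presumably match the same pattern.
    - Unknown
level: critical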