title: Ursnif Malware C2 URL Pattern
id: 932ac737-33ca-4afd-9869-0d48b391fcc9
status: stable
description: Detects Ursnif C2 traffic, i.e. requests whose URI contains both '/images/' and '.avi' and carries base64 data in which the URL-encoded '/' (%2F) and '+' (%2B) appear as '_2f' and '_2b'.
references:
    - https://www.fortinet.com/blog/threat-research/ursnif-variant-spreading-word-document.html
author: Thomas Patzke
date: 2019/12/19
modified: 2021/08/09
logsource:
    category: proxy
detection:
    b64encoding:
        c-uri|contains:
            - '_2f'
            - '_2b'
    urlpatterns:
        c-uri|contains|all:
            - '.avi'
            - '/images/'
    condition: b64encoding and urlpatterns
fields:
    - c-ip
    - c-uri
    - sc-bytes
    - c-ua
falsepositives:
    - Unknown
level: critical
tags:
    - attack.initial_access
    - attack.t1566.001
    - attack.execution
    - attack.t1204.002
    - attack.command_and_control
    - attack.t1071.001
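The following Python is an added example, not part of the rule above or of the Sigma project: it re-implements the rule's two selections and their `and` condition and runs them over a few constructed proxy log lines. The "c-ip c-uri sc-bytes c-ua" column layout, the sample URIs and the host addresses are all assumptions made for the example. Two details matter when porting the rule by hand: Sigma string matching is case-insensitive, so a URI with `_2F` or `.AVI` must still match, and both selections must hold at once, so a `.avi` outside `/images/` or a `_2f` in an unrelated query string is not enough.

```python
"""Detection logic of the Ursnif C2 URL Sigma rule, run over proxy log lines.

Added example: re-implements the rule's selections in Python. It is not part
of the rule or of Sigma; the log layout and sample lines are constructed.
"""
from dataclasses import dataclass
from typing import List


@dataclass
class ProxyEvent:
    """One proxy log record holding the fields the rule asks to report."""
    c_ip: str
    c_uri: str
    sc_bytes: int
    c_ua: str


# Constructed sample log (assumed "c-ip c-uri sc-bytes c-ua" layout, not a
# real appliance format; hosts are documentation/reserved addresses).
# Lines 1-2 mimic the URI shape the rule targets; lines 3-5 are benign
# look-alikes that satisfy only one of the two selections.
SAMPLE_LOG = """\
10.0.0.15 http://203.0.113.7/images/AbCd_2FefGh_2BIj/klMn.avi 512 Mozilla/4.0 (compatible; MSIE 7.0)
10.0.0.22 http://198.51.100.9/images/Zz_2fYyXx/clip.avi 4096 Mozilla/4.0 (compatible; MSIE 7.0)
10.0.0.31 http://cdn.example/images/logo.png 2048 Mozilla/5.0
10.0.0.31 http://media.example/video/intro.avi 9000 Mozilla/5.0
10.0.0.40 http://api.example/search?q=a_2fb_2bc 300 curl/8.0
"""


def parse_line(line: str) -> ProxyEvent:
    """Split one log line; c-ua is last and may contain spaces."""
    c_ip, c_uri, sc_bytes, c_ua = line.split(maxsplit=3)
    return ProxyEvent(c_ip, c_uri, int(sc_bytes), c_ua)


def b64encoding(uri: str) -> bool:
    """Selection `b64encoding`: c-uri|contains '_2f' or '_2b'.

    '_2f' and '_2b' are the URL-encoded '/' (%2F) and '+' (%2B) of a base64
    string with '%' swapped for '_'. Sigma matching is case-insensitive, so
    the URI is lower-cased before testing.
    """
    u = uri.lower()
    return "_2f" in u or "_2b" in u


def urlpatterns(uri: str) -> bool:
    """Selection `urlpatterns`: c-uri|contains|all '.avi' and '/images/'."""
    u = uri.lower()
    return ".avi" in u and "/images/" in u


def rule_matches(event: ProxyEvent) -> bool:
    """condition: b64encoding and urlpatterns."""
    return b64encoding(event.c_uri) and urlpatterns(event.c_uri)


def run_rule(log_text: str) -> List[ProxyEvent]:
    """Return the events that satisfy the rule, in log order."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = parse_line(line)
        if rule_matches(event):
            hits.append(event)
    return hits


if __name__ == "__main__":
    # Prints the rule's `fields` for each hit: the two constructed C2-shaped lines.
    for ev in run_rule(SAMPLE_LOG):
        print(f"{ev.c_ip} {ev.c_uri} {ev.sc_bytes} {ev.c_ua}")
```

Only the first two sample lines match; the PNG under `/images/`, the `.avi` outside `/images/`, and the query string with `_2f` each trip one selection but not both, which is the `and` in the rule's condition doing its work.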