Ursnif Malware Download URL Pattern
Detects download of Ursnif malware done by dropper documents.
Sigma rule
title: Ursnif Malware Download URL Pattern
id: a36ce77e-30db-4ea0-8795-644d7af5dfb4
status: stable
description: Detects download of Ursnif malware done by dropper documents.
references:
    - https://notebook.community/Cyb3rWard0g/HELK/docker/helk-jupyter/notebooks/sigma/proxy_ursnif_malware
author: Thomas Patzke
date: 2019-12-19
modified: 2022-08-15
logsource:
    category: proxy
tags:
    - attack.command-and-control
    - attack.t1071.001
    - detection.emerging-threats
detection:
    selection:
        c-uri|contains|all:
            - '/'
            - '.php\?l='
        c-uri|endswith: '.cab'
        sc-status: 200
    condition: selection
falsepositives:
    - Unknown
level: high
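To see what the selection block above actually matches, the following Python re-implements the rule's logic and runs it over a handful of constructed proxy log lines. This is an added example, not code from the Sigma project or the rule author; the three-field `sc-status method c-uri` log format, the `.invalid` hostnames and the function names are assumptions made for illustration. Two details of the rule are worth noting: `'.php\?l='` escapes the `?` because a bare `?` is a single-character wildcard in Sigma, so the rule wants a literal question mark; and Sigma string matching is case-insensitive by default, which is why the comparison is done on a lower-cased URI.

```python
"""Re-implementation of the Ursnif download Sigma rule's selection block,
run over constructed proxy log lines.  Added example, not part of the rule
or the Sigma project; the log line format used here is an assumption."""

from dataclasses import dataclass
from typing import Iterable, List, Optional


@dataclass
class ProxyEvent:
    """The two fields the rule consumes: request URI (c-uri) and HTTP status (sc-status)."""
    c_uri: str
    sc_status: int


def parse_line(line: str) -> Optional[ProxyEvent]:
    """Parse an assumed 'sc-status method c-uri' proxy line (constructed format).

    Returns None for lines that do not carry exactly those three fields, so a
    malformed line is skipped instead of raising inside the detection loop.
    """
    parts = line.split()
    if len(parts) != 3 or not parts[0].isdigit():
        return None
    return ProxyEvent(c_uri=parts[2], sc_status=int(parts[0]))


def matches_ursnif_download(event: ProxyEvent) -> bool:
    """Mirror the rule's selection block.

    c-uri|contains|all: '/' and '.php?l='   ('\\?' in the rule escapes the
                                             Sigma wildcard, i.e. a literal '?')
    c-uri|endswith:     '.cab'
    sc-status:          200
    Sigma matching is case-insensitive by default, so compare in lower case.
    """
    uri = event.c_uri.lower()
    return (
        event.sc_status == 200
        and "/" in uri
        and ".php?l=" in uri
        and uri.endswith(".cab")
    )


def detect(lines: Iterable[str]) -> List[str]:
    """Return the c-uri of every line the rule would alert on, in input order."""
    hits: List[str] = []
    for line in lines:
        event = parse_line(line)
        if event is not None and matches_ursnif_download(event):
            hits.append(event.c_uri)
    return hits


# Constructed sample proxy log lines (not real traffic; .invalid is a reserved TLD).
SAMPLE_LOG_LINES = [
    "200 GET http://files.example.invalid/images/index.php?l=soft.cab",  # match
    "404 GET http://files.example.invalid/images/index.php?l=soft.cab",  # status != 200
    "200 GET http://cdn.example.invalid/update.cab",                      # no '.php?l='
    "200 GET http://cdn.example.invalid/get.php?l=report.pdf",            # not '.cab'
    "200 GET http://cdn.example.invalid/A.PHP?L=X.CAB",                   # match (case-insensitive)
    "garbage line without the expected fields",                           # skipped by parser
]

if __name__ == "__main__":
    for uri in detect(SAMPLE_LOG_LINES):
        print("ALERT Ursnif Malware Download URL Pattern:", uri)
```

Running the block prints two alerts: the plain `index.php?l=soft.cab` request and the upper-cased variant, while the 404, the direct `.cab` fetch and the `.pdf` download are correctly ignored. The `'/'` condition is always satisfied by any absolute URI, so in practice the three discriminating conditions are the `.php?l=` query pattern, the `.cab` suffix and the successful status.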
Related rules
- APT40 Dropbox Tool User Agent
- Chafer Malware URL Pattern
- ComRAT Network Communication
- Ursnif Malware C2 URL Pattern
- Katz Stealer Suspicious User-Agent