{
	"id": "de13e851-f1cb-43eb-bde7-0604ff57cce7",
	"created_at": "2026-04-06T00:21:33.863682Z",
	"updated_at": "2026-04-10T13:11:47.241779Z",
	"deleted_at": null,
	"sha1_hash": "736473f76e1e7ba382e7198b7b567d7232614997",
	"title": "Hunting for Ursnif",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 768457,
	"plain_text": "Hunting for Ursnif\r\nBy Joshua Penny, Senior Threat Intelligence Analyst\r\nArchived: 2026-04-05 13:34:33 UTC\r\nKey Takeaways\r\nIn March 2023, America’s Cybersecurity \u0026 Infrastructure Security Agency published a report on the Royal\r\nransomware group stating that Royal uses:\r\n“…malware tools and derivatives, such as Ursnif/Gozi, for data aggregation and exfiltration.”\r\nRoyal ransomware has been a prominent ransomware threat against global organisations since September 2022,\r\nregularly posting victims across multiple sector verticals to its leak site each month. Below is a graph detailing\r\nthe total number per month. Ursnif is a tool utilised by the group during its intrusions, and its command and control\r\ntraffic gives Cyber Threat Intelligence teams an opportunity to identify and track the infrastructure linked to this\r\nmalware.\r\nThe use of Ursnif in the group’s attack chain makes it a malware family worth hunting for; this report details\r\nthe findings of the hunting activity conducted by Bridewell CTI.\r\nhttps://www.bridewell.com/insights/news/detail/hunting-for-ursnif\r\nPage 1 of 15\n\nUrsnif Hunt Process\r\nOur research began when analysing some relatively new Ursnif IP addresses published by other security\r\nresearchers. After conducting analysis, we observed notable features that could be leveraged to hunt for new IP\r\naddresses in the wild. The C2 servers at these IP addresses presented an SSL certificate with distinctive values in\r\nthe issuer and subject fields:\r\nSSL Certificate Issuer: C=XX, ST=1, L=1, O=1, OU=1, CN=*\r\nSSL Certificate Subject: C=XX, ST=1, L=1, O=1, OU=1, CN=*\r\nFigure 1. Example Ursnif SSL certificate\r\nWorking with this and other features that can be fingerprinted, we were able to identify 72 further servers of\r\ninterest which matched our new Ursnif hunt rule.
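Added example, not Bridewell’s tooling and not the actual Shodan query behind their hunt rule: a small Python script that applies the Figure 1 issuer/subject attributes to certificate records of the kind a scan engine returns, prints the hits in the defanged form used in Appendix 2, and sweeps a few proxy log lines against a defanged IoC set, which is the reference-set check the Mitigation Strategies section recommends. The record layout, the documentation-range addresses 203.0.113.10, 198.51.100.7 and 192.0.2.44, the log line format and the look-alike domain notgameindikdowd.ru are all constructed for illustration; the DN normaliser accepts both the string form printed in Figure 1 and a dict of RDN values.

```python
# Added example, not Bridewell's tooling or their actual Shodan query.
# Applies the Figure 1 issuer/subject attributes to certificate records,
# emits hits in the defanged form used in Appendix 2, and sweeps proxy log
# lines against a defanged IoC set. All records and log lines are constructed.
from typing import Dict, List, Union

# Attribute values seen on the Ursnif C2 certificates in Figure 1.
HUNT_ATTRIBUTES: Dict[str, str] = {
    'C': 'XX', 'ST': '1', 'L': '1', 'O': '1', 'OU': '1', 'CN': '*',
}


def parse_dn(dn: str) -> Dict[str, str]:
    '''Parse a comma-separated DN such as C=XX, ST=1, L=1, O=1, OU=1, CN=*.'''
    fields: Dict[str, str] = {}
    for part in dn.split(','):
        if '=' not in part:
            continue                       # tolerate stray commas or an empty DN
        key, value = part.split('=', 1)
        fields[key.strip().upper()] = value.strip()
    return fields


def normalise_dn(dn: Union[str, Dict[str, str], None]) -> Dict[str, str]:
    '''Accept the string form printed in Figure 1 or a dict of RDN values.'''
    if isinstance(dn, dict):
        return {str(k).upper(): str(v) for k, v in dn.items()}
    return parse_dn(dn or '')


def matches_hunt_rule(record: dict) -> bool:
    '''True when issuer AND subject carry exactly the fingerprinted values.

    Requiring both sides mirrors Figure 1 (self-signed, issuer == subject) and
    drops certificates that only share the issuer, which is a weaker signal.
    '''
    cert = record.get('ssl', {}).get('cert', {})
    return (normalise_dn(cert.get('issuer')) == HUNT_ATTRIBUTES
            and normalise_dn(cert.get('subject')) == HUNT_ATTRIBUTES)


def hunt(records: List[dict]) -> List[str]:
    '''Return the IPs of matching records, in input order.'''
    return [r['ip_str'] for r in records if matches_hunt_rule(r)]


def defang(indicator: str) -> str:
    '''95.46.8.157 -> 95[.]46[.]8[.]157 (the Appendix 2 convention).'''
    return indicator.replace('.', '[.]')


def refang(indicator: str) -> str:
    return indicator.replace('[.]', '.')


def host_of(token: str) -> str:
    '''Reduce a log token (URL, host:port or bare host) to its host part.'''
    token = token.split('://', 1)[-1].split('/', 1)[0]
    if token.count(':') == 1:              # host:port; leave IPv6-looking tokens alone
        token = token.rsplit(':', 1)[0]
    return token.lower()


def sweep_logs(log_lines: List[str], defanged_iocs: List[str]) -> List[str]:
    '''Return log lines with a host token equal to a refanged IoC (whole-host
    match, so a look-alike such as notgameindikdowd.ru is not a hit).'''
    wanted = {refang(i).lower() for i in defanged_iocs}
    return [line for line in log_lines
            if any(host_of(tok) in wanted for tok in line.split())]


# Constructed records modelled on Figure 1; only the first and fourth IPs are
# taken from the report, the others are documentation-range addresses.
SHODAN_RECORDS = [
    {'ip_str': '31.214.157.31', 'ssl': {'cert': {
        'issuer': 'C=XX, ST=1, L=1, O=1, OU=1, CN=*',
        'subject': 'C=XX, ST=1, L=1, O=1, OU=1, CN=*'}}},
    {'ip_str': '203.0.113.10', 'ssl': {'cert': {
        'issuer': 'C=US, O=Example CA, CN=Example Root',
        'subject': 'C=US, O=Example Corp, CN=www.example.com'}}},
    {'ip_str': '198.51.100.7', 'ssl': {'cert': {      # issuer matches, subject does not
        'issuer': 'C=XX, ST=1, L=1, O=1, OU=1, CN=*',
        'subject': 'C=XX, ST=1, L=1, O=1, OU=1, CN=mail.example.net'}}},
    {'ip_str': '92.38.169.142', 'ssl': {'cert': {     # dict form of the same DN
        'issuer': dict(HUNT_ATTRIBUTES), 'subject': dict(HUNT_ATTRIBUTES)}}},
    {'ip_str': '192.0.2.44'},                          # no TLS banner at all
]

# Constructed proxy log lines: timestamp, client, method, destination, status.
PROXY_LOG = [
    '2023-04-30T10:01:02Z 10.0.0.5 CONNECT 31.214.157.31:443 200',
    '2023-04-30T10:01:09Z 10.0.0.5 GET http://notgameindikdowd.ru/x 200',
    '2023-04-30T10:02:11Z 10.0.0.9 GET https://gameindikdowd.ru/ 200',
    '2023-04-30T10:03:40Z 10.0.0.5 GET https://www.example.com/ 200',
]
IOCS = ['31[.]214[.]157[.]31', '176[.]10[.]111[.]111', 'gameindikdowd[.]ru']

if __name__ == '__main__':
    for ip in hunt(SHODAN_RECORDS):
        print('hunt rule hit:', defang(ip))
    for line in sweep_logs(PROXY_LOG, IOCS):
        print('IoC hit:', line)
```

Requiring issuer and subject to match in full is a deliberate choice: the report’s Findings note that most rule hits have no communicating files yet, so a looser rule (issuer only, or CN=* alone) would add noise to a list that already needs triage. The whole-host comparison in the sweep is what stops the Appendix 2 reference set from firing on substrings of unrelated hosts.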
\r\nFigure 2. Shodan results for the Bridewell Ursnif hunt rule\r\nHosting Infrastructure\r\nLooking at the 72 servers, we can identify where they are geographically hosted and by which hosting providers:\r\nGeographical distribution - top 3: Germany, Netherlands, Russia\r\nFigure 3. Geographical distribution of Ursnif C2 servers\r\nHosting provider - top 3: servinga GmbH, Datasource AG, GleSYS AB\r\nFigure 4. Hosting provider distribution of Ursnif C2 servers\r\nIn a report last year, Mandiant provided indicators of Ursnif C2s hosted on the ISP Stark Industries\r\nSolutions Limited; it now appears that the operators of Ursnif have completely migrated away from this\r\nISP and diversified across many ISPs that have been associated with many other malware C2s.\r\nAnalysing the C2s\r\nOf the 23 Ursnif C2 servers that have Ursnif-detected files communicating with them, 6 remain unreported and\r\nundetected as Ursnif C2s by security vendors (at the time of writing):\r\n95[.]46[.]8[.]157\r\n193[.]164[.]149[.]143\r\n79[.]133[.]124[.]62\r\n45[.]11[.]181[.]117\r\n92[.]38[.]169[.]142\r\n31[.]214[.]157[.]31\r\nWe decided to investigate these IP addresses to understand whether the hunt rule was capturing Ursnif C2s, and\r\nto identify other pivoting opportunities to enhance our hunt rules by looking at associated domains and at the\r\nsamples communicating with hardcoded IPs.\r\nThe most recently scanned IP in Shodan: 31.214.157[.]31 - scanned 2023-04-30.\r\nVirusTotal detections: 2/87\r\nAnalysing this IP in VirusTotal, we can see two communicating files of interest:\r\n2023-04-12 - 112b84b09d2051376879f697f03190240132b87bbac0d069175bd3039d492f56\r\n2023-03-18 - 
282856a51245496390e8c06ed9fa3dff6171aabffa6132dec93a9b4a30b1e524 - MSICBE.tmp\r\nLooking at MSICBE.tmp:\r\nVirusTotal detections: 21/69\r\nAfter pivoting around in VT, we can see the file’s execution parent appears to be a malicious LibreOffice installer,\r\n6ae710.msi.\r\nVirusTotal detections: 3/41\r\nThe sample is also configured to beacon to IP 185.189.151[.]38 (tagged as ISFB by ThreatFox). This IP no longer\r\nappears to be active (it is not captured by our hunt rule); however, by inspecting the scan history in Shodan we\r\ncan see that in January 2023 it presented an SSL certificate with the same attributes, matching our hunt rule.\r\nMSICBE.tmp also pulls down a DLL file\r\n(c.dll - 2d0f416aa030af708506fea815d4b268ba5a3bdd4680485a65c4cb112bc2ba7d) from 146.70.158[.]105.\r\nVirusTotal detections: 1/88\r\nSample “92f56” (the 2023-04-12 file above) also communicates with the same IP addresses.\r\nFigure 5. Relationship graph of Ursnif samples communicating with 185.189.151[.]38\r\nFigure 6. Installation of malicious LibreOffice file\r\nFigure 7. VirusTotal results for LibreOffice file\r\nNext on our result list was 31.214.157[.]160, hosted on servinga GmbH, which was identified by VirusTotal as\r\nUrsnif. 
From this we were able to pivot to a new hunt rule to identify additional unreported Ursnif C2 servers.\r\nThis IP has a single DLL file, fxplugins.dll, communicating with it.\r\nVirusTotal detections: 5/89\r\nThis file has connection attempts to the following IP addresses:\r\n176.10.111[.]111\r\n176.10.111[.]167\r\n176.10.111[.]173\r\n176.10.111[.]233\r\n31.214.157[.]160\r\nSeveral of these IP addresses are not captured by our current rule. To understand why, we built another hunt\r\nrule, this time pivoting from 176.10.111[.]167 using additional HTTP header information.\r\nThe results of this hunt: 55 servers.\r\nAfter deduplicating the results against our first hunt rule, we are left with 7 servers that were not caught by the initial\r\nSSL hunt rule. This new rule also captures 176.10.111[.]111, one of the C2s used by fxplugins.dll.\r\nThe new IP addresses:\r\n176[.]10[.]111[.]111\r\n91[.]241[.]93[.]152\r\n77[.]91[.]86[.]116\r\n45[.]147[.]200[.]47\r\n62[.]3[.]58[.]57\r\n45[.]155[.]250[.]55\r\n92[.]38[.]169[.]142\r\nLooking at these results further:\r\n45.147.200[.]47 ← resolved from the domains www.gameindikdowd[.]ru and jhgfdlkjhaoiu[.]su\r\nVirusTotal detections: 1/87\r\nThe first domain has been tagged as ISFB.\r\nPivoting off the domain gameindikdowd[.]ru, we can see numerous files that have recently used it for C2 traffic.\r\nFigure 8. 
Ursnif communicating files\r\nLooking at two recent files, control.exe (2023-04-04) and BethesdaNetHelper.exe (2023-03-07), we can identify\r\nadditional domains used for C2 communications, including any active IP addresses that may not be detected by\r\nour hunt rules.\r\ncontrol.exe\r\ngameindikdowd[.]ru\r\njhgfdlkjhaoiu[.]su\r\nreggy505[.]ru - 109.94.209[.]203\r\nPart of a malicious AnyDesk campaign:\r\nuelcoskdi[.]ru - 45.130.147[.]89 - caught by hunt rule\r\nBethesdaNetHelper.exe\r\ngameindikdowd[.]ru\r\niujdhsndjfks[.]ru - 45.130.147[.]89 - caught by hunt rule\r\nreggy505[.]ru - 109.94.209[.]203\r\nThe domains jhgfdlkjhaoiu[.]su, iujdhsndjfks[.]ru and gameindikdowd[.]ru are all referenced by eSentire in their report.\r\nAdditionally, the above screenshot aligns with the reference to a control.exe that is downloaded and decrypted by the\r\nBATLOADER malware in recent campaigns.\r\nApart from a single IP address, we were able to verify that we are capturing all the IP addresses resolved by these\r\ndomains and can link them back to activity reported in open source.\r\nAnother example of an Ursnif C2 yet to be detected by most antivirus providers is 92.38.169[.]142:\r\nVirusTotal detections: 1/87\r\nA single communicating file, glcheck.exe, was detected as Ursnif on 2023-02-13 and 2023-04-04.\r\nVirusTotal detections: 38/70\r\nThe file also communicates with 185.186.245[.]42 (captured by our hunt rule):\r\nVirusTotal detections: 1/87\r\nwhich has the following domains resolving to it:\r\ns28bxcw[.]xyz\r\n8hak4j[.]xyz\r\ndc3txd[.]xyz\r\n2hrbjc[.]xyz\r\n5icvzwz[.]xyz\r\nThese domains also resolve to other IP addresses, used for redundancy, which are likewise captured by our hunt rule.\r\n95.46.8[.]157 resolved by dantedbkoosov[.]site (3/87 VT) ← 361E.exe (58/70 VT, 2023-04-04), detected as\r\nUrsnif (Product: Letasoft Sound Booster):\r\nVirusTotal detections: 
1/87\r\nFindings\r\nResults\r\nAfter conducting our analysis, just under 30% of the infrastructure detected by our two hunt rules has files\r\ncommunicating with it that have been detected as Ursnif. Of the infrastructure identified as Ursnif C2s due to\r\nthe communicating files, the average detection rate by security vendors in VirusTotal is just 4.78 (the average number of\r\nvendors flagging each IP). 71.3% of the IP addresses currently have no communicating files. Based on the similarities in\r\nshared attributes and hosting providers, we believe there is a high likelihood that these IP addresses will be used in\r\nthe future by Ursnif operators.\r\nFigure 9. Proportion of identified servers having Ursnif-detected communicating files\r\nFigure 10. AV detection rates of Ursnif C2 servers in VirusTotal\r\nConclusion\r\nUrsnif is a backdoor used by threat actors in campaigns that lead to ransomware and data exfiltration,\r\nposing a viable risk to organisations. The malware is delivered via malicious documents such as macro-enabled\r\nOffice documents, or via malicious installers downloaded through Google Ads campaigns.\r\nBridewell proactively searches for Ursnif C2 infrastructure to protect customer environments from threats, using a\r\nresearch-driven threat intelligence approach to security. As a result, Bridewell CTI provides\r\nvaluable insight into our SOC service whilst improving customers’ security posture at the strategic,\r\noperational and tactical levels.\r\nUrsnif is a longstanding malware family that has pivoted from banking trojan to facilitating ransomware intrusions,\r\nparticularly for the Royal ransomware group. This malware communicates with C2 infrastructure, allowing CTI teams\r\nto track the operators’ usage and defenders to respond in a timely manner to any detections within customer\r\nenvironments. 
Detecting these C2s provides an opportunity to mitigate the impact of ransomware intrusions\r\nbefore it is too late.\r\nMitigation Strategies\r\nTo safeguard your organisation against Ursnif and similar threats, it is essential to:\r\nEducate employees about the risks of opening attachments from unknown or suspicious senders.\r\nEnsure that you have a robust application control policy that limits the execution of unauthorised applications\r\nfrom untrusted sources.\r\nEnsure that your organisation uses up-to-date antivirus software and firewalls to detect and prevent Ursnif infections.\r\nSearch for the Indicators of Compromise (IoCs) listed in the appendix and set up reference sets for detection\r\nwithin your organisation’s security tools.\r\nImplement a Managed Detection and Response (MDR) service to proactively monitor, detect, and respond to\r\nthreats targeting your organisation.\r\nLeverage a Vulnerability Management service to identify and support remediation of security weaknesses within\r\nyour organisation’s network and systems.\r\nIncorporate a Cyber Threat Intelligence (CTI) service to stay informed of emerging threats and obtain tailored\r\nintelligence to enhance your organisation’s cybersecurity posture.\r\nAppendix 1 – References\r\nhttps://www.blackberry.com/us/en/solutions/endpoint-security/ransomware-protection/ursnif\r\nhttps://www.mandiant.com/resources/blog/rm3-ldr4-ursnif-banking-fraud\r\nhttps://thedfirreport.com/2023/01/09/unwrapping-ursnifs-gifts/\r\nhttps://www.esentire.com/blog/batloader-continues-to-abuse-google-search-ads-to-deliver-vidar-stealer-and-ursnif\r\nAppendix 2 – Indicators\r\nC2 IPs\r\n176[.]10[.]111[.]111\r\n79[.]132[.]132[.]216\r\n185[.]212[.]44[.]83\r\n95[.]46[.]8[.]157\r\n45[.]155[.]249[.]200\r\n77[.]73[.]131[.]105\r\n176[.]10[.]111[.]112\r\n185[.]212[.]47[.]59\r\n185[.]212[.]44[.]146\r\n45[.]155[.]250[.]217\r\n37[.]10[.]71[.]114\r\n91[.]242[.]217[.]113\r\n176[.]10[.]111[.]119\r\n91[.]241[.]93[.]152\r\n45[.]11[.]183[.]24\r\n94[.]247[.]42[.]238\r\n185[.]186[.]244[.]168\r\n77[.]91[.]86[.]116\r\n31[.]214[.]157[.]160\r\n79[.]133[.]180[.]95\r\n185[.]18[.]55[.]106\r\n109[.]230[.]199[.]174\r\n91[.]242[.]219[.]237\r\n45[.]147[.]200[.]47\r\n45[.]155[.]249[.]47\r\n45[.]155[.]249[.]49\r\n176[.]10[.]125[.]84\r\n194[.]58[.]97[.]42\r\n194[.]76[.]224[.]223\r\n185[.]212[.]44[.]76\r\n91[.]242[.]217[.]71\r\n185[.]158[.]248[.]100\r\n109[.]230[.]199[.]110\r\n170[.]130[.]55[.]65\r\n79[.]132[.]134[.]158\r\n79[.]132[.]135[.]249\r\n194[.]76[.]225[.]141\r\n194[.]76[.]224[.]95\r\n91[.]242[.]217[.]120\r\n91[.]242[.]219[.]235\r\n176[.]10[.]111[.]160\r\n62[.]3[.]58[.]57\r\n185[.]186[.]245[.]42\r\n45[.]155[.]250[.]55\r\n176[.]10[.]118[.]153\r\n176[.]10[.]119[.]217\r\n79[.]133[.]124[.]62\r\n45[.]130[.]147[.]89\r\n194[.]76[.]225[.]88\r\n185[.]90[.]162[.]33\r\n185[.]186[.]244[.]108\r\n92[.]38[.]169[.]142\r\n31[.]214[.]157[.]31\r\n109[.]230[.]199[.]248\r\n109[.]94[.]209[.]203\r\nDomains\r\ns28bxcw[.]xyz\r\n8hak4j[.]xyz\r\ndc3txd[.]xyz\r\n2hrbjc[.]xyz\r\n5icvzwz[.]xyz\r\ngameindikdowd[.]ru\r\njhgfdlkjhaoiu[.]su\r\nreggy505[.]ru\r\niujdhsndjfks[.]ru\r\njhzzj3[.]xyz\r\nSource: https://www.bridewell.com/insights/news/detail/hunting-for-ursnif",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.bridewell.com/insights/news/detail/hunting-for-ursnif"
	],
	"report_names": [
		"hunting-for-ursnif"
	],
	"threat_actors": [],
	"ts_created_at": 1775434893,
	"ts_updated_at": 1775826707,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/736473f76e1e7ba382e7198b7b567d7232614997.pdf",
		"text": "https://archive.orkl.eu/736473f76e1e7ba382e7198b7b567d7232614997.txt",
		"img": "https://archive.orkl.eu/736473f76e1e7ba382e7198b7b567d7232614997.jpg"
	}
}