Hunting for Ursnif
By Joshua Penny Senior Threat Intelligence Analyst
Archived: 2026-04-05 13:34:33 UTC
[2] https://thedfirreport.com/2023/01/09/unwrapping-ursnifs-gifts/
Key Takeaways
In March 2023, America’s Cybersecurity & Infrastructure Security Agency published as report on the Royal
Ransomware group stating that Royal uses:
“…malware tools and derivatives, such as Ursnif/Gozi, for data aggregation and exfiltration.”
Royal Ransomware has been a prominent ransomware threat against global organisations since September 2022,
regularly posting victims across multiple sector verticals to their leak site each month. Below is a graph detailing
the total number per month. Ursnif is a tool utilised by the group during their intrusions and provided Cyber
Threat Intelligence teams an opportunity to identify and track command and control infrastructure linked to this
malware.
The use of Ursnif in their attack chain makes Ursnif a malware family worth hunting for, as such this report details
the findings of the hunting activity conducted by Bridewell CTI.
https://www.bridewell.com/insights/news/detail/hunting-for-ursnif
Page 1 of 15

Ursnif Hunt Process
Our research began when analysing some relatively new Ursnif IP addresses published by other security
researchers. After conducting analysis, we observed notable features that could be leveraged to hunt for new IP
addresses in the wild. The Ursnif IP addresses in question were communicating with C2 servers which had an SSL
certificate with the following noticeable attributes: the issuer and subject fields.
SSL Certificate Issuer: C=XX, ST=1, L=1, O=1, OU=1, CN=*
SSL Certificate Subject: C=XX, ST=1, L=1, O=1, OU=1, CN=* 
Figure 1. Example Ursnif SSL certificate
Working with this and other features that can be fingerprinted, we were able to identify 72 further servers of
interest which matched our new Ursnif hunt rule. 
https://www.bridewell.com/insights/news/detail/hunting-for-ursnif
Page 2 of 15

Figure 2. Shodan Results for the Bridewell Ursnif Hunt Rule
Hosting Infrastructure
Looking at the 72 servers, we can identify where they are geographically hosted and by which hosting providers:
Geographical Distribution - Top 3: Germany, Netherlands, Russia 
Figure 3. Geographical distribution of Ursnif C2 servers
https://www.bridewell.com/insights/news/detail/hunting-for-ursnif
Page 3 of 15

Hosting Provider - Top 3: servinga GmbH, Datasource AG, GleSYS AB.
Figure 4. Hosting provider distribution of Ursnif C2 servers
In a report by Mandiant last year, they provided indicators of Ursnif C2’s hosted on the ISP Stark Industries
Solutions Limited, however it would appear now that the operators of Ursnif have completely migrated from this
ISP and diversified amongst many ISPs, who have been associated with many other malware C2s. 
Analysing the C2s
After analysing the 23 Ursnif C2 servers that have Ursnif communicating files, 6 have Ursnif files communicating
but remain unreported and undetected as Ursnif C2’s by Security vendors (at the time of writing this report):
95[.]46[.]8[.]157
193[.]164[.]149[.]143
79[.]133[.]124[.]62
45[.]11[.]181[.]117
92[.]38[.]169[.]142
31[.]214[.]157[.]31
https://www.bridewell.com/insights/news/detail/hunting-for-ursnif
Page 4 of 15

---
We decided to investigate the IP addresses to understand whether the hunt rule was capturing Ursnif C2s and
identifying other pivoting opportunities to enhance our hunt rules by looking at associated domains and hardcoded
IPs communicating samples.
The most recently scanned IP in Shodan: 31.214.157[.]31 - Scanned 2023-04-30.
Virus Total Detections: 2/87
Analysing this IP in Virus Total, we can see two communicating files of Interest:
2023-04-12 - 112b84b09d2051376879f697f03190240132b87bbac0d069175bd3039d492f56
2023-03-18 - 282856a51245496390e8c06ed9fa3dff6171aabffa6132dec93a9b4a30b1e524 - MSICBE.tmp
Looking at MSICBE.tmp:
Virus Total Detections: 21/69
After pivoting around in VT, we can see the file’s execution parent looks to be a malicious version of LibreOffice,
6ae710.msi.
Virus Total Detections: 3/41
The sample is configured to also beacon to IP 185.189.151[.]38 (tagged as ISFB by ThreatFox). This IP does not
appear to be active anymore (not captured by our hunt rule), however by inspecting the scan history in Shodan we
can see that the SSL cert with the same attributes matches our hunt rule in Jan 2023.
MSICBE.tmp also pulls down a DLL file:
(c.dll - 2d0f416aa030af708506fea815d4b268ba5a3bdd4680485a65c4cb112bc2ba7d) from 146.70.158[.]105.
Virus Total Detections: 1/88
Sample “92f56” also communicates with the same IP addresses. 
https://www.bridewell.com/insights/news/detail/hunting-for-ursnif
Page 5 of 15

Figure 5. Relationship graph of Ursnif samples communicating with 185.189.151[.]38
https://www.bridewell.com/insights/news/detail/hunting-for-ursnif
Page 6 of 15

Figure 6. Installation of malicious LibreOffice file
Figure 7. Virus Total Results for LibreOffice file.
Next on our result list was 31.214.157[.]160 - hosted on servinga GmbH, which was identified by Virus Total as
Ursnif. From this we were able to pivot to a new hunt rule to identify additional unreported Ursnif C2 servers.
This IP has a single .dll file called fxplugins.dll, communicating with it.
Virus Total Detections: 5/89
This file has connection attempts to the following IP addresses:
https://www.bridewell.com/insights/news/detail/hunting-for-ursnif
Page 7 of 15

176.10.111[.]111
176.10.111[.]167
176.10.111[.]173
176.10.111[.]233
31.214.157[.]160
Several of these IP addresses are not captured by our current rule and to understand why, we built another hunt
rule, this time pivoting from 176.10.111[.]167 using additional HTTP header information:
The results of this hunt: 55 servers
After deduplicating results against our first hunt rule, we are left with 7 servers that were not caught by the initial
SSL hunt rule. This new rule also captures 176.10.111[.]111, one of the C2s used by the fxplugins.dll.
The new IP addresses:
176[.]10[.]111[.]111
91[.]241[.]93[.]152
77[.]91[.]86[.]116
45[.]147[.]200[.]47
62[.]3[.]58[.]57
45[.]155[.]250[.]55
92[.]38[.]169[.]142
Looking at these results further:
45.147.200[.]47 ← resolved from domains www.gameindikdowd[.]ru and jhgfdlkjhaoiu[.]su
Virus Total Detections: 1/87
The first domain has been tagged as ISFB.
Pivoting off the domain, gameindikdowd[.]ru we can see numerous files that have recently used it for C2 traffic. 
https://www.bridewell.com/insights/news/detail/hunting-for-ursnif
Page 8 of 15

Figure 8. Ursnif communicating files
Looking at two recent files, control.exe (2023-04-04) and BethesdaNetHelper.exe (2023-03-07), we can identify
additional domains used for C2 communications, including any active IP addresses that may not be detected by
our hunt rules.
control.exe
gameindikdowd[.]ru
jhgfdlkjhaoiu[.]su
reggy505[.]ru - 109.94.209[.]203
Part of malicious AnyDesk campaign:
uelcoskdi[.]ru - 45.130.147[.]89 - caught by hunt rule
BethesdaNetHelper.exe
gameindikdowd.ru
iujdhsndjfks[.]ru - 45.130.147[.]89 - caught by hunt rule
reggy505[.]ru - 109.94.209[.]203
jhgfdlkjhaoiu[.]su, iujdhsndjfks[.]ru, gameindikdowd.ru domains are all referenced by esentire in their report.
Additionally, the above screenshot aligns to the reference of a control.exe that is downloaded and decrypted by the
BATLOADER malware in recent campaigns.
https://www.bridewell.com/insights/news/detail/hunting-for-ursnif
Page 9 of 15

Apart from a single IP address, we were able to verify that we are capturing all the IP addresses resolved by these
domains and can link these back to activity reported in open source.
Another example of an Ursnif C2 yet to be detected by most antivirus providers is 92.38.169[.]142:
Virus Total Detection: 1/87
A single communicating file called glcheck.exe has been detected as Ursnif on 2023-02-13 and 2023-04-04 -
detected as Ursnif.
Virus Total Detection: 38/70
The file also communicates with 185.186.245[.]42 (captured by our hunt rule):
Virus Total Detection: 1/87
Which has the following domains resolving to it:
s28bxcw[.]xyz
8hak4j[.]xyz
dc3txd[.]xyz
2hrbjc[.]xyz
5icvzwz[.]xyz
These domains also have other IP addresses used for redundancy which are also captured by our hunt rule.
95.46.8[.]157 resolved by dantedbkoosov[.]site (3/87 VT) ← 361E.exe (58/70 VT, 2023-04-04) Detected as
Ursnif (Product: Letasoft Sound Booster):
Virus Total Detection: 1/87
Findings
Results After conducting our analysis, just under 30% of the infrastructure detected our two hunt rules have files
communicating with them that have been detected as Ursnif. Of the infrastructure identified as Ursnif C2’s due to
the communicating files, the average detection rate by security vendors in Virus Total is just 4.78. 71.3% of the IP
addresses currently have no communicating files. Based on the similarities in shared attributes and hosting
providers, we believe there is high likelihood that these IP addresses will be used in the future by Ursnif
operators. 
https://www.bridewell.com/insights/news/detail/hunting-for-ursnif
Page 10 of 15

Figure 9. Proportion of identified servers having Ursnif-detected communicating files
Figure 10. AV Detection rates of Ursnif C2 servers in Virus Total
Conclusion
Ursnif is a backdoor that is used by threat actors in campaigns that lead to ransomware and data exfiltration,
posing a viable risk to organisations. The malware is delivered via malicious documents such as macro-enabled
office docs or via malicious installers downloaded via Google Ad campaigns.
Bridewell proactively searches for Ursnif C2 infrastructure to protect their customer environments from threats by
using a proactive research driven threat intelligence approach to security. As a result, Bridewell CTI provides
valuable insight in to our SOC service whilst improving customer’s security postures at both a strategic,
operational and tactical level.
https://www.bridewell.com/insights/news/detail/hunting-for-ursnif
Page 11 of 15

Ursnif is a longstanding malware that has pivoted from banking trojan to facilitating ransomware intrusions,
particular for the Royal ransomware group. This malware communicates to C2 infrastructure, allowing CTI teams
to track the operators usage, allowing defenders to respond in a timely manner to any detections within customer
environments. Detecting these C2’s provides an opportunity to mitigate the impact of ransomware intrusions
before its too late.
Mitigation Strategies
To safeguard your organisation against Ursnif and similar threats, it is essential to:
Educate employees about the risks of opening attachments from unknown or suspicious senders.
Ensure that you have a robust application control policy that limits the execution of unauthorised applications
from untrusted sources.
Ensure that your organisation uses updated antivirus software and firewalls to detect and prevent Ursnif infections.
Search for the Indicators of Compromise (IoCs) listed in the appendix and set up reference sets for detection
within your organisation's security tools.
Implement a Managed Detection and Response (MDR) service to proactively monitor, detect, and respond to
threats targeting your organisation.
Leverage a Vulnerability Management service to identify and support remediation of security weaknesses within
your organisation's network and systems.
Incorporate a Cyber Threat Intelligence (CTI) services to stay informed of emerging threats and obtain tailored
intelligence to enhance your organisation's cybersecurity posture.
Appendix 1 – References
https://www.blackberry.com/us/en/solutions/endpoint-security/ransomware-protection/ursnif
https://www.mandiant.com/resources/blog/rm3-ldr4-ursnif-banking-fraud
https://thedfirreport.com/2023/01/09/unwrapping-ursnifs-gifts/
https://www.esentire.com/blog/batloader-continues-to-abuse-google-search-ads-to-deliver-vidar-stealer-and-ursnif
Appendix 2 – Indicators
C2 IPs
176[.]10[.]111[.]111
79[.]132[.]132[.]216
https://www.bridewell.com/insights/news/detail/hunting-for-ursnif
Page 12 of 15

185[.]212[.]44[.]83
95[.]46[.]8[.]157
45[.]155[.]249[.]200
77[.]73[.]131[.]105
176[.]10[.]111[.]112
185[.]212[.]47[.]59
185[.]212[.]44[.]146
45[.]155[.]250[.]217
37[.]10[.]71[.]114
91[.]242[.]217[.]113
176[.]10[.]111[.]119
91[.]241[.]93[.]152
45[.]11[.]183[.]24
94[.]247[.]42[.]238
185[.]186[.]244[.]168
77[.]91[.]86[.]116
31[.]214[.]157[.]160
79[.]133[.]180[.]95
185[.]18[.]55[.]106
109[.]230[.]199[.]174
91[.]242[.]219[.]237
45[.]147[.]200[.]47
45[.]155[.]249[.]47
45[.]155[.]249[.]49
176[.]10[.]125[.]84
194[.]58[.]97[.]42
https://www.bridewell.com/insights/news/detail/hunting-for-ursnif
Page 13 of 15

194[.]76[.]224[.]223
185[.]212[.]44[.]76
91[.]242[.]217[.]71
185[.]158[.]248[.]100
109[.]230[.]199[.]110
170[.]130[.]55[.]65
79[.]132[.]134[.]158
79[.]132[.]135[.]249
194[.]76[.]225[.]141
194[.]76[.]224[.]95
91[.]242[.]217[.]120
91[.]242[.]219[.]235
176[.]10[.]111[.]160
62[.]3[.]58[.]57
185[.]186[.]245[.]42
45[.]155[.]250[.]55
176[.]10[.]118[.]153
176[.]10[.]119[.]217
79[.]133[.]124[.]62
45[.]130[.]147[.]89
194[.]76[.]225[.]88
185[.]90[.]162[.]33
185[.]186[.]244[.]108
92[.]38[.]169[.]142
31[.]214[.]157[.]31
109[.]230[.]199[.]248
https://www.bridewell.com/insights/news/detail/hunting-for-ursnif
Page 14 of 15

109.94.209[.]203
176[.]10[.]111[.]111
91[.]241[.]93[.]152
77[.]91[.]86[.]116
45[.]147[.]200[.]47
62[.]3[.]58[.]57
45[.]155[.]250[.]55
92[.]38[.]169[.]142
Domains
s28bxcw[.]xyz
8hak4j[.]xyz
dc3txd[.]xyz
2hrbjc[.]xyz
5icvzwz[.]xyz
gameindikdowd[.]ru
jhgfdlkjhaoiu[.]su
reggy505[.]ru
iujdhsndjfks[.]ru
reggy505[.]ru
jhzzj3[.]xyz
Source: https://www.bridewell.com/insights/news/detail/hunting-for-ursnif
https://www.bridewell.com/insights/news/detail/hunting-for-ursnif
Page 15 of 15