{
	"id": "49ac481b-4555-4cb1-8887-77327a13c5b6",
	"created_at": "2026-04-06T00:11:27.023614Z",
	"updated_at": "2026-04-10T03:20:30.044884Z",
	"deleted_at": null,
	"sha1_hash": "a503594de13fd08b958e944888a0cc60fb1e986b",
	"title": "GitHub - mlodic/ursnif_beacon_decryptor: Ursnif beacon decryptor",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 47126,
	"plain_text": "GitHub - mlodic/ursnif_beacon_decryptor: Ursnif beacon decryptor\r\nBy mlodic\r\nArchived: 2026-04-05 21:45:19 UTC\r\nUrsnif v.3 aka Dreambot/Gozi/ISFB\r\nThis is a simple script that can be used to:\r\ncheck whether a suspicious URL is correlated with Ursnif activity\r\ndecrypt the URL check-in on the fly to get the data sent to the C2 server\r\nUsage:\r\npython3 ursnif_beacon_decryptor.py -u \u003curl\u003e -k \u003ckey\u003e\r\nA different version inserts the encrypted path as the data of a POST request.\r\nIn that case, use the option -o instead of -u.\r\nExample:\r\nInput:\r\npython3 ursnif_beacon_decryptor.py -u \"http://qjdyugisselle.club/images/NM_2Ff8mqmMQjmr/c842xf8TIJp_2FlmC5/Ulz2\r\nOutput:\r\n[2019-04-15 11:24:25 - INFO] c2 domain: 'qjdyugisselle.club'\r\n[2019-04-15 11:24:25 - INFO] path to analyze: /images/NM_2Ff8mqmMQjmr/c842xf8TIJp_2FlmC5/Ulz244kFh/KMjQpHVvOnBhk\r\n[2019-04-15 11:24:25 - INFO] Congrats! decoded data: fjidtflrb=bdaxhhfg\u0026soft=3\u0026version=217173\u0026user=a618b5f78c4ff\r\nParams:\r\nfjidtflrb -\u003e junk param, always present at the start of the URI to add randomness (and always different)\r\nsoft -\u003e major version\r\nversion -\u003e minor version\r\nuser -\u003e unique user id\r\nserver -\u003e unique c2 server id\r\nid -\u003e bot group id\r\ncrc -\u003e payload to retrieve (1-DLL32b, 2-DLL64b, 3-ps1)\r\nuptime -\u003e time elapsed since initial infection (seconds)\r\nDifferent versions may carry more parameters. Example: hash time action os system tor\r\nRequirements\r\nPython3\r\ncryptopp library (libcrypto++6 debian repo)\r\nIf you run a Linux environment, you can just run the python script, which loads the Driver.so needed to perform decryption.\r\nIf you run a Windows OS, you should re-compile Driver.cpp and change the library loaded to the new one.\r\nAdditional info\r\nThe script needs the key that the malware uses for encryption.\r\nSome reverse engineering is required to get that info.\r\nHowever, observation shows that the key is usually shared among many samples and rarely changes.\r\nIf you don't have one, you can just run the script; it will try the predefined keys that we saw the malware use in the wild.\r\nContributions are welcome:\r\ntips on observed different behaviours of the malware\r\ndecryption for other phases of the communication with the C2 infrastructure\r\neverything that can help to fight this threat\r\nTwitter: https://twitter.com/matte_lodi\r\nSource: https://github.com/mlodic/ursnif_beacon_decryptor",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://github.com/mlodic/ursnif_beacon_decryptor"
	],
	"report_names": [
		"ursnif_beacon_decryptor"
	],
	"threat_actors": [],
	"ts_created_at": 1775434287,
	"ts_updated_at": 1775791230,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a503594de13fd08b958e944888a0cc60fb1e986b.pdf",
		"text": "https://archive.orkl.eu/a503594de13fd08b958e944888a0cc60fb1e986b.txt",
		"img": "https://archive.orkl.eu/a503594de13fd08b958e944888a0cc60fb1e986b.jpg"
	}
}
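The README in the record above describes the check-in URL format (a base64-looking path with `_2F` standing in for `/`, split across segments under a decoy directory) and the meaning of the decoded query-string parameters. The following Python is an added example, not code from the ursnif_beacon_decryptor repository: it reverses the URL-layer encoding down to raw ciphertext bytes, offers a structural pre-filter for triage, builds a path the way the bot does so the two directions can be checked against each other, and parses a decoded query string into the documented fields. It does not reproduce the decryption that the repository delegates to Driver.so. Assumptions, labelled in the code as well: the first path segment is a decoy directory and a trailing file extension is decoy too; `_2B` -> `+` and `_00` -> `=` are taken from public ISFB write-ups rather than from the README; the 32-byte minimum ciphertext size is a loose floor chosen here; the query string with `server`, `id`, `crc` and `uptime` is constructed to look like the README's example, not captured traffic.

```python
"""Helpers for the Ursnif v3 (ISFB) check-in URL format documented in the README above.

Added example, not code from the ursnif_beacon_decryptor repository. It covers the
URL-layer encoding (path segments <-> ciphertext bytes) and the decoded parameter
list; the block-cipher decryption that the repository delegates to Driver.so is
not reproduced here.
"""
import base64
import re
from urllib.parse import urlsplit

# Base64 characters that cannot sit raw in a URL path are escaped by the bot.
# '_2F' -> '/' is visible in the README's example path; '_2B' -> '+' and
# '_00' -> '=' are assumptions taken from public ISFB write-ups, not from the README.
URL_ESCAPES = {"_2F": "/", "_2B": "+", "_00": "="}

# Meaning of the 'crc' parameter, from the README's parameter list.
PAYLOAD_TYPES = {"1": "DLL32b", "2": "DLL64b", "3": "ps1"}

# The joined data segments must be base64 alphabet plus the escapes above.
_ESCAPED_B64_RE = re.compile(r"^(?:[A-Za-z0-9]|_2F|_2B|_00)+$")

# Loose floor for a plausible check-in (assumption: even a minimal
# soft/version/user query string does not fit in a single 16-byte block).
_MIN_CIPHERTEXT = 32


def data_segments(url_or_path):
    """Path segments that carry encoded data.

    Assumptions: the first segment ('images' in the README example) is a decoy
    directory, and a file extension on the last segment is decoy as well.
    """
    segments = [s for s in urlsplit(url_or_path).path.split("/") if s][1:]
    if segments and "." in segments[-1]:
        segments[-1] = segments[-1].split(".", 1)[0]
    return segments


def path_to_base64(url_or_path):
    """Join the segments, reverse the escapes and repair missing '=' padding."""
    text = "".join(data_segments(url_or_path))
    for esc, ch in URL_ESCAPES.items():
        text = text.replace(esc, ch)
    padding = -len(text) % 4
    if padding == 3:  # no base64 string ever needs three pad characters
        raise ValueError("length is not a valid base64 quantum")
    return text + "=" * padding


def path_to_ciphertext(url_or_path):
    """Raw ciphertext bytes to hand to the decryptor (ValueError if not base64)."""
    return base64.b64decode(path_to_base64(url_or_path), validate=True)


def looks_like_ursnif_checkin(url_or_path):
    """Structural pre-filter for triage; confirmation still needs a successful decryption."""
    joined = "".join(data_segments(url_or_path))
    if not _ESCAPED_B64_RE.match(joined):
        return False
    try:
        return len(path_to_ciphertext(url_or_path)) >= _MIN_CIPHERTEXT
    except ValueError:
        return False


def ciphertext_to_path(ciphertext, directory="images", chunk=12):
    """The bot's side of the encoding, i.e. the inverse of path_to_ciphertext.

    Real samples split the text at random positions; a fixed chunk size keeps the
    output reproducible. A split inside an escape sequence is harmless because the
    decoder joins the segments before un-escaping.
    """
    text = base64.b64encode(ciphertext).decode("ascii")
    for esc, ch in URL_ESCAPES.items():
        text = text.replace(ch, esc)
    segments = [text[i:i + chunk] for i in range(0, len(text), chunk)]
    return "/" + "/".join([directory] + segments)


def parse_checkin(decoded):
    """Parse the decrypted query string into the fields the README documents.

    The first parameter is the random junk pad and only its name is kept; 'crc'
    is mapped to the payload type and 'uptime' is converted to integer seconds.
    """
    fields = {}
    for index, pair in enumerate(decoded.split("&")):
        key, _, value = pair.partition("=")
        if index == 0:
            fields["junk_param"] = key
        else:
            fields[key] = value
    if "crc" in fields:
        fields["payload"] = PAYLOAD_TYPES.get(fields["crc"], "unknown")
    if "uptime" in fields:
        fields["uptime"] = int(fields["uptime"])
    return fields


if __name__ == "__main__":
    # Check-in URL from the README's example output.
    example = ("http://qjdyugisselle.club/images/NM_2Ff8mqmMQjmr/"
               "c842xf8TIJp_2FlmC5/Ulz244kFh/KMjQpHVvOnBhk")
    print(looks_like_ursnif_checkin(example), path_to_base64(example))
    # Constructed query string shaped like the README's decoded data.
    print(parse_checkin("qwerty=abcd&soft=3&version=217173&user=a618b5f78c4ff"
                        "&server=12&id=1000&crc=2&uptime=3600"))
```

`looks_like_ursnif_checkin` is deliberately a shape check only: a path made of base64-looking segments is common enough on ordinary sites that it should feed a decryption attempt, not an alert on its own. Because the decoder joins all segments before un-escaping, it does not matter where the bot inserted the `/` separators, which is why `ciphertext_to_path` may split inside an escape sequence and still round-trip.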