Practical Examples of URL Hunting Queries - Part 1

Random and interesting URLScan queries. Use these as an educational resource, or as starting points for investigations and experimentation. Each query is a regular expression over page.url (the scanned page's final URL), optionally combined with other urlscan fields such as page.server, page.status, page.mimeType, stats.requests and files.filename. urlscan search is backed by Elasticsearch, whose regexp queries must match the whole field value, so every pattern is implicitly anchored at both ends: a pattern that "ends in /api" will not match a URL with anything after /api. Hits are leads, not verdicts; triage them before acting on them.

Lumma Stealer

  • single-label domain of lowercase letters only (no subdomain, digits or hyphens)
  • any top level domain (TLD)
  • URL path ends in /api
  • Server response header is cloudflare (page.server), i.e. the host is behind Cloudflare

Link To Search

page.url:/https?:\/\/[a-z]+\.[a-z]+\/api/ AND page.server:cloudflare

Stealc

  • IP address (no domain name)
  • 16-character .php filename made of lowercase letters and digits

Link To Search

page.url:/https?:\/\/[0-9\.]+\/[a-z0-9]{16}\.php/

MassLogger/VIPKeylogger

  • IP Address, no domain
  • /txt/ folder
  • 13-18 character .exe file

Link To Search

page.url:/https?:\/\/[0-9\.]+\/txt\/[a-z0-9]{13,18}\.exe/

FakeUpdates

  • single-label domain of lowercase letters or digits (no subdomain or hyphens)
  • Any top level domain
  • /font/ folder
  • Any lowercase .php file as filename
  • Page served as text/html (page.mimeType)
  • Scan made exactly 2 requests (stats.requests)

Link To Search

page.url:/https?:\/\/[0-9a-z]+\.[a-z]+\/font\/[a-z]+\.(php)/ AND page.mimeType:"text/html" AND stats.requests:2

MassLogger?

  • ip address (no domain)
  • htdocs as folder name
  • .exe file, approx 15 characters long (allowing for 13-18)

Link To Search

page.url:/https?:\/\/[0-9\.]+\/(htdocs)\/[a-z0-9]{13,18}\.exe/

StealC Again

  • http or https
  • IP (no domain name)
  • 16 character folder name
  • FileName of sqlite3.dll, mozglue.dll, or vcruntime140.dll

Link To Search

page.url:/https?:\/\/[0-9\.]+\/[a-z0-9]{16}\/(sqlite3|mozglue|vcruntime140)\.dll/

DCRAT

  • 8-character subdomain: 1 letter followed by 7 digits
  • Any primary domain, alphabetical characters
  • Any top level domain
  • 8 character .php file

Link To Search

page.url:/https?:\/\/[a-z][0-9]{7}\.[a-z]+\.[a-z]+\/[a-z0-9]{8}\.php/

Amadey

  • IP Address (no domain name)
  • 8-10 character folder name, mostly random
  • URL ending in /index.php
  • Page returned HTTP 404 (page.status)

Link To Search

page.url:/https?:\/\/[0-9\.]+\/[a-z0-9]{8,10}\/index\.php/ AND page.status:404

SmartLoader

  • IP Address
  • /task/ folder
  • 40 character filename with no extension

Link To Search

page.url:/https?:\/\/[0-9\.]+\/task\/[a-zA-Z0-9]{40}/

Executable Files From WordPress Sites

  • Any domain or IP (the leading .* is needed because the regexp must match the whole URL)
  • wp-admin or wp-includes folder, optionally one lowercase subfolder
  • URL ending in a lowercase .php file
  • A downloaded file with an .exe filename (files.filename)

Link To Search

files.filename:*.exe AND page.url:/.*\/wp\-(includes|admin)(\/[a-z]+)?\/[a-z]+\.php/
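The queries above are only useful once you can test them offline against your own data (proxy logs, sandbox reports, an export of urlscan results) and see which ones fire. The following Python script, added here as an example and not part of the original page or of urlscan itself, re-implements every query on this page as a rule over a record with urlscan-style field names. It uses re.fullmatch to reproduce Elasticsearch's whole-value regexp matching, carries each query's extra field conditions (page.server, page.status, page.mimeType, stats.requests, files.filename) as a predicate, and runs the rules over a constructed set of sample URLs. The sample records, the rule names, and the helper function names are my own; the urlscan search endpoint in build_search_url is the real API path but is only assembled, never called.

```python
import re
from urllib.parse import quote

# Constructed scan record with urlscan-like field names (not real urlscan data).
def rec(url, server="nginx", status=200, mime="text/html", requests=1, files=()):
    return {"page.url": url, "page.server": server, "page.status": status,
            "page.mimeType": mime, "stats.requests": requests,
            "files.filename": list(files)}

# Each rule: (name, page.url regexp copied from the page, extra condition or None).
# The patterns only use the regex subset shared by Lucene and Python's re,
# so they can be reused verbatim; \/ is a harmless escape in Python.
RULES = [
    ("Lumma Stealer", r"https?:\/\/[a-z]+\.[a-z]+\/api",
     lambda r: r["page.server"] == "cloudflare"),
    ("Stealc", r"https?:\/\/[0-9\.]+\/[a-z0-9]{16}\.php", None),
    ("MassLogger/VIPKeylogger", r"https?:\/\/[0-9\.]+\/txt\/[a-z0-9]{13,18}\.exe", None),
    ("FakeUpdates", r"https?:\/\/[0-9a-z]+\.[a-z]+\/font\/[a-z]+\.(php)",
     lambda r: r["page.mimeType"] == "text/html" and r["stats.requests"] == 2),
    ("MassLogger (htdocs)", r"https?:\/\/[0-9\.]+\/(htdocs)\/[a-z0-9]{13,18}\.exe", None),
    ("StealC (dll)", r"https?:\/\/[0-9\.]+\/[a-z0-9]{16}\/(sqlite3|mozglue|vcruntime140)\.dll", None),
    ("DCRAT", r"https?:\/\/[a-z][0-9]{7}\.[a-z]+\.[a-z]+\/[a-z0-9]{8}\.php", None),
    ("Amadey", r"https?:\/\/[0-9\.]+\/[a-z0-9]{8,10}\/index\.php",
     lambda r: r["page.status"] == 404),
    ("SmartLoader", r"https?:\/\/[0-9\.]+\/task\/[a-zA-Z0-9]{40}", None),
    ("Executable from WordPress", r".*\/wp\-(includes|admin)(\/[a-z]+)?\/[a-z]+\.php",
     lambda r: any(f.endswith(".exe") for f in r["files.filename"])),
]
COMPILED = [(name, re.compile(pat), cond) for name, pat, cond in RULES]

def match_rules(record):
    """Return the names of all rules a record satisfies, in page order.
    fullmatch mirrors Elasticsearch's anchored regexp semantics."""
    hits = []
    for name, rx, cond in COMPILED:
        if rx.fullmatch(record["page.url"]) and (cond is None or cond(record)):
            hits.append(name)
    return hits

def hunt(records):
    """Map each matching URL to the rules it triggered; non-matches are dropped."""
    return {r["page.url"]: names for r in records if (names := match_rules(r))}

def build_search_url(query, size=100):
    """Assemble the urlscan search API request for a query (not sent here).
    Encoding everything, including '/', keeps the regex delimiters intact."""
    return f"https://urlscan.io/api/v1/search/?q={quote(query, safe='')}&size={size}"

# Constructed examples: one positive per rule plus negatives that fail only
# on the extra condition, to show the non-URL fields matter.
SAMPLE_RESULTS = [
    rec("https://fdfdsfs.shop/api", server="cloudflare"),          # Lumma
    rec("https://fdfdsfs.shop/api", server="nginx"),               # URL fits, server does not
    rec("http://192.0.2.10/ab12cd34ef56gh78.php"),                  # Stealc
    rec("http://192.0.2.10/txt/abcdef1234567.exe"),                 # MassLogger/VIPKeylogger
    rec("https://cdn1.site/font/load.php", requests=2),             # FakeUpdates
    rec("http://198.51.100.7/htdocs/abcdef1234567.exe"),            # MassLogger (htdocs)
    rec("http://192.0.2.10/ab12cd34ef56gh78/sqlite3.dll"),          # StealC (dll)
    rec("https://a1234567.badsite.top/abcd1234.php"),               # DCRAT
    rec("http://192.0.2.10/abcdefgh/index.php", status=404),        # Amadey
    rec("http://192.0.2.10/abcdefgh/index.php", status=200),        # right path, wrong status
    rec("http://192.0.2.10/task/" + "aB3" * 13 + "x"),              # SmartLoader (40 chars)
    rec("https://blog.example.com/wp-includes/js/update.php",
        files=["setup.exe"]),                                       # WordPress exe
]

if __name__ == "__main__":
    for url, names in hunt(SAMPLE_RESULTS).items():
        print(f"{', '.join(names):28} {url}")
    print(build_search_url(RULES[7][1]))
```

Swap SAMPLE_RESULTS for your own records (for example rows parsed from a urlscan export or proxy log) to see which hunting patterns fire; the Amadey negative with status 200 and the Lumma negative with a non-Cloudflare server show why the extra field conditions belong in the rule and not just in the regex.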