abuse.ch Threat Intelligence Real Time Feed

There are several real time feeds available from abuse.ch. Each feed is distributed through a different channel and exposes a different set of data.

URLhaus

The feed name is urlhaus. URLhaus is a project from abuse.ch with the goal of sharing malicious URLs that are being used for malware distribution. This real time feed provides notification whenever:

  • A new URL gets reported (and subsequently added) to URLhaus;

  • A tracked URL gets removed from URLhaus, either by the initial reporter (submitter) of the URL or by the admin (e.g. in case of a false positive);

  • The information on a URL tracked by URLhaus changes (e.g. tags get added or removed, url_status changes);

  • A payload gets observed in combination with a URL tracked by URLhaus;

  • The information on a payload changes for a URL tracked by URLhaus (e.g. malware family associated with a payload).

URL Additions

This message gets triggered when a new URL gets reported (and subsequently added) to the URLhaus database.

The message has the following format:

{
    "_idx": 123456,
    "_ts": 12345678,
    "uuid": "2F4C0B31-B9A0-4D6B-81FF-43C6300D40CC",
    "type": "url_addition",
    "id": 2272298,
    "url": "http://201.138.189.134:46829/.i",
    "host": "201.138.189.134",
    "url_status": "online",
    "anonymous": false,
    "reporter": "geenensp",
    "tags": [
        "Hajime"
    ]
}

Each field has the following content:

  • _idx is an integer representing the incremental number of the message.

  • _ts is the Unix timestamp, indicating when the message was received by the real time infrastructure.

  • uuid is an internal, unique identifier for the message. This is the property that should be used to dedupe the incoming flows where necessary.

  • type defines the type of message.

  • id represents the ID of the URL in the URLhaus database. It uniquely identifies the specific URL tracked and can also be used to assemble the HTTP link to the URLhaus record page (https://urlhaus.abuse.ch/url/id/).

  • url is the added URL.

  • host is the host associated with this URL (extracted from the URL).

  • url_status is a string that represents the status of the URL. Possible values are ‘online’, ‘offline’, and ‘unknown’. ‘unknown’ is reported when the URL has not yet been checked by URLhaus.

  • anonymous is a boolean value indicating if the reporter of the URL wants to stay anonymous.

  • reporter is the handle of the reporter of the URL or ‘null’ if it should be anonymous. Currently, the handle equals the Twitter handle of the reporter. After migration to a new authentication system for abuse.ch, this handle will change to one from abuse.ch’s own authentication platform.

  • tags are a list of tags associated with the added URL, as shown in URLhaus. Tags are “free field” and defined by the reporter (submitter) for the URL.

URL removals

This message is generated every time a URL is removed from the URLhaus database.

The message has the following format:

{
    "_idx": 123456,
    "_ts": 12345678,
    "uuid": "0994b98e-6618-4344-856e-d893dda63057",
    "type": "url_removal",
    "id": 1882954,
    "url": "http://175.107.6.22:50423/mozi.maaa",
    "removal_note": "Removed by admin"
}

Each field has the following content:

  • _idx is an integer representing the incremental number of the message.

  • _ts is the Unix timestamp, indicating when the message was received by the real time infrastructure.

  • uuid is an internal, unique identifier for the message. This is the property that should be used to dedupe the incoming flows where necessary.

  • type defines the type of message.

  • id represents the ID of the URL in the URLhaus database. This is needed to assemble the HTTP link to the URLhaus record page.

  • url is the URL that was removed.

  • removal_note is a text string, human-readable, that describes why the URL has been removed.

URL changes

This message is generated every time a URL changes its state.

A state change is defined as the following:

  • when the URL changes;

  • when the status switches from online to offline and vice versa;

  • when any tag is added, removed or changed.

The message has the following format:

{
    "_idx": 123456,
    "_ts": 12345678,
    "uuid": "ba2221cb-3e11-4a4d-a95a-35c0551c18d1",
    "type": "url_change",
    "id": 50428,
    "url": "http://ld.mediaget.com/index4.php?l=en",
    "field": "url_status",
    "value": "offline",
    "action": "change"
}

Each field has the following content:

  • _idx is an integer representing the incremental number of the message.

  • _ts is the Unix timestamp, indicating when the message was received by the real time infrastructure.

  • uuid is an internal, unique identifier for the message. This is the property that should be used to dedupe the incoming flows where necessary.

  • type defines the type of message.

  • id represents the ID of the URL in the URLhaus database. This is needed to assemble the HTTP link to the URLhaus record page (https://urlhaus.abuse.ch/url/id/).

  • url is the URL being modified.

  • field shows which field has been changed. Fields currently supported are tag and url_status.

  • value is the new value of the affected field.

  • action is the action applied to the field: add, remove or change.
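Putting the three URL message types together, here is an added consumer (example code, not abuse.ch's own client) that dedupes on uuid, applies url_addition, url_change and url_removal to a local table, and assembles the record link from id. The sample stream is constructed from the page's examples; the tag "elf" and the last two UUIDs are made up.

```python
import json
from dataclasses import dataclass, field

# Record page for a URL id, as given on the page: https://urlhaus.abuse.ch/url/<id>/
URLHAUS_RECORD_BASE = "https://urlhaus.abuse.ch/url/"
VALID_STATUS = ("online", "offline", "unknown")


@dataclass
class TrackedUrl:
    id: int
    url: str
    host: str
    url_status: str                       # one of VALID_STATUS
    tags: set = field(default_factory=set)

    @property
    def record_link(self) -> str:
        return f"{URLHAUS_RECORD_BASE}{self.id}/"


class UrlhausState:
    """Local mirror of URLhaus entries built from url_addition/url_change/url_removal."""

    def __init__(self):
        self.seen_uuids = set()           # dedupe key, as the page recommends
        self.urls = {}                    # id -> TrackedUrl
        self.removed = {}                 # id -> removal_note
        self.ignored = []                 # (uuid, reason) for messages not applied

    def handle(self, raw: str) -> bool:
        msg = json.loads(raw)
        uuid = msg["uuid"].lower()        # the page shows UUIDs in both cases
        if uuid in self.seen_uuids:
            self.ignored.append((uuid, "duplicate uuid"))
            return False
        self.seen_uuids.add(uuid)
        handler = {"url_addition": self._add, "url_change": self._change,
                   "url_removal": self._remove}.get(msg["type"])
        if handler is None:
            self.ignored.append((uuid, "unhandled type %s" % msg["type"]))
            return False
        return handler(uuid, msg)         # True when local state changed

    def _add(self, uuid, msg) -> bool:
        self.urls[msg["id"]] = TrackedUrl(msg["id"], msg["url"], msg["host"],
                                          msg["url_status"], set(msg.get("tags") or []))
        self.removed.pop(msg["id"], None)  # a removed id may be reported again
        return True

    def _change(self, uuid, msg) -> bool:
        entry = self.urls.get(msg["id"])
        if entry is None:                 # change for a URL we never saw added
            self.ignored.append((uuid, "change for unknown id"))
            return False
        fld, action, value = msg["field"], msg["action"], msg["value"]
        if fld == "url_status" and action == "change" and value in VALID_STATUS:
            entry.url_status = value
        elif fld == "tag" and action == "add":
            entry.tags.add(value)
        elif fld == "tag" and action == "remove":
            entry.tags.discard(value)
        else:                             # field/action pair the page does not define
            self.ignored.append((uuid, "unsupported change %s/%s" % (fld, action)))
            return False
        return True

    def _remove(self, uuid, msg) -> bool:
        self.urls.pop(msg["id"], None)
        self.removed[msg["id"]] = msg.get("removal_note") or ""
        return True

    def online_hosts(self) -> set:
        # hosts whose URL is still marked online, e.g. for a proxy blocklist
        return {u.host for u in self.urls.values() if u.url_status == "online"}


def replay(messages) -> UrlhausState:
    state = UrlhausState()
    for raw in messages:
        state.handle(raw)
    return state


# Constructed sample stream after the page's examples; tag "elf" and the last two UUIDs
# are made up. Message 3 is message 2 redelivered with the same uuid in upper case.
SAMPLE_FEED = [json.dumps(m) for m in [
    {"_idx": 1, "_ts": 12345678, "uuid": "2F4C0B31-B9A0-4D6B-81FF-43C6300D40CC",
     "type": "url_addition", "id": 2272298, "url": "http://201.138.189.134:46829/.i",
     "host": "201.138.189.134", "url_status": "online", "anonymous": False,
     "reporter": "geenensp", "tags": ["Hajime"]},
    {"_idx": 2, "_ts": 12345680, "uuid": "ba2221cb-3e11-4a4d-a95a-35c0551c18d1",
     "type": "url_change", "id": 2272298, "url": "http://201.138.189.134:46829/.i",
     "field": "tag", "value": "elf", "action": "add"},
    {"_idx": 2, "_ts": 12345680, "uuid": "BA2221CB-3E11-4A4D-A95A-35C0551C18D1",
     "type": "url_change", "id": 2272298, "url": "http://201.138.189.134:46829/.i",
     "field": "tag", "value": "elf", "action": "add"},
    {"_idx": 3, "_ts": 12345681, "uuid": "11111111-2222-4333-8444-555555555555",
     "type": "url_change", "id": 2272298, "url": "http://201.138.189.134:46829/.i",
     "field": "url_status", "value": "offline", "action": "change"},
    {"_idx": 4, "_ts": 12345682, "uuid": "22222222-3333-4444-8555-666666666666",
     "type": "url_removal", "id": 2272298, "url": "http://201.138.189.134:46829/.i",
     "removal_note": "Removed by admin"},
]]
```

Replaying SAMPLE_FEED leaves one removed entry and one ignored duplicate; feed messages one at a time through handle() to watch the tags and url_status evolve.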

New file download

On release, this message will get triggered every time a new file download is available. A new file download is defined whenever URLhaus is able to retrieve a new (unseen) payload from a URL it tracks.

{
    "_idx": 123456,
    "_ts": 12345678,
    "uuid": "f5cdf155-8c93-4389-90fa-116ce977e2f1",
    "type": "file_download",
    "sha256_hash": "477fed0554457b36c085b2e9174edd978e7fe537840eb793d038bec798f8e129",
    "md5_hash": "cc1924283df97f24500f5559c95098ca"
}

Each field has the following content:

  • _idx is an integer representing the incremental number of the message.

  • _ts is the Unix timestamp, indicating when the message was received by the real time infrastructure.

  • uuid is an internal, unique identifier for the message. This is the property that should be used to dedupe the incoming flows where necessary.

  • type describes the type of this message and is always “file_download”.

  • sha256_hash is the SHA256 hash of the file.

  • md5_hash is the MD5 hash of the file.

Observed payloads

This message gets triggered every time a payload gets observed in combination with a URL, no matter whether the payload has been seen before or not (see New file download above).

The message has the following format:

{
    "_idx": 123456,
    "_ts": 12345678,
    "uuid": "987c3174-7854-40f8-a365-99ad523bd08b",
    "type": "payload_observed",
    "id": 2579654,
    "url": "http://92.52.217.50/1120_002/csrss.exe",
    "mime_type": "application/x-dosexec",
    "file_type": "PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive",
    "file_ext": "exe",
    "file_size": 570442,
    "file_name": null,
    "md5_hash": "6e73708e3d21f04b6f18aa31a68f582e",
    "sha256_hash": "c46e251d3f75d5171ef41c926444aa590b089eca868141b1abad8ec0930b506e",
    "imphash": "e2a592076b17ef8bfb48b7e03965a3fc",
    "ssdeep": "12288:cqp+8Qve8l8AFe57GK1BoBXAPl0666xTzLSS0/K779NKKc06Kux:48Ue8l8HGK12wPl0666pF58h06Kux",
    "tlsh": "T163C4230423D2D22AE9638F72ABA3A9D9DBB2EB0146331507771C3FAF7732552851DB",
    "telfhash": null,
    "malware": null
}

Each field has the following content:

  • _idx is an integer representing the incremental number of the message.

  • _ts is the Unix timestamp, indicating when the message was received by the real time infrastructure.

  • uuid is an internal, unique identifier for the message. This is the property that should be used to dedupe the incoming flows where necessary.

  • type describes the type of this message and is always “payload_observed”.

  • id represents the ID of the URL in the URLhaus database. This is needed to assemble the HTTP link to the URLhaus record page (https://urlhaus.abuse.ch/url/id/).

  • url is the full URL from which the file was downloaded.

  • mime_type is the Multipurpose Internet Mail Extensions (MIME) type of the payload received.

  • file_type is the result of the Unix “file” command (not to be confused with the content-type header from the webserver).

  • file_ext is the guessed file extension (or ‘null’, if not available).

  • file_size is the size (in bytes) of the payload received.

  • file_name is the filename as extracted from the HTTP Content-Disposition header in the response. It’s ‘null’ if the info is not available.

  • md5_hash is the MD5 hash of the payload received.

  • sha256_hash is the SHA256 hash of the payload received.

  • imphash is the imphash of the payload received.

  • ssdeep is the ssdeep of the payload received.

  • tlsh is the tlsh of the payload received.

  • telfhash is the telfhash of the payload received.

  • malware is the malware family.

The Import Hash (ImpHash) is a hash over the functions imported by a Portable Executable (PE) file. More information about imphash is available here: https://secana.github.io/PeNet/articles/imphash.html

ssdeep is a program for computing Context Triggered Piecewise Hashes (CTPH). More information about ssdeep is available here: https://ssdeep-project.github.io/ssdeep/index.html

TLSH is a fuzzy matching program and library. More information about TLSH is available here: https://tlsh.org/

telfhash is a symbol hash for Executable and Linkable Format (ELF) files, just as imphash is the Import Hash for PE files. More information about telfhash is available here: https://github.com/trendmicro/telfhash

malware is the internal naming scheme of abuse.ch that identifies the malware family.

Payload changes

This message gets triggered when the metadata of the payload changes (e.g. the malware family).

The message has the following format:

{
    "_idx": 123456,
    "_ts": 12345678,
    "uuid": "087ff73b-3451-47d0-a226-1971c1927d98",
    "type": "payload_change",
    "md5_hash": "5dbd5adab3974080b52d01cb158e3f00",
    "sha256_hash": "773d9c42e57107d4e4c9286f477659bf22684be2f589cb9cc12ddea6cd1702ac",
    "field": "malware",
    "value": "CoinMiner",
    "action": "add"
}

Each field has the following format:

  • _idx is an integer representing the incremental number of the message.

  • _ts is the Unix timestamp, indicating when the message was received by the real time infrastructure.

  • uuid is an internal, unique identifier for the message. This is the property that should be used to dedupe the incoming flows where necessary.

  • type describes the type of this message and is always “payload_change”.

  • md5_hash is the MD5 hash of the payload received.

  • sha256_hash is the SHA256 hash of the payload received.

  • field shows the affected field where the change occurred. Currently, only malware is supported.

  • value is the new value of the affected field.

  • action is the action applied to the field: add, remove or change.

MalwareBazaar

The feed name is malwarebazaar. MalwareBazaar is a project from abuse.ch with the goal of sharing malware samples with the infosec community, AV vendors and threat intelligence providers. This real time feed provides a notification whenever:

  • A new malware sample is uploaded to MalwareBazaar;

  • The metadata of a file changes (e.g. tags, malware);

  • A file gets removed from MalwareBazaar, either by the initial reporter (submitter) of the file or by the admin (e.g. in case of a false positive).

File additions

This message is generated when a new file gets uploaded to MalwareBazaar.

The message has the following format:

{
    "_idx": 123456,
    "_ts": 12345678,
    "uuid": "f97b3a79-40b9-4863-ae40-01636298ee61",
    "type": "file_addition",
    "file_name": "DHL Shipment documents.exe",
    "file_size": 620544,
    "md5_hash": "e5a757537adac180cdbdb96d212e2edc",
    "sha256_hash": "5d027f10fc0bacdc530e40f75be7559f47416fe32ac9bbaa958e40e87cdbcb0a",
    "sha1_hash": "6a2685420e9ec3c8a39fbb134424c2fe1e937a1a",
    "sha3_384_hash": "878d562a7a8133245bdad18f4eba41434f2c39caa70245bbc0741de5d9a5167603054e91c9cc432f4b4d0ed96ccb107e",
    "humanhash": "quiet-nineteen-leopard-stream",
    "imphash": "f34d5f2d4577ed6d9ceec516c1f5a744",
    "ssdeep": "12288:2lyM2TgHvrmbbainkZRH8ZYvK+eKMc/w2kWhLIQbg0Fmki9bF32:2lEgPrliksZqIawcEQJk3",
    "tlsh": "T18BD4CFDF2ECC5605CC3A0774ECAC1184AAF2BDA53612D6DE5CA3709BC4B239C8758E56",
    "telfhash": null,
    "gimphash": null,
    "dhash_icon": "71f0c8cce8e0f071",
    "mime_type": "application/x-dosexec",
    "file_type": "PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows",
    "file_ext": "exe",
    "malware": "Loki",
    "anonymous": false,
    "reporter": "GovCERT_CH",
    "origin_country": "CH",
    "delivery_method": "Distributed via e-mail attachment",
    "tags": [
        "exe",
        "Loki"
    ],
    "comment": null
}

Each field has the following content:

  • _idx is an integer representing the incremental number of the message.

  • _ts is the Unix timestamp, indicating when the message was received by the real time infrastructure.

  • uuid is an internal, unique identifier for the message. This is the property that should be used to dedupe the incoming flows where necessary.

  • type defines the type of message. It’s always ‘file_addition’.

  • file_size is the size (in bytes) of the payload received.

  • file_name is the filename as extracted from the HTTP Content-Disposition header in the response.

  • md5_hash is the MD5 hash of the payload received.

  • sha256_hash is the SHA256 hash of the payload received.

  • sha1_hash is the SHA1 hash of the file.

  • sha3_384_hash is the SHA3-384 hash of the file.

  • humanhash is the human-readable hash.

  • imphash is the imphash of the payload received.

  • ssdeep is the ssdeep of the payload received.

  • tlsh is the tlsh of the payload received.

  • telfhash is the telfhash of the payload received.

  • gimphash is the gimphash of the file.

  • dhash_icon is the dhash of the file icon.

  • mime_type is the Multipurpose Internet Mail Extensions (MIME) type of the payload received.

  • file_type is the result from Unix “file” command.

  • file_ext is the guessed file extension (or ‘null’, if not available).

  • malware is the malware family.

  • tags is a list of tags associated with this file.

  • anonymous is a boolean that indicates whether the submitter of this file wants to remain anonymous or not.

  • reporter is the abuse.ch handle of the submitter of this file (or ‘null’, if not available).

  • origin_country is the two-letter country code of the country from which the submission was made.

  • delivery_method is the method by which this payload was delivered or spread.

  • comment is a comment from the reporter of the file (or ‘null’, if not available).

humanhash provides human-readable representations of digests. More information about humanhash is available here

File changes

This message gets triggered when metadata of a file changes (e.g. tags, malware).

Please note that this feed does not include threat intelligence from 3rd parties (e.g. vendors).

The message has the following format:

{
    "_idx": 123456,
    "_ts": 12345678,
    "uuid": "de47c35b-b5c5-4ad9-9f67-adbaab48c20f",
    "type": "file_change",
    "md5_hash": "8eb671d21d3712e417ca8a7a381286cc",
    "sha256_hash": "92c5936c5dc0d02c0f05838c2f7a0ebed0c9c066d6c0b5b87bbdbe47e3fe967a",
    "sha1_hash": "4592e126df0a7e6c7da4e98f3fbe5b45057fc6ac",
    "sha3_384_hash": "a7aec4774933b72c8681081e0dec01e568e4ab8036cfdb2a5f146ede70df083b7ab8559e1ccd5dfef603fff1f440534e",
    "field": "tag",
    "value": "test",
    "action": "remove"
}

Each field has the following format:

  • _idx is an integer representing the incremental number of the message.

  • _ts is the Unix timestamp, indicating when the message was received by the real time infrastructure.

  • uuid is an internal, unique identifier for the message. This is the property that should be used to dedupe the incoming flows where necessary.

  • type defines the type of message. It’s always ‘file_change’.

  • md5_hash is the MD5 hash of the payload received.

  • sha256_hash is the SHA256 hash of the payload received.

  • sha1_hash is the SHA1 hash of the file.

  • sha3_384_hash is the SHA3-384 hash of the file.

  • field shows the affected field where the change occurred (supported fields: tag, malware, file_ext).

  • value is the new value of the affected field.

  • action is an enumerated field that describes the action. May contain add, remove, change.

File removals

This message gets triggered when the reporter (user) of a file, or the administrator, removes a file from MalwareBazaar (e.g. due to a false positive).

This message has the following format:

{
    "_idx": 123456,
    "_ts": 12345678,
    "uuid": "ccf41785-a05a-4d77-bf27-cc012bddf7f6",
    "type": "file_removal",
    "md5_hash": "8eb671d21d3712e417ca8a7a381286cc",
    "sha256_hash": "92c5936c5dc0d02c0f05838c2f7a0ebed0c9c066d6c0b5b87bbdbe47e3fe967a",
    "sha1_hash": "4592e126df0a7e6c7da4e98f3fbe5b45057fc6ac",
    "sha3_384_hash": "a7aec4774933b72c8681081e0dec01e568e4ab8036cfdb2a5f146ede70df083b7ab8559e1ccd5dfef603fff1f440534e",
    "removal_note": "Removed by admin"
}

Each field has the following content:

  • _idx is an integer representing the incremental number of the message.

  • _ts is the Unix timestamp, indicating when the message was received by the real time infrastructure.

  • uuid is an internal, unique identifier for the message. This is the property that should be used to dedupe the incoming flows where necessary.

  • type defines the type of message. It’s always ‘file_removal’.

  • md5_hash is the MD5 hash of the payload received.

  • sha256_hash is the SHA256 hash of the payload received.

  • sha1_hash is the SHA1 hash of the file.

  • sha3_384_hash is the SHA3-384 hash of the file.

  • removal_note is a text string showing the removal note as inserted by the system or the remover.

YARA matches

This message gets triggered every time a YARA rule matches a file present on MalwareBazaar.

{
  "_idx": 123456,
  "_ts": 12345678,
  "uuid": "cca72b8c-50e8-4e2a-81bf-cb33a9ed1f0d",
  "type": "yara_match",
  "md5_hash": "d46a243899465e22b61c95ce73d11508",
  "sha256_hash": "e6f2d277d61fd27d2a6452619111c272047ff478247251c9ec5651f5f67e1519",
  "sha1_hash": "3d549aa079ed02ffa6d5b602ccb3b58a48b9f347",
  "sha3_384_hash": "af3ade9df479a0c882a73e5170977edee72aa4a45f2ee6fb6b4dde649a382d5b0129684936c0470f6532f2aa571d41a5",
  "yara": {
    "rule_name": "CAP_HookExKeylogger",
    "author": "Brian C. Bell -- @biebsmalwareguy",
    "description": null,
    "reference": "https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar",
    "tlp": "WHITE"
  }
}

Each field has the following content:

  • _idx is an integer representing the incremental number of the message.

  • _ts is the Unix timestamp, indicating when the message was received by the real time infrastructure.

  • uuid is an internal, unique identifier for the message. This is the property that should be used to dedupe the incoming flows where necessary.

  • type defines the type of message. It’s always ‘yara_match’.

  • md5_hash is the MD5 hash of the payload received.

  • sha256_hash is the SHA256 hash of the payload received.

  • sha1_hash is the SHA1 hash of the file.

  • sha3_384_hash is the SHA3-384 hash of the file.

  • yara.rule_name is the name of the matching YARA rule.

  • yara.author is the author of the matching YARA rule.

  • yara.description is the description of the matching YARA rule.

  • yara.reference is the reference of the matching YARA rule.

  • yara.tlp is the Traffic Light Protocol (TLP) of the matching YARA rule.

Code Signing Certificate Blocklist (CSCB) additions

This message gets triggered every time a certificate gets added to MalwareBazaar’s Code Signing Certificate Blocklist (CSCB).

{
  "_idx": 123456,
  "_ts": 12345678,
  "uuid": "7bcdb475-54b1-4113-8f12-a66e9b3fe389",
  "type": "cscb_addition",
  "subject_cn": "APPI CZ a.s",
  "issuer_cn": "Sectigo RSA Code Signing CA",
  "algorithm": "sha256WithRSAEncryption",
  "valid_from": "Oct 23 00:00:00 2020 GMT",
  "valid_to": "Oct 23 23:59:59 2021 GMT",
  "serial_number": "51CD5393514F7ACE2B407C3DBFB09D8D",
  "thumbprint_algorithm": "SHA256",
  "thumbprint": "D497A1698F4B9A558DED6CFD8BC4B1D881EEB3C04F349B215FFA89946F63C7F0",
  "bl_reason": "Quakbot",
  "malware_samples": [
    {
      "md5_hash": "c0e542a6270d57d5dc2c319a79e91c69",
      "sha256_hash": "1f622642ed6ea23622fb1786f08270c81b635c29b00350f7dc5ba41c76c0e3f7",
      "sha1_hash": "4eada9d3ff43852dbe527d8558358506eba58b6f",
      "sha3_384": "6b895fb5cac1dfd797461ffead69ec4bae30bf228c0a97b99318a8e3754e687b2847461e3a269a010e5dd9c6cc20b59d",
      "signature": "QuakBot",
      "first_seen": "2020-11-01 10:11:16 UTC"
    },
    {
      "md5_hash": "288bc129d402228bb3cac14828d26ecf",
      "sha256_hash": "3b948ca55076ceedc3e6915ff9db3ede5a24341b34ba5529b2baaae918f7cf30",
      "sha1_hash": "d5a6c35bbeb0990bb7d890abdaca1533f31305a2",
      "sha3_384": "2247ad44b4dee89b0847e72f68fc1a0a41b22d26359589df571214ba54f1b95691f7617ced1163879f2af0cee16740b7",
      "signature": "QuakBot",
      "first_seen": "2020-11-01 10:11:26 UTC"
    }
  ]
}

Each field has the following content:

  • _idx is an integer representing the incremental number of the message.

  • _ts is the Unix timestamp, indicating when the message was received by the real time infrastructure.

  • uuid is an internal, unique identifier for the message. This is the property that should be used to dedupe the incoming flows where necessary.

  • type defines the type of message. It’s always ‘cscb_addition’.

  • subject_cn is the Subject Common Name (CN).

  • issuer_cn is the Issuer Common Name (CN).

  • algorithm is the algorithm used.

  • valid_from is the date and time from which this Code Signing Certificate is valid.

  • valid_to is the date and time until which this Code Signing Certificate is valid.

  • serial_number is the serial number of the Code Signing Certificate.

  • thumbprint_algorithm is the thumbprint algorithm.

  • thumbprint is the thumbprint.

  • bl_reason is the Code Signing Certificate Blocklist (CSCB) listing reason.

  • malware_samples is a list of malware samples signed with this Code Signing Certificate.
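As an added example (not abuse.ch code), the following turns a cscb_addition message into a lookup table keyed by thumbprint and by issuer plus serial number, normalising the hex forms different tools emit and parsing the OpenSSL-style validity dates the feed uses. The sample message is a constructed copy of the page's example with _idx and _ts added and only the first malware sample kept.

```python
import json
import re
from datetime import datetime, timezone

# Certificate dates in the feed use OpenSSL's text form, e.g. "Oct 23 00:00:00 2020 GMT";
# strptime's %d also accepts the space-padded day OpenSSL prints for days below 10.
CSCB_DATE_FORMAT = "%b %d %H:%M:%S %Y GMT"


def parse_cscb_date(text: str) -> datetime:
    return datetime.strptime(text, CSCB_DATE_FORMAT).replace(tzinfo=timezone.utc)


def parse_utc(text: str) -> datetime:
    # "2020-11-01 10:11:16 UTC" (the first_seen form) or a plain ISO timestamp, taken as UTC
    return datetime.fromisoformat(text.replace(" UTC", "")).replace(tzinfo=timezone.utc)


def norm_hex(value: str) -> str:
    # Thumbprints and serials appear as "AB:CD", "ab cd" or "abcd" depending on the tool.
    return re.sub(r"[^0-9a-fA-F]", "", value).upper()


class CertBlocklist:
    """In-memory CSCB mirror, searchable by thumbprint and by issuer + serial number."""

    def __init__(self):
        self.seen_uuids = set()
        self.by_thumbprint = {}      # (thumbprint_algorithm, thumbprint) -> entry
        self.by_issuer_serial = {}   # (issuer_cn, serial_number) -> entry

    def ingest(self, raw: str) -> bool:
        """Apply one cscb_addition message; False for duplicates or other message types."""
        msg = json.loads(raw)
        uuid = msg["uuid"].lower()
        if msg.get("type") != "cscb_addition" or uuid in self.seen_uuids:
            return False
        self.seen_uuids.add(uuid)
        entry = {
            "subject_cn": msg["subject_cn"],
            "issuer_cn": msg["issuer_cn"],
            "serial_number": norm_hex(msg["serial_number"]),
            "algorithm": msg["algorithm"],
            "valid_from": parse_cscb_date(msg["valid_from"]),
            "valid_to": parse_cscb_date(msg["valid_to"]),
            "bl_reason": msg["bl_reason"],
            # SHA256 of each sample signed with the cert, for cross-checking file hashes
            "sample_sha256": [s["sha256_hash"] for s in msg.get("malware_samples", [])],
        }
        key = (msg["thumbprint_algorithm"].upper(), norm_hex(msg["thumbprint"]))
        self.by_thumbprint[key] = entry
        self.by_issuer_serial[(msg["issuer_cn"], entry["serial_number"])] = entry
        return True

    def lookup_thumbprint(self, thumbprint: str, algorithm: str = "SHA256"):
        return self.by_thumbprint.get((algorithm.upper(), norm_hex(thumbprint)))

    def lookup_issuer_serial(self, issuer_cn: str, serial_number: str):
        return self.by_issuer_serial.get((issuer_cn, norm_hex(serial_number)))

    def verdict(self, thumbprint: str, signing_time: str) -> str:
        """'blocked: <reason> (...)' when the signer is listed, else 'not listed'.
        A listed certificate is blocked regardless of its validity window; whether the
        signature fell inside the window is reported only as context for the analyst."""
        entry = self.lookup_thumbprint(thumbprint)
        if entry is None:
            return "not listed"
        inside = entry["valid_from"] <= parse_utc(signing_time) <= entry["valid_to"]
        return "blocked: %s (signed %s validity window)" % (
            entry["bl_reason"], "inside" if inside else "outside")


# Constructed copy of the page's cscb_addition example, with _idx/_ts added and only the
# first malware sample kept.
SAMPLE_CSCB = json.dumps({
    "_idx": 123456, "_ts": 12345678, "uuid": "7bcdb475-54b1-4113-8f12-a66e9b3fe389",
    "type": "cscb_addition", "subject_cn": "APPI CZ a.s",
    "issuer_cn": "Sectigo RSA Code Signing CA", "algorithm": "sha256WithRSAEncryption",
    "valid_from": "Oct 23 00:00:00 2020 GMT", "valid_to": "Oct 23 23:59:59 2021 GMT",
    "serial_number": "51CD5393514F7ACE2B407C3DBFB09D8D", "thumbprint_algorithm": "SHA256",
    "thumbprint": "D497A1698F4B9A558DED6CFD8BC4B1D881EEB3C04F349B215FFA89946F63C7F0",
    "bl_reason": "Quakbot",
    "malware_samples": [{
        "md5_hash": "c0e542a6270d57d5dc2c319a79e91c69",
        "sha256_hash": "1f622642ed6ea23622fb1786f08270c81b635c29b00350f7dc5ba41c76c0e3f7",
        "sha1_hash": "4eada9d3ff43852dbe527d8558358506eba58b6f",
        "sha3_384": "6b895fb5cac1dfd797461ffead69ec4bae30bf228c0a97b99318a8e3754e687b2847461e3a269a010e5dd9c6cc20b59d",
        "signature": "QuakBot", "first_seen": "2020-11-01 10:11:16 UTC"}],
})
```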

ThreatFox

The feed name is threatfox. ThreatFox is a free platform from abuse.ch with the goal of sharing indicators of compromise (IOCs) associated with malware with the infosec community, AV vendors and threat intelligence providers. This real time feed provides a notification whenever:

  • An IOC is pushed to ThreatFox (no matter whether it has been seen before or not);

  • The meta information of an IOC changes;

  • An IOC gets removed by the initial reporter (submitter) of an IOC, or by the admin (e.g. in case of a false positive).

IOC additions

This message gets triggered when a new IOC is pushed to ThreatFox or an IOC that is already known to ThreatFox gets pushed to the platform again.

The message has the following format:

{
    "_idx": 123456,
    "_ts": 12345678,
    "uuid": "ddd8b411-77e5-4311-b36b-e15ee390ee9f",
    "type": "ioc_addition",
    "id": 795292,
    "ioc": "76.25.142.196:443",
    "confidence_level": 75,
    "ioc_type": "ip:port",
    "threat_type": "botnet_cc",
    "threat_type_description": "ip:port combination that is used for botnet Command&control (C&C)",
    "sightings": 45052,
    "malware": "win.qakbot",
    "malware_printable": "QakBot",
    "malware_alias": [
        "Oakboat",
        "Pinkslipbot",
        "Qbot",
        "Quakbot"
    ],
    "anonymous": false,
    "reporter": "abuse_ch",
    "reward": [
      {
       "credits_from": "anonymous",
       "credits_amount": 10
      },
      {
       "credits_from": "0xrb",
       "credits_amount": 10
      }
    ],
    "tags": [
        "QakBot|#6CA981"
    ],
    "reference": "https://search.censys.io/hosts/45.61.137.200",
    "comment": "QakBot botnet C2 detected by Feodo Tracker"
}

Each field has the following content:

  • _idx is an integer representing the incremental number of the message.

  • _ts is the Unix timestamp, indicating when the message was received by the real time infrastructure.

  • uuid is an internal, unique identifier for the message. This is the property that should be used to dedupe the incoming flows where necessary.

  • type defines the type of message. It’s always ‘ioc_addition’.

  • id is the ThreatFox ID of the IOC. You can also use this ID to craft the link to see the entry on the ThreatFox platform (https://threatfox.abuse.ch/ioc/id/).

  • ioc is the IOC (value).

  • ioc_type is the type of the IOC (example: ip:port). A list of possible values is available through the API: https://threatfox.abuse.ch/api/#types

  • confidence_level is the confidence level of this IOC (set by the reporter). The value is between 0 and 100.

  • threat_type is the type of threat - a list of possible values is available through the API: https://threatfox.abuse.ch/api/#types

  • threat_type_description is a short, human-readable description of threat_type.

  • malware is the malware family (using the Malpedia naming scheme).

  • malware_printable is the printable name of the malware family (Malpedia).

  • malware_alias is the list of malware aliases (Malpedia).

  • sightings indicates how many times this IOC has been reported/observed.

  • anonymous is a boolean that indicates whether the submitter of this IOC wants to remain anonymous or not.

  • reporter is the abuse.ch handle of the submitter of this IOC (or ‘null’).

  • reward is a list of rewards (credits) the reporter received from other users for this submission.

  • tags is a list of tags associated with this IOC. A list of current tags is available through the API: https://threatfox.abuse.ch/api/#tag-list

  • reference is the reference (URL).

  • comment is a human-readable string comment from the reporter on this IOC.

IOC changes

This message gets triggered when the metadata of an IOC changes (e.g. tag or malware family).

The message has the following format:

{
     "_idx": 123456,
     "_ts": 12345678,
     "uuid": "dcf90eeb-2093-41db-ac6d-fd879daae478",
     "type": "ioc_change",
     "id": 843106,
     "ioc": "http://wewilltoptheearth.top/index.php",
     "ioc_type": "url",
     "threat_type": "botnet_cc",
     "threat_type_description": "URL that is used for botnet Command&control (C&C)",
     "field": "tag",
     "value": "test",
     "action": "add"
} 

Each field has the following content:

  • _idx is an integer representing the incremental number of the message.

  • _ts is the Unix timestamp, indicating when the message was received by the real time infrastructure.

  • uuid is an internal, unique identifier for the message. This is the property that should be used to dedupe the incoming flows where necessary.

  • type defines the type of message. It’s always ‘ioc_change’.

  • id is the ThreatFox ID of the IOC. You can also use this ID to craft the link to see the entry on the ThreatFox platform (https://threatfox.abuse.ch/ioc/id/).

  • ioc is the IOC (value).

  • ioc_type is the type of the IOC (example: ip:port). A list of possible values is available through the API: https://threatfox.abuse.ch/api/#types

  • threat_type is the threat type. A list of possible values is available through the API: https://threatfox.abuse.ch/api/#types

  • threat_type_description is a short, human-readable description of threat_type.

  • field shows the affected field where the change occurred.

  • value is the new value of the affected field.

  • action is an enumerated field that describes the action. May contain add, remove, change.

IOC removal

This message gets triggered when a user or administrator removes an IOC from ThreatFox (e.g. due to a false positive).

The message has the following format:

{
    "_idx": 123456,
    "_ts": 12345678,
    "uuid": "6d99f13f-9a87-4e04-8659-59c797f3d7a9",
    "type": "ioc_removal",
    "id": 843107,
    "ioc": "7f8ca86d343ef0a4dae7be8b2872734d1bfa0afec57e31eac9c316e59a331d51",
    "ioc_type": "sha256_hash",
    "threat_type": "payload",
    "threat_type_description": "SHA256 hash of a malware sample (payload)",
    "removal_note": "Removed by admin"
}

Each field has the following content:

  • _idx is an integer representing the incremental number of the message.

  • _ts is the Unix timestamp, indicating when the message was received by the real time infrastructure.

  • uuid is an internal, unique identifier for the message. This is the property that should be used to dedupe the incoming flows where necessary.

  • type defines the type of message. It’s always ‘ioc_removal’.

  • id is the ThreatFox ID of the IOC. You can also use this ID to craft the link to see the entry on the ThreatFox platform (https://threatfox.abuse.ch/ioc/id/).

  • ioc is the IOC (value).

  • ioc_type is the type of the IOC (example: ip:port). A list of possible values is available through the API: https://threatfox.abuse.ch/api/#types

  • threat_type is the threat type. A list of possible values is available through the API: https://threatfox.abuse.ch/api/#types

  • threat_type_description is a short, human-readable description of threat_type.

  • removal_note is a string containing any removal note.

YARAify

The feed name is yaraify. YARAify is a project from abuse.ch that allows anyone to scan suspicious files such as malware samples or process dumps against a large repository of YARA rules. With YARAhub, the platform also provides a structured way for sharing YARA rules with the community. This real time feed provides a notification whenever:

  • A new file gets uploaded to YARAify;

  • A scan (task) is completed.

File additions

This message gets triggered when a new file gets uploaded to YARAify.

The message has the following format:

{
    "_idx": 123456,
    "_ts": 12345678,
    "uuid": "f283dd3a-63e5-4aac-bd0e-10d933791111",
    "type": "file_addition",
    "md5_hash": "920a857ea802abc379f3a36dfb990264",
    "sha256_hash": "2f530fa495e9677aca321d617fc1a80a2afb8857675afc0acd7af42a9107e475",
    "sha1_hash": "ed870c7ce9b8d632a7fb70c2db0f14830bc49466",
    "sha3_384_hash": "a40aae2bdf7489f8823e78dc3fad46cc8be36340d5c88bfb2e26d1dd62eee8b137a743e9928ac9c0c2cf4c93830f5e74",
    "mime_type": "application/x-dosexec",
    "file_size": 16777216,
    "imphash": null,
    "ssdeep": "49152:O4aKwHmG0sWKK2KCuRlk67MELVknHLE/UJk7puNW32OrshDh0rXUadxYoHCh5yZt:zwOKKbNkzLOnUCpFOLcAuMvFgEWqxs",
    "tlsh": "T104F691A1F744420CE285DBF45C9753E413E8BC058A61CB9BA7E9F20DBE32261FD625B4",
    "telfhash": null,
    "gimphash": null,
    "dhash_icon": null
}

Each field has the following content:

  • _idx is an integer representing the incremental number of the message.

  • _ts is the Unix timestamp, indicating when the message was received by the real time infrastructure.

  • uuid is an internal, unique identifier for the message. This is the property that should be used to dedupe the incoming flows where necessary.

  • type defines the type of message. It’s always ‘file_addition’.

  • md5_hash is the MD5 hash of the payload received.

  • sha256_hash is the SHA256 hash of the payload received.

  • sha1_hash is the SHA1 hash of the file.

  • sha3_384_hash is the SHA3-384 hash of the file.

  • file_size is the size (in bytes) of the payload received.

  • imphash is the imphash of the payload received.

  • ssdeep is the ssdeep of the payload received.

  • tlsh is the tlsh of the payload received.

  • telfhash is the telfhash of the payload received.

  • gimphash is the gimphash of the file.

  • dhash_icon is the dhash of the file icon.

  • mime_type is the Multipurpose Internet Mail Extensions (MIME) type of the payload received.

gimphash is a proposed method to calculate an imphash equivalent for Go binaries. More information about gimphash is available here: https://github.com/NextronSystems/gimphash

Task results

This message gets triggered when a new scan task is finished on YARAify.

The message has the following format:

{
    "_idx": 123456,
    "_ts": 12345678,
    "uuid": "92e3feac-c4f8-46c4-a221-e3a316c2d1e4",
    "type": "task_result",
    "task_id": "0001e7a0-ff7e-11ec-9250-42010aa4000b",
    "md5_hash": "fc2b98018c3e6b18c57389537e7a439f",
    "sha256_hash": "9fb9c8350d7c7cfc261bc75a0ffe7c6081e57751cfee7cbd4f12a4c58db7ccfb",
    "sha1_hash": "fbfcf4abb3152913d4f5d74b639ad0d3764f8103",
    "sha3_384_hash": "73824476997bdfed31d970aaa6c90f3f8f0090ee40d5beedc672708358bcabdb94d42c2b10c31097b1b15a383aaaffbf",
    "file_name": "input_400000.DEPOSIT INVOICE.exe",
    "clamav_scan": true,
    "unpack": false,
    "unpacked_files_cnt": 0,
    "share_file": true,
    "results": {
        "clamav": [
            "Win.Adware.MultiPlug-2",
            "Win.Adware.MultiPlug-6336421-1",
            "Win.Trojan.Softpulse-433"
        ],
        "yara_static": [
            {
                "rule_name": "RDPWrap",
                "author": "@bartblaze",
                "description": "Test rule",
                "reference": "http://google.com/test",
                "tlp": "WHITE",
                "rule_matching_tlp": null
            },
            ... [more]
        ],
        "yara_unpack": [
            {
                "rule_name": "crime_win64_emotet_unpacked",
                "author": "Rony (r0ny_123)",
                "description": "Test rule",
                "reference": "http://google.com/test",
                "tlp": "WHITE",
                "rule_matching_tlp": null
            },
            ... [more]
        ]
    }
}

Each field has the following format:

  • _idx is an integer representing the incremental number of the message.

  • _ts is the Unix timestamp, indicating when the message was received by the real time infrastructure.

  • uuid is an internal, unique identifier for the message. This is the property that should be used to dedupe the incoming flows where necessary.

  • type defines the type of message. It’s always “task_result”.

  • task_id is the task ID (UUID4).

  • md5_hash is the MD5 hash of the payload received.

  • sha256_hash is the SHA256 hash of the payload received.

  • sha1_hash is the SHA1 hash of the file.

  • sha3_384_hash is the SHA3-384 hash of the file.

  • file_name is the original file name.

  • clamav_scan is a boolean indicating whether the file has been scanned with ClamAV or not.

  • unpack is a boolean indicating whether the file has been processed by the Portable Executable (PE) unpacker.

  • unpacked_files_cnt is the number of unpacked files collected (if any) when unpack is true.

  • share_file is a boolean indicating whether the user decided to share the sample or not.

  • results.clamav is the array of matching ClamAV signatures.

  • results.yara_static is an array indicating the static YARA rule matching results.

  • results.yara_unpack is the array of the unpacker YARA rule matching results.
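Every message in this feed carries the _idx, _ts, uuid and type envelope described above, and the documentation repeatedly says uuid is the field to dedupe on. The consumer below is an added example, not code from abuse.ch: it dedupes on uuid with a bounded window, records gaps in _idx (messages that never arrived), dispatches on type, and flattens a task_result into the ClamAV signatures and YARA rule names that fired. The sample stream is constructed for the demo from the file_addition and task_result examples on this page; the last uuid and sha256 are made up, one message is a deliberate redelivery, and two _idx values are deliberately missing.

```python
import json
from collections import OrderedDict
from typing import Callable, Dict, List, Optional


class FeedConsumer:
    """Dedupes by uuid, records _idx gaps and dispatches on type."""

    REQUIRED = ("_idx", "_ts", "uuid", "type")

    def __init__(self, max_seen: int = 100_000) -> None:
        self._seen: "OrderedDict[str, None]" = OrderedDict()  # bounded uuid window
        self._max_seen = max_seen
        self._last_idx: Optional[int] = None
        self.gaps: List[range] = []            # _idx ranges that never arrived
        self.handlers: Dict[str, Callable[[dict], None]] = {}
        self.unhandled: List[str] = []

    def on(self, msg_type: str, handler: Callable[[dict], None]) -> None:
        self.handlers[msg_type] = handler

    def _is_duplicate(self, uuid: str) -> bool:
        if uuid in self._seen:
            return True
        self._seen[uuid] = None
        if len(self._seen) > self._max_seen:
            self._seen.popitem(last=False)     # forget the oldest uuid
        return False

    def _track_idx(self, idx: int) -> None:
        if self._last_idx is not None and idx > self._last_idx + 1:
            self.gaps.append(range(self._last_idx + 1, idx))
        if self._last_idx is None or idx > self._last_idx:
            self._last_idx = idx

    def process(self, raw: str) -> bool:
        """Returns True if the message was new and dispatched, False for a redelivery."""
        msg = json.loads(raw)
        missing = [k for k in self.REQUIRED if k not in msg]
        if missing:
            raise ValueError(f"message lacks required fields {missing}")
        if self._is_duplicate(msg["uuid"]):
            return False
        self._track_idx(int(msg["_idx"]))
        handler = self.handlers.get(msg["type"])
        if handler is None:
            self.unhandled.append(msg["type"])
        else:
            handler(msg)
        return True


def summarize_task_result(msg: dict) -> dict:
    """Flattens a task_result into the signatures and YARA rules that fired."""
    results = msg.get("results") or {}
    yara_rules = sorted({m["rule_name"] for section in ("yara_static", "yara_unpack")
                         for m in results.get(section) or [] if m.get("rule_name")})
    return {"sha256_hash": msg["sha256_hash"],
            "clamav": list(results.get("clamav") or []),
            "yara_rules": yara_rules,
            "unpacked_files_cnt": int(msg.get("unpacked_files_cnt") or 0) if msg.get("unpack") else 0}


def _file_addition(idx: int, uuid: str, sha256: str) -> dict:
    return {"_idx": idx, "_ts": 1660000000 + idx, "uuid": uuid, "type": "file_addition",
            "md5_hash": "920a857ea802abc379f3a36dfb990264", "sha256_hash": sha256,
            "mime_type": "application/x-dosexec", "file_size": 16777216}


PAGE_SHA256 = "2f530fa495e9677aca321d617fc1a80a2afb8857675afc0acd7af42a9107e475"
PAGE_UUID = "f283dd3a-63e5-4aac-bd0e-10d933791111"

# Constructed sample stream: message 2 is a redelivery of message 1 (same uuid),
# and _idx 102-103 never arrive.
SAMPLE_STREAM: List[str] = [json.dumps(m) for m in (
    _file_addition(100, PAGE_UUID, PAGE_SHA256),
    _file_addition(100, PAGE_UUID, PAGE_SHA256),
    {"_idx": 101, "_ts": 1660000101, "uuid": "92e3feac-c4f8-46c4-a221-e3a316c2d1e4",
     "type": "task_result", "task_id": "0001e7a0-ff7e-11ec-9250-42010aa4000b",
     "md5_hash": "fc2b98018c3e6b18c57389537e7a439f",
     "sha256_hash": "9fb9c8350d7c7cfc261bc75a0ffe7c6081e57751cfee7cbd4f12a4c58db7ccfb",
     "clamav_scan": True, "unpack": False, "unpacked_files_cnt": 0, "share_file": True,
     "results": {"clamav": ["Win.Adware.MultiPlug-2"],
                 "yara_static": [{"rule_name": "RDPWrap", "author": "@bartblaze", "tlp": "WHITE"}],
                 "yara_unpack": [{"rule_name": "crime_win64_emotet_unpacked", "tlp": "WHITE"}]}},
    _file_addition(104, "11111111-2222-4333-8444-555555555555", "ab" * 32),  # made-up uuid/hash
)]


def run_demo(raw_messages: List[str] = SAMPLE_STREAM) -> dict:
    consumer = FeedConsumer()
    new_files: List[str] = []
    task_summaries: List[dict] = []
    consumer.on("file_addition", lambda m: new_files.append(m["sha256_hash"]))
    consumer.on("task_result", lambda m: task_summaries.append(summarize_task_result(m)))
    accepted = sum(1 for raw in raw_messages if consumer.process(raw))
    return {"accepted": accepted, "duplicates": len(raw_messages) - accepted,
            "gaps": [(g.start, g.stop - 1) for g in consumer.gaps],
            "new_files": new_files, "task_summaries": task_summaries}


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

The _idx gap list is worth alerting on: a gap means the consumer missed messages, so a blocklist or hash cache fed from this stream is incomplete until the gap is reconciled out of band.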

Unpacker results

This message gets triggered when a file gets unpacked on YARAify.

The message has the following format:

{
  "uuid": "576987e1-d31f-4d29-99da-25159d9ad8ee",
  "type": "unpacker_results",
  "md5_hash": "c0b29fb1988205013b7723ba6543f416",
  "sha256_hash": "e19b0ba085a6c6f754df5f6f3a2ad8d490eafb62ad14606a943e7de2d0e3e03f",
  "sha1_hash": "232ba158178319926b651783a45cd1a966667f95",
  "sha3_384_hash": "56293c2a25e661d7fbffc8a2b123aa96dabd00ec98d1b1004088573ccc9df9a2d8f48a2eb7d26dde8b9393650456941b",
  "unpacked_file_name": "test.exe",
  "mime_type": "text/plain",
  "file_size": 166,
  "imphash": null,
  "ssdeep": "3:20euRxVNf9eeGoUpdeuHX6YTyI6WqokYN6R/I6QIiADg6TIi00V4GN6S8yVg6dqb:2nuRxV98ZoUtX9yI65okYN6RA6jXg6TW",
  "tlsh": "T18CC048F380E010420460231313EF1E452B5F235C77462623F42C7D808320A3A37A3972",
  "telfhash": null,
  "gimphash": null,
  "dhash_icon": null,
  "parent_file": {
    "md5_hash": "80d2b829aadaf4ef5e27da806a3fce16",
    "sha256_hash": "5f4b796f8ee524790172ed29cc21d32e43d347e3c306781f420d7844e0a776c9",
    "sha1_hash": "f89246976faaf30906f477ed7836bb971c68025c",
    "sha3_384_hash": "be3e577e19eb5279fe6c3ce298737ac942e5a123f7b38e15965e99a4aa2e277ee7fba14e8d7538e336fae6cccd1ad2ba"
  },
  "yara_matches": []
}

Each field has the following format:

  • _idx is an integer representing the incremental number of the message.

  • _ts is the Unix timestamp, indicating when the message was received by the real time infrastructure.

  • uuid is an internal, unique identifier for the message. This is the property that should be used to dedupe the incoming flows where necessary.

  • type defines the type of message. It’s always “unpacker_results”.

  • md5_hash is the MD5 hash of the unpacked file.

  • sha256_hash is the SHA256 hash of the unpacked file.

  • sha1_hash is the SHA1 hash of the unpacked file.

  • sha3_384_hash is the SHA3-384 hash of the unpacked file.

  • file_name is the file name of the unpacked file.

  • file_size is the size in bytes of the unpacked file.

  • imphash is the imphash of the unpacked file.

  • ssdeep is the ssdeep of the unpacked file.

  • tlsh is the TLSH of the unpacked file.

  • telfhash is the telfhash of the unpacked file.

  • gimphash is the gimphash of the unpacked file.

  • dhash_icon is the dhash of the unpacked file’s icon.

  • mime_type is the MIME type of the unpacked file.

  • parent_file is the original file (parent) from which this file (child) got unpacked.

  • yara_matches is a list of YARA rules matching this unpacked file.

Feodo Tracker

The feed name is feodotracker. Feodo Tracker is a project of abuse.ch with the goal of sharing botnet C&C servers associated with specific, major botnets that facilitate attacks, such as ransomware. This real time feed provides a notification whenever:

  • An active botnet C2 is observed;

  • A botnet C2 is removed from Feodo Tracker by the administrator (e.g. because of a false positive).

Observed C2s

This message gets triggered every time an active C2 gets observed by Feodo Tracker.

This message has the following format:

{
    "_idx": 123456,
    "_ts": 12345678,
    "uuid": "526e9912-6103-4503-adf5-5492cc4ec6e8",
    "type": "observed_c2",
    "ip_address": "51.68.145.174",
    "port": 443,
    "protocol": "TCP",
    "malware_malpedia": "win.bumblebee",
    "as_number": 16276,
    "as_name": "OVH",
    "country": "FR",
    "first_seen": 1657474960,
    "last_checked": 1660824130,
    "last_online": 1660824130
}

Each field has the following content:

  • _idx is an integer representing the incremental number of the message.

  • _ts is the Unix timestamp, indicating when the message was received by the real time infrastructure.

  • uuid is an internal, unique identifier for the message. This is the property that should be used to dedupe the incoming flows where necessary.

  • type defines the type of message. It’s always ‘observed_c2’.

  • ip_address is the IPv4 or IPv6 address of the botnet C2.

  • port is the port of the botnet C2.

  • protocol is the protocol the botnet C2 uses.

  • malware_malpedia is the malware family associated with this botnet C2 (using the Malpedia naming scheme).

  • as_number is the Autonomous System (AS) number associated with the botnet C2 (ip_address).

  • as_name is the AS name associated with the botnet C2.

  • country is the geo-located country of the botnet C2 (two-letter country code).

  • first_seen is the Unix timestamp when this botnet C2 has been observed for the first time.

  • last_checked is the Unix timestamp when this botnet C2 has been (re-)validated by Feodo Tracker last time.

  • last_online is the Unix timestamp when this botnet C2 has been seen active (online) for the last time.

C2 removal

This message gets triggered every time a botnet C2 gets removed from Feodo Tracker by the admin (e.g. because of a false positive).

The message has the following format:

{
    "_idx": 123456,
    "_ts": 12345678,
    "uuid": "526e9912-6103-4503-adf5-5492cc4ec6e8",
    "type": "c2_removal",
    "ip_address": "51.68.145.174",
    "port": 443,
    "protocol": "TCP",
    "malware_malpedia": "win.bumblebee",
    "removal_note": "Removed by admin"
}

Each field has the following content:

  • _idx is an integer representing the incremental number of the message.

  • _ts is the Unix timestamp, indicating when the message was received by the real time infrastructure.

  • uuid is an internal, unique identifier for the message. This is the property that should be used to dedupe the incoming flows where necessary.

  • type defines the type of message. It’s always ‘c2_removal’.

  • ip_address is the IPv4 address of the botnet C2.

  • port is the port of the botnet C2.

  • protocol is the protocol the botnet C2 uses.

  • malware_malpedia is the malware family associated with this botnet C2 (using the Malpedia naming scheme).

  • removal_note contains the reason why the botnet C2 has been removed.
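The two Feodo Tracker message types above are what a consumer needs to keep a local C2 blocklist current: observed_c2 adds or refreshes an entry, c2_removal retracts one (typically a false positive, which a blocklist must honour promptly). The class below is an added example, not code from abuse.ch. It keys entries on (ip_address, port, protocol), validates the address with the ipaddress module so a malformed message cannot insert a non-IP string, refreshes last_online on re-observation, and exposes a stale() check for entries Feodo Tracker has not seen online recently. The messages in run_demo() are constructed: the first reuses the page's own example, the IPv6 address, its family name and the timestamps are made up.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Tuple

Key = Tuple[str, int, str]  # (ip_address, port, protocol)


@dataclass
class C2Entry:
    ip_address: str
    port: int
    protocol: str
    malware_malpedia: str
    first_seen: int
    last_online: int


class FeodoBlocklist:
    """Maintains the set of active botnet C2s from observed_c2 / c2_removal messages."""

    def __init__(self) -> None:
        self.active: Dict[Key, C2Entry] = {}
        self.removed: Dict[Key, str] = {}   # key -> removal_note

    @staticmethod
    def key_of(msg: dict) -> Key:
        # ipaddress normalises IPv4 and IPv6 and raises on anything that is not an address.
        ip = ipaddress.ip_address(msg["ip_address"])
        return (ip.compressed, int(msg["port"]), str(msg["protocol"]).upper())

    def apply(self, msg: dict) -> None:
        msg_type = msg.get("type")
        key = self.key_of(msg)
        if msg_type == "observed_c2":
            entry = self.active.get(key)
            if entry is None:
                self.active[key] = C2Entry(key[0], key[1], key[2], msg["malware_malpedia"],
                                           int(msg["first_seen"]), int(msg["last_online"]))
            else:                                   # re-observation: refresh, never regress
                entry.last_online = max(entry.last_online, int(msg["last_online"]))
                entry.malware_malpedia = msg["malware_malpedia"]
            self.removed.pop(key, None)
        elif msg_type == "c2_removal":
            self.active.pop(key, None)
            self.removed[key] = msg.get("removal_note", "")
        else:
            raise ValueError(f"not a Feodo Tracker message type: {msg_type!r}")

    def stale(self, now: int, max_age_seconds: int) -> List[Key]:
        """Active C2s whose last_online is older than max_age_seconds (local expiry candidates)."""
        return sorted(k for k, e in self.active.items() if now - e.last_online > max_age_seconds)

    def render(self) -> List[str]:
        """One line per active C2, IPv6 in bracket form so ip:port stays unambiguous."""
        lines = []
        for _, e in sorted(self.active.items()):
            host = f"[{e.ip_address}]" if ":" in e.ip_address else e.ip_address
            lines.append(f"{host}:{e.port}/{e.protocol} # {e.malware_malpedia}")
        return lines


def run_demo() -> dict:
    bl = FeodoBlocklist()
    v4 = {"_idx": 1, "_ts": 1660824130, "uuid": "526e9912-6103-4503-adf5-5492cc4ec6e8",
          "type": "observed_c2", "ip_address": "51.68.145.174", "port": 443, "protocol": "TCP",
          "malware_malpedia": "win.bumblebee", "as_number": 16276, "as_name": "OVH", "country": "FR",
          "first_seen": 1657474960, "last_checked": 1660824130, "last_online": 1660824130}
    v6 = {"_idx": 2, "_ts": 1660900000, "uuid": "constructed-2", "type": "observed_c2",
          "ip_address": "2001:db8::10", "port": 8080, "protocol": "tcp",   # constructed entry
          "malware_malpedia": "win.example", "first_seen": 1660000000,
          "last_checked": 1660900000, "last_online": 1660900000}
    v6_again = {**v6, "_idx": 3, "uuid": "constructed-3", "last_online": 1661000000}
    removal = {"_idx": 4, "_ts": 1661000500, "uuid": "constructed-4", "type": "c2_removal",
               "ip_address": "51.68.145.174", "port": 443, "protocol": "TCP",
               "malware_malpedia": "win.bumblebee", "removal_note": "Removed by admin"}
    for m in (v4, v6, v6_again, removal):
        bl.apply(m)
    return {"active": bl.render(), "removed": dict(bl.removed),
            "v6_last_online": bl.active[("2001:db8::10", 8080, "TCP")].last_online,
            "stale_after_7d": bl.stale(now=1661000000 + 8 * 86400, max_age_seconds=7 * 86400)}
```

Feodo Tracker itself does not publish an expiry in these messages, so stale() is a local policy knob: the feed tells you when a C2 was last seen online, and how long to keep blocking after that is the consumer's decision.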

Sandnet

The feed name is sandnet. Sandnet is a sandbox operated by abuse.ch. It detonates suspicious files in a controlled, virtual environment and collects signals during malware execution. This real time feed provides notification whenever:

  • A new file is observed by Sandnet (before the pre-classification engine runs; the file might still be legitimate);

  • A new sandbox report is available (post classification engine);

  • A file got unpacked by Sandnet;

  • The metadata of a sandbox report changes (e.g. the malware family);

  • A YARA rule matches a static file;

  • A YARA rule matches a dumped (suspicious) process during malware execution in the sandbox;

  • A YARA rule matches an unpacked file;

  • An SSL certificate is observed during malware execution;

  • A JA3 fingerprint gets calculated during malware execution;

  • A JA3s fingerprint gets calculated during malware execution;

  • An IDS alert is triggered during malware execution;

  • A DNS resolution is observed during malware execution;

  • An HTTP connection is observed during malware execution;

  • A TCP or UDP connection is observed during malware execution.

All the data are cross-correlated through the md5 hash. This is the field that should be used to link an observation to the original sample file.
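Because every Sandnet message type carries md5_hash, a consumer can fold the stream back into one record per sample. The correlator below is an added example, not code from abuse.ch: it validates md5_hash before using it as a key, merges file_addition, report_addition, DNS and connection observations into the sample's record, and links unpacked_addition and procdump_addition children to their parent through parent_md5_hash (the child message types and the connection.dst_ip_address field are documented further down this page). The messages in SAMPLE_MESSAGES are constructed; the parent md5 and sha256 come from the page's report_addition example, while the DNS name, the destination IP, the uuids and the parent/child pairing are made up.

```python
import re
from typing import Dict, List

MD5_RE = re.compile(r"^[0-9a-f]{32}$")


def _add_unique(items: list, value) -> None:
    if value not in items:
        items.append(value)


def _new_sample() -> dict:
    return {"sha256_hash": None, "malware": None, "filesize": None,
            "dns_names": [], "contacted_ips": [], "children": [], "event_types": []}


class SandnetCorrelator:
    """Folds Sandnet feed messages into one record per sample, keyed on md5_hash."""

    def __init__(self) -> None:
        self.samples: Dict[str, dict] = {}
        self.rejected: List[str] = []   # uuids of messages without a usable md5_hash

    def _sample(self, md5: str) -> dict:
        return self.samples.setdefault(md5, _new_sample())

    def ingest(self, msg: dict) -> bool:
        md5 = str(msg.get("md5_hash", "")).lower()
        if not MD5_RE.match(md5):          # never key on an unvalidated string
            self.rejected.append(str(msg.get("uuid", "?")))
            return False
        sample = self._sample(md5)
        msg_type = msg["type"]
        sample["event_types"].append(msg_type)
        if msg.get("sha256_hash"):
            sample["sha256_hash"] = msg["sha256_hash"]
        if msg_type == "file_addition":
            sample["filesize"] = msg.get("filesize")
        elif msg_type == "report_addition":
            sample["malware"] = msg.get("malware")
        elif msg_type == "observed_dns_resolution":
            _add_unique(sample["dns_names"], msg["dns"]["name"])
        elif msg_type in ("observed_ssl", "observed_ja3", "observed_ids_alerts"):
            ip = (msg.get("connection") or {}).get("dst_ip_address")
            if ip:
                _add_unique(sample["contacted_ips"], ip)
        elif msg_type in ("unpacked_addition", "procdump_addition"):
            parent_md5 = str(msg.get("parent_md5_hash", "")).lower()
            if MD5_RE.match(parent_md5):   # child links back to its parent sample
                _add_unique(self._sample(parent_md5)["children"], (msg_type, md5))
        return True


SAMPLE_MD5 = "1808bbd08170485ffd1e0b0c408f4360"   # md5 from the page's report_addition example

# Constructed messages for the demo (uuids, DNS name, IP and child pairing are made up).
SAMPLE_MESSAGES: List[dict] = [
    {"_idx": 1, "_ts": 1660000001, "uuid": "u-1", "type": "file_addition", "md5_hash": SAMPLE_MD5,
     "sha256_hash": "0d26a40b7509da792bfd82a4420f7068a6ebc8c7382f924356a556976de81555",
     "filesize": 1364522, "file_ext": "exe"},
    {"_idx": 2, "_ts": 1660000002, "uuid": "u-2", "type": "report_addition", "md5_hash": SAMPLE_MD5,
     "malware": "AgentTesla", "ids_events": 0, "tags": ["powershell"]},
    {"_idx": 3, "_ts": 1660000003, "uuid": "u-3", "type": "observed_dns_resolution",
     "md5_hash": SAMPLE_MD5, "malware": "AgentTesla",
     "dns": {"name": "mail.example.net", "type": "A", "resource": "192.0.2.10", "status": "NOERROR"}},
    {"_idx": 4, "_ts": 1660000004, "uuid": "u-4", "type": "observed_ssl", "md5_hash": SAMPLE_MD5,
     "malware": "AgentTesla",
     "connection": {"src_port": 49774, "dst_ip_address": "192.0.2.10", "dst_port": 443}},
    {"_idx": 5, "_ts": 1660000005, "uuid": "u-5", "type": "unpacked_addition",
     "md5_hash": "7ec6e3a0f52702fa460e8923abd74439", "parent_md5_hash": SAMPLE_MD5,
     "parent_malware": "AgentTesla"},
    {"_idx": 6, "_ts": 1660000006, "uuid": "u-bad", "type": "file_addition", "md5_hash": "not-a-hash"},
]


def run_demo(messages: List[dict] = SAMPLE_MESSAGES) -> dict:
    corr = SandnetCorrelator()
    for m in messages:
        corr.ingest(m)
    view = corr.samples[SAMPLE_MD5]
    return {"sample_count": len(corr.samples), "rejected": corr.rejected,
            "malware": view["malware"], "dns_names": view["dns_names"],
            "contacted_ips": view["contacted_ips"], "children": view["children"],
            "event_types": view["event_types"]}
```

Keying strictly on a validated md5_hash matters because the field is the join key for everything else: a single unvalidated value would create a phantom sample that later observations silently attach to.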

New files

This message gets triggered every time a new file is observed by Sandnet (pre-classification engine).

Please note that a new file can be legitimate or can contain malware; at this stage of the processing, it’s not yet known if the file is malicious or not.

The message has the following format:

{
    "_idx": 123456,
    "_ts": 12345678,
    "uuid": "bd6c2aa3-6c96-491c-9880-6bee304757eb",
    "type": "file_addition",
    "md5_hash": "7ec6e3a0f52702fa460e8923abd74439",
    "sha256_hash": "a469b0c6b8ebcf56cd89868736d2f4c37102bbb0b319f63898c30026cb4751fe",
    "filesize": 1364522,
    "file_ext": "exe",
    "imphash": "6f27c6ffd985a2a73508e5dc692561f1",
    "ssdeep": "24576:f382om3Cg/iDfPc/7tNETop2FmYaS0LtVOmvjkiSs9OfccyM4NQd4gOa:fXgTK7th2jaSYtgySWNI4gx",
    "tlsh": "C7553323F3D2E473F65E32321B51A381B6FDEEB495B54282C2A54E07AB30AD05653B47",
    "dhash_icon": "d0d0c0e0e0f0b2b0"
}

Each field has the following content:

  • _idx is an integer representing the incremental number of the message.

  • _ts is the Unix timestamp, indicating when the message was received by the real time infrastructure.

  • uuid is an internal, unique identifier for the message. This is the property that should be used to dedupe the incoming flows where necessary.

  • type is the type of this message. Value is “file_addition”.

  • md5_hash is the MD5 hash of the file.

  • sha256_hash is the SHA256 hash of the file.

  • filesize is the file size in bytes.

  • file_ext is the guessed file extension (or ‘null’).

  • imphash is the imphash of the file.

  • ssdeep is the ssdeep of the file.

  • tlsh is the tlsh of the file.

  • dhash_icon is the dhash of the file’s icon.

New reports

This message gets triggered every time a new sandbox report from Sandnet is available (post-classification engine).

The message has the following format:

{
    "_idx": 123456,
    "_ts": 12345678,
    "uuid": "ee815707-4bec-4d37-a829-0579a01c2612",
    "type": "report_addition",
    "md5_hash": "1808bbd08170485ffd1e0b0c408f4360",
    "sha256_hash": "0d26a40b7509da792bfd82a4420f7068a6ebc8c7382f924356a556976de81555",
    "malware": "AgentTesla",
    "tcp": {
        "hosts": 1,
        "ok": 1,
        "bad": 0
    },
    "udp": {
        "hosts": 0,
        "ok": 0
    },
    "http": {
        "hosts": 0,
        "get": 0,
        "post": 0
    },
    "https": {
        "hosts": 1,
        "ok": 1,
        "bad": 0
    },
    "dns": {
        "hosts": 1,
        "a": 1,
        "mx": 0,
        "txt": 0
    },
    "ids_events": 0,
    "tags": [
        "powershell",
        "persistence:registry",
        "ch_cookiestealer",
        "ff_cookiestealer",
        "tb_cookiestealer",
        "Telegram"
    ]
}

Each field has the following content:

  • _idx is an integer representing the incremental number of the message.

  • _ts is the Unix timestamp, indicating when the message was received by the real time infrastructure.

  • uuid is an internal, unique identifier for the message. This is the property that should be used to dedupe the incoming flows where necessary.

  • type is the type of this message. Always “report_addition”.

  • md5_hash is the MD5 hash of the file.

  • sha256_hash is the SHA256 hash of the file.

  • malware is the malware family name triggering this connection.

  • tcp.hosts is the number of distinct Transmission Control Protocol (TCP) hosts (IPv4 addresses) contacted by the detonating malware.

  • tcp.ok is the number of distinct successful TCP connections initiated by the detonating malware.

  • tcp.bad is the number of distinct unsuccessful TCP connections initiated by the detonating malware.

  • udp.hosts is the number of distinct User Datagram Protocol (UDP) hosts (IPv4 addresses) contacted by the detonating malware.

  • udp.ok is the number of distinct UDP connections initiated by the detonating malware.

  • http.hosts is the number of distinct HTTP hosts (HTTP host header) contacted by the detonating malware.

  • http.get is the number of HTTP GET requests initiated by the detonating malware.

  • http.post is the number of HTTP POST requests initiated by the detonating malware.

  • https.hosts is the number of distinct HTTPS hosts (destination IPv4 addresses) contacted by the detonating malware.

  • https.ok is the number of successful HTTPS connections initiated by the detonating malware.

  • https.bad is the number of unsuccessful HTTPS connections initiated by the detonating malware.

  • dns.hosts is the number of distinct DNS hosts (DNS names) queried by the detonating malware.

  • dns.a is the number of distinct DNS A records queried by the detonating malware.

  • dns.mx is the number of distinct DNS MX records queried by the detonating malware.

  • dns.txt is the number of distinct DNS TXT records queried by the detonating malware.

  • ids_events is the number of distinct events generated by the network Intrusion Detection System (IDS).

  • tags is an array consisting of the list of tags associated with this malware detonation.

Unpacked files

Most malware samples are packed using a packer. Sandnet tries to unpack such samples. This message gets triggered every time an unpacked file is observed by Sandnet.

The message has the following format:

{
    "_idx": 123456,
    "_ts": 12345678,
    "uuid": "ee815707-4bec-4d37-a829-0579a01c2612",
    "type": "unpacked_addition",
    "md5_hash": "7ec6e3a0f52702fa460e8923abd74439",
    "sha256_hash": "a469b0c6b8ebcf56cd89868736d2f4c37102bbb0b319f63898c30026cb4751fe",
    "parent_md5_hash": "10aa0a05adef59cf8a0e982d2b726419",
    "parent_malware": "AgentTesla"
}

Each field has the following content:

  • _idx is an integer representing the incremental number of the message.

  • _ts is the Unix timestamp, indicating when the message was received by the real time infrastructure.

  • uuid is an internal, unique identifier for the message. This is the property that should be used to dedupe the incoming flows where necessary.

  • type is the type of this message which is always “unpacked_addition”.

  • md5_hash is the MD5 hash of the file.

  • sha256_hash is the SHA256 hash of the file.

  • parent_md5_hash is the MD5 hash of the parent file (usually the packed file).

  • parent_malware is the malware family of the parent file (usually the packed file).

New procdumps

This message gets triggered every time a new process dump is observed by Sandnet. Process dumps are generated during malware execution (dumping of suspicious processes).

The message has the following format:

{
    "_idx": 123456,
    "_ts": 12345678,
    "uuid": "7119bd62-ee69-4ff2-8ae7-e289ee26653a",
    "type": "procdump_addition",
    "md5_hash": "f910c5fdeb72b46c96144decb2963c3c",
    "sha256_hash": "07426741c709e153e19eb4dbb0b461344446ce4f30983884ea7357ff282985a4",
    "parent_md5_hash": "20389af005d4760c8521278325e77ae1",
    "parent_malware": "RedLineStealer"
}

Each field has the following content:

  • _idx is an integer representing the incremental number of the message.

  • _ts is the Unix timestamp, indicating when the message was received by the real time infrastructure.

  • uuid is an internal, unique identifier for the message. This is the property that should be used to dedupe the incoming flows where necessary.

  • type is the type of this message. The value is always “procdump_addition”.

  • md5_hash is the MD5 hash of the file.

  • sha256_hash is the SHA256 hash of the file.

  • parent_md5_hash is the MD5 hash of the parent file (usually the packed file).

  • parent_malware is the malware family of the parent file (usually the packed file).

Report changes

This message gets triggered every time the metadata for a sandbox report changes (e.g. when the malware family changes).

The message has the following format:

{
    "_idx": 123456,
    "_ts": 12345678,
    "uuid": "67b7986c-0a3e-4f6f-811d-5da3b05279e3",
    "type": "report_change",
    "md5_hash": "3b084221a74184e18fb609cf3b96b589",
    "sha256_hash": "6a244198510958e8699f44394947fbe58aed00b47710ab8d85bb094dfdfcb4af",
    "field": "malware",
    "value": "Formbook",
    "action": "change"
}

Each field has the following content:

  • _idx is an integer representing the incremental number of the message.

  • _ts is the Unix timestamp, indicating when the message was received by the real time infrastructure.

  • uuid is an internal, unique identifier for the message. This is the property that should be used to dedupe the incoming flows where necessary.

  • type is the type of this message. The value is always “report_change”.

  • md5_hash is the MD5 hash of the file.

  • sha256_hash is the SHA256 hash of the file.

  • field is the affected field where the change occurred.

  • value is the new value of the affected field.

  • action shows what is the type of event that triggered this message (add, remove, change).
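A report_change message is a delta against a report the consumer has already cached from report_addition, and the action field decides how the delta is applied. The class below is an added example, not code from abuse.ch. It assumes (the page does not say this) that "change" replaces a scalar field such as malware while "add" and "remove" insert into or delete from a list-valued field such as tags, and it uses _ts to refuse a change that is older than the one last applied to the same field, which is the failure mode of a consumer that reconnects and replays. The change sequence in SAMPLE_CHANGES is constructed; the md5 and sha256 come from the page's example, the family name "StaleFamily", the uuids and the second md5 are placeholders.

```python
import copy
from typing import Dict, List, Tuple


class ReportCache:
    """Keeps a local copy of sandbox reports and patches them from report_change messages.

    Assumption (not stated on the page): "change" replaces a scalar field such as malware,
    while "add" and "remove" insert into or delete from a list-valued field such as tags.
    """

    def __init__(self) -> None:
        self.reports: Dict[str, dict] = {}
        self._last_ts: Dict[Tuple[str, str], int] = {}   # (md5, field) -> _ts last applied

    def put(self, report: dict) -> None:
        self.reports[report["md5_hash"]] = copy.deepcopy(report)

    def apply_change(self, msg: dict) -> bool:
        """Returns True if the change was applied, False if it was skipped."""
        if msg.get("type") != "report_change":
            raise ValueError(f"expected a report_change message, got {msg.get('type')!r}")
        md5 = msg["md5_hash"]
        report = self.reports.get(md5)
        if report is None:
            return False                        # no report_addition seen for this sample yet
        field, value, action, ts = msg["field"], msg["value"], msg["action"], int(msg["_ts"])
        if self._last_ts.get((md5, field), -1) > ts:
            return False                        # out-of-order replay: an older change must not win
        current = report.get(field)
        current_list = list(current) if isinstance(current, list) else []
        if action == "change":
            report[field] = value
        elif action == "add":
            if value not in current_list:
                current_list.append(value)
            report[field] = current_list
        elif action == "remove":
            report[field] = [v for v in current_list if v != value]
        else:
            raise ValueError(f"unknown action {action!r}")
        self._last_ts[(md5, field)] = ts
        return True


PAGE_MD5 = "3b084221a74184e18fb609cf3b96b589"   # md5 from the page's report_change example


def _change(idx: int, ts: int, md5: str, field: str, value, action: str) -> dict:
    return {"_idx": idx, "_ts": ts, "uuid": f"constructed-{idx}", "type": "report_change",
            "md5_hash": md5,
            "sha256_hash": "6a244198510958e8699f44394947fbe58aed00b47710ab8d85bb094dfdfcb4af",
            "field": field, "value": value, "action": action}


# Constructed sequence: a family change, a tag added, a tag removed, a stale (older _ts)
# family change that must be ignored, and a change for a sample we hold no report for.
SAMPLE_CHANGES: List[dict] = [
    _change(10, 1660000010, PAGE_MD5, "malware", "Formbook", "change"),
    _change(11, 1660000011, PAGE_MD5, "tags", "persistence:registry", "add"),
    _change(12, 1660000012, PAGE_MD5, "tags", "powershell", "remove"),
    _change(9, 1660000005, PAGE_MD5, "malware", "StaleFamily", "change"),
    _change(13, 1660000013, "00" * 16, "malware", "Formbook", "change"),
]


def run_demo(changes: List[dict] = SAMPLE_CHANGES) -> dict:
    cache = ReportCache()
    cache.put({"md5_hash": PAGE_MD5, "malware": "unknown", "tags": ["powershell"], "ids_events": 0})
    applied = [cache.apply_change(m) for m in changes]
    return {"applied": applied, "report": cache.reports[PAGE_MD5]}
```

A change for a sample with no cached report is returned as skipped rather than creating an empty report, so that detections keyed on the malware field never fire from a partial record.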

Observed YARA matches on static files

This message gets triggered every time a YARA rule matches on a static file.

The message has the following format:

{
    "_idx": 123456,
    "_ts": 12345678,
    "uuid": "e6be9b63-443f-428a-b71d-81ec1307c880",
    "type": "observed_static_yara",
    "md5_hash": "0857a4a9fc6a9bf3e95753c0d07de7a1",
    "sha256_hash": "18171768e82f92e884878426b838836319c5ab344d0df96a8d3460a4b7ecc497",
    "malware": "RecordBreaker",
    "static_yara": {
        "rule_name": "RaccoonV2",
        "author": "@_FirehaK <[email protected]>",
        "description": "This rule detects Raccoon Stealer version 2.0 (called Recordbreaker before attribution). It has been spotted spreading through fake software cracks and keygens as far back as April 2022.",
        "reference": "https://www.zerofox.com/blog/brief-raccoon-stealer-version-2-0/",
        "tlp": "WHITE"
    }
}

Each field has the following content:

  • _idx is an integer representing the incremental number of the message.

  • _ts is the Unix timestamp, indicating when the message was received by the real time infrastructure.

  • uuid is an internal, unique identifier for the message. This is the property that should be used to dedupe the incoming flows where necessary.

  • type is the type of this message. The value is always “observed_static_yara”.

  • md5_hash is the MD5 hash of the file.

  • sha256_hash is the SHA256 hash of the file.

  • malware is the malware family name.

  • static_yara.rule_name is the YARA rule name.

  • static_yara.author is the author of the YARA rule.

  • static_yara.description contains the description of the YARA rule (set by the author).

  • static_yara.reference contains a reference of the YARA rule (set by the author).

  • static_yara.tlp is the Traffic Light Protocol (TLP) of the YARA rule (set by the author).

Observed YARA matches on process dumps

This message gets triggered every time a YARA rule matches on a dumped process from malware detonation.

The message has the following format:

{
    "_idx": 123456,
    "_ts": 12345678,
    "uuid": "6a4a0c6c-733a-4e78-9412-71e5c85a1c63",
    "type": "observed_procdump_yara",
    "md5_hash": "417af326c733d6b38ab2cdc02c634272",
    "sha256_hash": "be98295ac2751f7292254c7e7e8024c8bc1d1bfe721218785724b86c408e53eb",
    "malware": "Dridex",
    "procdump_yara": {
        "rule_name": "DridexLoader",
        "author": "kevoreilly",
        "description": "Dridex v4 dropper C2 parsing function",
        "reference": null,
        "tlp": "WHITE"
    }
}

Each field has the following content:

  • _idx is an integer representing the incremental number of the message.

  • _ts is the Unix timestamp, indicating when the message was received by the real time infrastructure.

  • uuid is an internal, unique identifier for the message. This is the property that should be used to dedupe the incoming flows where necessary.

  • type is the type of this message. The value is always “observed_procdump_yara”.

  • md5_hash is the MD5 hash of the file.

  • sha256_hash is the SHA256 hash of the file.

  • malware is the malware family name.

  • procdump_yara.rule_name is the YARA rule name.

  • procdump_yara.author is the author of the YARA rule.

  • procdump_yara.description contains the description of the YARA rule (set by the author).

  • procdump_yara.reference has a reference of the YARA rule (set by the author).

  • procdump_yara.tlp is the TLP of the YARA rule (set by the author).

Observed YARA matches on unpacked files

This message gets triggered every time a YARA rule matches on an unpacked malware sample.

The message has the following format:

{
    "_idx": 123456,
    "_ts": 12345678,
    "uuid": "6a4a0c6c-733a-4e78-9412-71e5c85a1c63",
    "type": "observed_unpack_yara",
    "md5_hash": "4445dd03ad622d2ac30219398822caca",
    "sha256_hash": "f0f3c0a8992a0f0351dbaee9f5f7cb987bb0bdfedbeb5d5d6c14e13cad633716",
    "malware": "RedLineStealer",
    "unpacked_md5_hash": "e0de2e060fb87720d594e49caf006bc0",
    "procdump_yara": {
        "rule_name": "win_xfilesstealer_auto",
        "author": "Felix Bilstein - yara-signator at cocacoding dot com",
        "description": "Detects win.xfilesstealer.",
        "reference": null,
        "tlp": "WHITE"
    }
}

Each field has the following content:

  • _idx is an integer representing the incremental number of the message.

  • _ts is the Unix timestamp, indicating when the message was received by the real time infrastructure.

  • uuid is an internal, unique identifier for the message. This is the property that should be used to dedupe the incoming flows where necessary.

  • type is the type of this message. The value is always “observed_unpack_yara”.

  • md5_hash is the MD5 hash of the file.

  • sha256_hash is the SHA256 hash of the file.

  • malware is the malware family name.

  • unpacked_md5_hash is the MD5 hash of the unpacked file.

  • procdump_yara.rule_name is the YARA rule name.

  • procdump_yara.author is the author of the YARA rule.

  • procdump_yara.description contains the description of the YARA rule (set by the author).

  • procdump_yara.reference contains the reference of the YARA rule (set by the author).

  • procdump_yara.tlp is the TLP of the YARA rule (set by the author).

Observed SSL certificates

This message gets triggered every time an SSL certificate is observed using malware detonation.

The message has the following format:

{
    "_idx": 123456,
    "_ts": 12345678,
    "uuid": "d8239b7e-af71-4321-b231-dc5f6b58f24b",
    "type": "observed_ssl",
    "md5_hash": "59e0e64389ee0258bba61827a26df8de",
    "sha256_hash": "1244dfb6b3b2c4e54f6b4a60f01d19b0666029e8313adffaf2e301c2631b51d9",
    "malware": "CoinMiner",
    "sha1_fingerprint": "d02a9bbae24269cacec74fb8f4317a8c064cc336",
    "subject_cn": "eiso-france.com",
    "subject": "CN=eiso-france.com",
    "issuerdn_cn": "R3",
    "issuerdn": "C=US, O=Let's Encrypt, CN=R3",
    "issuer_org": "Let's Encrypt",
    "first_seen": 1659509611,
    "connection": {
        "src_port": 49774,
        "dst_ip_address": "87.98.154.146",
        "dst_port": 443,
        "tls_version": "TLS 1.2"
    }
}

Each field has the following content:

  • _idx is an integer representing the incremental number of the message.

  • _ts is the Unix timestamp, indicating when the message was received by the real time infrastructure.

  • uuid is an internal, unique identifier for the message. This is the property that should be used to dedupe the incoming flows where necessary.

  • type is the type of this message. The value is always “observed_ssl”.

  • md5_hash is the MD5 hash of the file.

  • sha256_hash is the SHA256 hash of the file.

  • malware is the malware family name triggering this connection.

  • sha1_fingerprint is the SHA1 checksum of the SSL certificate.

  • subject_cn is the parsed subject “CN” (common name) value of the SSL certificate.

  • subject is the raw (unparsed) subject of the certificate.

  • issuerdn_cn is the parsed issuer “CN” (common name) value of the SSL certificate.

  • issuerdn is the raw (unparsed) issuer of the cert.

  • issuer_org is the parsed issuer “O” (Organization) value of the SSL certificate.

  • first_seen is the Unix timestamp when the SSL certificate has been observed for the first time.

  • connection.src_port is the source port (TCP) from which the connection originates.

  • connection.dst_ip_address is the destination IPv4 address to which the connection was made.

  • connection.dst_port is the destination port (TCP) to which the connection was made on the remote host (dst_ip_address).

  • connection.tls_version is the TLS version of the SSL connection.

Observed JA3 fingerprints

JA3 is a method for creating SSL/TLS client fingerprints that should be easy to produce on any platform and can be easily shared for threat intelligence. More information about JA3 is available here: https://github.com/salesforce/ja3

This message gets triggered every time a JA3 fingerprint gets calculated on an SSL connection initiated by a detonating malware.

The message has the following format:

{
    "_idx": 123456,
    "_ts": 12345678,
    "uuid": "d8239b7e-af71-4321-b231-dc5f6b58f24b",
    "type": "observed_ja3",
    "md5_hash": "6ed857b3cb60a782a22185d5caed543d",
    "sha256_hash": "952bb48c90610d873b24fd89a7e7a90f57db0a81891dcd8284390b2699a9de83",
    "malware": "a310Logger",
    "ja3_fingerprint": "3b5074b1b5d032e5620f69f9f700ff0e",
    "first_seen": 1511354566,
    "connection": {
        "dst_ip_address": "99.83.231.61",
        "dst_port": 443
    }
}

Each field has the following content:

  • _idx is an integer representing the incremental number of the message.

  • _ts is the Unix timestamp, indicating when the message was received by the real time infrastructure.

  • uuid is an internal, unique identifier for the message. This is the property that should be used to dedupe the incoming flows where necessary.

  • type is the type of this message. The value is always “observed_ja3”.

  • md5_hash is the MD5 hash of the file.

  • sha256_hash is the SHA256 hash of the file.

  • malware is the malware family name triggering this connection.

  • ja3_fingerprint is the JA3 fingerprint of the SSL connection.

  • first_seen is the Unix timestamp when the JA3 fingerprint has been observed for the first time.

  • connection.dst_ip_address is the destination IPv4 address to which the connection was made.

  • connection.dst_port is the destination port (TCP) to which the connection was made on the remote host (dst_ip_address).

Observed JA3s fingerprints

JA3 is used for fingerprinting a TLS client, and JA3s is its counterpart for servers. This method was found to be useful for identifying not only malware clients and servers, but also web API clients and browsers. More information about JA3s is available here: https://engineering.salesforce.com/tls-fingerprinting-with-ja3-and-ja3s-247362855967/

This message gets triggered every time a JA3s fingerprint gets calculated on an SSL connection initiated by a detonating malware.

The message has the following format:

{
    "_idx": 123456,
    "_ts": 12345678,
    "uuid": "84800cea-67d8-457a-bf2b-af30fe263d9d",
    "type": "observed_ja3s",
    "md5_hash": "6e8f735b3c356bc8b847989167baf8c4",
    "sha256_hash": "246458b65696ce3486d38437c12195dfa18b9ac9b1c55cfa6a27142f8698bed3",
    "malware": "Smoke Loader",
    "ja3s_fingerprint": "ec633c737ffac9de2561152ade674fe6",
    "first_seen": 1631870476,
    "connection": {
        "src_ip_address": "157.240.247.35",
        "src_port": 443
    }
}

Each field has the following content:

  • _idx is an integer representing the incremental number of the message.

  • _ts is the Unix timestamp, indicating when the message was received by the real time infrastructure.

  • uuid is an internal, unique identifier for the message. This is the property that should be used to dedupe the incoming flows where necessary.

  • type is the type of this message. The value is always “observed_ja3s”.

  • md5_hash is the MD5 hash of the file.

  • sha256_hash is the SHA256 hash of the file.

  • malware is the malware family name triggering this connection.

  • ja3s_fingerprint is the JA3s fingerprint of the SSL connection.

  • first_seen is the Unix timestamp when the JA3s fingerprint has been observed for the first time.

  • connection.dst_ip_address is the destination IPv4 address to which the connection was made.

  • connection.dst_port is the destination port (TCP) to which the connection was made on the remote host (dst_ip_address).
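The certificate fingerprint, JA3 and JA3s values in the three message types above map directly onto network detection content. The builder below is an added example, not code from abuse.ch, showing how a consumer might turn observed_ssl, observed_ja3 and observed_ja3s messages into Suricata alert rules. It assumes Suricata 5 or later keyword syntax (tls.fingerprint with the colon-separated SHA1 form, ja3.hash and ja3s.hash), a local SID range starting at 9000000 that is an assumption of the example, and the classtype trojan-activity from Suricata's default classification.config. The observed_ssl message in run_demo() is constructed (its fingerprint, subject_cn and md5 are placeholders); the JA3 and JA3s messages reuse the fingerprints and hashes from the page's examples.

```python
import re
from typing import Callable, Dict, List

SHA1_RE = re.compile(r"^[0-9a-f]{40}$")
MD5_RE = re.compile(r"^[0-9a-f]{32}$")


def _safe_msg(text: str) -> str:
    """Neutralise characters that would terminate or break a Suricata msg string."""
    return re.sub(r'[;"|\\]', "_", text)


def _token(text: str) -> str:
    """Single metadata token: letters, digits, dot, underscore and dash only."""
    return re.sub(r"[^A-Za-z0-9._-]", "_", text)


class SuricataRuleBuilder:
    """Builds alert rules from observed_ssl / observed_ja3 / observed_ja3s messages.
    Assumes Suricata 5+ keywords: tls.fingerprint, ja3.hash, ja3s.hash."""

    def __init__(self, sid_start: int = 9_000_000) -> None:   # assumption: a local SID range
        self._next_sid = sid_start

    def _rule(self, msg: dict, matcher: str, text: str) -> str:
        if not MD5_RE.match(str(msg["md5_hash"]).lower()):
            raise ValueError("md5_hash is not 32 hex characters")
        sid = self._next_sid
        self._next_sid += 1
        return (f'alert tls any any -> any any (msg:"{_safe_msg(text)}"; {matcher}; '
                f'metadata:sample_md5 {msg["md5_hash"].lower()}, malware {_token(msg["malware"])}; '
                f'classtype:trojan-activity; sid:{sid}; rev:1;)')

    def from_observed_ssl(self, msg: dict) -> str:
        fp = str(msg["sha1_fingerprint"]).lower()
        if not SHA1_RE.match(fp):
            raise ValueError("sha1_fingerprint is not 40 hex characters")
        colon = ":".join(fp[i:i + 2] for i in range(0, 40, 2))  # Suricata's cert fingerprint form
        return self._rule(msg, f'tls.fingerprint; content:"{colon}"',
                          f"abuse.ch Sandnet {msg['malware']} TLS cert {msg['subject_cn']}")

    def from_observed_ja3(self, msg: dict) -> str:
        fp = str(msg["ja3_fingerprint"]).lower()
        if not MD5_RE.match(fp):
            raise ValueError("ja3_fingerprint is not 32 hex characters")
        return self._rule(msg, f'ja3.hash; content:"{fp}"',
                          f"abuse.ch Sandnet {msg['malware']} JA3 client fingerprint")

    def from_observed_ja3s(self, msg: dict) -> str:
        fp = str(msg["ja3s_fingerprint"]).lower()
        if not MD5_RE.match(fp):
            raise ValueError("ja3s_fingerprint is not 32 hex characters")
        return self._rule(msg, f'ja3s.hash; content:"{fp}"',
                          f"abuse.ch Sandnet {msg['malware']} JA3s server fingerprint")

    def build(self, messages: List[dict]) -> List[str]:
        """Rules for every supported message; other message types are skipped."""
        handlers: Dict[str, Callable[[dict], str]] = {
            "observed_ssl": self.from_observed_ssl,
            "observed_ja3": self.from_observed_ja3,
            "observed_ja3s": self.from_observed_ja3s,
        }
        return [handlers[m["type"]](m) for m in messages if m.get("type") in handlers]


# Constructed input: the observed_ssl values are placeholders; JA3/JA3s values are the page's.
SAMPLE_MESSAGES: List[dict] = [
    {"type": "observed_ssl", "md5_hash": "59e0e64389ee0258bba61827a26df8de", "malware": "CoinMiner",
     "sha1_fingerprint": "0123456789abcdef0123456789abcdef01234567", "subject_cn": "c2.example.net"},
    {"type": "observed_ja3", "md5_hash": "6ed857b3cb60a782a22185d5caed543d", "malware": "a310Logger",
     "ja3_fingerprint": "3b5074b1b5d032e5620f69f9f700ff0e"},
    {"type": "observed_ja3s", "md5_hash": "6e8f735b3c356bc8b847989167baf8c4", "malware": "Smoke Loader",
     "ja3s_fingerprint": "ec633c737ffac9de2561152ade674fe6"},
    {"type": "observed_dns_resolution", "md5_hash": "6d2b10173e48ecf5f88f58f271e67ae6"},
]


def run_demo(messages: List[dict] = SAMPLE_MESSAGES) -> List[str]:
    return SuricataRuleBuilder().build(messages)


if __name__ == "__main__":
    print("\n".join(run_demo()))
```

As the JA3s section itself notes, these fingerprints also identify ordinary browsers, API clients and servers, so the JA3 and JA3s rules are suited to alerting and hunting after a baseline of what the fingerprint matches in your own traffic, not to blocking on first sight. The certificate rule is narrower but still only as specific as the certificate, which on shared hosting may also serve legitimate sites.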

Observed IDS alerts

This message gets triggered every time an alert from the network Intrusion Detection System (IDS) gets observed on network connections initiated by detonating malware.

The message has the following format:

{
    "_idx": 123456,
    "_ts": 12345678,
    "uuid": "f3e37493-60aa-4c52-9ffb-b89404799889",
    "type": "observed_ids_alerts",
    "md5_hash": "6cc93623733e2470bf6517c2ed26760e",
    "sha256_hash": "d8444213ae90d863e1ffe60e0d1fadd626debfe0395e83c4135df1394afd2797",
    "malware": "Formbook",
    "sid": 5012267,
    "alert_msg": "ACH Formbook CnC HTTP GET request",
    "connection": {
        "src_ip_address": null,
        "src_port": 49749,
        "dst_ip_address": "44.227.76.166",
        "dst_port": 80,
        "protocol": "TCP"
    }
}

Each field has the following content:

  • _idx is an integer representing the incremental number of the message.

  • _ts is the Unix timestamp, indicating when the message was received by the real time infrastructure.

  • uuid is an internal, unique identifier for the message. This is the property that should be used to dedupe the incoming flows where necessary.

  • type is the type of this message. The value is always “observed_ids_alerts”.

  • md5_hash is the MD5 hash of the file.

  • sha256_hash is the SHA256 hash of the file.

  • malware is the malware family name triggering this connection.

  • sid is the signature ID (SID) of the matching IDS rule.

  • alert_msg is the message text of the matching IDS rule (the alert message).

  • connection.src_ip_address is the source IPv4 address from which the alerting connection originated (the sandbox side). It may be null, as in the example above.

  • connection.src_port is the source port (TCP) from which the alerting connection originated.

  • connection.dst_ip_address is the destination IPv4 address of the alerting connection (the remote host).

  • connection.dst_port is the destination port (TCP) of the alerting connection on the remote host.

  • connection.protocol is the transport protocol of the alerting connection (TCP in the example above).

Observed DNS resolutions

This message gets triggered every time a DNS resolution initiated by detonating malware is observed.

The message has the following format:

{
    "_idx": 123456,
    "_ts": 12345678,
    "uuid": "f3e37493-60aa-4c52-9ffb-b89404799889",
    "type": "observed_dns_resolution",
    "md5_hash": "6d2b10173e48ecf5f88f58f271e67ae6",
    "sha256_hash": "4e14acecd68eba74374d5e5941a8f798fe469aa73d096f2972d9cbdb7768ef16",
    "malware": "Blackmoon",
    "dns": {
        "name": "d.nxxxn.ga",
        "type": "A",
        "resource": "91.208.246.16",
        "status": "NOERROR",
        "nameserver_ip_address": null
    }
}

Each field has the following content:

  • _idx is an integer representing the incremental number of the message.

  • _ts is the Unix timestamp, indicating when the message was received by the real time infrastructure.

  • uuid is an internal, unique identifier for the message. This is the property that should be used to dedupe the incoming flows where necessary.

  • type is the type of this message. The value is always “observed_dns_resolution”.

  • md5_hash is the MD5 hash of the file.

  • sha256_hash is the SHA256 hash of the file.

  • malware is the malware family name triggering this connection.

  • dns.name is the requested DNS host.

  • dns.type is the requested DNS resource type.

  • dns.resource is the DNS query result (resource of the DNS response).

  • dns.status is the status of the DNS query.

  • dns.nameserver_ip_address is the IPv4 address of the DNS server used, set only when the malware used a different DNS server than the system default (null otherwise, as in the example above).
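As an added illustration (not code from abuse.ch or from this page), here is a minimal consumer for the two message types just described. It dedupes on uuid as recommended above, then turns observed_ids_alerts and observed_dns_resolution messages into flat indicator records. The sample stream is constructed from the page's two examples (with the JSON commas the page omits); the DNS message's uuid and the _idx/_ts values are made up so that the two messages do not collide, and the third line is a deliberate replay to show the dedupe. The record layout is an assumption of this example, not a feed format.

```python
import json
from typing import Iterable, List, Optional, Set

# Constructed sample stream: the page's two examples followed by a replay
# of the first one. The DNS message's uuid is made up. Not real feed traffic.
SAMPLE_STREAM: List[str] = [
    json.dumps({
        "_idx": 123456, "_ts": 12345678,
        "uuid": "f3e37493-60aa-4c52-9ffb-b89404799889",
        "type": "observed_ids_alerts",
        "md5_hash": "6cc93623733e2470bf6517c2ed26760e",
        "sha256_hash": "d8444213ae90d863e1ffe60e0d1fadd626debfe0395e83c4135df1394afd2797",
        "malware": "Formbook", "sid": 5012267,
        "alert_msg": "ACH Formbook CnC HTTP GET request",
        "connection": {"src_ip_address": None, "src_port": 49749,
                       "dst_ip_address": "44.227.76.166", "dst_port": 80,
                       "protocol": "TCP"},
    }),
    json.dumps({
        "_idx": 123457, "_ts": 12345679,
        "uuid": "00000000-0000-4000-8000-000000000001",  # constructed
        "type": "observed_dns_resolution",
        "md5_hash": "6d2b10173e48ecf5f88f58f271e67ae6",
        "sha256_hash": "4e14acecd68eba74374d5e5941a8f798fe469aa73d096f2972d9cbdb7768ef16",
        "malware": "Blackmoon",
        "dns": {"name": "d.nxxxn.ga", "type": "A", "resource": "91.208.246.16",
                "status": "NOERROR", "nameserver_ip_address": None},
    }),
]
SAMPLE_STREAM.append(SAMPLE_STREAM[0])  # replayed duplicate (same uuid)


def ioc_from_message(msg: dict) -> Optional[dict]:
    """Normalise one feed message into a flat indicator record, or return
    None when the message type is not one this handler understands."""
    mtype = msg.get("type")
    base = {"sha256": msg.get("sha256_hash"), "malware": msg.get("malware")}
    if mtype == "observed_ids_alerts":
        conn = msg["connection"]
        # src_ip_address/src_port describe the sandbox side (null or an
        # ephemeral port); only the destination side is an indicator.
        proto = (conn.get("protocol") or "TCP").lower()
        return {**base, "kind": "ids_alert", "sid": msg["sid"],
                "alert_msg": msg["alert_msg"],
                "remote": f"{conn['dst_ip_address']}:{conn['dst_port']}/{proto}"}
    if mtype == "observed_dns_resolution":
        dns = msg["dns"]
        rec = {**base, "kind": "dns", "domain": dns["name"], "resolved_ip": None}
        # The queried name is an indicator whatever the outcome (the malware
        # asked for it); the answer is only usable on a successful A lookup.
        if dns.get("status") == "NOERROR" and dns.get("type") == "A":
            rec["resolved_ip"] = dns["resource"]
        return rec
    return None


def consume(lines: Iterable[str], seen: Set[str]) -> List[dict]:
    """Dedupe on uuid, then extract indicators. `seen` is the caller's
    persistent set, so replays after a reconnect are dropped as well."""
    out: List[dict] = []
    for line in lines:
        msg = json.loads(line)
        uid = msg.get("uuid")
        if not uid or uid in seen:
            continue
        seen.add(uid)
        rec = ioc_from_message(msg)
        if rec is not None:
            out.append(rec)
    return out


if __name__ == "__main__":
    for rec in consume(SAMPLE_STREAM, set()):
        print(rec)
```

In production the `seen` set would be backed by persistent storage keyed on uuid; _idx is not a safe dedupe key on its own, because the page describes it only as an incremental message counter, and two messages for the same indicator legitimately carry different uuids.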

Observed HTTP connections

This message gets triggered every time an HTTP connection initiated by detonating malware is observed. Please note that HTTPS connections are not covered.

The message has the following format:

{
    "_idx": 123456,
    "_ts": 12345678,
    "uuid": "f3e37493-60aa-4c52-9ffb-b89404799889",
    "type": "observed_http_connection",
    "md5_hash": "d24150b85bcd4606f427ca8a79863ae1",
    "sha256_hash": "e4381294339eab5d25bf8a4e6ab5d68652236e66164a26b599e555da4ac4a63d",
    "malware": "RecordBreaker",
    "http_connection": {
        "host_header": "193.56.146.177",
        "method": "GET",
        "url": "/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/nss3.dll",
        "referer": null,
        "status_code": 200,
        "content_type": "application/x-dosexec",
        "filename": null,
        "request_size": 0,
        "response_size": 954545
    },
    "connection": {
        "dst_ip_address": "193.56.146.177",
        "dst_port": 80
    }
}

Each field has the following content:

  • _idx is an integer representing the incremental number of the message.

  • _ts is the Unix timestamp, indicating when the message was received by the real time infrastructure.

  • uuid is an internal, unique identifier for the message. This is the property that should be used to dedupe the incoming flows where necessary.

  • type is the type of this message. The value is always “observed_http_connection”.

  • md5_hash is the MD5 hash of the file.

  • sha256_hash is the SHA256 hash of the file.

  • malware is the malware family name triggering this connection.

  • http_connection.host_header is the HTTP host header.

  • http_connection.method is the HTTP method.

  • http_connection.url is the requested HTTP URL (the request URI, i.e. path and query, without scheme or host).

  • http_connection.referer is the HTTP referer.

  • http_connection.status_code is the HTTP status code returned by the server.

  • http_connection.content_type is the HTTP content type returned by the server.

  • http_connection.filename is the filename from the Content-Disposition header returned by the server (null when the server sent none, as in the example above).

  • http_connection.request_size is the HTTP request size (HTTP request body) in bytes.

  • http_connection.response_size is the HTTP response size (HTTP response body) in bytes.

  • connection.dst_ip_address is the destination IPv4 address to which the HTTP connection was made.

  • connection.dst_port is the destination port (TCP) to which the HTTP connection was made.
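The fields above are enough to rebuild the absolute URL the sample fetched and to tell a payload download apart from a beacon. The following is an added example (not code from abuse.ch or from this page) that does both and defangs the result for sharing. The sample message is the page's example with its JSON fixed; the set of "payload" content types, the executable extension list and the record layout are this example's own assumptions.

```python
from typing import Optional

# Constructed sample: the example message from this page. Not live traffic.
SAMPLE_HTTP = {
    "_idx": 123456, "_ts": 12345678,
    "uuid": "f3e37493-60aa-4c52-9ffb-b89404799889",
    "type": "observed_http_connection",
    "md5_hash": "d24150b85bcd4606f427ca8a79863ae1",
    "sha256_hash": "e4381294339eab5d25bf8a4e6ab5d68652236e66164a26b599e555da4ac4a63d",
    "malware": "RecordBreaker",
    "http_connection": {
        "host_header": "193.56.146.177", "method": "GET",
        "url": "/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/nss3.dll",
        "referer": None, "status_code": 200,
        "content_type": "application/x-dosexec", "filename": None,
        "request_size": 0, "response_size": 954545,
    },
    "connection": {"dst_ip_address": "193.56.146.177", "dst_port": 80},
}

# Assumed content types that indicate a served binary rather than a beacon reply.
PAYLOAD_CONTENT_TYPES = {
    "application/x-dosexec", "application/x-msdownload",
    "application/vnd.microsoft.portable-executable", "application/octet-stream",
}
PAYLOAD_EXTENSIONS = (".exe", ".dll", ".ps1", ".bat", ".vbs", ".js")


def absolute_url(msg: dict) -> str:
    """Rebuild the URL the sample requested. The feed covers plaintext HTTP
    only, so the scheme is always http; a non-default destination port is
    kept, and a missing Host header falls back to the destination address."""
    hc, conn = msg["http_connection"], msg["connection"]
    host = hc.get("host_header") or conn["dst_ip_address"]
    port = conn["dst_port"]
    if ":" not in host and port != 80:      # hosts are IPv4 or names here
        host = f"{host}:{port}"
    path = hc.get("url") or "/"
    if not path.startswith("/"):
        path = "/" + path
    return f"http://{host}{path}"


def defang(url: str) -> str:
    """Make a URL safe to paste into tickets or chat: hxxp scheme and
    bracketed dots in the host part only (the path is left readable)."""
    scheme, _, rest = url.partition("://")
    host, slash, path = rest.partition("/")
    return f"{scheme.replace('http', 'hxxp')}://{host.replace('.', '[.]')}{slash}{path}"


def served_payload(msg: dict) -> Optional[dict]:
    """Return a download record when the server actually handed back a
    payload (2xx, non-empty body, executable-looking type or filename),
    and None for beacons, error pages and empty responses."""
    hc = msg["http_connection"]
    status = hc.get("status_code") or 0
    size = hc.get("response_size") or 0
    ctype = (hc.get("content_type") or "").split(";")[0].strip().lower()
    url = absolute_url(msg)
    name = hc.get("filename") or url.rsplit("/", 1)[-1]
    looks_exec = ctype in PAYLOAD_CONTENT_TYPES or name.lower().endswith(PAYLOAD_EXTENSIONS)
    if 200 <= status < 300 and size > 0 and looks_exec:
        return {"url": url, "defanged": defang(url), "filename": name,
                "content_type": ctype, "bytes": size,
                "malware": msg["malware"], "requester_sha256": msg["sha256_hash"]}
    return None


if __name__ == "__main__":
    print(served_payload(SAMPLE_HTTP))
```

Note that sha256_hash identifies the sample that made the request, not the file that was downloaded; the downloaded payload's hash is not part of this message type.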

Observed network connections

This message gets triggered every time a network connection attempt (TCP or UDP) is observed while detonating malware.

The message has the following format:

{
    "_idx": 123456,
    "_ts": 12345678,
    "uuid": "78d4e778-2c21-46de-a815-349133a075c2",
    "type": "observed_network_connection",
    "md5_hash": "623407787623886d1d6f864b8e0339f7",
    "sha256_hash": "395cef182b4c888f78afde60c4bdcd87768ab658453cd868122151f846fbeb4a",
    "malware": "RedLineStealer",
    "connection": {
        "dst_ip_address": "193.233.20.28",
        "dst_port": 4125,
        "protocol": "TCP",
        "service": null,
        "connection_state": "RSTO",
        "bytes_sent": 4403706,
        "bytes_received": 6131,
        "as_number": 202973,
        "as_name": "Partner LLC"
    }
}

Each field has the following content:

  • _idx is an integer representing the incremental number of the message.

  • _ts is the Unix timestamp, indicating when the message was received by the real time infrastructure.

  • uuid is an internal, unique identifier for the message. This is the property that should be used to dedupe the incoming flows where necessary.

  • type is the type of this message. The value is always “observed_network_connection”.

  • md5_hash is the MD5 hash of the file.

  • sha256_hash is the SHA256 hash of the file.

  • malware is the malware family name triggering this connection.

  • connection.dst_ip_address is the destination IPv4 address to which the connection was made.

  • connection.dst_port is the destination port (TCP or UDP) to which the connection was made.

  • connection.protocol is the transport protocol used (TCP or UDP).

  • connection.service is the application-layer service identified on this connection (null when none could be identified, as in the example above).

  • connection.connection_state is the state of the connection (see the table below).

  • connection.bytes_sent is the number of bytes sent to the remote host.

  • connection.bytes_received is the number of bytes received from the remote host.

  • connection.as_number is the Autonomous System (AS) number of the remote host (dst_ip_address).

  • connection.as_name is the AS name of the remote host (dst_ip_address).

The table below documents the possible values of connection_state and their meaning. The values are the Zeek conn_state codes: ORIG is the originator of the connection (the sandbox running the sample) and RESP is the responder (the remote host).

Connection state Meaning
S0 Connection attempt seen, no reply
S1 Connection established, not terminated (0 byte counts)
SF Normal establishment and termination (>0 byte counts)
REJ Connection attempt rejected
S2 Established, ORIG attempts close, no reply from RESP
S3 Established, RESP attempts close, no reply from ORIG
RSTO Established, ORIG aborted (RST)
RSTR Established, RESP aborted (RST)
RSTOS ORIG sent SYN then RST; no RESP SYN-ACK
RSTRH RESP sent SYN-ACK then RST; no ORIG SYN
SH ORIG sent SYN then FIN; no RESP SYN-ACK ("half-open")
SHR RESP sent SYN-ACK then FIN; no ORIG SYN
OTH No SYN, not closed. Midstream traffic. Partial connection
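Whether the remote host actually answered is the first thing to check before turning one of these messages into a blocklist entry: an S0 or REJ entry only proves that the sample tried, and a sandbox without an outbound route produces plenty of those. The following added example (not code from abuse.ch or from this page) groups the connection_state values from the table above by what they say about the remote host and builds an indicator only from connections that were answered. The grouping, the UDP fallback on bytes_received, the "upload heavy" threshold and the record layout are this example's own assumptions; the sample message is the page's example with its JSON fixed.

```python
from typing import Optional

# The conn_state codes from the table above, grouped by what they tell us
# about the responder (RESP). The grouping is this example's assumption.
HANDSHAKE_COMPLETED = {"S1", "SF", "S2", "S3", "RSTO", "RSTR"}  # RESP took part
NO_ANSWER = {"S0", "REJ", "RSTOS", "SH"}                        # RESP never completed
PARTIAL = {"RSTRH", "SHR", "OTH"}                                # only RESP side or midstream seen

# Constructed sample: the example message from this page. Not live traffic.
SAMPLE_CONN = {
    "_idx": 123456, "_ts": 12345678,
    "uuid": "78d4e778-2c21-46de-a815-349133a075c2",
    "type": "observed_network_connection",
    "md5_hash": "623407787623886d1d6f864b8e0339f7",
    "sha256_hash": "395cef182b4c888f78afde60c4bdcd87768ab658453cd868122151f846fbeb4a",
    "malware": "RedLineStealer",
    "connection": {"dst_ip_address": "193.233.20.28", "dst_port": 4125,
                   "protocol": "TCP", "service": None, "connection_state": "RSTO",
                   "bytes_sent": 4403706, "bytes_received": 6131,
                   "as_number": 202973, "as_name": "Partner LLC"},
}


def remote_answered(conn: dict) -> Optional[bool]:
    """True when the remote host took part in the exchange, False when the
    attempt got no answer, None when only a partial/midstream view exists.
    UDP has no handshake, so fall back to whether any bytes came back."""
    if (conn.get("protocol") or "").upper() == "UDP":
        return (conn.get("bytes_received") or 0) > 0
    state = conn.get("connection_state")
    if state in HANDSHAKE_COMPLETED:
        return True
    if state in NO_ANSWER:
        return False
    return None


def network_ioc(msg: dict, require_answer: bool = True) -> Optional[dict]:
    """Turn an observed_network_connection message into an indicator record.
    By default hosts that never answered are dropped: a dead or sinkholed
    C2 the sample merely tried to reach is weak evidence for blocking."""
    if msg.get("type") != "observed_network_connection":
        return None
    conn = msg["connection"]
    answered = remote_answered(conn)
    if require_answer and not answered:
        return None
    sent = conn.get("bytes_sent") or 0
    recv = conn.get("bytes_received") or 0
    asn = conn.get("as_number")
    return {
        "indicator": f"{conn['dst_ip_address']}:{conn['dst_port']}/{conn['protocol'].lower()}",
        "malware": msg["malware"],
        "sha256": msg["sha256_hash"],
        "state": conn.get("connection_state"),
        "answered": answered,
        "asn": f"AS{asn} {conn.get('as_name') or ''}".strip() if asn else None,
        # Far more sent than received on an established socket is the shape
        # of an upload (e.g. stolen data) rather than a beacon. Assumed threshold.
        "upload_heavy": sent > 10 * recv and sent > 1_000_000,
    }


if __name__ == "__main__":
    print(network_ioc(SAMPLE_CONN))
```

The page's own example illustrates the point: RSTO with 4.4 MB sent against 6 KB received is an established session that the sample closed itself, which is consistent with a stealer uploading its collection rather than a failed beacon.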

ChangeLog

Updates made on 18 July 2023

Overview:

  • New event types made available via MalwareBazaar and YARAify

  • New fields made available via MalwareBazaar, ThreatFox, and YARAify

  • Field names updated for three fields within YARAify

New event types available

Event type Name RT Feed
YARA matches MalwareBazaar
Code Signing Certificate Blocklist (CSCB) additions MalwareBazaar
Unpacker results YARAify

New fields available

Field name Under event type RT Feed
origin_country File additions MalwareBazaar
delivery_method File additions MalwareBazaar
_idx YARA matches (new event type) MalwareBazaar
_ts YARA matches (new event type) MalwareBazaar
uuid YARA matches (new event type) MalwareBazaar
type YARA matches (new event type) MalwareBazaar
md5_hash YARA matches (new event type) MalwareBazaar
sha256_hash YARA matches (new event type) MalwareBazaar
sha1_hash YARA matches (new event type) MalwareBazaar
sha3_384_hash YARA matches (new event type) MalwareBazaar
yara.rule_name YARA matches (new event type) MalwareBazaar
yara.author YARA matches (new event type) MalwareBazaar
yara.description YARA matches (new event type) MalwareBazaar
yara.reference YARA matches (new event type) MalwareBazaar
yara.tlp YARA matches (new event type) MalwareBazaar
_idx Code Signing Certificate Blocklist (CSCB) additions (new event type) MalwareBazaar
_ts Code Signing Certificate Blocklist (CSCB) additions (new event type) MalwareBazaar
uuid Code Signing Certificate Blocklist (CSCB) additions (new event type) MalwareBazaar
type Code Signing Certificate Blocklist (CSCB) additions (new event type) MalwareBazaar
subject_cn Code Signing Certificate Blocklist (CSCB) additions (new event type) MalwareBazaar
issuer_cn Code Signing Certificate Blocklist (CSCB) additions (new event type) MalwareBazaar
algorithm Code Signing Certificate Blocklist (CSCB) additions (new event type) MalwareBazaar
valid_from Code Signing Certificate Blocklist (CSCB) additions (new event type) MalwareBazaar
valid_to Code Signing Certificate Blocklist (CSCB) additions (new event type) MalwareBazaar
serial_number Code Signing Certificate Blocklist (CSCB) additions (new event type) MalwareBazaar
thumbprint_algorithm Code Signing Certificate Blocklist (CSCB) additions (new event type) MalwareBazaar
thumbprint Code Signing Certificate Blocklist (CSCB) additions (new event type) MalwareBazaar
bl_reason Code Signing Certificate Blocklist (CSCB) additions (new event type) MalwareBazaar
malware_samples Code Signing Certificate Blocklist (CSCB) additions (new event type) MalwareBazaar
malware_printable IOC additions ThreatFox
malware_alias IOC additions ThreatFox
reward IOC additions ThreatFox
reference IOC additions ThreatFox
_idx Unpacker results (new event type) YARAify
_ts Unpacker results (new event type) YARAify
uuid Unpacker results (new event type) YARAify
type Unpacker results (new event type) YARAify
md5_hash Unpacker results (new event type) YARAify
sha256_hash Unpacker results (new event type) YARAify
sha1_hash Unpacker results (new event type) YARAify
sha3_384_hash Unpacker results (new event type) YARAify
file_name Unpacker results (new event type) YARAify
file_size Unpacker results (new event type) YARAify
imphash Unpacker results (new event type) YARAify
ssdeep Unpacker results (new event type) YARAify
tlsh Unpacker results (new event type) YARAify
telfhash Unpacker results (new event type) YARAify
gimphash Unpacker results (new event type) YARAify
dhash_icon Unpacker results (new event type) YARAify
mime_type Unpacker results (new event type) YARAify
parent_file Unpacker results (new event type) YARAify
yara_matches Unpacker results (new event type) YARAify
description Unpacker results (new event type) YARAify
reference Unpacker results (new event type) YARAify
results.yara_static.description Unpacker results (new event type) YARAify
results.yara_static.reference Unpacker results (new event type) YARAify
results.yara_unpack.description Unpacker results (new event type) YARAify
results.yara_unpack.reference Unpacker results (new event type) YARAify

Field name changes

New field name Old field name Under event type RT Feed
results.clamav result.clamav Unpacker results YARAify
results.yara_static result.static Unpacker results YARAify
results.yara_unpack result.unpack Unpacker results YARAify