gitea-mirror/OSINT-Cheat-sheet
1
0
Fork 0
mirror of https://github.com/Jieyab89/OSINT-Cheat-sheet.git synced 2026-06-12 11:01:18 -07:00
Code Issues Packages Projects Releases Wiki Activity
Files
2b5a0fdc1d9b2a1905635f3466be11b3b49bcd16
OSINT-Cheat-sheet/Jieyab-Claude-Skills/OSINT/Darkweb-Intel/references/malware-ioc-intel.md
T
Jieyab89 9a922e4f08 Add wiki article and Claude OSINT skills
2026-04-18 23:17:54 +07:00

7.7 KiB
Raw Blame History

Malware & IOC Intelligence

Tools sourced from OSINT Cheat Sheet by Jieyab89

Objective

Collect, analyze, and enrich malware samples and Indicators of Compromise (IOCs) from threat intelligence feeds, sandboxes, and dark web-adjacent sources — for detection engineering, incident response, and threat hunting.

1. Malware Sample Repositories

MalwareBazaar (abuse.ch)

https://bazaar.abuse.ch/browse/

# Search by hash, tag, file type, or malware family
https://bazaar.abuse.ch/browse/?q=ransomware
https://bazaar.abuse.ch/browse/?q=tag:emotet

# API — download samples and query intel
curl -X POST "https://mb-api.abuse.ch/api/v1/" \
  -d "query=get_info&hash=HASH_VALUE"

# Python
import requests
resp = requests.post("https://mb-api.abuse.ch/api/v1/",
    data={"query": "get_info", "hash": "SHA256_HERE"})
print(resp.json())

VX-Underground

# From Jieyab89's list
https://vx-underground.org
# Largest public malware sample archive
# Categories: APT samples, ransomware, stealers, botnets
# WARNING: Only download to isolated sandbox — these are live malware

# Also useful for:
# - Malware source code leaks
# - Threat actor communications
# - Historical campaign materials

Malware Traffic Analysis

# From Jieyab89's list
https://www.malware-traffic-analysis.net/2025/index.html
# PCAP files + malware samples from real infections
# Includes: traffic captures, IOCs, malware files
# Excellent for understanding C2 communication patterns

VirusShare (Registration Required)

https://virusshare.com
# Large malware sample collection — requires account

Virus Exchange

# From Jieyab89's list
https://virus.exchange
# Sample sharing platform

2. IOC Feeds

ThreatFox (abuse.ch)

https://threatfox.abuse.ch/browse/

# API — get latest IOCs
curl -X POST "https://threatfox-api.abuse.ch/api/v1/" \
  -d '{"query":"get_iocs","days":1}'

# Search by IOC value
curl -X POST "https://threatfox-api.abuse.ch/api/v1/" \
  -d '{"query":"search_ioc","search_term":"malware.com"}'

# MISP feed format
https://threatfox.abuse.ch/export/misp/

URLhaus (abuse.ch) — Malicious URLs

https://urlhaus.abuse.ch

# API
curl -X POST "https://urlhaus-api.abuse.ch/v1/url/" \
  -d "url=https://suspicious.com/malware.exe"

# Download daily feed
curl "https://urlhaus.abuse.ch/downloads/csv_online/"

# Python query
import requests
resp = requests.post("https://urlhaus-api.abuse.ch/v1/host/",
    data={"host": "suspicious-domain.com"})
print(resp.json())

AlienVault OTX Feeds

https://otx.alienvault.com/api/v1/pulses/subscribed
# Returns all IOCs from pulses you follow

# Specific IOC lookup
curl -X GET "https://otx.alienvault.com/api/v1/indicators/domain/target.com/malware" \
  -H "X-OTX-API-KEY: YOUR_KEY"

curl -X GET "https://otx.alienvault.com/api/v1/indicators/file/HASH/analysis" \
  -H "X-OTX-API-KEY: YOUR_KEY"

Additional IOC Feeds

https://rescure.me/feeds.html                  → Rescure.me curated feeds
https://www.spamhaus.org/drop/drop.txt         → Spamhaus DROP list (BGP blocks)
https://feodotracker.abuse.ch/downloads/       → Feodo botnet C2 IPs
https://sslbl.abuse.ch/blacklist/              → SSL certificate blacklist
https://openphish.com/phishing_feeds.html      → OpenPhish phishing URLs
https://phishstats.info:2096/api/phishing      → PhishStats API

3. Malware Analysis Sandboxes

Safe environments to analyze suspicious files:

Free Online Sandboxes

https://app.any.run                    → Interactive (from Jieyab89's list)
https://www.hybrid-analysis.com        → Free, Falcon Sandbox powered
https://tria.ge/reports/public         → Tria.ge sandbox (from Jieyab89's list)
https://cuckoo.cert.ee                 → Cuckoo sandbox (Jieyab89's list)
https://capesandbox.com                → CAPE sandbox (Jieyab89's list)
https://www.joesandbox.com             → Joe Sandbox (from Jieyab89's list)
https://www.vmray.com                  → VMRay (commercial, limited free)
https://filescan.io                    → Filescan.io (from Jieyab89's list)
https://www.docguard.io                → DocGuard for documents
https://analyze.intezer.com/scan       → Intezer (code similarity analysis)

API-Based Analysis

import requests, time

def submit_to_hybrid_analysis(filepath):
    """Submit a file to Hybrid Analysis"""
    url = "https://www.hybrid-analysis.com/api/v2/submit/file"
    headers = {"api-key": "YOUR_API_KEY", "user-agent": "Falcon Sandbox"}

    with open(filepath, "rb") as f:
        resp = requests.post(url,
            headers=headers,
            files={"file": f},
            data={"environment_id": 100})  # Windows 7 64-bit
    return resp.json()

4. Hash & IOC Enrichment

VirusTotal

# File hash lookup
https://www.virustotal.com/gui/file/SHA256_HASH

# API
curl --request GET \
  --url "https://www.virustotal.com/api/v3/files/SHA256_HASH" \
  --header "x-apikey: YOUR_API_KEY"

# Batch hash check (Python)
import requests

def vt_check_hash(sha256, api_key):
    url = f"https://www.virustotal.com/api/v3/files/{sha256}"
    headers = {"x-apikey": api_key}
    resp = requests.get(url, headers=headers)
    data = resp.json()
    stats = data.get("data", {}).get("attributes", {}).get("last_analysis_stats", {})
    return {
        "malicious": stats.get("malicious", 0),
        "suspicious": stats.get("suspicious", 0),
        "undetected": stats.get("undetected", 0),
        "total": sum(stats.values())
    }

Malware Encyclopedia — Malpedia

https://malpedia.caad.fkie.fraunhofer.de

# Search by malware name
https://malpedia.caad.fkie.fraunhofer.de/details/win.emotet

# Each entry contains:
# - YARA rules
# - Actor associations
# - Sample hashes
# - Technical references
# - Aliases across vendors

pwnedOrNot

# From Jieyab89's list
https://github.com/thewhiteh4t/pwnedOrNot
# Check if email has leaked and try to get plaintext password

5. YARA Rules

YARA is the standard for malware pattern matching:

YARA Rule Sources

# From Jieyab89's list
https://yaraify.abuse.ch/yarahub/          → Community YARA hub (abuse.ch)
https://github.com/Neo23x0/signature-base  → Neo23x0 signature base
https://valhalla.nextron-systems.com       → Valhalla YARA feed

# Using YARA rules
pip install yara-python

import yara
rules = yara.compile(filepath="rule.yar")
matches = rules.match("suspicious_file.exe")
for match in matches:
    print(f"Rule: {match.rule}, Tags: {match.tags}")

6. C2 Tracking

C2-Tracker

# From Jieyab89's list
https://github.com/montysecurity/C2-Tracker
# Tracks active C2 infrastructure for common RATs and botnets

# Lists are updated regularly:
# - Cobalt Strike C2s
# - Metasploit listeners
# - Brute Ratel C2s
# - Sliver C2s

Feodo Tracker (Emotet/TrickBot/etc.)

https://feodotracker.abuse.ch
# Botnet C2 IP tracker
curl "https://feodotracker.abuse.ch/downloads/ipblocklist.txt"

Tips

  • MalwareBazaar is the best free starting point for any hash lookup
  • any.run provides the most interactive analysis experience for free
  • ThreatFox API is easy to integrate into automated pipelines
  • Valhalla YARA requires subscription but is the highest quality rule set
  • Malpedia links malware → actor → campaign — critical for full context
  • Never analyze malware on your main machine — always use an isolated sandbox
  • Hash pivoting: if a hash is known, check its VirusTotal graph for related infrastructure

Reference: OSINT Cheat Sheet — Researching Cyber Threats, SOC & Threat Hunting sections by Jieyab89

Reference in New Issue View Git Blame Copy Permalink