Using Python to unearth a goldmine of threat intelligence from leaked chat logs
Author: Thomas Roccia |@fr0gger_
Introduction¶
Dealing with a great amount of data can be time consuming, thus using Python can be very powerful to help analysts sort information and extract the most relevant data for their investigation. The open-source tools library, MSTICpy, for example, is a tool dedicated to threat intelligence. It aims to help threat analysts acquire, enrich, analyze, and visualize data. In this notebook, we will explore the data in depth using Python. We will dissect the available information and learn more about their process and operation. Eventually, we will see how we can take advantage of the available information to pivot and hunt for additional context and threat intelligence using the MSTICpy library.
This notebook will allow analysts to reuse the code and continue to search for the extracted information on their own. Additionally, it offers an out-of-the-box methodology for analyzing chat logs, extracting indicators of compromise, and improving threat intelligence and defense process using Python.
What is the goal of this Notebook?¶
Through this notebook, we will explore the Conti Jabber leaks and provide a workflow of analysis using Python.
The notebook is composed of the following parts:
- The first part of this notebook will provide details of the available data as well as how to transform them for using it with Python and for Interpretation.
- The second part will provide details about the Jabber logs as well as some visualization.
- The third part will be dedicated to threat intelligence, extracting relevant IOCs and pivoting with the extracted data.
Configuration¶
To use this notebook several library must be installed here is the list of the module, you can install them using pip.
- pandas
- msticpy
- bokeh
- pyvis
- matplotlib
- treelib
- textsearch
- ipywidgets
- GoogleTranslator
Exploring the Jabber Logs¶
Compiling and translating the data¶
The leaked chat logs are written in the Russian language, requiring the data to be translated to English for analysis. We adopted the translation methodology published here..
Since raw Jabber logs are saved using a file per day, they will need to be compiled in one JSON file so they can easily be manipulated with Python.
cat *.json | jq -cr > ../merged.json
Once the data is merged, they can be translated using the deep translator library.
In [ ]:
# Code borrowed and adapted from @azobec
import json
from deep_translator import GoogleTranslator
# Creating the list
chatList = []
# opening the file merged.json
with open('merged2.json', encoding="utf8") as f:
for jsonObj in f:
logs = json.loads(jsonObj)
chatList.append(logs)
# Creating and adding the translated logs into translated_log.json.
with open('translated_log3.json', 'a+', encoding="utf8") as outfile:
outfile.write("[")
for line in chatList:
try:
translation = GoogleTranslator(source='auto', target='en').translate(line["body"])
line["LANG-EN"] = translation
# When a translation is not possible we handle the error and write a message
except Exception as e:
line["LANG-EN"] = "Error during Translation"
outfile.write(json.dumps(line, ensure_ascii = False).encode('utf8').decode())
outfile.write(",")
outfile.write("]")
After the logs are translated and loaded into a new file, it’s then possible to load the data into a dataframe for manipulation and exploration.
Loading the translated logs into a dataframe¶
In [1]:
# Loading the data in a dataframe
import codecs
import pandas as pd
from IPython.display import Image
df = pd.read_json(codecs.open('translated_Log2.json', 'r', 'utf-8'))
In [2]:
# Print some information about the loaded dataframe
df.head()
Out[2]:
| ts | from | to | body | LANG-EN | |
|---|---|---|---|---|---|
| 0 | 2021-01-29T00:06:46.929363 | mango@q3mcco35auwcstmt.onion | stern@q3mcco35auwcstmt.onion | про битки не забудь, кош выше, я спать) | don't forget about cue balls, kosh is higher, ... |
| 1 | 2021-01-29T04:04:39.308133 | mango@q3mcco35auwcstmt.onion | stern@q3mcco35auwcstmt.onion | привет | Hey |
| 2 | 2021-01-29T04:04:43.474243 | mango@q3mcco35auwcstmt.onion | stern@q3mcco35auwcstmt.onion | битков не хватит на все.. | bits are not enough for everything .. |
| 3 | 2021-01-29T04:32:02.648304 | price@q3mcco35auwcstmt.onion | green@q3mcco35auwcstmt.onion | привет!!! | Hey!!! |
| 4 | 2021-01-29T04:32:16.858754 | price@q3mcco35auwcstmt.onion | green@q3mcco35auwcstmt.onion | опять прокладки сменились??? нет связи! | have the pads changed again? no connection! |
Slang translation¶
Russian slang words not properly translated by the automated process can be translated by creating a dictionary. A dictionary off a list proposed here was used in this case to correctly translate the slang:
In [3]:
# Creating a dictionnary with the translated slang words
slang = {"Hell": "AD", "YES": "DA", "wheelbarrow": "host", "cars": "hosts", "cue balls": "bitcoin", "credits":"credentials", "vmik":"WMIC", "grid":"network", "facial expressions":"mimikatz", "firework":"firewall", "whining":"SQL", "school":"SQL", "balls":"shares", "zithers":"Citrix", "food":"FUD", "silkcode":"shellcode", "kosh":"cash", "toad":"jabber", "booze":"Emotet", "the trick or trick": "Trickbot", "BC":"BazarBackdoor", "backpack":"Ryuk", "lock":"ransomware"}
# Replacing the words in the translated column
df['LANG-EN'] = df['LANG-EN'].replace(slang, regex=True)
df['LANG-EN'].head(10)
Out[3]:
0 don't forget about bitcoin, cash is higher, I'... 1 Hey 2 bits are not enough for everything .. 3 Hey!!! 4 have the pads changed again? no connection! 5 Hey 6 hello sn today I'm waiting for cash and the am... 7 Hey 8 bc1qy2083z665ux68zda3tfuh5xed2493uaj8whdwv - 0... 9 moment Name: LANG-EN, dtype: object
Analyzing the chat activity timeline¶
In [4]:
# Static graph, you can double click on the graphic to get more details
df['ts'] = pd.to_datetime(df['ts']).dt.date
df['ts'] = pd.to_datetime(df['ts'])
# Sorting the data by datetime
data = df.groupby(df['ts'])['from'].count()
data.plot(kind='bar',figsize=(100,10),legend=True, title="Number of discussion per day")
Out[4]:
<AxesSubplot:title={'center':'Number of discussion per day'}, xlabel='ts'>
In [5]:
# Dynamic graph using Bokeh
import pandas_bokeh
from bokeh.models import ColumnDataSource, HoverTool
from bokeh.plotting import figure, show
df['ts'] = pd.to_datetime(df['ts']).dt.date
df['ts'] = pd.to_datetime(df['ts'])
pandas_bokeh.output_notebook()
pd.set_option('plotting.backend', 'pandas_bokeh')
# Filter the result to manipulate only timestamp and number of discussion per day
data2 = pd.DataFrame(df.groupby(df['ts'])['from'].count().reset_index())
In [6]:
# Loading the filtered dataset into ColumnDataSource
source = ColumnDataSource(data2)
# Creating the figure with the size
p = figure(x_axis_type='datetime', plot_width=900, plot_height=500)
# Adding the hover tools
p.add_tools(HoverTool(tooltips=[('Date', '@ts{%F}'), ('Nb of discussion','@from{int}')],
formatters={'@ts':'datetime'}, mode='mouse'))
# Legend
p.title.text ='Activity discussion per day'
p.xaxis.axis_label = 'Date'
p.yaxis.axis_label = 'Number of discussion'
# diagram
p.line(x='ts', y='from', line_width=2, color='#851503', source=source)
# print the diagram
show(p)
Searching in the logs¶
Reading all the leak can be a bit time consuming so it could be interesting to build a simple search engine to search for specific occurence of a string into the chat logs. That way we can filter to specific data of interest such as bitcoin, usernames, malware name, exploit, CVE... to name a few.
In [7]:
# Import lib
import ipywidgets as widgets
from textsearch import TextSearch
from IPython.display import display
pd.set_option('display.max_colwidth', None)
#configure widget
keyword = widgets.Text(
value='',
placeholder='Enter your search',
description='Search:',
disabled=False
)
display(keyword)
# Configure click button
button = widgets.Button(description="search", icon='check') # (FontAwesome names without the `fa-` prefix))
display(button)
output = widgets.Output()
# Searching for the input word
@output.capture()
def userInput(b):
# store the search result in a list
result = []
print("[+] Searching the chat for occurence of: " + keyword.value)
# look for the string into the translated column
for i in df['LANG-EN']:
ts = TextSearch(case="ignore", returns="match")
words = keyword.value
ts.add(words)
# store the result into the list
if ts.findall(str(i)):
result.append(i)
# Filter and print the result
result = list(dict.fromkeys(result))
print('\n'.join(map(str, result)))
# get the input word
button.on_click(userInput)
display(output)
Analyzing the level of user activity¶
When analyzing chat logs, identifying the number of users and analyzing the most active ones can provide insight into the size of the group and roles of users within it. Using Python, the list of users can be extracted and saved in a text file.
In [8]:
# Extracting all the users
userfrom = df['from']
userto = df['to']
# Dropping duplicate and concatenate dataframe
user = pd.concat([userfrom.drop_duplicates(), userto.drop_duplicates()], ignore_index=True)
user = user.drop_duplicates()
# Save userlist to txt for additional hunting
user.to_csv(r'IOC\userlist.txt', header=None, index=None, sep='\t', mode='a')
In [9]:
# Static graphic
%matplotlib inline
df.groupby('from').count().ts.sort_values(ascending=False).iloc[:50].plot.barh(figsize=(15,10), title="Most active users")
Out[9]:
Figure(
id = '1218', …)
above = [],
align = 'start',
aspect_ratio = None,
aspect_scale = 1,
background = None,
background_fill_alpha = 1.0,
background_fill_color = '#ffffff',
below = [LinearAxis(id='1229', ...)],
border_fill_alpha = 1.0,
border_fill_color = '#ffffff',
center = [Grid(id='1232', ...), Grid(id='1236', ...), Legend(id='1269', ...)],
css_classes = [],
disabled = False,
extra_x_ranges = {},
extra_x_scales = {},
extra_y_ranges = {},
extra_y_scales = {},
frame_height = None,
frame_width = None,
height = 10,
height_policy = 'auto',
hidpi = True,
inner_height = 0,
inner_width = 0,
js_event_callbacks = {},
js_property_callbacks = {},
left = [LinearAxis(id='1233', ...)],
lod_factor = 10,
lod_interval = 300,
lod_threshold = 2000,
lod_timeout = 500,
margin = (0, 0, 0, 0),
match_aspect = False,
max_height = None,
max_width = None,
min_border = 5,
min_border_bottom = None,
min_border_left = None,
min_border_right = None,
min_border_top = None,
min_height = None,
min_width = None,
name = None,
outer_height = 0,
outer_width = 0,
outline_line_alpha = 1.0,
outline_line_cap = 'butt',
outline_line_color = '#e5e5e5',
outline_line_dash = [],
outline_line_dash_offset = 0,
outline_line_join = 'bevel',
outline_line_width = 1,
output_backend = 'webgl',
renderers = [GlyphRenderer(id='1258', ...)],
reset_policy = 'standard',
right = [],
sizing_mode = 'fixed',
subscribed_events = [],
syncable = True,
tags = [],
title = Title(id='1219', ...),
title_location = 'above',
toolbar = Toolbar(id='1244', ...),
toolbar_location = 'right',
toolbar_sticky = True,
visible = True,
width = 15,
width_policy = 'auto',
x_range = DataRange1d(id='1221', ...),
x_scale = LinearScale(id='1225', ...),
y_range = DataRange1d(id='1223', ...),
y_scale = LinearScale(id='1227', ...))
In [10]:
# Filtering and extracting the 10 most active users
user = pd.DataFrame(df.groupby('from').count().ts.sort_values(ascending=False).reset_index())
user.columns = user.columns.str.replace('ts', 'count')
user.head(10)
Out[10]:
| from | count | |
|---|---|---|
| 0 | defender@q3mcco35auwcstmt.onion | 8246 |
| 1 | stern@q3mcco35auwcstmt.onion | 4323 |
| 2 | driver@q3mcco35auwcstmt.onion | 3968 |
| 3 | bio@q3mcco35auwcstmt.onion | 3196 |
| 4 | mango@q3mcco35auwcstmt.onion | 3194 |
| 5 | ttrr@conference.q3mcco35auwcstmt.onion | 3122 |
| 6 | veron@q3mcco35auwcstmt.onion | 2955 |
| 7 | hof@q3mcco35auwcstmt.onion | 2389 |
| 8 | bentley@q3mcco35auwcstmt.onion | 1810 |
| 9 | bloodrush@q3mcco35auwcstmt.onion | 1798 |
Mapping the users’ connections¶
In [11]:
# Transforming the data, the weight corresponding to the number of message send between 2 users.
df_weight = df.groupby(["from", "to"], as_index=False).count()
df_weight = df_weight.drop(['body','LANG-EN'], axis = 1)
df_weight.columns = df_weight.columns.str.replace('ts', 'weight')
df_weight.head(5)
Out[11]:
| from | to | weight | |
|---|---|---|---|
| 0 | admin@expiro-team.biz | qwerty@q3mcco35auwcstmt.onion | 1 |
| 1 | admin@q3mcco35auwcstmt.onion | demon@q3mcco35auwcstmt.onion | 10 |
| 2 | admin@q3mcco35auwcstmt.onion | wind@q3mcco35auwcstmt.onion | 1 |
| 3 | admin@q3mcco35auwcstmt.onion | zevs@q3mcco35auwcstmt.onion | 6 |
| 4 | admintest@q3mcco35auwcstmt.onion | revers@q3mcco35auwcstmt.onion | 15 |
In [14]:
# Importing the pyvis lib
from pyvis.network import Network
# Configuring the graph option
conti_net = Network(height='800px', width='100%', bgcolor='#222222', font_color='white', notebook = True)
# set the physics layout of the network, here we used the barnes hut
conti_net.barnes_hut()
conti_data = df_weight
# Split the data
sources = conti_data['from']
targets = conti_data['to']
weights = conti_data['weight']
edge_data = zip(sources, targets, weights)
# Browsing the data to construct the network graph
for e in edge_data:
src = e[0]
dst = e[1]
w = e[2]
conti_net.add_node(src, src, title=src)
conti_net.add_node(dst, dst, title=dst)
conti_net.add_edge(src, dst, value=w*10)
neighbor_map = conti_net.get_adj_list()
# add user data to node hover data
for node in conti_net.nodes:
node['title'] += ' <br> - Discussion with:<br>' + '<br>'.join(neighbor_map[node['id']])
node['value'] = len(neighbor_map[node['id']])
conti_net.show('conti_leak.html')
Out[14]:
Using MSTICPy to extract and analyze IOCs¶
Besides processing chat logs to analyze user activity and connections, Python can also be used to extract and analyze threat intelligence. This section shows how the MSTICPy library can be used to extract IOCs and how it can be used for additional threat hunting and intelligence.
Loading MSTICpy¶
In [15]:
# Imports and configuration
from IPython.display import display, HTML
from msticpy.sectools import IoCExtract
import matplotlib.pyplot as plt
import sys
import warnings
from msticpy import init_notebook
init_notebook(namespace=globals());
pd.set_option('display.max_rows', 500)
pd.set_option('display.max_columns', 50)
pd.set_option('display.max_colwidth', 100)
Starting Notebook initialization...
msticpy version installed: 1.7.5 latest published: 1.8.1
A newer version of msticpy - 1.8.1 is available.
Upgrade with 'pip install --upgrade msticpy'
A newer version of msticpy - 1.8.1 is available.
Upgrade with 'pip install --upgrade msticpy'
Processing imports....
Imported: pd (pandas), IPython.get_ipython, IPython.display.display, IPython.display.HTML, IPython.display.Markdown, widgets (ipywidgets), pathlib.Path, plt (matplotlib.pyplot), matplotlib.MatplotlibDeprecationWarning, np (numpy), sns (seaborn), msticpy, msticpy.data.QueryProvider, msticpy.nbtools.foliummap.FoliumMap, msticpy.common.utility.md, msticpy.common.utility.md_warn, msticpy.common.wsconfig.WorkspaceConfig, msticpy.datamodel.pivot.Pivot, msticpy.datamodel.entities, msticpy.nbtools.nbmagics, msticpy.vis.mp_pandas_plot
Checking configuration....
The following configuration errors were found:
-----------------------------------------------
Missing or empty 'Workspaces' key in 'AzureSentinel' section
No warnings found.
No valid configuration for Microsoft Sentinel found.
Azure CLI credentials not detected. (see Caching credentials with Azure CLI)
Setting notebook options....
This product includes GeoLite2 data created by MaxMind, available from
https://www.maxmind.com.
This library uses services provided by ipstack.
https://ipstack.com
Notebook setup completed with some warnings.
One or more configuration items were missing or set incorrectly.
Please run the Getting Started Guide for Azure Sentinel ML Notebooks notebook. and the msticpy configuration guide.
This notebook may still run but with reduced functionality.
Notebook initialization complete
Extracting IOCs¶
MSTICPy is a Python library used for threat investigation and threat hunting. The library can connect to several threat intelligence providers, as well as Microsoft tools like Microsoft Sentinel. It can be used to query logs and to enrich data. It’s particularly convenient for analyzing IOCs and adding more threat contextualization.
In [16]:
# We clean the dataframe to remove None value
df['LANG-EN'] = df['LANG-EN'].fillna('').apply(str)
# Initiate the IOC extractor
ioc_extractor = IoCExtract()
ioc_df = ioc_extractor.extract(data = df, columns = ['LANG-EN'])
display(HTML("<h4>IoC patterns found in chat logs.</h4>"))
display(ioc_df.head(10))
IoC patterns found in chat logs.
| IoCType | Observable | SourceIndex | Input | |
|---|---|---|---|---|
| 0 | dns | qaz.im | 23 | https://qaz.im/load/Tb6rNh/dYkYy2 |
| 1 | url | https://qaz.im/load/Tb6rNh/dYkYy2 | 23 | https://qaz.im/load/Tb6rNh/dYkYy2 |
| 2 | dns | qaz.im | 25 | https://qaz.im/load/hzkQTQ/BTa6Ze |
| 3 | url | https://qaz.im/load/hzkQTQ/BTa6Ze | 25 | https://qaz.im/load/hzkQTQ/BTa6Ze |
| 4 | dns | qaz.im | 29 | https://qaz.im/load/Tb6rNh/dYkYy2 |
| 5 | url | https://qaz.im/load/Tb6rNh/dYkYy2 | 29 | https://qaz.im/load/Tb6rNh/dYkYy2 |
| 6 | dns | qaz.im | 52 | https://qaz.im/load/hzkQTQ/BTa6Ze |
| 7 | url | https://qaz.im/load/hzkQTQ/BTa6Ze | 52 | https://qaz.im/load/hzkQTQ/BTa6Ze |
| 8 | ipv6 | 09:54:30 | 54 | [09:54:30] <22> throw it right away. until March 1, whatever. and then you waste it on trifles a... |
| 9 | ipv6 | 09:55:17 | 54 | [09:54:30] <22> throw it right away. until March 1, whatever. and then you waste it on trifles a... |
In [17]:
# Extracting BTC addresses
# Adding the regex
extractor = IoCExtract()
extractor.add_ioc_type(ioc_type='btc', ioc_regex='^(?:[13]{1}[a-km-zA-HJ-NP-Z1-9]{26,33}|bc1[a-z0-9]{39,59})$')
# Check that it added ok
print(extractor.ioc_types['btc'])
# Use it in our data set and create a new df
btc_df = ioc_extractor.extract(data=df, columns=['LANG-EN']).query('IoCType == \'btc\'')
display(HTML("<h4>BTC addresses found in chat logs.</h4>"))
display(btc_df.head(10))
IoCPattern(ioc_type='btc', comp_regex=re.compile('^(?:[13]{1}[a-km-zA-HJ-NP-Z1-9]{26,33}|bc1[a-z0-9]{39,59})$', re.IGNORECASE|re.MULTILINE|re.VERBOSE), priority=0, group=None)
BTC addresses found in chat logs.
| IoCType | Observable | SourceIndex | Input | |
|---|---|---|---|---|
| 152 | btc | bc1q3efl4m2jcr6gk32usxnfyrxh294sr8plmpe3ye | 806 | bc1q3efl4m2jcr6gk32usxnfyrxh294sr8plmpe3ye |
| 213 | btc | 1MxtwUpH4cWAz4en4kqVNzAdx5gpk9etUC | 1131 | hello, the bitcoins are over, in total 6 new servers, two vpn subscriptions, an ipvanish subscri... |
| 214 | btc | 1MxtwUpH4cWAz4en4kqVNzAdx5gpk9etUC | 1136 | hello, the bitcoins are over, in total 6 new servers, two vpn subscriptions, an ipvanish subscri... |
| 296 | btc | bc1qnf6drcfl786d70wlhfytyr5xg3qqgknlsh8dc3 | 1606 | bc1qnf6drcfl786d70wlhfytyr5xg3qqgknlsh8dc3 |
| 297 | btc | 17mc4Qm7ka9jhQEUB5LTxP3gW3tsDYUJGQ | 1608 | hello, the cue ball is over, in total 8 new servers, two vpn subscriptions, and 18 renewals have... |
| 307 | btc | bc1qnf6drcfl786d70wlhfytyr5xg3qqgknlsh8dc3 | 1617 | bc1qnf6drcfl786d70wlhfytyr5xg3qqgknlsh8dc3 |
| 308 | btc | 17mc4Qm7ka9jhQEUB5LTxP3gW3tsDYUJGQ | 1619 | hello, the cue ball is over, in total 8 new servers, two vpn subscriptions, and 18 renewals have... |
| 329 | btc | bc1qy2083z665ux68zda3tfuh5xed2493uaj8whdwv | 1669 | bc1qy2083z665ux68zda3tfuh5xed2493uaj8whdwv |
| 330 | btc | 172KVKhMqL5CU1HN884RbArzu5DDL5hwE3 | 1680 | 172KVKhMqL5CU1HN884RbArzu5DDL5hwE3\n\n0.01523011 |
| 335 | btc | bc1qc39qwc3nl2eyh2cu4ct6tyh9zqzp9ye993c0y2 | 1716 | bc1qc39qwc3nl2eyh2cu4ct6tyh9zqzp9ye993c0y2 |
In [18]:
display(HTML("<h4>Merging, filtering and sorting</h4>"))
# Merging dataframe
ioc_df = pd.concat([ioc_df, btc_df], axis=0).drop_duplicates(subset='Observable').reset_index(drop=True)
#ioc_df = ioc_df.drop_duplicates(subset='Observable', inplace=True)
# Removing IPV6 rows because they are false positive
ioc_df = ioc_df[ioc_df["IoCType"].str.contains("ipv6") == False]
ioc_df
Merging, filtering and sorting
Out[18]:
| IoCType | Observable | SourceIndex | Input | |
|---|---|---|---|---|
| 0 | dns | qaz.im | 23 | https://qaz.im/load/Tb6rNh/dYkYy2 |
| 1 | url | https://qaz.im/load/Tb6rNh/dYkYy2 | 23 | https://qaz.im/load/Tb6rNh/dYkYy2 |
| 2 | url | https://qaz.im/load/hzkQTQ/BTa6Ze | 25 | https://qaz.im/load/hzkQTQ/BTa6Ze |
| 6 | url | https://qaz.im/load/3EZGA7/4SEstA | 103 | https://qaz.im/load/3EZGA7/4SEstA |
| 21 | ipv4 | 54.183.140.39 | 228 | yep, they all worked\nexcept\nbot\n54.183.140.39 |
| ... | ... | ... | ... | ... |
| 4241 | btc | 1G5LWXMN42ueD2eWvm4zMrhXGihghHDgMq | 59405 | 1G5LWXMN42ueD2eWvm4zMrhXGihghHDgMq\nAmount $1000 |
| 4242 | btc | bc1qr8fw0xj28emurqhu8k7gj4llzgnxf4dejhl04h | 59913 | hello, I turned to the defender to clarify the situation with the salary, he replied that now it... |
| 4243 | btc | bc1qxxe0uz8dp820mnl7q5w3a2z9y4zgq9cr6smlf6 | 60385 | bc1qxxe0uz8dp820mnl7q5w3a2z9y4zgq9cr6smlf6 |
| 4244 | btc | 33hiG13GTHTV2G8aZxzBJHBPBpDNevcK2B | 60542 | 33hiG13GTHTV2G8aZxzBJHBPBpDNevcK2B |
| 4245 | btc | 3351LRF9NrFH5v2CMZWsCv66tv5UAjX5Gn | 60559 | 3351LRF9NrFH5v2CMZWsCv66tv5UAjX5Gn |
2227 rows × 4 columns
In [19]:
# Save IOC to CSV
ioc_df.to_csv("IOC\\full_ioc.csv")
# Overview of the IOC in the dataset
ioc_df["IoCType"].value_counts()
Out[19]:
url 1137 dns 474 ipv4 317 btc 175 md5_hash 106 sha256_hash 16 sha1_hash 2 Name: IoCType, dtype: int64
Cleaning the extracted IOCs¶
In [20]:
ioc_df = ioc_df[ioc_df["Observable"].str.contains("privnote.com")==False ]
ioc_df = ioc_df[ioc_df["Observable"].str.contains("qaz.im")==False ]
In [21]:
ioc_df
Out[21]:
| IoCType | Observable | SourceIndex | Input | |
|---|---|---|---|---|
| 21 | ipv4 | 54.183.140.39 | 228 | yep, they all worked\nexcept\nbot\n54.183.140.39 |
| 24 | dns | 2Fwwwapps.ups.com | 335 | 1Z9918AW3591558812 <https://hura.me/no-ref.php?url=http%3A%2F%2Fwwwapps.ups.com%2FWebTracking%2F... |
| 25 | dns | hura.me | 335 | 1Z9918AW3591558812 <https://hura.me/no-ref.php?url=http%3A%2F%2Fwwwapps.ups.com%2FWebTracking%2F... |
| 26 | url | https://hura.me/no-ref.php?url=http%3A%2F%2Fwwwapps.ups.com%2FWebTracking%2Ftrack%3FHTMLtrackVer... | 335 | 1Z9918AW3591558812 <https://hura.me/no-ref.php?url=http%3A%2F%2Fwwwapps.ups.com%2FWebTracking%2F... |
| 27 | url | https://hura.me/no-ref.php?url=http://wwwapps.ups.com/WebTracking/track?HTMLtrackVersion=5.0&loc... | 335 | 1Z9918AW3591558812 <https://hura.me/no-ref.php?url=http%3A%2F%2Fwwwapps.ups.com%2FWebTracking%2F... |
| ... | ... | ... | ... | ... |
| 4241 | btc | 1G5LWXMN42ueD2eWvm4zMrhXGihghHDgMq | 59405 | 1G5LWXMN42ueD2eWvm4zMrhXGihghHDgMq\nAmount $1000 |
| 4242 | btc | bc1qr8fw0xj28emurqhu8k7gj4llzgnxf4dejhl04h | 59913 | hello, I turned to the defender to clarify the situation with the salary, he replied that now it... |
| 4243 | btc | bc1qxxe0uz8dp820mnl7q5w3a2z9y4zgq9cr6smlf6 | 60385 | bc1qxxe0uz8dp820mnl7q5w3a2z9y4zgq9cr6smlf6 |
| 4244 | btc | 33hiG13GTHTV2G8aZxzBJHBPBpDNevcK2B | 60542 | 33hiG13GTHTV2G8aZxzBJHBPBpDNevcK2B |
| 4245 | btc | 3351LRF9NrFH5v2CMZWsCv66tv5UAjX5Gn | 60559 | 3351LRF9NrFH5v2CMZWsCv66tv5UAjX5Gn |
1760 rows × 4 columns
IP Addresses Intelligence¶
In [22]:
df_ip = ioc_df.loc[ioc_df["IoCType"] == "ipv4"]
df_ip['IoCType'].count()
Out[22]:
317
In [23]:
# load all configured providers
ti_lookup = TILookup(providers = ["VirusTotal", "GreyNoise", "OTX"])
ti_lookup.provider_status
Out[23]:
['GreyNoise - GreyNoise Lookup. (primary)', 'OTX - AlientVault OTX Lookup. (primary)', 'VirusTotal - VirusTotal Lookup. (primary)']
In [24]:
# Don't forget to reload the providers once you specified the api key in the config file.
ti_lookup.reload_providers()
Settings reloaded. Use reload_providers to update settings for loaded providers.
In [25]:
ip_intel = ti_lookup.lookup_iocs(data = df_ip["Observable"])
ip_intel.head(10)
Out[25]:
| Ioc | IocType | SafeIoc | QuerySubtype | Provider | Result | Severity | Details | RawResult | Reference | Status | |
|---|---|---|---|---|---|---|---|---|---|---|---|
| 0 | 54.183.140.39 | ipv4 | 54.183.140.39 | None | GreyNoise | False | information | Not found. | <Response [404 Not Found]> | https://api.greynoise.io/v3/community/54.183.140.39 | 404 |
| 1 | 5.139.220.204 | ipv4 | 5.139.220.204 | None | GreyNoise | False | information | Not found. | <Response [404 Not Found]> | https://api.greynoise.io/v3/community/5.139.220.204 | 404 |
| 2 | 138.124.180.94 | ipv4 | 138.124.180.94 | None | GreyNoise | False | information | Not found. | <Response [404 Not Found]> | https://api.greynoise.io/v3/community/138.124.180.94 | 404 |
| 3 | 45.14.226.47 | ipv4 | 45.14.226.47 | None | GreyNoise | False | information | Not found. | <Response [404 Not Found]> | https://api.greynoise.io/v3/community/45.14.226.47 | 404 |
| 4 | 193.203.203.101 | ipv4 | 193.203.203.101 | None | GreyNoise | False | information | Not found. | <Response [404 Not Found]> | https://api.greynoise.io/v3/community/193.203.203.101 | 404 |
| 5 | 173.163.176.177 | ipv4 | 173.163.176.177 | None | GreyNoise | False | information | Not found. | <Response [404 Not Found]> | https://api.greynoise.io/v3/community/173.163.176.177 | 404 |
| 6 | 75.151.48.49 | ipv4 | 75.151.48.49 | None | GreyNoise | False | information | Not found. | <Response [404 Not Found]> | https://api.greynoise.io/v3/community/75.151.48.49 | 404 |
| 7 | 71.105.126.26 | ipv4 | 71.105.126.26 | None | GreyNoise | False | information | Not found. | <Response [404 Not Found]> | https://api.greynoise.io/v3/community/71.105.126.26 | 404 |
| 8 | 96.70.44.17 | ipv4 | 96.70.44.17 | None | GreyNoise | False | information | Not found. | <Response [404 Not Found]> | https://api.greynoise.io/v3/community/96.70.44.17 | 404 |
| 9 | 96.93.217.253 | ipv4 | 96.93.217.253 | None | GreyNoise | False | information | Not found. | <Response [404 Not Found]> | https://api.greynoise.io/v3/community/96.93.217.253 | 404 |
In [26]:
# Saving the IP into a csv file.
ip_intel.to_csv("IOC\\ipintel.csv")
In [27]:
# Removing the ip with severity == information
ip_intel = ip_intel[ip_intel["Severity"].str.contains("information")==False ]
In [28]:
# You can also make a request for a single IP.
result = ti_lookup.lookup_ioc(observable="203.76.105.227")
ti_lookup.result_to_df(result).T
Out[28]:
| GreyNoise | OTX | VirusTotal | |
|---|---|---|---|
| Ioc | 203.76.105.227 | 203.76.105.227 | 203.76.105.227 |
| IocType | ipv4 | ipv4 | ipv4 |
| QuerySubtype | None | None | None |
| Provider | GreyNoise | OTX | VirusTotal |
| Result | False | True | True |
| Severity | information | high | information |
| Details | Not found. | {'pulse_count': 3, 'names': ['IoC Ransomware CONTI', 'Conti Ransomware | CISA', 'Conti Ransomwar... | {'verbose_msg': 'IP address in dataset', 'response_code': 1, 'positives': 0, 'detected_urls': []... |
| RawResult | <Response [404 Not Found]> | {'whois': 'http://whois.domaintools.com/203.76.105.227', 'reputation': 0, 'indicator': '203.76.1... | {'asn': 23688, 'undetected_urls': [], 'undetected_downloaded_samples': [{'date': '2021-05-25 16:... |
| Reference | https://api.greynoise.io/v3/community/203.76.105.227 | https://otx.alienvault.com/api/v1/indicators/IPv4/203.76.105.227/general | https://www.virustotal.com/vtapi/v2/ip-address/report |
| Status | 404 | 0 | 0 |
Browsing the result¶
In [29]:
from msticpy.nbtools.ti_browser import browse_results
ip_intel = pd.read_csv("IOC\\ipintel.csv")
ti_selector = browse_results(data = ip_intel, height="200px")
ti_selector
103.101.104.229
Type: 'ipv4', Provider: OTX, severity: high
Details
Reference:
https://otx.alienvault.com/api/v1/indicators/IPv4/103.101.104.229/generalRaw Results
Raw results from provider...
("{'whois': 'http://whois.domaintools.com/103.101.104.229', 'reputation': 0, "
"'indicator': '103.101.104.229', 'type': 'IPv4', 'type_title': 'IPv4', "
"'base_indicator': {'id': 3011530694, 'indicator': '103.101.104.229', 'type': "
"'IPv4', 'title': '', 'description': '', 'content': '', 'access_type': "
"'public', 'access_reason': ''}, 'pulse_info': {'count': 50, 'pulses': "
"[{'id': '614e0dc583aa90bf2dd4ec91', 'name': 'Network IOCs', 'description': "
"'Network-based IOCs', 'modified': '2022-05-12T00:04:24.089000', 'created': "
"'2021-09-24T17:41:25.461000', 'tags': ['msi file', 'tuesday', 'malspam "
"email', 'headers', 'anna paula', 'utf8', 'currc3adculo', 'from email', "
"'associated', 'zip archive'], 'references': "
"['2021-09-21-Curriculo-IOCs.txt'], 'public': 1, 'adversary': '', "
"'targeted_countries': [], 'malware_families': [], 'attack_ids': [], "
"'industries': [], 'TLP': 'white', 'cloned_from': None, 'export_count': 87, "
"'upvotes_count': 0, 'downvotes_count': 0, 'votes_count': 0, 'locked': False, "
"'pulse_source': 'web', 'validator_count': 0, 'comment_count': 0, "
"'follower_count': 0, 'vote': 0, 'author': {'username': 'cnoscsoc@att.com', "
"'id': '81627', 'avatar_url': "
"'https://otx.alienvault.com/assets/images/default-avatar.png', "
"'is_subscribed': False, 'is_following': False}, 'indicator_type_counts': "
"{'domain': 3314, 'hostname': 610, 'URL': 16, 'email': 1, 'IPv4': 1893}, "
"'indicator_count': 5834, 'is_author': False, 'is_subscribing': None, "
"'subscriber_count': 102, 'modified_text': '13 minutes ago ', 'is_modified': "
"True, 'groups': [], 'in_group': False, 'threat_hunter_scannable': True, "
"'threat_hunter_has_agents': 1, 'related_indicator_type': 'IPv4', "
"'related_indicator_is_active': 0}, {'id': '627b45f5c02acb8a3eaee0db', "
"'name': 'feodotracker-0-20220511', 'description': 'Data from "
"https://feodotracker.abuse.ch/downloads/ipblocklist_aggressive.csv', "
"'modified': '2022-05-11T05:13:25.029000', 'created': "
"'2022-05-11T05:13:25.029000', 'tags': [], 'references': [], 'public': 1, "
"'adversary': '', 'targeted_countries': [], 'malware_families': [], "
"'attack_ids': [], 'industries': [], 'TLP': 'white', 'cloned_from': None, "
"'export_count': 1, 'upvotes_count': 0, 'downvotes_count': 0, 'votes_count': "
"0, 'locked': False, 'pulse_source': 'api', 'validator_count': 0, "
"'comment_count': 0, 'follower_count': 0, 'vote': 0, 'author': {'username': "
"'ZENDataGE', 'id': '94417', 'avatar_url': "
"'https://otx.alienvault.com/assets/images/default-avatar.png', "
"'is_subscribed': False, 'is_following': False}, 'indicator_type_counts': "
"{'IPv4': 2977}, 'indicator_count': 2977, 'is_author': False, "
"'is_subscribing': None, 'subscriber_count': 340, 'modified_text': '19 hours "
"ago ', 'is_modified': False, 'groups': [], 'in_group': False, "
"'threat_hunter_scannable': True, 'threat_hunter_has_agents': 1, "
"'related_indicator_type': 'IPv4', 'related_indicator_is_active': 1}, {'id': "
"'627220e0f24ae0a0864f5a9c', 'name': 'feodotracker-0-20220504', "
"'description': 'Data from "
"https://feodotracker.abuse.ch/downloads/ipblocklist_aggressive.csv', "
"'modified': '2022-05-11T00:02:13.446000', 'created': "
"'2022-05-04T06:44:48.234000', 'tags': [], 'references': [], 'public': 1, "
"'adversary': '', 'targeted_countries': [], 'malware_families': [], "
"'attack_ids': [], 'industries': [], 'TLP': 'white', 'cloned_from': None, "
"'export_count': 0, 'upvotes_count': 0, 'downvotes_count': 0, 'votes_count': "
"0, 'locked': False, 'pulse_source': 'api', 'validator_count': 0, "
"'comment_count': 0, 'follower_count': 0, 'vote': 0, 'author': {'username': "
"'ZENDataGE', 'id': '94417', 'avatar_url': "
"'https://otx.alienvault.com/assets/images/default-avatar.png', "
"'is_subscribed': False, 'is_following': False}, 'indicator_type_counts': {}, "
"'indicator_count': 0, 'is_author': False, 'is_subscribing': None, "
"'subscriber_count': 339, 'modified_text': '1 day ago ', 'is_modified': True, "
"'groups': [], 'in_group': False, 'threat_hunter_scannable': False, "
"'threat_hunter_has_agents': 1, 'related_indicator_type': 'IPv4', "
"'related_indicator_is_active': 0}, {'id': '6279ee8ce28a19e0aaf5353c', "
"'name': 'feodotracker-0-20220510', 'description': 'Data from "
"https://feodotracker.abuse.ch/downloads/ipblocklist_aggressive.csv', "
"'modified': '2022-05-10T04:48:12.315000', 'created': "
"'2022-05-10T04:48:12.315000', 'tags': [], 'references': [], 'public': 1, "
"'adversary': '', 'targeted_countries': [], 'malware_families': [], "
"'attack_ids': [], 'industries': [], 'TLP': 'white', 'cloned_from': None, "
"'export_count': 5, 'upvotes_count': 0, 'downvotes_count': 0, 'votes_count': "
"0, 'locked': False, 'pulse_source': 'api', 'validator_count': 0, "
"'comment_count': 0, 'follower_count': 0, 'vote': 0, 'author': {'username': "
"'ZENDataGE', 'id': '94417', 'avatar_url': "
"'https://otx.alienvault.com/assets/images/default-avatar.png', "
"'is_subscribed': False, 'is_following': False}, 'indicator_type_counts': "
"{'IPv4': 2977}, 'indicator_count': 2977, 'is_author': False, "
"'is_subscribing': None, 'subscriber_count': 340, 'modified_text': '1 day ago "
"', 'is_modified': False, 'groups': [], 'in_group': False, "
"'threat_hunter_scannable': True, 'threat_hunter_has_agents': 1, "
"'related_indicator_type': 'IPv4', 'related_indicator_is_active': 1}, {'id': "
"'6270d430bf9c2d34f0f370e3', 'name': 'feodotracker-0-20220503', "
"'description': 'Data from "
"https://feodotracker.abuse.ch/downloads/ipblocklist_aggressive.csv', "
"'modified': '2022-05-10T00:02:48.350000', 'created': "
"'2022-05-03T07:05:20.872000', 'tags': [], 'references': [], 'public': 1, "
"'adversary': '', 'targeted_countries': [], 'malware_families': [], "
"'attack_ids': [], 'industries': [], 'TLP': 'white', 'cloned_from': None, "
"'export_count': 0, 'upvotes_count': 0, 'downvotes_count': 0, 'votes_count': "
"0, 'locked': False, 'pulse_source': 'api', 'validator_count': 0, "
"'comment_count': 0, 'follower_count': 0, 'vote': 0, 'author': {'username': "
"'ZENDataGE', 'id': '94417', 'avatar_url': "
"'https://otx.alienvault.com/assets/images/default-avatar.png', "
"'is_subscribed': False, 'is_following': False}, 'indicator_type_counts': {}, "
"'indicator_count': 0, 'is_author': False, 'is_subscribing': None, "
"'subscriber_count': 339, 'modified_text': '2 days ago ', 'is_modified': "
"True, 'groups': [], 'in_group': False, 'threat_hunter_scannable': False, "
"'threat_hunter_has_agents': 1, 'related_indicator_type': 'IPv4', "
"'related_indicator_is_active': 0}, {'id': '6278f04cce1a4c290610a27e', "
"'name': 'feodotracker-0-20220509', 'description': 'Data from "
"https://feodotracker.abuse.ch/downloads/ipblocklist_aggressive.csv', "
"'modified': '2022-05-09T10:43:24.661000', 'created': "
"'2022-05-09T10:43:24.661000', 'tags': [], 'references': [], 'public': 1, "
"'adversary': '', 'targeted_countries': [], 'malware_families': [], "
"'attack_ids': [], 'industries': [], 'TLP': 'white', 'cloned_from': None, "
"'export_count': 1, 'upvotes_count': 0, 'downvotes_count': 0, 'votes_count': "
"0, 'locked': False, 'pulse_source': 'api', 'validator_count': 0, "
"'comment_count': 0, 'follower_count': 0, 'vote': 0, 'author': {'username': "
"'ZENDataGE', 'id': '94417', 'avatar_url': "
"'https://otx.alienvault.com/assets/images/default-avatar.png', "
"'is_subscribed': False, 'is_following': False}, 'indicator_type_counts': "
"{'IPv4': 2977}, 'indicator_count': 2977, 'is_author': False, "
"'is_subscribing': None, 'subscriber_count': 339, 'modified_text': '2 days "
"ago ', 'is_modified': False, 'groups': [], 'in_group': False, "
"'threat_hunter_scannable': True, 'threat_hunter_has_agents': 1, "
"'related_indicator_type': 'IPv4', 'related_indicator_is_active': 1}, {'id': "
"'626f7ad3d15c591e25689db0', 'name': 'feodotracker-0-20220502', "
"'description': 'Data from "
"https://feodotracker.abuse.ch/downloads/ipblocklist_aggressive.csv', "
"'modified': '2022-05-09T00:00:19.127000', 'created': "
"'2022-05-02T06:31:47.984000', 'tags': [], 'references': [], 'public': 1, "
"'adversary': '', 'targeted_countries': [], 'malware_families': [], "
"'attack_ids': [], 'industries': [], 'TLP': 'white', 'cloned_from': None, "
"'export_count': 0, 'upvotes_count': 0, 'downvotes_count': 0, 'votes_count': "
"0, 'locked': False, 'pulse_source': 'api', 'validator_count': 0, "
"'comment_count': 0, 'follower_count': 0, 'vote': 0, 'author': {'username': "
"'ZENDataGE', 'id': '94417', 'avatar_url': "
"'https://otx.alienvault.com/assets/images/default-avatar.png', "
"'is_subscribed': False, 'is_following': False}, 'indicator_type_counts': {}, "
"'indicator_count': 0, 'is_author': False, 'is_subscribing': None, "
"'subscriber_count': 339, 'modified_text': '3 days ago ', 'is_modified': "
"True, 'groups': [], 'in_group': False, 'threat_hunter_scannable': False, "
"'threat_hunter_has_agents': 1, 'related_indicator_type': 'IPv4', "
"'related_indicator_is_active': 0}, {'id': '626ee671ecd2054b5f340414', "
"'name': 'feodotracker-0-20220501', 'description': 'Data from "
"https://feodotracker.abuse.ch/downloads/ipblocklist_aggressive.csv', "
"'modified': '2022-05-08T00:03:14.586000', 'created': "
"'2022-05-01T19:58:41.206000', 'tags': [], 'references': [], 'public': 1, "
"'adversary': '', 'targeted_countries': [], 'malware_families': [], "
"'attack_ids': [], 'industries': [], 'TLP': 'white', 'cloned_from': None, "
"'export_count': 0, 'upvotes_count': 0, 'downvotes_count': 0, 'votes_count': "
"0, 'locked': False, 'pulse_source': 'api', 'validator_count': 0, "
"'comment_count': 0, 'follower_count': 0, 'vote': 0, 'author': {'username': "
"'ZENDataGE', 'id': '94417', 'avatar_url': "
"'https://otx.alienvault.com/assets/images/default-avatar.png', "
"'is_subscribed': False, 'is_following': False}, 'indicator_type_counts': {}, "
"'indicator_count': 0, 'is_author': False, 'is_subscribing': None, "
"'subscriber_count': 339, 'modified_text': '4 days ago ', 'is_modified': "
"True, 'groups': [], 'in_group': False, 'threat_hunter_scannable': False, "
"'threat_hunter_has_agents': 1, 'related_indicator_type': 'IPv4', "
"'related_indicator_is_active': 0}, {'id': '627611c2149b9e5c3de4a4a2', "
"'name': 'feodotracker-0-20220507', 'description': 'Data from "
"https://feodotracker.abuse.ch/downloads/ipblocklist_aggressive.csv', "
"'modified': '2022-05-07T06:29:22.630000', 'created': "
"'2022-05-07T06:29:22.630000', 'tags': [], 'references': [], 'public': 1, "
"'adversary': '', 'targeted_countries': [], 'malware_families': [], "
"'attack_ids': [], 'industries': [], 'TLP': 'white', 'cloned_from': None, "
"'export_count': 1, 'upvotes_count': 0, 'downvotes_count': 0, 'votes_count': "
"0, 'locked': False, 'pulse_source': 'api', 'validator_count': 0, "
"'comment_count': 0, 'follower_count': 0, 'vote': 0, 'author': {'username': "
"'ZENDataGE', 'id': '94417', 'avatar_url': "
"'https://otx.alienvault.com/assets/images/default-avatar.png', "
"'is_subscribed': False, 'is_following': False}, 'indicator_type_counts': "
"{'IPv4': 2974}, 'indicator_count': 2974, 'is_author': False, "
"'is_subscribing': None, 'subscriber_count': 339, 'modified_text': '4 days "
"ago ', 'is_modified': False, 'groups': [], 'in_group': False, "
"'threat_hunter_scannable': True, 'threat_hunter_has_agents': 1, "
"'related_indicator_type': 'IPv4', 'related_indicator_is_active': 1}, {'id': "
"'626ccbd12c593dc8f62f452a', 'name': 'feodotracker-0-20220430', "
"'description': 'Data from "
"https://feodotracker.abuse.ch/downloads/ipblocklist_aggressive.csv', "
"'modified': '2022-05-07T00:03:18.570000', 'created': "
"'2022-04-30T05:40:33.936000', 'tags': [], 'references': [], 'public': 1, "
"'adversary': '', 'targeted_countries': [], 'malware_families': [], "
"'attack_ids': [], 'industries': [], 'TLP': 'white', 'cloned_from': None, "
"'export_count': 0, 'upvotes_count': 0, 'downvotes_count': 0, 'votes_count': "
"0, 'locked': False, 'pulse_source': 'api', 'validator_count': 0, "
"'comment_count': 0, 'follower_count': 0, 'vote': 0, 'author': {'username': "
"'ZENDataGE', 'id': '94417', 'avatar_url': "
"'https://otx.alienvault.com/assets/images/default-avatar.png', "
"'is_subscribed': False, 'is_following': False}, 'indicator_type_counts': {}, "
"'indicator_count': 0, 'is_author': False, 'is_subscribing': None, "
"'subscriber_count': 339, 'modified_text': '5 days ago ', 'is_modified': "
"True, 'groups': [], 'in_group': False, 'threat_hunter_scannable': False, "
"'threat_hunter_has_agents': 1, 'related_indicator_type': 'IPv4', "
"'related_indicator_is_active': 0}, {'id': '6274f3ff64c4e483c4259859', "
"'name': 'feodotracker-0-20220506', 'description': 'Data from "
"https://feodotracker.abuse.ch/downloads/ipblocklist_aggressive.csv', "
"'modified': '2022-05-06T10:10:07.620000', 'created': "
"'2022-05-06T10:10:07.620000', 'tags': [], 'references': [], 'public': 1, "
"'adversary': '', 'targeted_countries': [], 'malware_families': [], "
"'attack_ids': [], 'industries': [], 'TLP': 'white', 'cloned_from': None, "
"'export_count': 1, 'upvotes_count': 0, 'downvotes_count': 0, 'votes_count': "
"0, 'locked': False, 'pulse_source': 'api', 'validator_count': 0, "
"'comment_count': 0, 'follower_count': 0, 'vote': 0, 'author': {'username': "
"'ZENDataGE', 'id': '94417', 'avatar_url': "
"'https://otx.alienvault.com/assets/images/default-avatar.png', "
"'is_subscribed': False, 'is_following': False}, 'indicator_type_counts': "
"{'IPv4': 2973}, 'indicator_count': 2973, 'is_author': False, "
"'is_subscribing': None, 'subscriber_count': 339, 'modified_text': '5 days "
"ago ', 'is_modified': False, 'groups': [], 'in_group': False, "
"'threat_hunter_scannable': True, 'threat_hunter_has_agents': 1, "
"'related_indicator_type': 'IPv4', 'related_indicator_is_active': 1}, {'id': "
"'626b83311b4d4fa0370ade43', 'name': 'feodotracker-0-20220429', "
"'description': 'Data from "
"https://feodotracker.abuse.ch/downloads/ipblocklist_aggressive.csv', "
"'modified': '2022-05-06T00:03:41.989000', 'created': "
"'2022-04-29T06:18:25.182000', 'tags': [], 'references': [], 'public': 1, "
"'adversary': '', 'targeted_countries': [], 'malware_families': [], "
"'attack_ids': [], 'industries': [], 'TLP': 'white', 'cloned_from': None, "
"'export_count': 0, 'upvotes_count': 0, 'downvotes_count': 0, 'votes_count': "
"0, 'locked': False, 'pulse_source': 'api', 'validator_count': 0, "
"'comment_count': 0, 'follower_count': 0, 'vote': 0, 'author': {'username': "
"'ZENDataGE', 'id': '94417', 'avatar_url': "
"'https://otx.alienvault.com/assets/images/default-avatar.png', "
"'is_subscribed': False, 'is_following': False}, 'indicator_type_counts': {}, "
"'indicator_count': 0, 'is_author': False, 'is_subscribing': None, "
"'subscriber_count': 340, 'modified_text': '6 days ago ', 'is_modified': "
"True, 'groups': [], 'in_group': False, 'threat_hunter_scannable': False, "
"'threat_hunter_has_agents': 1, 'related_indicator_type': 'IPv4', "
"'related_indicator_is_active': 0}, {'id': '626a0e35c35f2f018f5ff6b2', "
"'name': 'feodotracker-0-20220428', 'description': 'Data from "
"https://feodotracker.abuse.ch/downloads/ipblocklist_aggressive.csv', "
"'modified': '2022-05-05T00:01:02.977000', 'created': "
"'2022-04-28T03:47:01.193000', 'tags': [], 'references': [], 'public': 1, "
"'adversary': '', 'targeted_countries': [], 'malware_families': [], "
"'attack_ids': [], 'industries': [], 'TLP': 'white', 'cloned_from': None, "
"'export_count': 0, 'upvotes_count': 0, 'downvotes_count': 0, 'votes_count': "
"0, 'locked': False, 'pulse_source': 'api', 'validator_count': 0, "
"'comment_count': 0, 'follower_count': 0, 'vote': 0, 'author': {'username': "
"'ZENDataGE', 'id': '94417', 'avatar_url': "
"'https://otx.alienvault.com/assets/images/default-avatar.png', "
"'is_subscribed': False, 'is_following': False}, 'indicator_type_counts': {}, "
"'indicator_count': 0, 'is_author': False, 'is_subscribing': None, "
"'subscriber_count': 339, 'modified_text': '7 days ago ', 'is_modified': "
"True, 'groups': [], 'in_group': False, 'threat_hunter_scannable': False, "
"'threat_hunter_has_agents': 1, 'related_indicator_type': 'IPv4', "
"'related_indicator_is_active': 0}, {'id': '6268e0c9a4d3824a4433a4e1', "
"'name': 'feodotracker-0-20220427', 'description': 'Data from "
"https://feodotracker.abuse.ch/downloads/ipblocklist_aggressive.csv', "
"'modified': '2022-05-04T00:05:07.263000', 'created': "
"'2022-04-27T06:20:57.338000', 'tags': [], 'references': [], 'public': 1, "
"'adversary': '', 'targeted_countries': [], 'malware_families': [], "
"'attack_ids': [], 'industries': [], 'TLP': 'white', 'cloned_from': None, "
"'export_count': 0, 'upvotes_count': 0, 'downvotes_count': 0, 'votes_count': "
"0, 'locked': False, 'pulse_source': 'api', 'validator_count': 0, "
"'comment_count': 0, 'follower_count': 0, 'vote': 0, 'author': {'username': "
"'ZENDataGE', 'id': '94417', 'avatar_url': "
"'https://otx.alienvault.com/assets/images/default-avatar.png', "
"'is_subscribed': False, 'is_following': False}, 'indicator_type_counts': {}, "
"'indicator_count': 0, 'is_author': False, 'is_subscribing': None, "
"'subscriber_count': 339, 'modified_text': '8 days ago ', 'is_modified': "
"True, 'groups': [], 'in_group': False, 'threat_hunter_scannable': False, "
"'threat_hunter_has_agents': 1, 'related_indicator_type': 'IPv4', "
"'related_indicator_is_active': 0}, {'id': '6267902ba01c16e11b513360', "
"'name': 'feodotracker-0-20220426', 'description': 'Data from "
"https://feodotracker.abuse.ch/downloads/ipblocklist_aggressive.csv', "
"'modified': '2022-05-03T00:01:26.398000', 'created': "
"'2022-04-26T06:24:43.961000', 'tags': [], 'references': [], 'public': 1, "
"'adversary': '', 'targeted_countries': [], 'malware_families': [], "
"'attack_ids': [], 'industries': [], 'TLP': 'white', 'cloned_from': None, "
"'export_count': 0, 'upvotes_count': 0, 'downvotes_count': 0, 'votes_count': "
"0, 'locked': False, 'pulse_source': 'api', 'validator_count': 0, "
"'comment_count': 0, 'follower_count': 0, 'vote': 0, 'author': {'username': "
"'ZENDataGE', 'id': '94417', 'avatar_url': "
"'https://otx.alienvault.com/assets/images/default-avatar.png', "
"'is_subscribed': False, 'is_following': False}, 'indicator_type_counts': {}, "
"'indicator_count': 0, 'is_author': False, 'is_subscribing': None, "
"'subscriber_count': 339, 'modified_text': '9 days ago ', 'is_modified': "
"True, 'groups': [], 'in_group': False, 'threat_hunter_scannable': False, "
"'threat_hunter_has_agents': 1, 'related_indicator_type': 'IPv4', "
"'related_indicator_is_active': 0}, {'id': '62664beab3e7e1f843d4ed7f', "
"'name': 'feodotracker-0-20220425', 'description': 'Data from "
"https://feodotracker.abuse.ch/downloads/ipblocklist_aggressive.csv', "
"'modified': '2022-05-02T00:00:42.176000', 'created': "
"'2022-04-25T07:21:14.984000', 'tags': [], 'references': [], 'public': 1, "
"'adversary': '', 'targeted_countries': [], 'malware_families': [], "
"'attack_ids': [], 'industries': [], 'TLP': 'white', 'cloned_from': None, "
"'export_count': 0, 'upvotes_count': 0, 'downvotes_count': 0, 'votes_count': "
"0, 'locked': False, 'pulse_source': 'api', 'validator_count': 0, "
"'comment_count': 0, 'follower_count': 0, 'vote': 0, 'author': {'username': "
"'ZENDataGE', 'id': '94417', 'avatar_url': "
"'https://otx.alienvault.com/assets/images/default-avatar.png', "
"'is_subscribed': False, 'is_following': False}, 'indicator_type_counts': {}, "
"'indicator_count': 0, 'is_author': False, 'is_subscribing': None, "
"'subscriber_count': 339, 'modified_text': '10 days ago ', 'is_modified': "
"True, 'groups': [], 'in_group': False, 'threat_hunter_scannable': False, "
"'threat_hunter_has_agents': 1, 'related_indicator_type': 'IPv4', "
"'related_indicator_is_active': 0}, {'id': '6264df9ed4858e43a43aee5d', "
"'name': 'feodotracker-0-20220424', 'description': 'Data from "
"https://feodotracker.abuse.ch/downloads/ipblocklist_aggressive.csv', "
"'modified': '2022-05-01T00:02:33.075000', 'created': "
"'2022-04-24T05:26:54.855000', 'tags': [], 'references': [], 'public': 1, "
"'adversary': '', 'targeted_countries': [], 'malware_families': [], "
"'attack_ids': [], 'industries': [], 'TLP': 'white', 'cloned_from': None, "
"'export_count': 0, 'upvotes_count': 0, 'downvotes_count': 0, 'votes_count': "
"0, 'locked': False, 'pulse_source': 'api', 'validator_count': 0, "
"'comment_count': 0, 'follower_count': 0, 'vote': 0, 'author': {'username': "
"'ZENDataGE', 'id': '94417', 'avatar_url': "
"'https://otx.alienvault.com/assets/images/default-avatar.png', "
"'is_subscribed': False, 'is_following': False}, 'indicator_type_counts': {}, "
"'indicator_count': 0, 'is_author': False, 'is_subscribing': None, "
"'subscriber_count': 339, 'modified_text': '11 days ago ', 'is_modified': "
"True, 'groups': [], 'in_group': False, 'threat_hunter_scannable': False, "
"'threat_hunter_has_agents': 1, 'related_indicator_type': 'IPv4', "
"'related_indicator_is_active': 0}, {'id': '62623dde3f37fb753d715f80', "
"'name': 'feodotracker-0-20220422', 'description': 'Data from "
"https://feodotracker.abuse.ch/downloads/ipblocklist_aggressive.csv', "
"'modified': '2022-04-29T00:05:19.794000', 'created': "
"'2022-04-22T05:32:14.297000', 'tags': [], 'references': [], 'public': 1, "
"'adversary': '', 'targeted_countries': [], 'malware_families': [], "
"'attack_ids': [], 'industries': [], 'TLP': 'white', 'cloned_from': None, "
"'export_count': 0, 'upvotes_count': 0, 'downvotes_count': 0, 'votes_count': "
"0, 'locked': False, 'pulse_source': 'api', 'validator_count': 0, "
"'comment_count': 0, 'follower_count': 0, 'vote': 0, 'author': {'username': "
"'ZENDataGE', 'id': '94417', 'avatar_url': "
"'https://otx.alienvault.com/assets/images/default-avatar.png', "
"'is_subscribed': False, 'is_following': False}, 'indicator_type_counts': {}, "
"'indicator_count': 0, 'is_author': False, 'is_subscribing': None, "
"'subscriber_count': 340, 'modified_text': '13 days ago ', 'is_modified': "
"True, 'groups': [], 'in_group': False, 'threat_hunter_scannable': False, "
"'threat_hunter_has_agents': 1, 'related_indicator_type': 'IPv4', "
"'related_indicator_is_active': 0}, {'id': '625f95960531c82bac8ad4fb', "
"'name': 'feodotracker-0-20220420', 'description': 'Data from "
"https://feodotracker.abuse.ch/downloads/ipblocklist_aggressive.csv', "
"'modified': '2022-04-27T00:03:12.448000', 'created': "
"'2022-04-20T05:09:42.428000', 'tags': [], 'references': [], 'public': 1, "
"'adversary': '', 'targeted_countries': [], 'malware_families': [], "
"'attack_ids': [], 'industries': [], 'TLP': 'white', 'cloned_from': None, "
"'export_count': 0, 'upvotes_count': 0, 'downvotes_count': 0, 'votes_count': "
"0, 'locked': False, 'pulse_source': 'api', 'validator_count': 0, "
"'comment_count': 0, 'follower_count': 0, 'vote': 0, 'author': {'username': "
"'ZENDataGE', 'id': '94417', 'avatar_url': "
"'https://otx.alienvault.com/assets/images/default-avatar.png', "
"'is_subscribed': False, 'is_following': False}, 'indicator_type_counts': {}, "
"'indicator_count': 0, 'is_author': False, 'is_subscribing': None, "
"'subscriber_count': 339, 'modified_text': '15 days ago ', 'is_modified': "
"True, 'groups': [], 'in_group': False, 'threat_hunter_scannable': False, "
"'threat_hunter_has_agents': 1, 'related_indicator_type': 'IPv4', "
"'related_indicator_is_active': 0}, {'id': '625e3a21f48c0e3dd7fbfbb4', "
"'name': 'feodotracker-0-20220419', 'description': 'Data from "
"https://feodotracker.abuse.ch/downloads/ipblocklist_aggressive.csv', "
"'modified': '2022-04-26T00:01:30.700000', 'created': "
"'2022-04-19T04:27:13.116000', 'tags': [], 'references': [], 'public': 1, "
"'adversary': '', 'targeted_countries': [], 'malware_families': [], "
"'attack_ids': [], 'industries': [], 'TLP': 'white', 'cloned_from': None, "
"'export_count': 0, 'upvotes_count': 0, 'downvotes_count': 0, 'votes_count': "
"0, 'locked': False, 'pulse_source': 'api', 'validator_count': 0, "
"'comment_count': 0, 'follower_count': 0, 'vote': 0, 'author': {'username': "
"'ZENDataGE', 'id': '94417', 'avatar_url': "
"'https://otx.alienvault.com/assets/images/default-avatar.png', "
"'is_subscribed': False, 'is_following': False}, 'indicator_type_counts': {}, "
"'indicator_count': 0, 'is_author': False, 'is_subscribing': None, "
"'subscriber_count': 339, 'modified_text': '16 days ago ', 'is_modified': "
"True, 'groups': [], 'in_group': False, 'threat_hunter_scannable': False, "
"'threat_hunter_has_agents': 1, 'related_indicator_type': 'IPv4', "
"'related_indicator_is_active': 0}, {'id': '625d934f029f45492a6edc19', "
"'name': 'feodotracker-0-20220418', 'description': 'Data from "
"https://feodotracker.abuse.ch/downloads/ipblocklist_aggressive.csv', "
"'modified': '2022-04-25T00:00:49.923000', 'created': "
"'2022-04-18T16:35:27.393000', 'tags': [], 'references': [], 'public': 1, "
"'adversary': '', 'targeted_countries': [], 'malware_families': [], "
"'attack_ids': [], 'industries': [], 'TLP': 'white', 'cloned_from': None, "
"'export_count': 0, 'upvotes_count': 0, 'downvotes_count': 0, 'votes_count': "
"0, 'locked': False, 'pulse_source': 'api', 'validator_count': 0, "
"'comment_count': 0, 'follower_count': 0, 'vote': 0, 'author': {'username': "
"'ZENDataGE', 'id': '94417', 'avatar_url': "
"'https://otx.alienvault.com/assets/images/default-avatar.png', "
"'is_subscribed': False, 'is_following': False}, 'indicator_type_counts': {}, "
"'indicator_count': 0, 'is_author': False, 'is_subscribing': None, "
"'subscriber_count': 339, 'modified_text': '17 days ago ', 'is_modified': "
"True, 'groups': [], 'in_group': False, 'threat_hunter_scannable': False, "
"'threat_hunter_has_agents': 1, 'related_indicator_type': 'IPv4', "
"'related_indicator_is_active': 0}, {'id': '625bb92c0e105f8c0537b1b2', "
"'name': 'feodotracker-0-20220417', 'description': 'Data from "
"https://feodotracker.abuse.ch/downloads/ipblocklist_aggressive.csv', "
"'modified': '2022-04-24T00:01:15.470000', 'created': "
"'2022-04-17T06:52:28.817000', 'tags': [], 'references': [], 'public': 1, "
"'adversary': '', 'targeted_countries': [], 'malware_families': [], "
"'attack_ids': [], 'industries': [], 'TLP': 'white', 'cloned_from': None, "
"'export_count': 0, 'upvotes_count': 0, 'downvotes_count': 0, 'votes_count': "
"0, 'locked': False, 'pulse_source': 'api', 'validator_count': 0, "
"'comment_count': 0, 'follower_count': 0, 'vote': 0, 'author': {'username': "
"'ZENDataGE', 'id': '94417', 'avatar_url': "
"'https://otx.alienvault.com/assets/images/default-avatar.png', "
"'is_subscribed': False, 'is_following': False}, 'indicator_type_counts': {}, "
"'indicator_count': 0, 'is_author': False, 'is_subscribing': None, "
"'subscriber_count': 339, 'modified_text': '18 days ago ', 'is_modified': "
"True, 'groups': [], 'in_group': False, 'threat_hunter_scannable': False, "
"'threat_hunter_has_agents': 1, 'related_indicator_type': 'IPv4', "
"'related_indicator_is_active': 0}, {'id': '62637949a39428085f129938', "
"'name': 'resteex_blacklist_(ipset|hash:ip)_20220423_LVL0', 'description': "
"'', 'modified': '2022-04-23T03:58:01.062000', 'created': "
"'2022-04-23T03:58:01.062000', 'tags': [], 'references': "
"['blacklist_ip.backup'], 'public': 1, 'adversary': '', 'targeted_countries': "
"[], 'malware_families': [], 'attack_ids': [], 'industries': [], 'TLP': "
"'green', 'cloned_from': None, 'export_count': 10, 'upvotes_count': 0, "
"'downvotes_count': 0, 'votes_count': 0, 'locked': False, 'pulse_source': "
"'web', 'validator_count': 0, 'comment_count': 0, 'follower_count': 0, "
"'vote': 0, 'author': {'username': 'resteex0', 'id': '175858', 'avatar_url': "
"'https://otx.alienvault.com/assets/images/default-avatar.png', "
"'is_subscribed': False, 'is_following': False}, 'indicator_type_counts': "
"{'IPv4': 63022, 'URL': 1429}, 'indicator_count': 64451, 'is_author': False, "
"'is_subscribing': None, 'subscriber_count': 23, 'modified_text': '18 days "
"ago ', 'is_modified': False, 'groups': [], 'in_group': False, "
"'threat_hunter_scannable': True, 'threat_hunter_has_agents': 1, "
"'related_indicator_type': 'IPv4', 'related_indicator_is_active': 1}, {'id': "
"'6258f4c92dafeb4c4d2df77e', 'name': 'feodotracker-0-20220415', "
"'description': 'Data from "
"https://feodotracker.abuse.ch/downloads/ipblocklist_aggressive.csv', "
"'modified': '2022-04-22T00:03:50.614000', 'created': "
"'2022-04-15T04:30:01.275000', 'tags': [], 'references': [], 'public': 1, "
"'adversary': '', 'targeted_countries': [], 'malware_families': [], "
"'attack_ids': [], 'industries': [], 'TLP': 'white', 'cloned_from': None, "
"'export_count': 0, 'upvotes_count': 0, 'downvotes_count': 0, 'votes_count': "
"0, 'locked': False, 'pulse_source': 'api', 'validator_count': 0, "
"'comment_count': 0, 'follower_count': 0, 'vote': 0, 'author': {'username': "
"'ZENDataGE', 'id': '94417', 'avatar_url': "
"'https://otx.alienvault.com/assets/images/default-avatar.png', "
"'is_subscribed': False, 'is_following': False}, 'indicator_type_counts': {}, "
"'indicator_count': 0, 'is_author': False, 'is_subscribing': None, "
"'subscriber_count': 339, 'modified_text': '20 days ago ', 'is_modified': "
"True, 'groups': [], 'in_group': False, 'threat_hunter_scannable': False, "
"'threat_hunter_has_agents': 1, 'related_indicator_type': 'IPv4', "
"'related_indicator_is_active': 0}, {'id': '626186a215fc527fe850e655', "
"'name': 'IoC Ransomware CONTI', 'description': 'IoC related with Ransomware "
'CONTI. \\nRelated to the security event that occurred in Costa Rica on April '
"20, 2022', 'modified': '2022-04-21T16:30:26.680000', 'created': "
"'2022-04-21T16:30:26.680000', 'tags': [], 'references': [], 'public': 1, "
"'adversary': '', 'targeted_countries': [], 'malware_families': [], "
"'attack_ids': [], 'industries': [], 'TLP': 'white', 'cloned_from': None, "
"'export_count': 7, 'upvotes_count': 0, 'downvotes_count': 0, 'votes_count': "
"0, 'locked': False, 'pulse_source': 'web', 'validator_count': 0, "
"'comment_count': 0, 'follower_count': 0, 'vote': 0, 'author': {'username': "
"'soc_columbus', 'id': '2084', 'avatar_url': "
"'/otxapi/users/avatar_image/media/avatars/user_2084/resized/80/avatar_804adb6fc4.png', "
"'is_subscribed': False, 'is_following': False}, 'indicator_type_counts': "
"{'FileHash-SHA1': 8, 'IPv4': 423, 'URL': 3, 'domain': 55, 'hostname': 2}, "
"'indicator_count': 491, 'is_author': False, 'is_subscribing': None, "
"'subscriber_count': 139, 'modified_text': '20 days ago ', 'is_modified': "
"False, 'groups': [], 'in_group': False, 'threat_hunter_scannable': True, "
"'threat_hunter_has_agents': 1, 'related_indicator_type': 'IPv4', "
"'related_indicator_is_active': 1}, {'id': '625698919820c39fcc32e838', "
"'name': 'feodotracker-0-20220413', 'description': 'Data from "
"https://feodotracker.abuse.ch/downloads/ipblocklist_aggressive.csv', "
"'modified': '2022-04-20T00:02:21.571000', 'created': "
"'2022-04-13T09:32:01.671000', 'tags': [], 'references': [], 'public': 1, "
"'adversary': '', 'targeted_countries': [], 'malware_families': [], "
"'attack_ids': [], 'industries': [], 'TLP': 'white', 'cloned_from': None, "
"'export_count': 0, 'upvotes_count': 0, 'downvotes_count': 0, 'votes_count': "
"0, 'locked': False, 'pulse_source': 'api', 'validator_count': 0, "
"'comment_count': 0, 'follower_count': 0, 'vote': 0, 'author': {'username': "
"'ZENDataGE', 'id': '94417', 'avatar_url': "
"'https://otx.alienvault.com/assets/images/default-avatar.png', "
"'is_subscribed': False, 'is_following': False}, 'indicator_type_counts': {}, "
"'indicator_count': 0, 'is_author': False, 'is_subscribing': None, "
"'subscriber_count': 340, 'modified_text': '22 days ago ', 'is_modified': "
"True, 'groups': [], 'in_group': False, 'threat_hunter_scannable': False, "
"'threat_hunter_has_agents': 1, 'related_indicator_type': 'IPv4', "
"'related_indicator_is_active': 0}, {'id': '62550f0309fdf2231d0b9642', "
"'name': 'feodotracker-0-20220412', 'description': 'Data from "
"https://feodotracker.abuse.ch/downloads/ipblocklist_aggressive.csv', "
"'modified': '2022-04-19T00:01:05.210000', 'created': "
"'2022-04-12T05:32:51.853000', 'tags': [], 'references': [], 'public': 1, "
"'adversary': '', 'targeted_countries': [], 'malware_families': [], "
"'attack_ids': [], 'industries': [], 'TLP': 'white', 'cloned_from': None, "
"'export_count': 0, 'upvotes_count': 0, 'downvotes_count': 0, 'votes_count': "
"0, 'locked': False, 'pulse_source': 'api', 'validator_count': 0, "
"'comment_count': 0, 'follower_count': 0, 'vote': 0, 'author': {'username': "
"'ZENDataGE', 'id': '94417', 'avatar_url': "
"'https://otx.alienvault.com/assets/images/default-avatar.png', "
"'is_subscribed': False, 'is_following': False}, 'indicator_type_counts': {}, "
"'indicator_count': 0, 'is_author': False, 'is_subscribing': None, "
"'subscriber_count': 339, 'modified_text': '23 days ago ', 'is_modified': "
"True, 'groups': [], 'in_group': False, 'threat_hunter_scannable': False, "
"'threat_hunter_has_agents': 1, 'related_indicator_type': 'IPv4', "
"'related_indicator_is_active': 0}, {'id': '6252630e40240989d59c3173', "
"'name': 'feodotracker-0-20220410', 'description': 'Data from "
"https://feodotracker.abuse.ch/downloads/ipblocklist_aggressive.csv', "
"'modified': '2022-04-17T00:01:27.728000', 'created': "
"'2022-04-10T04:54:38.069000', 'tags': [], 'references': [], 'public': 1, "
"'adversary': '', 'targeted_countries': [], 'malware_families': [], "
"'attack_ids': [], 'industries': [], 'TLP': 'white', 'cloned_from': None, "
"'export_count': 0, 'upvotes_count': 0, 'downvotes_count': 0, 'votes_count': "
"0, 'locked': False, 'pulse_source': 'api', 'validator_count': 0, "
"'comment_count': 0, 'follower_count': 0, 'vote': 0, 'author': {'username': "
"'ZENDataGE', 'id': '94417', 'avatar_url': "
"'https://otx.alienvault.com/assets/images/default-avatar.png', "
"'is_subscribed': False, 'is_following': False}, 'indicator_type_counts': {}, "
"'indicator_count': 0, 'is_author': False, 'is_subscribing': None, "
"'subscriber_count': 339, 'modified_text': '25 days ago ', 'is_modified': "
"True, 'groups': [], 'in_group': False, 'threat_hunter_scannable': False, "
"'threat_hunter_has_agents': 1, 'related_indicator_type': 'IPv4', "
"'related_indicator_is_active': 0}, {'id': '6252672b086133e496b3dce4', "
"'name': 'feodotracker-0-20220410', 'description': 'Data from "
"https://feodotracker.abuse.ch/downloads/ipblocklist_aggressive.csv', "
"'modified': '2022-04-17T00:01:27.728000', 'created': "
"'2022-04-10T05:12:11.861000', 'tags': [], 'references': [], 'public': 1, "
"'adversary': '', 'targeted_countries': [], 'malware_families': [], "
"'attack_ids': [], 'industries': [], 'TLP': 'white', 'cloned_from': None, "
"'export_count': 0, 'upvotes_count': 0, 'downvotes_count': 0, 'votes_count': "
"0, 'locked': False, 'pulse_source': 'api', 'validator_count': 0, "
"'comment_count': 0, 'follower_count': 0, 'vote': 0, 'author': {'username': "
"'ZENDataGE', 'id': '94417', 'avatar_url': "
"'https://otx.alienvault.com/assets/images/default-avatar.png', "
"'is_subscribed': False, 'is_following': False}, 'indicator_type_counts': {}, "
"'indicator_count': 0, 'is_author': False, 'is_subscribing': None, "
"'subscriber_count': 339, 'modified_text': '25 days ago ', 'is_modified': "
"True, 'groups': [], 'in_group': False, 'threat_hunter_scannable': False, "
"'threat_hunter_has_agents': 1, 'related_indicator_type': 'IPv4', "
"'related_indicator_is_active': 0}, {'id': '6251565b64f47ac1b7e6ec07', "
"'name': 'feodotracker-0-20220409', 'description': 'Data from "
"https://feodotracker.abuse.ch/downloads/ipblocklist_aggressive.csv', "
"'modified': '2022-04-16T00:04:53.479000', 'created': "
"'2022-04-09T09:48:11.334000', 'tags': [], 'references': [], 'public': 1, "
"'adversary': '', 'targeted_countries': [], 'malware_families': [], "
"'attack_ids': [], 'industries': [], 'TLP': 'white', 'cloned_from': None, "
"'export_count': 1, 'upvotes_count': 0, 'downvotes_count': 0, 'votes_count': "
"0, 'locked': False, 'pulse_source': 'api', 'validator_count': 0, "
"'comment_count': 0, 'follower_count': 0, 'vote': 0, 'author': {'username': "
"'ZENDataGE', 'id': '94417', 'avatar_url': "
"'https://otx.alienvault.com/assets/images/default-avatar.png', "
"'is_subscribed': False, 'is_following': False}, 'indicator_type_counts': {}, "
"'indicator_count': 0, 'is_author': False, 'is_subscribing': None, "
"'subscriber_count': 339, 'modified_text': '26 days ago ', 'is_modified': "
"True, 'groups': [], 'in_group': False, 'threat_hunter_scannable': False, "
"'threat_hunter_has_agents': 1, 'related_indicator_type': 'IPv4', "
"'related_indicator_is_active': 0}, {'id': '624e61bd1ce9fb5b0e6334df', "
"'name': 'feodotracker-0-20220407', 'description': 'Data from "
"https://feodotracker.abuse.ch/downloads/ipblocklist_aggressive.csv', "
"'modified': '2022-04-14T00:01:40.805000', 'created': "
"'2022-04-07T03:59:57.344000', 'tags': [], 'references': [], 'public': 1, "
"'adversary': '', 'targeted_countries': [], 'malware_families': [], "
"'attack_ids': [], 'industries': [], 'TLP': 'white', 'cloned_from': None, "
"'export_count': 11, 'upvotes_count': 0, 'downvotes_count': 0, 'votes_count': "
"0, 'locked': False, 'pulse_source': 'api', 'validator_count': 0, "
"'comment_count': 0, 'follower_count': 0, 'vote': 0, 'author': {'username': "
"'ZENDataGE', 'id': '94417', 'avatar_url': "
"'https://otx.alienvault.com/assets/images/default-avatar.png', "
"'is_subscribed': False, 'is_following': False}, 'indicator_type_counts': {}, "
"'indicator_count': 0, 'is_author': False, 'is_subscribing': None, "
"'subscriber_count': 340, 'modified_text': '28 days ago ', 'is_modified': "
"True, 'groups': [], 'in_group': False, 'threat_hunter_scannable': False, "
"'threat_hunter_has_agents': 1, 'related_indicator_type': 'IPv4', "
"'related_indicator_is_active': 0}, {'id': '624d36cef231bdea72ac18e5', "
"'name': 'feodotracker-0-20220406', 'description': 'Data from "
"https://feodotracker.abuse.ch/downloads/ipblocklist_aggressive.csv', "
"'modified': '2022-04-13T00:01:48.292000', 'created': "
"'2022-04-06T06:44:30.129000', 'tags': [], 'references': [], 'public': 1, "
"'adversary': '', 'targeted_countries': [], 'malware_families': [], "
"'attack_ids': [], 'industries': [], 'TLP': 'white', 'cloned_from': None, "
"'export_count': 6, 'upvotes_count': 0, 'downvotes_count': 0, 'votes_count': "
"0, 'locked': False, 'pulse_source': 'api', 'validator_count': 0, "
"'comment_count': 0, 'follower_count': 0, 'vote': 0, 'author': {'username': "
"'ZENDataGE', 'id': '94417', 'avatar_url': "
"'https://otx.alienvault.com/assets/images/default-avatar.png', "
"'is_subscribed': False, 'is_following': False}, 'indicator_type_counts': {}, "
"'indicator_count': 0, 'is_author': False, 'is_subscribing': None, "
"'subscriber_count': 339, 'modified_text': '29 days ago ', 'is_modified': "
"True, 'groups': [], 'in_group': False, 'threat_hunter_scannable': False, "
"'threat_hunter_has_agents': 1, 'related_indicator_type': 'IPv4', "
"'related_indicator_is_active': 0}, {'id': '624bdd422428575554ddd772', "
"'name': 'feodotracker-0-20220405', 'description': 'Data from "
"https://feodotracker.abuse.ch/downloads/ipblocklist_aggressive.csv', "
"'modified': '2022-04-12T00:02:34.248000', 'created': "
"'2022-04-05T06:10:10.204000', 'tags': [], 'references': [], 'public': 1, "
"'adversary': '', 'targeted_countries': [], 'malware_families': [], "
"'attack_ids': [], 'industries': [], 'TLP': 'white', 'cloned_from': None, "
"'export_count': 1, 'upvotes_count': 0, 'downvotes_count': 0, 'votes_count': "
"0, 'locked': False, 'pulse_source': 'api', 'validator_count': 0, "
"'comment_count': 0, 'follower_count': 0, 'vote': 0, 'author': {'username': "
"'ZENDataGE', 'id': '94417', 'avatar_url': "
"'https://otx.alienvault.com/assets/images/default-avatar.png', "
"'is_subscribed': False, 'is_following': False}, 'indicator_type_counts': {}, "
"'indicator_count': 0, 'is_author': False, 'is_subscribing': None, "
"'subscriber_count': 341, 'modified_text': '30 days ago ', 'is_modified': "
"True, 'groups': [], 'in_group': False, 'threat_hunter_scannable': False, "
"'threat_hunter_has_agents': 1, 'related_indicator_type': 'IPv4', "
"'related_indicator_is_active': 0}, {'id': '624adf0a9ea1216235242137', "
"'name': 'feodotracker-0-20220404', 'description': 'Data from "
"https://feodotracker.abuse.ch/downloads/ipblocklist_aggressive.csv', "
"'modified': '2022-04-11T00:04:29.819000', 'created': "
"'2022-04-04T12:05:30.840000', 'tags': [], 'references': [], 'public': 1, "
"'adversary': '', 'targeted_countries': [], 'malware_families': [], "
"'attack_ids': [], 'industries': [], 'TLP': 'white', 'cloned_from': None, "
"'export_count': 3, 'upvotes_count': 0, 'downvotes_count': 0, 'votes_count': "
"0, 'locked': False, 'pulse_source': 'api', 'validator_count': 0, "
"'comment_count': 0, 'follower_count': 0, 'vote': 0, 'author': {'username': "
"'ZENDataGE', 'id': '94417', 'avatar_url': "
"'https://otx.alienvault.com/assets/images/default-avatar.png', "
"'is_subscribed': False, 'is_following': False}, 'indicator_type_counts': {}, "
"'indicator_count': 0, 'is_author': False, 'is_subscribing': None, "
"'subscriber_count': 342, 'modified_text': '31 days ago ', 'is_modified': "
"True, 'groups': [], 'in_group': False, 'threat_hunter_scannable': False, "
"'threat_hunter_has_agents': 1, 'related_indicator_type': 'IPv4', "
"'related_indicator_is_active': 0}, {'id': '62290bead9aa05af6158671f', "
"'name': 'Conti Ransomware | CISA', 'description': '', 'modified': "
"'2022-04-10T00:02:49.890000', 'created': '2022-03-09T20:19:54.752000', "
"'tags': ['uscert', 'csirt', 'cert', 'cybersecurity', 'cyber security', "
"'computer security', 'u. s. computer emergency readiness', 'cyber risks', "
"'conti', 'technique title', 'id use', 'trickbot', 'remote desktop', "
"'protocol', 'cisa', 'kerberos', 'admin hash', 'ta0004', 'cobalt strike', "
"'icedid', 'zloader', 'service'], 'references': "
"['https://www.cisa.gov/uscert/sites/default/files/publications/AA21-265A.stix.xml', "
"'https://www.cisa.gov/uscert/ncas/alerts/aa21-265a', "
"'https://www.breachquest.com/conti-leaks-insight-into-a-ransomware-unicorn/'], "
"'public': 1, 'adversary': '', 'targeted_countries': [], 'malware_families': "
"[], 'attack_ids': [{'id': 'T1016', 'name': 'System Network Configuration "
"Discovery', 'display_name': 'T1016 - System Network Configuration "
"Discovery'}, {'id': 'T1021', 'name': 'Remote Services', 'display_name': "
"'T1021 - Remote Services'}, {'id': 'T1021.002', 'name': 'SMB/Windows Admin "
"Shares', 'display_name': 'T1021.002 - SMB/Windows Admin Shares'}, {'id': "
"'T1027', 'name': 'Obfuscated Files or Information', 'display_name': 'T1027 - "
"Obfuscated Files or Information'}, {'id': 'T1049', 'name': 'System Network "
"Connections Discovery', 'display_name': 'T1049 - System Network Connections "
"Discovery'}, {'id': 'T1055', 'name': 'Process Injection', 'display_name': "
"'T1055 - Process Injection'}, {'id': 'T1057', 'name': 'Process Discovery', "
"'display_name': 'T1057 - Process Discovery'}, {'id': 'T1059', 'name': "
"'Command and Scripting Interpreter', 'display_name': 'T1059 - Command and "
"Scripting Interpreter'}, {'id': 'T1059.003', 'name': 'Windows Command "
"Shell', 'display_name': 'T1059.003 - Windows Command Shell'}, {'id': "
"'T1078', 'name': 'Valid Accounts', 'display_name': 'T1078 - Valid "
"Accounts'}, {'id': 'T1080', 'name': 'Taint Shared Content', 'display_name': "
"'T1080 - Taint Shared Content'}, {'id': 'T1083', 'name': 'File and Directory "
"Discovery', 'display_name': 'T1083 - File and Directory Discovery'}, {'id': "
"'T1106', 'name': 'Native API', 'display_name': 'T1106 - Native API'}, {'id': "
"'T1110', 'name': 'Brute Force', 'display_name': 'T1110 - Brute Force'}, "
"{'id': 'T1133', 'name': 'External Remote Services', 'display_name': 'T1133 - "
"External Remote Services'}, {'id': 'T1135', 'name': 'Network Share "
"Discovery', 'display_name': 'T1135 - Network Share Discovery'}, {'id': "
"'T1140', 'name': 'Deobfuscate/Decode Files or Information', 'display_name': "
"'T1140 - Deobfuscate/Decode Files or Information'}, {'id': 'T1486', 'name': "
"'Data Encrypted for Impact', 'display_name': 'T1486 - Data Encrypted for "
"Impact'}, {'id': 'T1489', 'name': 'Service Stop', 'display_name': 'T1489 - "
"Service Stop'}, {'id': 'T1490', 'name': 'Inhibit System Recovery', "
"'display_name': 'T1490 - Inhibit System Recovery'}, {'id': 'T1558', 'name': "
"'Steal or Forge Kerberos Tickets', 'display_name': 'T1558 - Steal or Forge "
"Kerberos Tickets'}, {'id': 'T1558.003', 'name': 'Kerberoasting', "
"'display_name': 'T1558.003 - Kerberoasting'}, {'id': 'T1566', 'name': "
"'Phishing', 'display_name': 'T1566 - Phishing'}, {'id': 'T1566.001', 'name': "
"'Spearphishing Attachment', 'display_name': 'T1566.001 - Spearphishing "
"Attachment'}, {'id': 'T1566.002', 'name': 'Spearphishing Link', "
"'display_name': 'T1566.002 - Spearphishing Link'}], 'industries': [], 'TLP': "
"'white', 'cloned_from': None, 'export_count': 16, 'upvotes_count': 0, "
"'downvotes_count': 0, 'votes_count': 0, 'locked': False, 'pulse_source': "
"'web', 'validator_count': 0, 'comment_count': 0, 'follower_count': 0, "
"'vote': 0, 'author': {'username': 'VertekLabs', 'id': '168455', "
"'avatar_url': "
"'/otxapi/users/avatar_image/media/avatars/user_168455/resized/80/avatar_3b9c358f36.png', "
"'is_subscribed': False, 'is_following': False}, 'indicator_type_counts': "
"{'CVE': 2, 'domain': 98, 'BitcoinAddress': 202, 'FileHash-MD5': 24, "
"'FileHash-SHA1': 24, 'FileHash-SHA256': 72}, 'indicator_count': 422, "
"'is_author': False, 'is_subscribing': None, 'subscriber_count': 85, "
"'modified_text': '32 days ago ', 'is_modified': True, 'groups': [], "
"'in_group': False, 'threat_hunter_scannable': True, "
"'threat_hunter_has_agents': 1, 'related_indicator_type': 'IPv4', "
"'related_indicator_is_active': 0}, {'id': '62494787cf39b823ff8f7afe', "
"'name': 'feodotracker-0-20220403', 'description': 'Data from "
"https://feodotracker.abuse.ch/downloads/ipblocklist_aggressive.csv', "
"'modified': '2022-04-10T00:02:49.890000', 'created': "
"'2022-04-03T07:06:47.463000', 'tags': [], 'references': [], 'public': 1, "
"'adversary': '', 'targeted_countries': [], 'malware_families': [], "
"'attack_ids': [], 'industries': [], 'TLP': 'white', 'cloned_from': None, "
"'export_count': 1, 'upvotes_count': 0, 'downvotes_count': 0, 'votes_count': "
"0, 'locked': False, 'pulse_source': 'api', 'validator_count': 0, "
"'comment_count': 0, 'follower_count': 0, 'vote': 0, 'author': {'username': "
"'ZENDataGE', 'id': '94417', 'avatar_url': "
"'https://otx.alienvault.com/assets/images/default-avatar.png', "
"'is_subscribed': False, 'is_following': False}, 'indicator_type_counts': {}, "
"'indicator_count': 0, 'is_author': False, 'is_subscribing': None, "
"'subscriber_count': 341, 'modified_text': '32 days ago ', 'is_modified': "
"True, 'groups': [], 'in_group': False, 'threat_hunter_scannable': False, "
"'threat_hunter_has_agents': 1, 'related_indicator_type': 'IPv4', "
"'related_indicator_is_active': 0}, {'id': '6229d84f86d99550fa73e1fa', "
"'name': 'Conti Ransomware IOC', 'description': '', 'modified': "
"'2022-04-09T00:00:32.009000', 'created': '2022-03-10T10:51:59.898000', "
"'tags': ['span', 'path', 'header dropdown', 'link', 'script', 'product', "
"'explore', 'footer', 'github', 'button', 'template', 'meta', 'form', 'team', "
"'enterprise', 'contact', 'code', 'copy', 'reload', 'body', 'star', 'open', "
"'desktop', 'main'], 'references': "
"['https://github.com/whichbuffer/Conti-Ransomware-IOC/blob/main/Conti%20IOC.txt'], "
"'public': 1, 'adversary': '', 'targeted_countries': [], 'malware_families': "
"[], 'attack_ids': [], 'industries': [], 'TLP': 'white', 'cloned_from': None, "
"'export_count': 8, 'upvotes_count': 0, 'downvotes_count': 0, 'votes_count': "
"0, 'locked': False, 'pulse_source': 'web', 'validator_count': 0, "
"'comment_count': 0, 'follower_count': 0, 'vote': 0, 'author': {'username': "
"'bluewatcher', 'id': '174522', 'avatar_url': "
"'https://otx.alienvault.com/assets/images/default-avatar.png', "
"'is_subscribed': False, 'is_following': False}, 'indicator_type_counts': "
"{'URL': 8, 'FileHash-MD5': 5, 'FileHash-SHA1': 1, 'FileHash-SHA256': 52, "
"'domain': 111, 'email': 169}, 'indicator_count': 346, 'is_author': False, "
"'is_subscribing': None, 'subscriber_count': 47, 'modified_text': '33 days "
"ago ', 'is_modified': True, 'groups': [], 'in_group': False, "
"'threat_hunter_scannable': True, 'threat_hunter_has_agents': 1, "
"'related_indicator_type': 'IPv4', 'related_indicator_is_active': 0}, {'id': "
"'6248002ceb67f57c92e0cf57', 'name': 'feodotracker-0-20220402', "
"'description': 'Data from "
"https://feodotracker.abuse.ch/downloads/ipblocklist_aggressive.csv', "
"'modified': '2022-04-09T00:00:32.009000', 'created': "
"'2022-04-02T07:50:04.421000', 'tags': [], 'references': [], 'public': 1, "
"'adversary': '', 'targeted_countries': [], 'malware_families': [], "
"'attack_ids': [], 'industries': [], 'TLP': 'white', 'cloned_from': None, "
"'export_count': 1, 'upvotes_count': 0, 'downvotes_count': 0, 'votes_count': "
"0, 'locked': False, 'pulse_source': 'api', 'validator_count': 0, "
"'comment_count': 0, 'follower_count': 0, 'vote': 0, 'author': {'username': "
"'ZENDataGE', 'id': '94417', 'avatar_url': "
"'https://otx.alienvault.com/assets/images/default-avatar.png', "
"'is_subscribed': False, 'is_following': False}, 'indicator_type_counts': {}, "
"'indicator_count': 0, 'is_author': False, 'is_subscribing': None, "
"'subscriber_count': 340, 'modified_text': '33 days ago ', 'is_modified': "
"True, 'groups': [], 'in_group': False, 'threat_hunter_scannable': False, "
"'threat_hunter_has_agents': 1, 'related_indicator_type': 'IPv4', "
"'related_indicator_is_active': 0}, {'id': '624804aac57a56b6d6f439ff', "
"'name': 'feodotracker-0-20220402', 'description': 'Data from "
"https://feodotracker.abuse.ch/downloads/ipblocklist_aggressive.csv', "
"'modified': '2022-04-09T00:00:32.009000', 'created': "
"'2022-04-02T08:09:14.305000', 'tags': [], 'references': [], 'public': 1, "
"'adversary': '', 'targeted_countries': [], 'malware_families': [], "
"'attack_ids': [], 'industries': [], 'TLP': 'white', 'cloned_from': None, "
"'export_count': 1, 'upvotes_count': 0, 'downvotes_count': 0, 'votes_count': "
"0, 'locked': False, 'pulse_source': 'api', 'validator_count': 0, "
"'comment_count': 0, 'follower_count': 0, 'vote': 0, 'author': {'username': "
"'ZENDataGE', 'id': '94417', 'avatar_url': "
"'https://otx.alienvault.com/assets/images/default-avatar.png', "
"'is_subscribed': False, 'is_following': False}, 'indicator_type_counts': {}, "
"'indicator_count': 0, 'is_author': False, 'is_subscribing': None, "
"'subscriber_count': 340, 'modified_text': '33 days ago ', 'is_modified': "
"True, 'groups': [], 'in_group': False, 'threat_hunter_scannable': False, "
"'threat_hunter_has_agents': 1, 'related_indicator_type': 'IPv4', "
"'related_indicator_is_active': 0}, {'id': '6246a992168dfa61b62e0743', "
"'name': 'feodotracker-0-20220401', 'description': 'Data from "
"https://feodotracker.abuse.ch/downloads/ipblocklist_aggressive.csv', "
"'modified': '2022-04-08T00:05:40.239000', 'created': "
"'2022-04-01T07:28:18.183000', 'tags': [], 'references': [], 'public': 1, "
"'adversary': '', 'targeted_countries': [], 'malware_families': [], "
"'attack_ids': [], 'industries': [], 'TLP': 'white', 'cloned_from': None, "
"'export_count': 3, 'upvotes_count': 0, 'downvotes_count': 0, 'votes_count': "
"0, 'locked': False, 'pulse_source': 'api', 'validator_count': 0, "
"'comment_count': 0, 'follower_count': 0, 'vote': 0, 'author': {'username': "
"'ZENDataGE', 'id': '94417', 'avatar_url': "
"'https://otx.alienvault.com/assets/images/default-avatar.png', "
"'is_subscribed': False, 'is_following': False}, 'indicator_type_counts': {}, "
"'indicator_count': 0, 'is_author': False, 'is_subscribing': None, "
"'subscriber_count': 340, 'modified_text': '34 days ago ', 'is_modified': "
"True, 'groups': [], 'in_group': False, 'threat_hunter_scannable': False, "
"'threat_hunter_has_agents': 1, 'related_indicator_type': 'IPv4', "
"'related_indicator_is_active': 0}, {'id': '624557c656e4f6be5ee26782', "
"'name': 'feodotracker-0-20220331', 'description': 'Data from "
"https://feodotracker.abuse.ch/downloads/ipblocklist_aggressive.csv', "
"'modified': '2022-04-07T00:04:02.553000', 'created': "
"'2022-03-31T07:27:02.349000', 'tags': [], 'references': [], 'public': 1, "
"'adversary': '', 'targeted_countries': [], 'malware_families': [], "
"'attack_ids': [], 'industries': [], 'TLP': 'white', 'cloned_from': None, "
"'export_count': 1, 'upvotes_count': 0, 'downvotes_count': 0, 'votes_count': "
"0, 'locked': False, 'pulse_source': 'api', 'validator_count': 0, "
"'comment_count': 0, 'follower_count': 0, 'vote': 0, 'author': {'username': "
"'ZENDataGE', 'id': '94417', 'avatar_url': "
"'https://otx.alienvault.com/assets/images/default-avatar.png', "
"'is_subscribed': False, 'is_following': False}, 'indicator_type_counts': {}, "
"'indicator_count': 0, 'is_author': False, 'is_subscribing': None, "
"'subscriber_count': 340, 'modified_text': '35 days ago ', 'is_modified': "
"True, 'groups': [], 'in_group': False, 'threat_hunter_scannable': False, "
"'threat_hunter_has_agents': 1, 'related_indicator_type': 'IPv4', "
"'related_indicator_is_active': 0}, {'id': '6243f3a2785e5607272c8999', "
"'name': 'feodotracker-0-20220330', 'description': 'Data from "
"https://feodotracker.abuse.ch/downloads/ipblocklist_aggressive.csv', "
"'modified': '2022-04-06T00:02:16.312000', 'created': "
"'2022-03-30T06:07:30.478000', 'tags': [], 'references': [], 'public': 1, "
"'adversary': '', 'targeted_countries': [], 'malware_families': [], "
"'attack_ids': [], 'industries': [], 'TLP': 'white', 'cloned_from': None, "
"'export_count': 2, 'upvotes_count': 0, 'downvotes_count': 0, 'votes_count': "
"0, 'locked': False, 'pulse_source': 'api', 'validator_count': 0, "
"'comment_count': 0, 'follower_count': 0, 'vote': 0, 'author': {'username': "
"'ZENDataGE', 'id': '94417', 'avatar_url': "
"'https://otx.alienvault.com/assets/images/default-avatar.png', "
"'is_subscribed': False, 'is_following': False}, 'indicator_type_counts': {}, "
"'indicator_count': 0, 'is_author': False, 'is_subscribing': None, "
"'subscriber_count': 343, 'modified_text': '36 days ago ', 'is_modified': "
"True, 'groups': [], 'in_group': False, 'threat_hunter_scannable': False, "
"'threat_hunter_has_agents': 1, 'related_indicator_type': 'IPv4', "
"'related_indicator_is_active': 0}, {'id': '6242af0eb5b55b34f2281d71', "
"'name': 'feodotracker-0-20220329', 'description': 'Data from "
"https://feodotracker.abuse.ch/downloads/ipblocklist_aggressive.csv', "
"'modified': '2022-04-05T00:01:21.136000', 'created': "
"'2022-03-29T07:02:38.114000', 'tags': [], 'references': [], 'public': 1, "
"'adversary': '', 'targeted_countries': [], 'malware_families': [], "
"'attack_ids': [], 'industries': [], 'TLP': 'white', 'cloned_from': None, "
"'export_count': 1, 'upvotes_count': 0, 'downvotes_count': 0, 'votes_count': "
"0, 'locked': False, 'pulse_source': 'api', 'validator_count': 0, "
"'comment_count': 0, 'follower_count': 0, 'vote': 0, 'author': {'username': "
"'ZENDataGE', 'id': '94417', 'avatar_url': "
"'https://otx.alienvault.com/assets/images/default-avatar.png', "
"'is_subscribed': False, 'is_following': False}, 'indicator_type_counts': {}, "
"'indicator_count': 0, 'is_author': False, 'is_subscribing': None, "
"'subscriber_count': 341, 'modified_text': '37 days ago ', 'is_modified': "
"True, 'groups': [], 'in_group': False, 'threat_hunter_scannable': False, "
"'threat_hunter_has_agents': 1, 'related_indicator_type': 'IPv4', "
"'related_indicator_is_active': 0}, {'id': '624155ab63c04888ff86f565', "
"'name': 'feodotracker-0-20220328', 'description': 'Data from "
"https://feodotracker.abuse.ch/downloads/ipblocklist_aggressive.csv', "
"'modified': '2022-04-04T00:01:44.993000', 'created': "
"'2022-03-28T06:28:59.582000', 'tags': [], 'references': [], 'public': 1, "
"'adversary': '', 'targeted_countries': [], 'malware_families': [], "
"'attack_ids': [], 'industries': [], 'TLP': 'white', 'cloned_from': None, "
"'export_count': 2, 'upvotes_count': 0, 'downvotes_count': 0, 'votes_count': "
"0, 'locked': False, 'pulse_source': 'api', 'validator_count': 0, "
"'comment_count': 0, 'follower_count': 0, 'vote': 0, 'author': {'username': "
"'ZENDataGE', 'id': '94417', 'avatar_url': "
"'https://otx.alienvault.com/assets/images/default-avatar.png', "
"'is_subscribed': False, 'is_following': False}, 'indicator_type_counts': {}, "
"'indicator_count': 0, 'is_author': False, 'is_subscribing': None, "
"'subscriber_count': 341, 'modified_text': '38 days ago ', 'is_modified': "
"True, 'groups': [], 'in_group': False, 'threat_hunter_scannable': False, "
"'threat_hunter_has_agents': 1, 'related_indicator_type': 'IPv4', "
"'related_indicator_is_active': 0}, {'id': '6240085db6c53cbc0ab1b4eb', "
"'name': 'feodotracker-0-20220327', 'description': 'Data from "
"https://feodotracker.abuse.ch/downloads/ipblocklist_aggressive.csv', "
"'modified': '2022-04-03T00:00:55.161000', 'created': "
"'2022-03-27T06:46:53.652000', 'tags': [], 'references': [], 'public': 1, "
"'adversary': '', 'targeted_countries': [], 'malware_families': [], "
"'attack_ids': [], 'industries': [], 'TLP': 'white', 'cloned_from': None, "
"'export_count': 1, 'upvotes_count': 0, 'downvotes_count': 0, 'votes_count': "
"0, 'locked': False, 'pulse_source': 'api', 'validator_count': 0, "
"'comment_count': 0, 'follower_count': 0, 'vote': 0, 'author': {'username': "
"'ZENDataGE', 'id': '94417', 'avatar_url': "
"'https://otx.alienvault.com/assets/images/default-avatar.png', "
"'is_subscribed': False, 'is_following': False}, 'indicator_type_counts': {}, "
"'indicator_count': 0, 'is_author': False, 'is_subscribing': None, "
"'subscriber_count': 340, 'modified_text': '39 days ago ', 'is_modified': "
"True, 'groups': [], 'in_group': False, 'threat_hunter_scannable': False, "
"'threat_hunter_has_agents': 1, 'related_indicator_type': 'IPv4', "
"'related_indicator_is_active': 0}, {'id': '623efad4d76871ab1edad105', "
"'name': 'feodotracker-0-20220326', 'description': 'Data from "
"https://feodotracker.abuse.ch/downloads/ipblocklist_aggressive.csv', "
"'modified': '2022-04-02T00:04:50.405000', 'created': "
"'2022-03-26T11:36:52.602000', 'tags': [], 'references': [], 'public': 1, "
"'adversary': '', 'targeted_countries': [], 'malware_families': [], "
"'attack_ids': [], 'industries': [], 'TLP': 'white', 'cloned_from': None, "
"'export_count': 1, 'upvotes_count': 0, 'downvotes_count': 0, 'votes_count': "
"0, 'locked': False, 'pulse_source': 'api', 'validator_count': 0, "
"'comment_count': 0, 'follower_count': 0, 'vote': 0, 'author': {'username': "
"'ZENDataGE', 'id': '94417', 'avatar_url': "
"'https://otx.alienvault.com/assets/images/default-avatar.png', "
"'is_subscribed': False, 'is_following': False}, 'indicator_type_counts': {}, "
"'indicator_count': 0, 'is_author': False, 'is_subscribing': None, "
"'subscriber_count': 340, 'modified_text': '40 days ago ', 'is_modified': "
"True, 'groups': [], 'in_group': False, 'threat_hunter_scannable': False, "
"'threat_hunter_has_agents': 1, 'related_indicator_type': 'IPv4', "
"'related_indicator_is_active': 0}, {'id': '623afb5ef6276fc9b737b2c9', "
"'name': 'feodotracker-0-20220323', 'description': 'Data from "
"https://feodotracker.abuse.ch/downloads/ipblocklist_aggressive.csv', "
"'modified': '2022-03-30T00:00:10.458000', 'created': "
"'2022-03-23T10:50:06.252000', 'tags': [], 'references': [], 'public': 1, "
"'adversary': '', 'targeted_countries': [], 'malware_families': [], "
"'attack_ids': [], 'industries': [], 'TLP': 'white', 'cloned_from': None, "
"'export_count': 1, 'upvotes_count': 0, 'downvotes_count': 0, 'votes_count': "
"0, 'locked': False, 'pulse_source': 'api', 'validator_count': 0, "
"'comment_count': 0, 'follower_count': 0, 'vote': 0, 'author': {'username': "
"'ZENDataGE', 'id': '94417', 'avatar_url': "
"'https://otx.alienvault.com/assets/images/default-avatar.png', "
"'is_subscribed': False, 'is_following': False}, 'indicator_type_counts': {}, "
"'indicator_count': 0, 'is_author': False, 'is_subscribing': None, "
"'subscriber_count': 340, 'modified_text': '43 days ago ', 'is_modified': "
"True, 'groups': [], 'in_group': False, 'threat_hunter_scannable': False, "
"'threat_hunter_has_agents': 1, 'related_indicator_type': 'IPv4', "
"'related_indicator_is_active': 0}, {'id': '6239ff37cda86ba9dabbe1cc', "
"'name': 'feodotracker-0-20220322', 'description': 'Data from "
"https://feodotracker.abuse.ch/downloads/ipblocklist_aggressive.csv', "
"'modified': '2022-03-29T00:03:34.773000', 'created': "
"'2022-03-22T16:54:15.293000', 'tags': [], 'references': [], 'public': 1, "
"'adversary': '', 'targeted_countries': [], 'malware_families': [], "
"'attack_ids': [], 'industries': [], 'TLP': 'white', 'cloned_from': None, "
"'export_count': 1, 'upvotes_count': 0, 'downvotes_count': 0, 'votes_count': "
"0, 'locked': False, 'pulse_source': 'api', 'validator_count': 0, "
"'comment_count': 0, 'follower_count': 0, 'vote': 0, 'author': {'username': "
"'ZENDataGE', 'id': '94417', 'avatar_url': "
"'https://otx.alienvault.com/assets/images/default-avatar.png', "
"'is_subscribed': False, 'is_following': False}, 'indicator_type_counts': {}, "
"'indicator_count': 0, 'is_author': False, 'is_subscribing': None, "
"'subscriber_count': 340, 'modified_text': '44 days ago ', 'is_modified': "
"True, 'groups': [], 'in_group': False, 'threat_hunter_scannable': False, "
"'threat_hunter_has_agents': 1, 'related_indicator_type': 'IPv4', "
"'related_indicator_is_active': 0}, {'id': '62382a0b212a53ecbb03abf5', "
"'name': 'feodotracker-0-20220321', 'description': 'Data from "
"https://feodotracker.abuse.ch/downloads/ipblocklist_aggressive.csv', "
"'modified': '2022-03-28T00:01:22.803000', 'created': "
"'2022-03-21T07:32:27.129000', 'tags': [], 'references': [], 'public': 1, "
"'adversary': '', 'targeted_countries': [], 'malware_families': [], "
"'attack_ids': [], 'industries': [], 'TLP': 'white', 'cloned_from': None, "
"'export_count': 1, 'upvotes_count': 0, 'downvotes_count': 0, 'votes_count': "
"0, 'locked': False, 'pulse_source': 'api', 'validator_count': 0, "
"'comment_count': 0, 'follower_count': 0, 'vote': 0, 'author': {'username': "
"'ZENDataGE', 'id': '94417', 'avatar_url': "
"'https://otx.alienvault.com/assets/images/default-avatar.png', "
"'is_subscribed': False, 'is_following': False}, 'indicator_type_counts': {}, "
"'indicator_count': 0, 'is_author': False, 'is_subscribing': None, "
"'subscriber_count': 340, 'modified_text': '45 days ago ', 'is_modified': "
"True, 'groups': [], 'in_group': False, 'threat_hunter_scannable': False, "
"'threat_hunter_has_agents': 1, 'related_indicator_type': 'IPv4', "
"'related_indicator_is_active': 0}, {'id': '6236a7e441bade8a29c72d3f', "
"'name': 'feodotracker-0-20220320', 'description': 'Data from "
"https://feodotracker.abuse.ch/downloads/ipblocklist_aggressive.csv', "
"'modified': '2022-03-27T00:00:39.057000', 'created': "
"'2022-03-20T04:04:52.565000', 'tags': [], 'references': [], 'public': 1, "
"'adversary': '', 'targeted_countries': [], 'malware_families': [], "
"'attack_ids': [], 'industries': [], 'TLP': 'white', 'cloned_from': None, "
"'export_count': 4, 'upvotes_count': 0, 'downvotes_count': 0, 'votes_count': "
"0, 'locked': False, 'pulse_source': 'api', 'validator_count': 0, "
"'comment_count': 0, 'follower_count': 0, 'vote': 0, 'author': {'username': "
"'ZENDataGE', 'id': '94417', 'avatar_url': "
"'https://otx.alienvault.com/assets/images/default-avatar.png', "
"'is_subscribed': False, 'is_following': False}, 'indicator_type_counts': {}, "
"'indicator_count': 0, 'is_author': False, 'is_subscribing': None, "
"'subscriber_count': 339, 'modified_text': '46 days ago ', 'is_modified': "
"True, 'groups': [], 'in_group': False, 'threat_hunter_scannable': False, "
"'threat_hunter_has_agents': 1, 'related_indicator_type': 'IPv4', "
"'related_indicator_is_active': 0}], 'references': "
"['https://www.breachquest.com/conti-leaks-insight-into-a-ransomware-unicorn/', "
"'2021-09-21-Curriculo-IOCs.txt', "
"'https://github.com/whichbuffer/Conti-Ransomware-IOC/blob/main/Conti%20IOC.txt', "
"'https://www.cisa.gov/uscert/ncas/alerts/aa21-265a', 'blacklist_ip.backup', "
"'https://www.cisa.gov/uscert/sites/default/files/publications/AA21-265A.stix.xml'], "
"'related': {'alienvault': {'adversary': [], 'malware_families': [], "
"'industries': []}, 'other': {'adversary': [], 'malware_families': [], "
"'industries': []}}}, 'false_positive': [], 'validation': [], 'asn': 'AS55699 "
"pt. cemerlang multimedia', 'city_data': True, 'city': 'Bandung', 'region': "
"'JB', 'continent_code': 'AS', 'country_code3': 'IDN', 'country_code2': 'ID', "
"'subdivision': 'JB', 'latitude': -6.9217, 'postal_code': None, 'longitude': "
"107.6071, 'accuracy_radius': 1, 'country_code': 'ID', 'country_name': "
"'Indonesia', 'dma_code': 0, 'charset': 0, 'area_code': 0, 'flag_url': "
"'/assets/images/flags/id.png', 'flag_title': 'Indonesia', 'sections': "
"['general', 'geo', 'reputation', 'url_list', 'passive_dns', 'malware', "
"'nids_list', 'http_scans']}")
Type: 'ipv4', Provider: VirusTotal, severity: high
Details
Reference:
https://www.virustotal.com/vtapi/v2/ip-address/reportRaw Results
Raw results from provider...
("{'asn': 55699, 'undetected_urls': [], 'undetected_downloaded_samples': "
"[{'date': '2020-08-11 18:53:02', 'positives': 0, 'total': 76, 'sha256': "
"'121b87095769137ba3fe1d689efe8af43088ab95d1c9cf5669188fde2e9d5fab'}, "
"{'date': '2021-05-25 16:43:33', 'positives': 0, 'total': 74, 'sha256': "
"'78342a0905a72ce44da083dcb5d23b8ea0c16992ba2a82eece97e033d76ba3d3'}, "
"{'date': '2021-02-17 11:39:22', 'positives': 0, 'total': 73, 'sha256': "
"'0649170d63ef807fcca55a7e225518cda7310e15f559ad29882ebd421cf1d757'}], "
"'detected_downloaded_samples': [], 'response_code': 1, 'as_owner': 'PT. "
"Cemerlang Multimedia', 'detected_referrer_samples': [], 'verbose_msg': 'IP "
"address in dataset', 'country': 'ID', 'undetected_referrer_samples': "
"[{'date': '2022-04-04 09:13:29', 'positives': 0, 'total': 73, 'sha256': "
"'66afc65465caf9f41dd93812284419cba60cb4d3d608d6b77f37842de7a5f5a3'}], "
"'detected_urls': [{'url': 'https://103.101.104.229/', 'positives': 3, "
"'total': 92, 'scan_date': '2022-05-03 15:12:47'}, {'url': "
"'http://103.101.104.229:443/', 'positives': 3, 'total': 93, 'scan_date': "
"'2022-04-08 06:02:57'}, {'url': 'http://103.101.104.229/', 'positives': 6, "
"'total': 93, 'scan_date': '2022-01-04 04:47:05'}, {'url': "
"'https://103.101.104.229/mod2/ANALYST0-2D1671_W512600.BBC33AC9D1F14F9D3B2D30F78F7E2337/5/file', "
"'positives': 11, 'total': 91, 'scan_date': '2021-10-08 18:40:17'}, {'url': "
"'https://103.101.104.229/mod2/ANALYST0-2D1671_W512600.BBC33AC9D1F14F9D3B2D30F78F7E2337/5/file/', "
"'positives': 11, 'total': 91, 'scan_date': '2021-10-08 18:00:01'}, {'url': "
"'https://103.101.104.229/sat1/FJLSEDAUV_W617601.DCE7336137D8E3B3B80B3BACBB3613B9/5/file', "
"'positives': 10, 'total': 90, 'scan_date': '2021-09-03 23:10:06'}, {'url': "
"'https://103.101.104.229/sat1/FJLSEDAUV_W617601.DCE7336137D8E3B3B80B3BACBB3613B9/5/file/', "
"'positives': 10, 'total': 90, 'scan_date': '2021-09-03 22:44:25'}, {'url': "
"'https://103.101.104.229/mod2/ANALYST0-2D1671_W512600.B383523BCAF4474453EBB9379CF35FC2/5/file', "
"'positives': 10, 'total': 90, 'scan_date': '2021-09-02 07:10:06'}, {'url': "
"'https://103.101.104.229/mod2/ANALYST0-2D1671_W512600.B383523BCAF4474453EBB9379CF35FC2/5/file/', "
"'positives': 10, 'total': 90, 'scan_date': '2021-09-02 06:43:31'}, {'url': "
"'https://103.101.104.229/mod2/ANALYST0-2D1671_W512600.0379BB767548B14B97BF79F8BB75F087/5/file', "
"'positives': 8, 'total': 88, 'scan_date': '2021-06-21 04:20:10'}, {'url': "
"'https://103.101.104.229/mod2/ANALYST0-2D1671_W512600.0379BB767548B14B97BF79F8BB75F087/5/file/', "
"'positives': 7, 'total': 88, 'scan_date': '2021-06-21 03:59:55'}], "
"'detected_communicating_samples': [{'date': '2021-09-01 02:13:54', "
"'positives': 50, 'total': 74, 'sha256': "
"'dc084e88f377ddd7ee21424f94f1f94b409b26ebfbfb6b8566654cc9ce71472e'}, "
"{'date': '2021-06-20 12:51:53', 'positives': 48, 'total': 75, 'sha256': "
"'be98cf40b1ba5dafde4834ba50fb1dc697e456b9f93cb437842f5177160c9fad'}], "
"'undetected_communicating_samples': [], 'resolutions': []}")
Creating a Map with the IP addresses¶
In [30]:
# Getting the geo result for one ip
msticpy.settings.refresh_config()
iplocation = GeoLiteLookup()
loc_result, ip_entity = iplocation.lookup_ip(ip_address = '203.76.105.227')
display(ip_entity[0])
Latest local Maxmind City Database present is older than 30 days. Attempting to download new database to C:\Users\thomasroccia\.msticpy Downloading and extracting GeoLite DB archive from MaxMind.... Extraction complete. Local Maxmind city DB: C:\Users\thomasroccia\.msticpy\GeoLite2-City.mmdb.19544.tar.gz
ipaddress
{ 'Address': '203.76.105.227','Location': { 'City': 'Dhaka',
'CountryCode': 'BD',
'CountryName': 'Bangladesh',
'Latitude': 23.7908,
'Longitude': 90.4109,
'State': 'Dhaka Division',
'TimeGenerated': datetime.datetime(2022, 5, 12, 0, 22, 45, 503996),
'Type': 'geolocation'},
'TimeGenerated': datetime.datetime(2022, 5, 12, 0, 22, 45, 503996),
'Type': 'ipaddress'}
In [31]:
# Creating the map using the folium module
iploc = []
for ip in ip_intel["Ioc"]:
loc_result, ip_entity = iplocation.lookup_ip(ip_address = ip)
iploc += ip_entity
folium_map = FoliumMap(zoom_start = 2)
folium_map.add_ip_cluster(ip_entities = iploc, color = 'red')
folium_map.center_map()
folium_map
Out[31]:
Make this Notebook Trusted to load map: File -> Trust Notebook
URL Intelligence¶
In [32]:
# Filtering URL
url_intel = ioc_df.loc[(ioc_df['IoCType'] == "url")]
url_intel
Out[32]:
| IoCType | Observable | SourceIndex | Input | |
|---|---|---|---|---|
| 26 | url | https://hura.me/no-ref.php?url=http%3A%2F%2Fwwwapps.ups.com%2FWebTracking%2Ftrack%3FHTMLtrackVer... | 335 | 1Z9918AW3591558812 <https://hura.me/no-ref.php?url=http%3A%2F%2Fwwwapps.ups.com%2FWebTracking%2F... |
| 27 | url | https://hura.me/no-ref.php?url=http://wwwapps.ups.com/WebTracking/track?HTMLtrackVersion=5.0&loc... | 335 | 1Z9918AW3591558812 <https://hura.me/no-ref.php?url=http%3A%2F%2Fwwwapps.ups.com%2FWebTracking%2F... |
| 41 | url | https://dyncheck.com/scan/id/fbcb147447b24f5c583f710fafc5b214#collapse_info | 514 | +] Written in Jscript can be used as .js or .vbs\n[+] Small size (14 KB ~)\n[+] Support for all ... |
| 42 | url | https://dyncheck.com/scan/id/84b7fe1b0f95031d2e5eaedf9fa2dbe2#collapse_info | 514 | +] Written in Jscript can be used as .js or .vbs\n[+] Small size (14 KB ~)\n[+] Support for all ... |
| 46 | url | https://prnt.sc/wh26pt | 516 | Panel:\n\nhttps://prnt.sc/wh26qd\nhttps://prnt.sc/wh26rb\nhttps://prnt.sc/wh26pt |
| ... | ... | ... | ... | ... |
| 3984 | url | https://temp.sh/HXmZA/СникzarBackdoorок | 60165 | https://temp.sh/HXmZA/%D0%A1%D0%BD%D0%B8%D0%BazarBackdoor%D0%BE%D0%BA%20%D1%8D%D0%BA%D1%80%D0%B0... |
| 4027 | url | http://l66orrehfw4hovqme625bavlpz7m2achabov3iyqy76cai44oao6neqd.onion/zeh7dkwfdxw99tdk/#/chat/f3... | 60643 | Hey ! how come they decipher Fail ZGQB3V6qmIWHLAwDH4dw4ijjACAknqMO2vvVBERGCICHODV86ciJyer49HHhAb... |
| 4029 | url | https://continews.click/uImgrfqk_WARNING | 60646 | https://continews.click/uImgrfqk_WARNING |
| 4030 | url | https://send.exploit.in/download/8bcac089623fcf96/#Kr27VSxYFrdmUHELZDJF1w | 60658 | https://send.exploit.in/download/8bcac089623fcf96/#Kr27VSxYFrdmUHELZDJF1w |
| 4032 | url | https://www.angelantoni.com | 60682 | https://www.angelantoni.com - here is their website |
672 rows × 4 columns
In [33]:
# Saving to csv file
url_intel.to_csv("IOC\\urlintel.csv")
In [34]:
# Sorting the value
url_intel.sort_values('Observable', ascending = True)
Out[34]:
| IoCType | Observable | SourceIndex | Input | |
|---|---|---|---|---|
| 1811 | url | file://157.230.60.143/download.jpg | 21267 | [07/27/2021 19:01:56] <rozteka> https://www.ired.team/offensive-security/initial-access/netntlmv... |
| 3875 | url | ftp://5.183.95.6/uploads/Team_D/ | 58179 | ADo, can you crypt ftp://5.183.95.6/uploads/Team_D/ |
| 233 | url | ftp://himemsys:antiDen4ik@ | 3118 | kramer> rdp rdp://SERVER-AGM\ella:!QA@WS#ED4rfv@5.141.22.50\n\nftp://himemsys:antiDen4ik@@188.93... |
| 2148 | url | http://(IP)/TAG/TEST_W639600.1234A242341C6D1A25B3F315D688968E/84/ | 29277 | На запрос вида \ncurl -X POST -F 'data=dXNlcg==|IE||||1240428288|1240428288|dXNlcg==|IE|demdex.n... |
| 1380 | url | http://109.230.199.73/209.dll | 15237 | http://109.230.199.73/209.dll\nhttp://109.230.199.73/209x64.exe |
| ... | ... | ... | ... | ... |
| 1241 | url | https://www.zoominfo.com/c/xerox-corporation/194101651 | 12123 | Доброе утро бро , заразили xerox \nи ticket master https://www.zoominfo.com/c/ticketmaster-enter... |
| 1880 | url | https://xflemdsxjrjilw34dsxpvrxp5whnaut7hc5xejwuqs6eqrkt77bxkwid.onion | 21800 | https://xflemdsxjrjilw34dsxpvrxp5whnaut7hc5xejwuqs6eqrkt77bxkwid.onion\nganesh: fp6fqpVxlrYsorC5... |
| 1255 | url | https://xzu6o2ni3hplvpmx.onion | 12638 | for HORSE\nrobotbander@jabb.im\n4815162342@jabb.im\nsheppard@jabber.ru\nsectorzero@jabb.im\n\n\n... |
| 1355 | url | https://yadi.sk/d/ySGgFr0ksqAp3Q | 14870 | [09:41:53] <mango> https://yadi.sk/d/ySGgFr0ksqAp3Q - examples of web artist's work |
| 1859 | url | https://youtu.be/9gLHycT1RzU | 21705 | https://youtu.be/9gLHycT1RzU |
672 rows × 4 columns
Extracting url containing specific extension¶
In [35]:
# It could be interesting to filter to dll, jpg, exe, onion
url_intel[url_intel['Observable'].str.contains(".exe|.dll|.jpg|.zip|.7z|.rar|.png")]
Out[35]:
| IoCType | Observable | SourceIndex | Input | |
|---|---|---|---|---|
| 221 | url | https://help4windows.com/windows_7_shell32_dll.shtml | 3064 | https://help4windows.com/windows_7_shell32_dll.shtml |
| 373 | url | https://oividaluxuosa.com/ke/miami.dll | 5275 | https://oividaluxuosa.com/ke/miami.dll , 3k copies with some neutral names so that the def does ... |
| 564 | url | https://privatlab.com/s/v/nRl7zbAAjltBeLbRqrax | 6661 | Check if it works\nhttps://privatlab.com/s/v/nRl7zbAAjltBeLbRqrax\n123123 |
| 600 | url | https://emploimed.com/netr.dll | 7147 | 1st link https://emploimed.com/netr.dll |
| 602 | url | https://www.ottenbourg.com/chester.dll | 7149 | 2nd link https://www.ottenbourg.com/chester.dll |
| 728 | url | https://anonfiles.com/Hai0P8t1uc/Dolfs_rar | 7742 | https://anonfiles.com/Hai0P8t1uc/Dolfs_rar\npass - AF2gAS2ggd |
| 778 | url | https://atlantisprojects.ca/cheryasd.dll | 8169 | https://atlantisprojects.ca/cheryasd.dll |
| 783 | url | https://parkisolutions.com/nerugin.dll | 8197 | https://parkisolutions.com/nerugin.dll |
| 942 | url | http://109.230.199.73/k.exe | 9765 | <off> http://109.230.199.73/k.exe\n[13.05.2021 08:33:36] <off> http://109.230.199.73/k.dll\n[13.... |
| 943 | url | http://109.230.199.73/k.dll | 9765 | <off> http://109.230.199.73/k.exe\n[13.05.2021 08:33:36] <off> http://109.230.199.73/k.dll\n[13.... |
| 1211 | url | http://ozpve456vdzplanabllomqi6lfx67nlrrthquvcsrfxv7z3jreurmfqd.onion | 11755 | http://ozpve456vdzplanabllomqi6lfx67nlrrthquvcsrfxv7z3jreurmfqd.onion\nadmin\n[{/.)B4xcE3v=fd6 |
| 1293 | url | http://i.prntscr.com/qMqzmSbHSS_QdlEUONrHZw.png | 13636 | http://i.prntscr.com/qMqzmSbHSS_QdlEUONrHZw.png |
| 1380 | url | http://109.230.199.73/209.dll | 15237 | http://109.230.199.73/209.dll\nhttp://109.230.199.73/209x64.exe |
| 1381 | url | http://109.230.199.73/209x64.exe | 15237 | http://109.230.199.73/209.dll\nhttp://109.230.199.73/209x64.exe |
| 1674 | url | https://bradiolum.top/aprel.dll | 19733 | now again on the command dll flies error\nhttps://bradiolum.top/aprel.dll\n\nhttps://auk64p35qeb... |
| 1811 | url | file://157.230.60.143/download.jpg | 21267 | [07/27/2021 19:01:56] <rozteka> https://www.ired.team/offensive-security/initial-access/netntlmv... |
| 2452 | url | http://31.14.*0.220/230*17*.dll,StartW | 33028 | http://31.14.*0.220/230*17*.dll,StartW |
| 2495 | url | https://temp.sh/fJXCc/1.rar | 33474 | Готово. \n[20:42:06] <bentley> pass: kJHDF273yubfjsbdf973uiwhgjsnkgb3oiygbhjsbdgkjhb \n[20:42:13... |
| 2502 | url | http://bergmeitli.ch/2.dll | 33631 | altmann-dias.com/1.dll\nhttp://bergmeitli.ch/2.dll |
| 2509 | url | http://195.149.87.59/2_https_x64.dll | 33801 | http://195.149.87.59/1_http_x64.dll\nhttp://195.149.87.59/2_https_x64.dll\n\nStartW |
| 2510 | url | http://195.149.87.59/1_http_x64.dll | 33801 | http://195.149.87.59/1_http_x64.dll\nhttp://195.149.87.59/2_https_x64.dll\n\nStartW |
| 2601 | url | https://temp.sh/jDpqP/1.rar | 36060 | https://temp.sh/jDpqP/1.rar |
| 2767 | url | https://temp.sh/copeR/tmp.zip | 39915 | ADo, can I have a new crypt, please, the last build is already burning with something https://te... |
| 2843 | url | https://temp.sh/bctPM/f3cfb349.7z | 41688 | https://temp.sh/bctPM/f3cfb349.7z |
| 2863 | url | http://4nmxrhdtbznfr7f3q6bhd4qxxfcxodao3h2txugojsizca4uhppdkzad.onion/private/168xavj5/M5kuzP_sa... | 42663 | http://4nmxrhdtbznfr7f3q6bhd4qxxfcxodao3h2txugojsizca4uhppdkzad.onion/private/168xavj5/M5kuzP_sa... |
| 3074 | url | http://root@195.149.87.59/var/www/html/bec_http_111_x86-1637769956-T12B123Z_32-cr.dll | 48140 | 111\nexe - bec\nhttp://root@195.149.87.59/var/www/html/bec_http_111_x64-1637769849-T0Z_64-cr.exe... |
| 3075 | url | http://root@195.149.87.59/var/www/html/bec_http_111_x64-1637769859-T0B1Z_64-cr.exe | 48140 | 111\nexe - bec\nhttp://root@195.149.87.59/var/www/html/bec_http_111_x64-1637769849-T0Z_64-cr.exe... |
| 3076 | url | https://root@195.149.87.59/var/www/html/bec_https_111_x64-1637770072-T12B123Z_64-cr.dll | 48140 | 111\nexe - bec\nhttp://root@195.149.87.59/var/www/html/bec_http_111_x64-1637769849-T0Z_64-cr.exe... |
| 3077 | url | http://root@195.149.87.59/var/www/html/bec_http_111_x64-1637769920-T12B123Z_64-cr.dll | 48140 | 111\nexe - bec\nhttp://root@195.149.87.59/var/www/html/bec_http_111_x64-1637769849-T0Z_64-cr.exe... |
| 3078 | url | https://root@195.149.87.59/var/www/html/bec_https_111_x64-1637770087-T0B123Z_64-cr.exe | 48140 | 111\nexe - bec\nhttp://root@195.149.87.59/var/www/html/bec_http_111_x64-1637769849-T0Z_64-cr.exe... |
| 3079 | url | https://root@195.149.87.59/var/www/html/pe_https_111_x64-1637770298-T0B123Z_64-cr.exe | 48140 | 111\nexe - bec\nhttp://root@195.149.87.59/var/www/html/bec_http_111_x64-1637769849-T0Z_64-cr.exe... |
| 3080 | url | http://root@195.149.87.59/var/www/html/bec_http_111_x86-1637769886-T12B1Z_32-cr.dll | 48140 | 111\nexe - bec\nhttp://root@195.149.87.59/var/www/html/bec_http_111_x64-1637769849-T0Z_64-cr.exe... |
| 3081 | url | http://root@195.149.87.59/var/www/html/pe_http_111_x64-1637770246-T0Z_64-cr.exe | 48140 | 111\nexe - bec\nhttp://root@195.149.87.59/var/www/html/bec_http_111_x64-1637769849-T0Z_64-cr.exe... |
| 3082 | url | http://root@195.149.87.59/var/www/html/pe_http_111_x64-1637770240-T0B123Z_64-cr.exe | 48140 | 111\nexe - bec\nhttp://root@195.149.87.59/var/www/html/bec_http_111_x64-1637769849-T0Z_64-cr.exe... |
| 3083 | url | http://root@195.149.87.59/var/www/html/bec_http_111_x64-1637769933-T0B123Z_64-cr.exe | 48140 | 111\nexe - bec\nhttp://root@195.149.87.59/var/www/html/bec_http_111_x64-1637769849-T0Z_64-cr.exe... |
| 3084 | url | https://root@195.149.87.59/var/www/html/bec_https_111_x86-1637770080-T12B1Z_32-cr.dll | 48140 | 111\nexe - bec\nhttp://root@195.149.87.59/var/www/html/bec_http_111_x64-1637769849-T0Z_64-cr.exe... |
| 3085 | url | http://root@195.149.87.59/var/www/html/pe_http_111_x64-1637770256-T0B1Z_64-cr.exe | 48140 | 111\nexe - bec\nhttp://root@195.149.87.59/var/www/html/bec_http_111_x64-1637769849-T0Z_64-cr.exe... |
| 3086 | url | http://root@195.149.87.59/var/www/html/bec_http_111_x64-1637769849-T0Z_64-cr.exe | 48140 | 111\nexe - bec\nhttp://root@195.149.87.59/var/www/html/bec_http_111_x64-1637769849-T0Z_64-cr.exe... |
| 3087 | url | https://root@195.149.87.59/var/www/html/pe_https_111_x64-1637770347-T0Z_64-cr.exe | 48140 | 111\nexe - bec\nhttp://root@195.149.87.59/var/www/html/bec_http_111_x64-1637769849-T0Z_64-cr.exe... |
| 3088 | url | https://root@195.149.87.59/var/www/html/bec_https_111_x64-1637770051-T0B1Z_64-cr.exe | 48140 | 111\nexe - bec\nhttp://root@195.149.87.59/var/www/html/bec_http_111_x64-1637769849-T0Z_64-cr.exe... |
| 3089 | url | http://root@195.149.87.59/var/www/html/bec_http_111_x86-1637769971-T0B123Z_32-cr.exe | 48140 | 111\nexe - bec\nhttp://root@195.149.87.59/var/www/html/bec_http_111_x64-1637769849-T0Z_64-cr.exe... |
| 3090 | url | https://root@195.149.87.59/var/www/html/bec_https_111_x64-1637770033-T12B1Z_64-cr.dll | 48140 | 111\nexe - bec\nhttp://root@195.149.87.59/var/www/html/bec_http_111_x64-1637769849-T0Z_64-cr.exe... |
| 3091 | url | https://root@195.149.87.59/var/www/html/bec_https_111_x86-1637770126-T0B123Z_32-cr.exe | 48140 | 111\nexe - bec\nhttp://root@195.149.87.59/var/www/html/bec_http_111_x64-1637769849-T0Z_64-cr.exe... |
| 3092 | url | https://root@195.149.87.59/var/www/html/bec_https_111_x86-1637770066-T12Z_32-cr.dll | 48140 | 111\nexe - bec\nhttp://root@195.149.87.59/var/www/html/bec_http_111_x64-1637769849-T0Z_64-cr.exe... |
| 3093 | url | https://root@195.149.87.59/var/www/html/bec_https_111_x86-1637770112-T12B123Z_32-cr.dll | 48140 | 111\nexe - bec\nhttp://root@195.149.87.59/var/www/html/bec_http_111_x64-1637769849-T0Z_64-cr.exe... |
| 3094 | url | http://root@195.149.87.59/var/www/html/bec_http_111_x64-1637769815-T12Z_64-cr.dll | 48140 | 111\nexe - bec\nhttp://root@195.149.87.59/var/www/html/bec_http_111_x64-1637769849-T0Z_64-cr.exe... |
| 3095 | url | https://root@195.149.87.59/var/www/html/bec_https_111_x64-1637770017-T12Z_64-cr.dll | 48140 | 111\nexe - bec\nhttp://root@195.149.87.59/var/www/html/bec_http_111_x64-1637769849-T0Z_64-cr.exe... |
| 3096 | url | http://root@195.149.87.59/var/www/html/bec_http_111_x64-1637769837-T12B1Z_64-cr.dll | 48140 | 111\nexe - bec\nhttp://root@195.149.87.59/var/www/html/bec_http_111_x64-1637769849-T0Z_64-cr.exe... |
| 3097 | url | https://root@195.149.87.59/var/www/html/bec_https_111_x86-1637770089-T0Z_32-cr.exe | 48140 | 111\nexe - bec\nhttp://root@195.149.87.59/var/www/html/bec_http_111_x64-1637769849-T0Z_64-cr.exe... |
| 3098 | url | https://root@195.149.87.59/var/www/html/bec_https_111_x86-1637770099-T0B1Z_32-cr.exe | 48140 | 111\nexe - bec\nhttp://root@195.149.87.59/var/www/html/bec_http_111_x64-1637769849-T0Z_64-cr.exe... |
| 3099 | url | https://root@195.149.87.59/var/www/html/pe_https_111_x64-1637770356-T0B1Z_64-cr.exe | 48140 | 111\nexe - bec\nhttp://root@195.149.87.59/var/www/html/bec_http_111_x64-1637769849-T0Z_64-cr.exe... |
| 3100 | url | https://root@195.149.87.59/var/www/html/bec_https_111_x64-1637770042-T0Z_64-cr.exe | 48140 | 111\nexe - bec\nhttp://root@195.149.87.59/var/www/html/bec_http_111_x64-1637769849-T0Z_64-cr.exe... |
| 3129 | url | http://198.244.193.210/images/wolf.png | 48567 | http://198.244.193.210/images/wolf.png |
| 3133 | url | https://temp.sh/FwsSg/1.rar | 48950 | https://temp.sh/FwsSg/1.rar |
| 3134 | url | https://195.149.87.59/bec_https_555_x86-1638188794-T12B123Z_32-cr.dll | 48952 | 555\nhttp://195.149.87.59/bec_http_555_x86-1638187809-T12B123Z_32-cr.dll\nhttp://195.149.87.59/b... |
| 3135 | url | http://195.149.87.59/bec_http_111_x86-1638187422-T0B123Z_32-cr.exe | 48952 | 555\nhttp://195.149.87.59/bec_http_555_x86-1638187809-T12B123Z_32-cr.dll\nhttp://195.149.87.59/b... |
| 3136 | url | https://195.149.87.59/bec_https_111_x64-1638188186-T0B123Z_64-cr.exe | 48952 | 555\nhttp://195.149.87.59/bec_http_555_x86-1638187809-T12B123Z_32-cr.dll\nhttp://195.149.87.59/b... |
| 3137 | url | https://195.149.87.59/bec_https_111_x64-1638188048-T12B123Z_64-cr.dll | 48952 | 555\nhttp://195.149.87.59/bec_http_555_x86-1638187809-T12B123Z_32-cr.dll\nhttp://195.149.87.59/b... |
| 3138 | url | http://195.149.87.59/bec_http_555_x86-1638187809-T12B123Z_32-cr.dll | 48952 | 555\nhttp://195.149.87.59/bec_http_555_x86-1638187809-T12B123Z_32-cr.dll\nhttp://195.149.87.59/b... |
| 3139 | url | http://195.149.87.59/bec_http_555_x64-1638187557-T12B123Z_64-cr.dll | 48952 | 555\nhttp://195.149.87.59/bec_http_555_x86-1638187809-T12B123Z_32-cr.dll\nhttp://195.149.87.59/b... |
| 3140 | url | https://195.149.87.59/bec_https_111_x86-1638188296-T12B123Z_32-cr.dll | 48952 | 555\nhttp://195.149.87.59/bec_http_555_x86-1638187809-T12B123Z_32-cr.dll\nhttp://195.149.87.59/b... |
| 3141 | url | https://195.149.87.59/bec_https_111_x86-1638188430-T0B123Z_32-cr.exe | 48952 | 555\nhttp://195.149.87.59/bec_http_555_x86-1638187809-T12B123Z_32-cr.dll\nhttp://195.149.87.59/b... |
| 3142 | url | http://195.149.87.59/bec_http_111_x86-1638187295-T12B123Z_32-cr.dll | 48952 | 555\nhttp://195.149.87.59/bec_http_555_x86-1638187809-T12B123Z_32-cr.dll\nhttp://195.149.87.59/b... |
| 3143 | url | http://195.149.87.59/bec_http_111_x64-1638187173-T0B123Z_64-cr.exe | 48952 | 555\nhttp://195.149.87.59/bec_http_555_x86-1638187809-T12B123Z_32-cr.dll\nhttp://195.149.87.59/b... |
| 3144 | url | https://195.149.87.59/bec_https_555_x64-1638188681-T0B123Z_64-cr.exe | 48952 | 555\nhttp://195.149.87.59/bec_http_555_x86-1638187809-T12B123Z_32-cr.dll\nhttp://195.149.87.59/b... |
| 3145 | url | https://195.149.87.59/bec_https_555_x64-1638188562-T12B123Z_64-cr.dll | 48952 | 555\nhttp://195.149.87.59/bec_http_555_x86-1638187809-T12B123Z_32-cr.dll\nhttp://195.149.87.59/b... |
| 3146 | url | http://195.149.87.59/bec_http_555_x64-1638187720-T0B23Z_64-cr.exe | 48952 | 555\nhttp://195.149.87.59/bec_http_555_x86-1638187809-T12B123Z_32-cr.dll\nhttp://195.149.87.59/b... |
| 3147 | url | http://195.149.87.59/bec_http_555_x86-1638187956-T0B23Z_32-cr.exe | 48952 | 555\nhttp://195.149.87.59/bec_http_555_x86-1638187809-T12B123Z_32-cr.dll\nhttp://195.149.87.59/b... |
| 3148 | url | http://195.149.87.59/bec_http_111_x64-1638187035-T12B123Z_64-cr.dll | 48952 | 555\nhttp://195.149.87.59/bec_http_555_x86-1638187809-T12B123Z_32-cr.dll\nhttp://195.149.87.59/b... |
| 3149 | url | https://195.149.87.59/bec_https_555_x86-1638188919-T0B123Z_32-cr.exe | 48952 | 555\nhttp://195.149.87.59/bec_http_555_x86-1638187809-T12B123Z_32-cr.dll\nhttp://195.149.87.59/b... |
| 3412 | url | https://i.imgur.com/aEnyme5.png | 52565 | https://i.imgur.com/aEnyme5.png |
| 3439 | url | https://shell.com/path/?dll | 52759 | on the topic of hosting appinstaller + appxbundle + dll files nearby - I managed to do it last n... |
| 3443 | url | https://some/some/1.dll | 52898 | - if we write in .appinstaller\n Uri="https://srcdatastorage.z13.web.core.windows.net/jaj... |
| 3444 | url | https://srcdatastorage.z13.web.core.windows.net/jajnedhneb.appxbundle?param1=https://some/some/1... | 52898 | - if we write in .appinstaller\n Uri="https://srcdatastorage.z13.web.core.windows.net/jaj... |
| 3467 | url | https://shell.com/file.appinstaller&activationUri=custom-params:?data=https://host.com/1.dll | 53153 | ms-appinstaller:?source=https://shell.com/file.appinstaller&activationUri=custom-params:?data=ht... |
| 3468 | url | https://host.com/1.dll | 53156 | &activationUri=custom-params:?data=https://host.com/1.dll |
| 3477 | url | https://shell.com/file.appinstaller&activationUri=custom-params:?data=https://host2.com/file.dll | 53373 | everything works for me)\n\nin short, the scheme is as follows:\nin html land in this link:\n <a... |
| 3519 | url | https://privatlab.com/s/v/EJawrarkp6Iwxd2AzBgb | 54653 | https://privatlab.com/s/v/EJawrarkp6Iwxd2AzBgb |
| 3659 | url | https://temp.sh/ueksm/222.7z | 56679 | https://temp.sh/ueksm/222.7z |
| 3983 | url | https://temp.sh/HXmZA/%D0%A1%D0%BD%D0%B8%D0%BazarBackdoor%D0%BE%D0%BA%20%D1%8D%D0%BA%D1%80%D0%B0... | 60165 | https://temp.sh/HXmZA/%D0%A1%D0%BD%D0%B8%D0%BazarBackdoor%D0%BE%D0%BA%20%D1%8D%D0%BA%D1%80%D0%B0... |
Extracting onion domains¶
In [37]:
url_intel[url_intel['Observable'].str.contains(".onion")]
Out[37]:
| IoCType | Observable | SourceIndex | Input | |
|---|---|---|---|---|
| 287 | url | https://43oxsnqlub6aydymkwpn3agaaj7u2qexx4vwybgrwug46c6yldhuheid.onion/crpanel/ | 4306 | https://43oxsnqlub6aydymkwpn3agaaj7u2qexx4vwybgrwug46c6yldhuheid.onion/crpanel/ |
| 741 | url | https://dnog7cgicmkrvugrfxexo34gikjbr54sd5skxj4r42aj4tuy2hjsw6qd.onion | 7860 | Ready to access the admin panel (storage)\n[19:09:18] <bentley> https://dnog7cgicmkrvugrfxexo34g... |
| 936 | url | http://epyclq65gskclmpu.onion:1337 | 9751 | http://epyclq65gskclmpu.onion:1337 - our file cleaner. will be on the SIA bransomwarechain |
| 1211 | url | http://ozpve456vdzplanabllomqi6lfx67nlrrthquvcsrfxv7z3jreurmfqd.onion | 11755 | http://ozpve456vdzplanabllomqi6lfx67nlrrthquvcsrfxv7z3jreurmfqd.onion\nadmin\n[{/.)B4xcE3v=fd6 |
| 1218 | url | http://crdclub4wraumez4.onion/ | 11827 | a cow was sold http://korovka32xc3t5cg.onion support@korovka.name and a card like http://crdclub... |
| 1219 | url | http://korovka32xc3t5cg.onion | 11827 | a cow was sold http://korovka32xc3t5cg.onion support@korovka.name and a card like http://crdclub... |
| 1255 | url | https://xzu6o2ni3hplvpmx.onion | 12638 | for HORSE\nrobotbander@jabb.im\n4815162342@jabb.im\nsheppard@jabber.ru\nsectorzero@jabb.im\n\n\n... |
| 1321 | url | http://i5rxdyozq7uyotqtmcj4hxq7modmxklejqysurqsf5ixhzw444jynvyd.onion/adminjx1p8zu25dr4ae7o.php?... | 14250 | http://i5rxdyozq7uyotqtmcj4hxq7modmxklejqysurqsf5ixhzw444jynvyd.onion/adminjx1p8zu25dr4ae7o.php?... |
| 1675 | url | https://auk64p35qebertdsh576avhnswxdprft3kpmvsm5sixxof6bsbgryxqd.onion/logpost/more_ex/D1F299F1B... | 19733 | now again on the command dll flies error\nhttps://bradiolum.top/aprel.dll\n\nhttps://auk64p35qeb... |
| 1880 | url | https://xflemdsxjrjilw34dsxpvrxp5whnaut7hc5xejwuqs6eqrkt77bxkwid.onion | 21800 | https://xflemdsxjrjilw34dsxpvrxp5whnaut7hc5xejwuqs6eqrkt77bxkwid.onion\nganesh: fp6fqpVxlrYsorC5... |
| 1954 | url | http://continewsnv5otx5kaoje7krkto2qbu3gtqef22mnr7eaxw3y6ncz3ad.onion/ | 23069 | Here is the Tor for now http://continewsnv5otx5kaoje7krkto2qbu3gtqef22mnr7eaxw3y6ncz3ad.onion/ |
| 2136 | url | http://xssforumv3isucukbxhdhwz67hoa5e2voakcfkuieq4ch257vsburuid.onion/threads/50513/ | 28827 | http://xssforumv3isucukbxhdhwz67hoa5e2voakcfkuieq4ch257vsburuid.onion/threads/50513/ |
| 2137 | url | http://xssforumv3isucukbxhdhwz67hoa5e2voakcfkuieq4ch257vsburuid.onion/threads/55956/ | 28828 | http://xssforumv3isucukbxhdhwz67hoa5e2voakcfkuieq4ch257vsburuid.onion/threads/55956/ |
| 2157 | url | https://mb5fbvx72fbod2hkirfecc5nh7lwq6ke7xocn7j2u7raiwbytvevpbad.onion/begemot/dero.git | 29668 | [core]\nrepositoryformatversion=0\nfilemode=true\nbar = false\nlogallrefupdates=true\n[branch "m... |
| 2158 | url | https://mb5fbvx72fbod2hkirfecc5nh7lwq6ke7xocn7j2u7raiwbytvevpbad.onion/begemot/dero.git/» | 29669 | (base) begemot@big-comp:~/erl/dero/.git$ git push\nfatal: «https://mb5fbvx72fbod2hkirfecc5nh7lwq... |
| 2353 | url | http://xssforumv3isucukbxhdhwz67hoa5e2voakcfkuieq4ch257vsburuid.onion/threads/56486/ | 32626 | http://xssforumv3isucukbxhdhwz67hoa5e2voakcfkuieq4ch257vsburuid.onion/threads/56486/ |
| 2354 | url | http://xssforumv3isucukbxhdhwz67hoa5e2voakcfkuieq4ch257vsburuid.onion/threads/56793/ | 32627 | http://xssforumv3isucukbxhdhwz67hoa5e2voakcfkuieq4ch257vsburuid.onion/threads/56793/ |
| 2621 | url | https://ojdglzhrquash4igbx6e6wlthe3si4biabcpfopiw33uohvaufjgipad.onion | 36952 | https://ojdglzhrquash4igbx6e6wlthe3si4biabcpfopiw33uohvaufjgipad.onion |
| 2794 | url | https://6yp2jljwgdxmwy4uxfaxbkjgm2txlxxb5akxn43cyaz3cjo2gqd65yid.onion | 40183 | jups 111111\nhttps://6yp2jljwgdxmwy4uxfaxbkjgm2txlxxb5akxn43cyaz3cjo2gqd65yid.onion |
| 2863 | url | http://4nmxrhdtbznfr7f3q6bhd4qxxfcxodao3h2txugojsizca4uhppdkzad.onion/private/168xavj5/M5kuzP_sa... | 42663 | http://4nmxrhdtbznfr7f3q6bhd4qxxfcxodao3h2txugojsizca4uhppdkzad.onion/private/168xavj5/M5kuzP_sa... |
| 2866 | url | http://continewsnv5otx5kaoje7krkto2qbu3gtqef22mnr7eaxw3y6ncz3ad.onion/6z3vSKVI_DEWEtech | 42840 | http://continewsnv5otx5kaoje7krkto2qbu3gtqef22mnr7eaxw3y6ncz3ad.onion/6z3vSKVI_DEWEtech |
| 2867 | url | http://continewsnv5otx5kaoje7krkto2qbu3gtqef22mnr7eaxw3y6ncz3ad.onion/gWu2p5H1_TTC | 42850 | http://continewsnv5otx5kaoje7krkto2qbu3gtqef22mnr7eaxw3y6ncz3ad.onion/gWu2p5H1_TTC |
| 2878 | url | http://continewsnv5otx5kaoje7krkto2qbu3gtqef22mnr7eaxw3y6ncz3ad.onion/Xa3Uo9Gk_KISTERS | 43520 | http://continewsnv5otx5kaoje7krkto2qbu3gtqef22mnr7eaxw3y6ncz3ad.onion/Xa3Uo9Gk_KISTERS |
| 2908 | url | http://continewsnv5otx5kaoje7krkto2qbu3gtqef22mnr7eaxw3y6ncz3ad.onion/QIpblFS3_Harness_IP | 44194 | http://continewsnv5otx5kaoje7krkto2qbu3gtqef22mnr7eaxw3y6ncz3ad.onion/QIpblFS3_Harness_IP |
| 2926 | url | http://continewsnv5otx5kaoje7krkto2qbu3gtqef22mnr7eaxw3y6ncz3ad.onion/ilUCk6R9_FRONTIER_SOFTWARE | 44954 | http://continewsnv5otx5kaoje7krkto2qbu3gtqef22mnr7eaxw3y6ncz3ad.onion/ilUCk6R9_FRONTIER_SOFTWARE |
| 2993 | url | http://czb6edlp7gsar4u5crxccldjkjn36p35fro7c7gck7wjumcrzq4efgid.onion/zeh7dkwfdxw99tdk/ | 46844 | http://czb6edlp7gsar4u5crxccldjkjn36p35fro7c7gck7wjumcrzq4efgid.onion/zeh7dkwfdxw99tdk/ |
| 3010 | url | http://contirecj4hbzmyzuydyzrvm2c65blmvhoj2cvf25zqj2dwrrqcq5oad.onion/ | 47381 | http://contirecj4hbzmyzuydyzrvm2c65blmvhoj2cvf25zqj2dwrrqcq5oad.onion/ |
| 3030 | url | http://contirecj4hbzmyzuydyzrvm2c65blmvhoj2cvf25zqj2dwrrqcq5oad.onion/support/fb5b77a7313635e3bc... | 47685 | <mango> <porovozik> I have a question about this mesh bro\nhttp://continewsnv5otx5kaoje7krkto2qb... |
| 3031 | url | http://continewsnv5otx5kaoje7krkto2qbu3gtqef22mnr7eaxw3y6ncz3ad.onion/fFM9yCUN_Hutt | 47685 | <mango> <porovozik> I have a question about this mesh bro\nhttp://continewsnv5otx5kaoje7krkto2qb... |
| 3073 | url | https://m5px4n6r2jruhun3g2bp2uhj7d7w37dqglp34uvn5uhbz5n2tticgyad.onion/ | 48135 | https://m5px4n6r2jruhun3g2bp2uhj7d7w37dqglp34uvn5uhbz5n2tticgyad.onion/ |
| 3104 | url | http://continewsnv5otx5kaoje7krkto2qbu3gtqef22mnr7eaxw3y6ncz3ad.onion/9301xDIc_TRI-COUNTY_ELECTR... | 48167 | http://continewsnv5otx5kaoje7krkto2qbu3gtqef22mnr7eaxw3y6ncz3ad.onion/9301xDIc_TRI-COUNTY_ELECTR... |
| 3105 | url | http://continewsnv5otx5kaoje7krkto2qbu3gtqef22mnr7eaxw3y6ncz3ad.onion/9ekt1FhM_RLD_Associates | 48168 | http://continewsnv5otx5kaoje7krkto2qbu3gtqef22mnr7eaxw3y6ncz3ad.onion/9ekt1FhM_RLD_Associates |
| 3108 | url | http://continewsnv5otx5kaoje7krkto2qbu3gtqef22mnr7eaxw3y6ncz3ad.onion/S8NBp5rV_BSCR | 48172 | http://continewsnv5otx5kaoje7krkto2qbu3gtqef22mnr7eaxw3y6ncz3ad.onion/S8NBp5rV_BSCR |
| 3110 | url | http://continewsnv5otx5kaoje7krkto2qbu3gtqef22mnr7eaxw3y6ncz3ad.onion/beNVUGLs_Spencer_Gifts_LLC | 48213 | http://continewsnv5otx5kaoje7krkto2qbu3gtqef22mnr7eaxw3y6ncz3ad.onion/beNVUGLs_Spencer_Gifts_LLC... |
| 3121 | url | http://czb6edlp7gsar4u5crxccldjkjn36p35fro7c7gck7wjumcrzq4efgid.onion/zeh7dkwfdxw99tdk/#/chat/55... | 48513 | http://czb6edlp7gsar4u5crxccldjkjn36p35fro7c7gck7wjumcrzq4efgid.onion/zeh7dkwfdxw99tdk/#/chat/55... |
| 3153 | url | http://crypmix4m5iunofa25mpmiihdb56oaqg57tvrebqatc6otn3w65qhlid.onion/ | 49123 | http://crypmix4m5iunofa25mpmiihdb56oaqg57tvrebqatc6otn3w65qhlid.onion/ |
| 3309 | url | http://l66orrehfw4hovqme625bavlpz7m2achabov3iyqy76cai44oao6neqd.onion/zeh7dkwfdxw99tdk/ | 51836 | http://l66orrehfw4hovqme625bavlpz7m2achabov3iyqy76cai44oao6neqd.onion/zeh7dkwfdxw99tdk/ |
| 3325 | url | http://l66orrehfw4hovqme625bavlpz7m2achabov3iyqy76cai44oao6neqd.onion/zeh7dkwfdxw99tdk/#/chatList | 52154 | http://l66orrehfw4hovqme625bavlpz7m2achabov3iyqy76cai44oao6neqd.onion/zeh7dkwfdxw99tdk/#/chatList |
| 3456 | url | http://contirec7nchr45rx6ympez5rjldibnqzh7lsa56lvjvaeywhvoj3wad.onion/NJv9nz4fcgefhEIiAcajtSgi4E... | 52993 | (01:29:20) cybergangster@q3mcco35auwcstmt.onion/1410513075163984878338200: ADo\n(01:29:38) cyber... |
| 3482 | url | http://continewsnv5otx5kaoje7krkto2qbu3gtqef22mnr7eaxw3y6ncz3ad.onion/wqKecF1B_The_Briad_Group | 53652 | http://continewsnv5otx5kaoje7krkto2qbu3gtqef22mnr7eaxw3y6ncz3ad.onion/wqKecF1B_The_Briad_Group |
| 3483 | url | http://l66orrehfw4hovqme625bavlpz7m2achabov3iyqy76cai44oao6neqd.onion/zeh7dkwfdxw99tdk/#/chat/e3... | 53699 | eAfzfvt1WG6pViE5AMqFcEL8QDIZpTLHXshEMZH4WzNo9BNF2jWQ9Ez8esMtYZfK <http://l66orrehfw4hovqme625bav... |
| 3484 | url | http://l66orrehfw4hovqme625bavlpz7m2achabov3iyqy76cai44oao6neqd.onion/zeh7dkwfdxw99tdk/#/chat/c3... | 53699 | eAfzfvt1WG6pViE5AMqFcEL8QDIZpTLHXshEMZH4WzNo9BNF2jWQ9Ez8esMtYZfK <http://l66orrehfw4hovqme625bav... |
| 3485 | url | http://l66orrehfw4hovqme625bavlpz7m2achabov3iyqy76cai44oao6neqd.onion/zeh7dkwfdxw99tdk/#/chat/b6... | 53699 | eAfzfvt1WG6pViE5AMqFcEL8QDIZpTLHXshEMZH4WzNo9BNF2jWQ9Ez8esMtYZfK <http://l66orrehfw4hovqme625bav... |
| 3486 | url | http://l66orrehfw4hovqme625bavlpz7m2achabov3iyqy76cai44oao6neqd.onion/zeh7dkwfdxw99tdk/#/chat/f8... | 53699 | eAfzfvt1WG6pViE5AMqFcEL8QDIZpTLHXshEMZH4WzNo9BNF2jWQ9Ez8esMtYZfK <http://l66orrehfw4hovqme625bav... |
| 3487 | url | http://l66orrehfw4hovqme625bavlpz7m2achabov3iyqy76cai44oao6neqd.onion/zeh7dkwfdxw99tdk/#/chat/b5... | 53699 | eAfzfvt1WG6pViE5AMqFcEL8QDIZpTLHXshEMZH4WzNo9BNF2jWQ9Ez8esMtYZfK <http://l66orrehfw4hovqme625bav... |
| 3495 | url | http://continewsnv5otx5kaoje7krkto2qbu3gtqef22mnr7eaxw3y6ncz3ad.onion/GV8PuAI7_LAVI | 53828 | http://continewsnv5otx5kaoje7krkto2qbu3gtqef22mnr7eaxw3y6ncz3ad.onion/GV8PuAI7_LAVI |
| 3510 | url | http://continewsnv5otx5kaoje7krkto2qbu3gtqef22mnr7eaxw3y6ncz3ad.onion/gQ1ZfJba_Shutterfly_Inc | 54466 | http://continewsnv5otx5kaoje7krkto2qbu3gtqef22mnr7eaxw3y6ncz3ad.onion/gQ1ZfJba_Shutterfly_Inc |
| 3608 | url | http://22q6iu4dmoex3xv5vdiceqzc2bkrc6262cak5ylp3vwauqw3zaxpuyad.onion/zeh7dkwfdxw99tdk/ | 56064 | http://22q6iu4dmoex3xv5vdiceqzc2bkrc6262cak5ylp3vwauqw3zaxpuyad.onion/zeh7dkwfdxw99tdk/ |
| 3609 | url | http://continewsnv5otx5kaoje7krkto2qbu3gtqef22mnr7eaxw3y6ncz3ad.onion/zTnGsBmj_Acuity_Brands | 56135 | http://continewsnv5otx5kaoje7krkto2qbu3gtqef22mnr7eaxw3y6ncz3ad.onion/zTnGsBmj_Acuity_Brands |
| 3612 | url | http://continewsnv5otx5kaoje7krkto2qbu3gtqef22mnr7eaxw3y6ncz3ad.onion/4OlU3tF0_Minto_Group | 56324 | http://continewsnv5otx5kaoje7krkto2qbu3gtqef22mnr7eaxw3y6ncz3ad.onion/4OlU3tF0_Minto_Group |
| 3619 | url | http://pj3n6aix4l5lqoorwu5qbolmhwpqyabwpifdvn2w5qiznlqqayzmegid.onion/note/1U1kjIG12IiVvlWmhLlDX... | 56494 | http://pj3n6aix4l5lqoorwu5qbolmhwpqyabwpifdvn2w5qiznlqqayzmegid.onion/note/1U1kjIG12IiVvlWmhLlDX... |
| 3671 | url | http://contirec7nchr45rx6ympez5rjldibnqzh7lsa56lvjvaeywhvoj3wad.onion/vOjdyhnt7ADeB867Pg5e1ANOWX... | 56924 | http://contirec7nchr45rx6ympez5rjldibnqzh7lsa56lvjvaeywhvoj3wad.onion/vOjdyhnt7ADeB867Pg5e1ANOWX... |
| 3672 | url | http://l66orrehfw4hovqme625bavlpz7m2achabov3iyqy76cai44oao6neqd.onion/zeh7dkwfdxw99tdk | 56948 | http://l66orrehfw4hovqme625bavlpz7m2achabov3iyqy76cai44oao6neqd.onion/zeh7dkwfdxw99tdk |
| 3683 | url | https://l66orrehfw4hovqme625bavlpz7m2achabov3iyqy76cai44oao6neqd.onion/zeh7dkwfdxw99tdk/ | 57015 | https://l66orrehfw4hovqme625bavlpz7m2achabov3iyqy76cai44oao6neqd.onion/zeh7dkwfdxw99tdk/ |
| 3887 | url | https://6k2zmzhc2wjs3u7rjykzuas2mtsd3w7va3alafnkzfiehmq2g3jrlmqd.onion/ | 58308 | https://6k2zmzhc2wjs3u7rjykzuas2mtsd3w7va3alafnkzfiehmq2g3jrlmqd.onion/ |
| 3888 | url | https://6k2zmzhc2wjs3u7rjykzuas2mtsd3w7va3alafnkzfiehmq2g3jrlmqd.onion/note/1aPrgVchSA1Ay1TWQmnx... | 58309 | https://6k2zmzhc2wjs3u7rjykzuas2mtsd3w7va3alafnkzfiehmq2g3jrlmqd.onion/note/1aPrgVchSA1Ay1TWQmnx... |
| 3925 | url | http://continewsnv5otx5kaoje7krkto2qbu3gtqef22mnr7eaxw3y6ncz3ad.onion/PygiWNjS_Financial_Horizon... | 58649 | ADo Financial Horizons Group! We are Conti Group. We want to inform that your company local netw... |
| 4027 | url | http://l66orrehfw4hovqme625bavlpz7m2achabov3iyqy76cai44oao6neqd.onion/zeh7dkwfdxw99tdk/#/chat/f3... | 60643 | Hey ! how come they decipher Fail ZGQB3V6qmIWHLAwDH4dw4ijjACAknqMO2vvVBERGCICHODV86ciJyer49HHhAb... |
Extracting Prnt¶
In [39]:
url_intel[url_intel['Observable'].str.contains("prntscr.com|prnt.sc")]
Out[39]:
| IoCType | Observable | SourceIndex | Input | |
|---|---|---|---|---|
| 46 | url | https://prnt.sc/wh26pt | 516 | Panel:\n\nhttps://prnt.sc/wh26qd\nhttps://prnt.sc/wh26rb\nhttps://prnt.sc/wh26pt |
| 47 | url | https://prnt.sc/wh26rb | 516 | Panel:\n\nhttps://prnt.sc/wh26qd\nhttps://prnt.sc/wh26rb\nhttps://prnt.sc/wh26pt |
| 48 | url | https://prnt.sc/wh26qd | 516 | Panel:\n\nhttps://prnt.sc/wh26qd\nhttps://prnt.sc/wh26rb\nhttps://prnt.sc/wh26pt |
| 243 | url | https://prnt.sc/10ni7xz | 3370 | https://prnt.sc/10ni7xz broa what is it? |
| 535 | url | https://prnt.sc/11cdg8c | 6368 | https://prnt.sc/11cdg8c |
| 555 | url | https://prnt.sc/11h59lg | 6578 | now I’ve made an emphasis on spam, I’m sending it to collect cc from a fake epla, now I’ve remad... |
| 556 | url | https://prnt.sc/11h4zwh | 6578 | now I’ve made an emphasis on spam, I’m sending it to collect cc from a fake epla, now I’ve remad... |
| 557 | url | https://prnt.sc/11h4w3v | 6578 | now I’ve made an emphasis on spam, I’m sending it to collect cc from a fake epla, now I’ve remad... |
| 558 | url | https://prnt.sc/11h5bqx-gmail | 6578 | now I’ve made an emphasis on spam, I’m sending it to collect cc from a fake epla, now I’ve remad... |
| 559 | url | https://prnt.sc/11h58ex | 6578 | now I’ve made an emphasis on spam, I’m sending it to collect cc from a fake epla, now I’ve remad... |
| 1293 | url | http://i.prntscr.com/qMqzmSbHSS_QdlEUONrHZw.png | 13636 | http://i.prntscr.com/qMqzmSbHSS_QdlEUONrHZw.png |
| 1465 | url | https://prnt.sc/16x133m | 15672 | https://prnt.sc/16x133m |
| 1545 | url | https://prnt.sc/180y0u9 | 16788 | https://prnt.sc/180y0u9\n\nand this is in PM I communicate with the encoder\nhttps://prnt.sc/180... |
| 1546 | url | https://prnt.sc/180y5tl | 16788 | https://prnt.sc/180y0u9\n\nand this is in PM I communicate with the encoder\nhttps://prnt.sc/180... |
| 1547 | url | https://prnt.sc/180y8tl | 16788 | https://prnt.sc/180y0u9\n\nand this is in PM I communicate with the encoder\nhttps://prnt.sc/180... |
| 1662 | url | https://prnt.sc/1b5gj8j | 19588 | + file stealer\nhttps://prnt.sc/1b5gj8j\nlike this\nHe drag and drop works\nGenerating an execut... |
| 2183 | url | https://prnt.sc/1ri6dev | 30371 | https://prnt.sc/1ri6dev |
| 3981 | url | https://prnt.sc/26xz312 | 60138 | hello\nDinov threw off mmme yesterday but I did not start\n https://prnt.sc/26xz312\n\nlook - I ... |
Bitcoin Tracking¶
In [40]:
btc_intel = ioc_df.loc[(ioc_df['IoCType'] == "btc")]
btc_intel.head(10)
Out[40]:
| IoCType | Observable | SourceIndex | Input | |
|---|---|---|---|---|
| 4071 | btc | bc1q3efl4m2jcr6gk32usxnfyrxh294sr8plmpe3ye | 806 | bc1q3efl4m2jcr6gk32usxnfyrxh294sr8plmpe3ye |
| 4072 | btc | 1MxtwUpH4cWAz4en4kqVNzAdx5gpk9etUC | 1131 | hello, the bitcoins are over, in total 6 new servers, two vpn subscriptions, an ipvanish subscri... |
| 4073 | btc | bc1qnf6drcfl786d70wlhfytyr5xg3qqgknlsh8dc3 | 1606 | bc1qnf6drcfl786d70wlhfytyr5xg3qqgknlsh8dc3 |
| 4074 | btc | 17mc4Qm7ka9jhQEUB5LTxP3gW3tsDYUJGQ | 1608 | hello, the cue ball is over, in total 8 new servers, two vpn subscriptions, and 18 renewals have... |
| 4075 | btc | bc1qy2083z665ux68zda3tfuh5xed2493uaj8whdwv | 1669 | bc1qy2083z665ux68zda3tfuh5xed2493uaj8whdwv |
| 4076 | btc | 172KVKhMqL5CU1HN884RbArzu5DDL5hwE3 | 1680 | 172KVKhMqL5CU1HN884RbArzu5DDL5hwE3\n\n0.01523011 |
| 4077 | btc | bc1qc39qwc3nl2eyh2cu4ct6tyh9zqzp9ye993c0y2 | 1716 | bc1qc39qwc3nl2eyh2cu4ct6tyh9zqzp9ye993c0y2 |
| 4078 | btc | 1LLRL4vZajTtpjuBh5VpBD8zUg73CHUsq3 | 1772 | 1LLRL4vZajTtpjuBh5VpBD8zUg73CHUsq3 |
| 4079 | btc | 1Q6SsW88b94a4P3Rxtfr4pRxvhqqJAWvEc | 2868 | hello, cue ball is over, in total there are two av licenses, three new servers, three vpn subscr... |
| 4080 | btc | 12YQDqmq3t6bCKPKMRWFmqrju4UMXbcqvF | 4561 | hello, the beats are over, in total 4 new servers, 3 vpn subscriptions, ipvaninsh subscription a... |
In [41]:
# Visualizing transaction for a single BTC address
your_btc_address = 'bc1qxxe0uz8dp820mnl7q5w3a2z9y4zgq9cr6smlf6' # Genesis Block
transactions_url = 'https://blockchain.info/rawaddr/' + your_btc_address
df_btc = pd.read_json(transactions_url)
df_btc
Out[41]:
| hash160 | address | n_tx | n_unredeemed | total_received | total_sent | final_balance | txs | |
|---|---|---|---|---|---|---|---|---|
| 0 | 31b2fe08ed09d4fdcffe051d1ea8452544801703 | bc1qxxe0uz8dp820mnl7q5w3a2z9y4zgq9cr6smlf6 | 8 | 0 | 229800000 | 229800000 | 0 | {'hash': '2b4c26e565d0be930ae6e817b703b1aa6ba731da7ba4705e81c2bb5d7ecfb967', 'ver': 1, 'vin_sz':... |
| 1 | 31b2fe08ed09d4fdcffe051d1ea8452544801703 | bc1qxxe0uz8dp820mnl7q5w3a2z9y4zgq9cr6smlf6 | 8 | 0 | 229800000 | 229800000 | 0 | {'hash': '336e8d542047377aa13fb73e41a8e59cf5feba9b2b646547a04cdb2a57472eed', 'ver': 1, 'vin_sz':... |
| 2 | 31b2fe08ed09d4fdcffe051d1ea8452544801703 | bc1qxxe0uz8dp820mnl7q5w3a2z9y4zgq9cr6smlf6 | 8 | 0 | 229800000 | 229800000 | 0 | {'hash': 'e5954c3d0552fa10abf9a9639ea3949ef154dccbe5fbecdd6e1afd34fb9dfd60', 'ver': 2, 'vin_sz':... |
| 3 | 31b2fe08ed09d4fdcffe051d1ea8452544801703 | bc1qxxe0uz8dp820mnl7q5w3a2z9y4zgq9cr6smlf6 | 8 | 0 | 229800000 | 229800000 | 0 | {'hash': 'a6409ef7e1e99baad3ec7ae1063be56820f870db79da91244d82eac79ff922b5', 'ver': 2, 'vin_sz':... |
| 4 | 31b2fe08ed09d4fdcffe051d1ea8452544801703 | bc1qxxe0uz8dp820mnl7q5w3a2z9y4zgq9cr6smlf6 | 8 | 0 | 229800000 | 229800000 | 0 | {'hash': 'bde120466b01e79ac3874033655a91aac0f0753ffaa8b2ebe804663d160418d5', 'ver': 1, 'vin_sz':... |
| 5 | 31b2fe08ed09d4fdcffe051d1ea8452544801703 | bc1qxxe0uz8dp820mnl7q5w3a2z9y4zgq9cr6smlf6 | 8 | 0 | 229800000 | 229800000 | 0 | {'hash': '60c05b7fc440a8c321510866a32d6bc29c78686b22283d5ef0ffc97cd4a91912', 'ver': 2, 'vin_sz':... |
| 6 | 31b2fe08ed09d4fdcffe051d1ea8452544801703 | bc1qxxe0uz8dp820mnl7q5w3a2z9y4zgq9cr6smlf6 | 8 | 0 | 229800000 | 229800000 | 0 | {'hash': 'ed559bc70719af3706623a3db2ed921c3e5dce84b2ec61a201cfb0181e85393a', 'ver': 1, 'vin_sz':... |
| 7 | 31b2fe08ed09d4fdcffe051d1ea8452544801703 | bc1qxxe0uz8dp820mnl7q5w3a2z9y4zgq9cr6smlf6 | 8 | 0 | 229800000 | 229800000 | 0 | {'hash': '74066e28cfed92b06ead14059fcab65e825a302cc036096a31869bf5e8b8a1c0', 'ver': 2, 'vin_sz':... |
Pivoting through the IOCs using VirusTotal¶
Loading Modules¶
In [44]:
# Loading the VT API key
from msticpy.common.provider_settings import get_provider_settings
from msticpy.sectools.vtlookupv3 import VTLookupV3, VTEntityType
import nest_asyncio
vt_key = get_provider_settings("TIProviders")["VirusTotal"].args["AuthKey"]
# Instantiate vt_lookup object
vt_lookup = VTLookupV3(vt_key)
nest_asyncio.apply()
Extracting information from an IP¶
In [45]:
# Instantiate vt_lookup object
IP = "109.230.199.73"
ip_relation = vt_lookup.lookup_ioc_relationships(observable = IP, vt_type = 'ip_address', relationship = 'downloaded_files')
ip_relation
Out[45]:
| index | target_type | target | source | source_type | relationship_type | |
|---|---|---|---|---|---|---|
| 0 | 0 | file | cf0a85f491146002a26b01c8aff864a39a18a70c7b5c579e96deda212bfeec58 | 109.230.199.73 | ip_address | downloaded_files |
| 1 | 1 | file | 889e89b7c88b217f02e2b8ee54f7ee142aeb3fd60a1bd002482664a1dc8ba4ae | 109.230.199.73 | ip_address | downloaded_files |
| 2 | 2 | file | a738cf48df8b168e783a8728baac0d208298361a696ef219de01faeba030316f | 109.230.199.73 | ip_address | downloaded_files |
| 3 | 3 | file | 21145b7f20221b447d2b58ca5aaa17f6eedba1f8aa2ed91ca5ffd696cc560868 | 109.230.199.73 | ip_address | downloaded_files |
| 4 | 4 | file | d2c9f693a2080c6382a0a29d74a1b5cb13a1deeb5dbe7ff1427a669ddf66f59e | 109.230.199.73 | ip_address | downloaded_files |
| 5 | 5 | file | 37ce6b6f7a4026a69784ee202283bb4d9f13651b84cb1abaec0ca4f359514a0b | 109.230.199.73 | ip_address | downloaded_files |
| 6 | 6 | file | a4dc4dd1ddb449490d236dd1cbf087fbdf7f923616a9948bf32b28eff03e57c9 | 109.230.199.73 | ip_address | downloaded_files |
| 7 | 7 | file | 61ca39fe6ad7c054484810ba7ca1f292efab2399a5607f42006d088302f07efc | 109.230.199.73 | ip_address | downloaded_files |
| 8 | 8 | file | fe52c23ae690d0dcf2bda89c7ed75f798d2d94beaabed014de5b76159f336f5e | 109.230.199.73 | ip_address | downloaded_files |
| 9 | 9 | file | 83e285b9347fd74af8cb9c1962f584191325a98b50b2a6df6738aacd0c8054db | 109.230.199.73 | ip_address | downloaded_files |
| 10 | 10 | file | 1bad6b8cf97131fceab8543e81f7757195fbb1d36b376ee994ad1cf17699c464 | 109.230.199.73 | ip_address | downloaded_files |
Obtaining more details about a specific hash¶
In [46]:
hash_details = vt_lookup.get_object("cf0a85f491146002a26b01c8aff864a39a18a70c7b5c579e96deda212bfeec58", "file")
hash_details
Out[46]:
| id | type | type_description | tlsh | vhash | trid | creation_date | names | last_modification_date | type_tag | capabilities_tags | size | authentihash | times_submitted | last_submission_date | meaningful_name | downloadable | sha256 | type_extension | tags | crowdsourced_ids_results | last_analysis_date | unique_sources | first_submission_date | sha1 | ... | last_analysis_results.Fortinet.method | last_analysis_results.Fortinet.engine_update | last_analysis_results.AVG.category | last_analysis_results.AVG.engine_name | last_analysis_results.AVG.engine_version | last_analysis_results.AVG.result | last_analysis_results.AVG.method | last_analysis_results.AVG.engine_update | last_analysis_results.Cybereason.category | last_analysis_results.Cybereason.engine_name | last_analysis_results.Cybereason.engine_version | last_analysis_results.Cybereason.result | last_analysis_results.Cybereason.method | last_analysis_results.Cybereason.engine_update | last_analysis_results.Panda.category | last_analysis_results.Panda.engine_name | last_analysis_results.Panda.engine_version | last_analysis_results.Panda.result | last_analysis_results.Panda.method | last_analysis_results.Panda.engine_update | sigma_analysis_stats.high | sigma_analysis_stats.medium | sigma_analysis_stats.critical | sigma_analysis_stats.low | context_attributes | |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 0 | cf0a85f491146002a26b01c8aff864a39a18a70c7b5c579e96deda212bfeec58 | file | Win32 DLL | T110049E14B2A914FBEE6A82B984935611B07174624338DFEF03A4C375DE0E7E15A3EF25 | 115076651d155d15555az43=z55 | [{'file_type': 'Win64 Executable (generic)', 'probability': 48.7}, {'file_type': 'Win16 NE execu... | 2021-06-28 19:55:54+00:00 | [197.dll, iduD2A1.tmp] | 2022-03-10 07:02:37+00:00 | pedll | [] | 181248 | 0d10a35c1bed8d5a4516a2e704d43f10d47ffd2aabd9ce9e04fb3446f62168bf | 1 | 2021-06-28 22:02:34+00:00 | 197.dll | True | cf0a85f491146002a26b01c8aff864a39a18a70c7b5c579e96deda212bfeec58 | dll | [assembly, invalid-rich-pe-linker-version, detect-debug-environment, long-sleeps, 64bits, pedll] | [{'rule_category': 'non-standard-protocol', 'alert_severity': 'medium', 'rule_msg': 'DELETED BAD... | 2021-11-11 00:50:52+00:00 | 1 | 2021-06-28 22:02:34+00:00 | ddf0214fbf92240bc60480a37c9c803e3ad06321 | ... | blacklist | 20211110 | malicious | AVG | 21.1.5827.0 | Win64:DropperX-gen [Drp] | blacklist | 20211110 | type-unsupported | Cybereason | 1.2.449 | None | blacklist | 20210330 | malicious | Panda | 4.6.4.2 | Trj/CI.A | blacklist | 20211110 | 0 | 1 | 1 | 0 | None |
1 rows × 538 columns
Get relationship for a specific hash¶
In [47]:
contacted_domain = vt_lookup.lookup_ioc_relationships(observable = "cf0a85f491146002a26b01c8aff864a39a18a70c7b5c579e96deda212bfeec58", vt_type = 'file', relationship = 'contacted_domains')
contacted_domain
Out[47]:
| index | target_type | target | source | source_type | relationship_type | |
|---|---|---|---|---|---|---|
| 0 | 0 | domain | 125.21.88.13.in-addr.arpa | cf0a85f491146002a26b01c8aff864a39a18a70c7b5c579e96deda212bfeec58 | file | contacted_domains |
| 1 | 1 | domain | 130.155.190.20.in-addr.arpa | cf0a85f491146002a26b01c8aff864a39a18a70c7b5c579e96deda212bfeec58 | file | contacted_domains |
| 2 | 2 | domain | 137.90.64.13.in-addr.arpa | cf0a85f491146002a26b01c8aff864a39a18a70c7b5c579e96deda212bfeec58 | file | contacted_domains |
| 3 | 3 | domain | 150.32.88.40.in-addr.arpa | cf0a85f491146002a26b01c8aff864a39a18a70c7b5c579e96deda212bfeec58 | file | contacted_domains |
| 4 | 4 | domain | 197.161.181.107.in-addr.arpa | cf0a85f491146002a26b01c8aff864a39a18a70c7b5c579e96deda212bfeec58 | file | contacted_domains |
| 5 | 5 | domain | 83.188.255.52.in-addr.arpa | cf0a85f491146002a26b01c8aff864a39a18a70c7b5c579e96deda212bfeec58 | file | contacted_domains |
| 6 | 6 | domain | zizodream.com | cf0a85f491146002a26b01c8aff864a39a18a70c7b5c579e96deda212bfeec58 | file | contacted_domains |
Get relationship for multiple hashes¶
In [48]:
multiple_result = vt_lookup.lookup_iocs_relationships(ip_relation, relationship = 'contacted_domains')
multiple_result
Out[48]:
| index | target_type | target | source | source_type | relationship_type | id | type | first_submission_date | size | type_description | meaningful_name | last_submission_date | times_submitted | |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 0 | 0.0 | domain | 125.21.88.13.in-addr.arpa | cf0a85f491146002a26b01c8aff864a39a18a70c7b5c579e96deda212bfeec58 | file | contacted_domains | NaN | NaN | NaN | NaN | NaN | NaN | NaN | NaN |
| 1 | 1.0 | domain | 130.155.190.20.in-addr.arpa | cf0a85f491146002a26b01c8aff864a39a18a70c7b5c579e96deda212bfeec58 | file | contacted_domains | NaN | NaN | NaN | NaN | NaN | NaN | NaN | NaN |
| 2 | 2.0 | domain | 137.90.64.13.in-addr.arpa | cf0a85f491146002a26b01c8aff864a39a18a70c7b5c579e96deda212bfeec58 | file | contacted_domains | NaN | NaN | NaN | NaN | NaN | NaN | NaN | NaN |
| 3 | 3.0 | domain | 150.32.88.40.in-addr.arpa | cf0a85f491146002a26b01c8aff864a39a18a70c7b5c579e96deda212bfeec58 | file | contacted_domains | NaN | NaN | NaN | NaN | NaN | NaN | NaN | NaN |
| 4 | 4.0 | domain | 197.161.181.107.in-addr.arpa | cf0a85f491146002a26b01c8aff864a39a18a70c7b5c579e96deda212bfeec58 | file | contacted_domains | NaN | NaN | NaN | NaN | NaN | NaN | NaN | NaN |
| 5 | 5.0 | domain | 83.188.255.52.in-addr.arpa | cf0a85f491146002a26b01c8aff864a39a18a70c7b5c579e96deda212bfeec58 | file | contacted_domains | NaN | NaN | NaN | NaN | NaN | NaN | NaN | NaN |
| 6 | 6.0 | domain | zizodream.com | cf0a85f491146002a26b01c8aff864a39a18a70c7b5c579e96deda212bfeec58 | file | contacted_domains | NaN | NaN | NaN | NaN | NaN | NaN | NaN | NaN |
| 0 | 0.0 | domain | krinsop.com | 889e89b7c88b217f02e2b8ee54f7ee142aeb3fd60a1bd002482664a1dc8ba4ae | file | contacted_domains | NaN | NaN | NaN | NaN | NaN | NaN | NaN | NaN |
| 0 | NaN | NaN | NaN | NaN | NaN | NaN | a738cf48df8b168e783a8728baac0d208298361a696ef219de01faeba030316f | file | Not found | Not found | Not found | Not found | Not found | Not found |
| 0 | 0.0 | domain | 1.155.190.20.in-addr.arpa | 21145b7f20221b447d2b58ca5aaa17f6eedba1f8aa2ed91ca5ffd696cc560868 | file | contacted_domains | NaN | NaN | NaN | NaN | NaN | NaN | NaN | NaN |
| 1 | 1.0 | domain | 106.89.54.20.in-addr.arpa | 21145b7f20221b447d2b58ca5aaa17f6eedba1f8aa2ed91ca5ffd696cc560868 | file | contacted_domains | NaN | NaN | NaN | NaN | NaN | NaN | NaN | NaN |
| 2 | 2.0 | domain | 152.68.35.23.in-addr.arpa | 21145b7f20221b447d2b58ca5aaa17f6eedba1f8aa2ed91ca5ffd696cc560868 | file | contacted_domains | NaN | NaN | NaN | NaN | NaN | NaN | NaN | NaN |
| 3 | 3.0 | domain | 226.101.242.52.in-addr.arpa | 21145b7f20221b447d2b58ca5aaa17f6eedba1f8aa2ed91ca5ffd696cc560868 | file | contacted_domains | NaN | NaN | NaN | NaN | NaN | NaN | NaN | NaN |
| 4 | 4.0 | domain | 234.151.42.104.in-addr.arpa | 21145b7f20221b447d2b58ca5aaa17f6eedba1f8aa2ed91ca5ffd696cc560868 | file | contacted_domains | NaN | NaN | NaN | NaN | NaN | NaN | NaN | NaN |
| 5 | 5.0 | domain | 41.69.35.23.in-addr.arpa | 21145b7f20221b447d2b58ca5aaa17f6eedba1f8aa2ed91ca5ffd696cc560868 | file | contacted_domains | NaN | NaN | NaN | NaN | NaN | NaN | NaN | NaN |
| 6 | 6.0 | domain | 48.193.43.104.in-addr.arpa | 21145b7f20221b447d2b58ca5aaa17f6eedba1f8aa2ed91ca5ffd696cc560868 | file | contacted_domains | NaN | NaN | NaN | NaN | NaN | NaN | NaN | NaN |
| 7 | 7.0 | domain | 80.69.35.23.in-addr.arpa | 21145b7f20221b447d2b58ca5aaa17f6eedba1f8aa2ed91ca5ffd696cc560868 | file | contacted_domains | NaN | NaN | NaN | NaN | NaN | NaN | NaN | NaN |
| 8 | 8.0 | domain | 83.188.255.52.in-addr.arpa | 21145b7f20221b447d2b58ca5aaa17f6eedba1f8aa2ed91ca5ffd696cc560868 | file | contacted_domains | NaN | NaN | NaN | NaN | NaN | NaN | NaN | NaN |
| 9 | 9.0 | domain | prda.aadg.msidentity.com | 21145b7f20221b447d2b58ca5aaa17f6eedba1f8aa2ed91ca5ffd696cc560868 | file | contacted_domains | NaN | NaN | NaN | NaN | NaN | NaN | NaN | NaN |
| 0 | NaN | NaN | NaN | NaN | NaN | NaN | d2c9f693a2080c6382a0a29d74a1b5cb13a1deeb5dbe7ff1427a669ddf66f59e | file | Not found | Not found | Not found | Not found | Not found | Not found |
| 0 | NaN | NaN | NaN | NaN | NaN | NaN | 37ce6b6f7a4026a69784ee202283bb4d9f13651b84cb1abaec0ca4f359514a0b | file | Not found | Not found | Not found | Not found | Not found | Not found |
| 0 | NaN | NaN | NaN | NaN | NaN | NaN | a4dc4dd1ddb449490d236dd1cbf087fbdf7f923616a9948bf32b28eff03e57c9 | file | Not found | Not found | Not found | Not found | Not found | Not found |
| 0 | 0.0 | domain | fanklez.com | 61ca39fe6ad7c054484810ba7ca1f292efab2399a5607f42006d088302f07efc | file | contacted_domains | NaN | NaN | NaN | NaN | NaN | NaN | NaN | NaN |
| 0 | NaN | NaN | NaN | NaN | NaN | NaN | fe52c23ae690d0dcf2bda89c7ed75f798d2d94beaabed014de5b76159f336f5e | file | Not found | Not found | Not found | Not found | Not found | Not found |
| 0 | NaN | NaN | NaN | NaN | NaN | NaN | 83e285b9347fd74af8cb9c1962f584191325a98b50b2a6df6738aacd0c8054db | file | Not found | Not found | Not found | Not found | Not found | Not found |
| 0 | NaN | NaN | NaN | NaN | NaN | NaN | 1bad6b8cf97131fceab8543e81f7757195fbb1d36b376ee994ad1cf17699c464 | file | Not found | Not found | Not found | Not found | Not found | Not found |
Conclusion¶
This blog outlines how Python can be used to find valuable threat intelligence from data sets such as chat logs. It also presents details on how processing data using the MSTICPy library can be useful for enriching and hunting within environments, as well as collecting additional threat context. This notebook can be adapted for your own purpose or for other data source.