/IOCs

Indicators of compromise

IOCs

Indicators of compromise, scraped from URLHaus links and other sources

Recent (daily) IOCs can be found here: https://github.com/ProIntegritate/IOCs-Daily

For maximum compatibility (Forensics, SIEM, Threathunting platforms) the following formats are supported:

  • MD5
  • SHA1
  • SHA256
  • FUZZYHash
  • File ID (Type)
  • Filesize

V2 addition: (Added on 2020-01-07)

  • Yara compatible Richhash (1)

The RichHash field will be show as:

  • rh: MD5_HASH = File contained a RichHash, it was successfully decoded using the XOR key.
  • nh: MD5_HASH = File did not contain a RichHash, but the area 0x80 to 0xff was hashed with and presented instead.
  • - = This was not an Windows executable PE file and no data was produced.

NOTE: From 2020-Jan-07 Richhashes are compatible with YARA rules (pe.rich_signature.clear_data), before that they used ANOTHER format which wasn't compatible and could only be used for pivoting within the data.

V3 addition: (Added on 2020-02-01)

  • Metahash (2) Hash of FileversionInfo strings

The Metahash is a product of concatenating the following FileVersionInfo strings (as is, no separators):

  • CompanyName
  • FileDescription
  • InternalName
  • LegalCopyright
  • LegalTrademarks
  • OriginalFilename
  • ProductName

Shown as:

  • mh: MD5_HASH = File contains FileVersionInfo (at least one string)
  • - = Contains absolutely no FileVersionInfo strings.

Like Richhash, Metahash can and has been quite useful to pivot on unknown malware samples and corellate between samples over time.

NOTE 1: A very low amount (single digit) of these files are legitimate non mallicious files, like PuTTY which is by itself harmless and a legitemate tool, but sometimes tools are abused and become part of a malware campaign, if you find a legit tool and nobody know why it is there, you should investigate.

NOTE 2: The new files are called iocs_V3_yyyy-mm-dd, V3 denoting that the new fields and format are in use