Indicators of compromise, scraped from URLHaus links and other sources
Recent (daily) IOCs can be found here: https://github.com/ProIntegritate/IOCs-Daily
For maximum compatibility (Forensics, SIEM, Threathunting platforms) the following formats are supported:
- MD5
- SHA1
- SHA256
- FUZZYHash
- File ID (Type)
- Filesize
V2 addition: (Added on 2020-01-07)
- Yara compatible Richhash (1)
The RichHash field will be show as:
- rh: MD5_HASH = File contained a RichHash, it was successfully decoded using the XOR key.
- nh: MD5_HASH = File did not contain a RichHash, but the area 0x80 to 0xff was hashed with and presented instead.
- - = This was not an Windows executable PE file and no data was produced.
NOTE: From 2020-Jan-07 Richhashes are compatible with YARA rules (pe.rich_signature.clear_data), before that they used ANOTHER format which wasn't compatible and could only be used for pivoting within the data.
V3 addition: (Added on 2020-02-01)
- Metahash (2) Hash of FileversionInfo strings
The Metahash is a product of concatenating the following FileVersionInfo strings (as is, no separators):
- CompanyName
- FileDescription
- InternalName
- LegalCopyright
- LegalTrademarks
- OriginalFilename
- ProductName
Shown as:
- mh: MD5_HASH = File contains FileVersionInfo (at least one string)
- - = Contains absolutely no FileVersionInfo strings.
Like Richhash, Metahash can and has been quite useful to pivot on unknown malware samples and corellate between samples over time.
NOTE 1: A very low amount (single digit) of these files are legitimate non mallicious files, like PuTTY which is by itself harmless and a legitemate tool, but sometimes tools are abused and become part of a malware campaign, if you find a legit tool and nobody know why it is there, you should investigate.
NOTE 2: The new files are called iocs_V3_yyyy-mm-dd, V3 denoting that the new fields and format are in use