{ "cells": [ { "cell_type": "markdown", "metadata": {}, "source": [ "# Malware Bazaar Lookup with MSTICpy\n", "\n", "Author: Thomas Roccia | @fr0gger_\n", "\n", "This notebook demonstrates the usage of the MalwareBazaar module for threat enrichment.\n", "\n", "More details can be found here: https://bazaar.abuse.ch/api/" ] }, { "cell_type": "code", "execution_count": 1, "metadata": {}, "outputs": [ { "data": { "text/html": [ "\n", "This product includes GeoLite2 data created by MaxMind, available from\n", "https://www.maxmind.com.\n" ], "text/plain": [ "" ] }, "metadata": {}, "output_type": "display_data" } ], "source": [ "# Import the MBlookup class from MSTICpy\n", "from msticpy.context.tiproviders.mblookup import MBlookup\n", "\n", "# Use the MBlookup class to get more details about the IOC.\n", "mblookup = MBlookup()" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "## Lookup IOC\n", "The lookup_ioc function can be used to query Malware Bazaar for several kinds of element. It doesn't require any API key.\n", "\n", "To use the function you must specify the observable and the Malware Bazaar type.\n", "\n", "The list of types is the following:\n", "\n", "* 'hash': the sha256 hash of your sample (note: the module does not calculate the hash automatically)\n", "* 'tag': the tag used on Malware Bazaar to retrieve a set of specific samples. You can use the 'limit' parameter (default is 50)\n", "* 'filetype': the type of files you want to retrieve. Limit is 50 by default\n", "* 'clamav': the ClamAV signature that matches the samples you want to retrieve.\n", "* 'imphash': the imphash of the files you want to retrieve.\n", "* 'dhash': the icon hash that matches the samples you want to retrieve.\n", "* 'yara': the YARA rule that matches the samples.\n", "* 'tlsh': the TLSH that matches the samples.\n", "* 'telfhash': the Telfhash that matches the samples.\n", "* 'issuerinfo': the certificate issuer used by the matching samples.\n", "* 'subjectinfo': the certificate subject used by the samples.\n", "* 'certifcate': the serial number of the certificate.\n", "* 'gimphash': the Go import hash.\n", "\n", "\n", "Each of these types must be specified in the mb_type variable together with your IOC. Each call returns a Pandas DataFrame. The examples below show how to use the module.\n" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "### Single Hash" ] }, { "cell_type": "code", "execution_count": 2, "metadata": {}, "outputs": [ { "data": { "text/html": [ "
sha256_hashsha3_384_hashsha1_hashmd5_hashfirst_seenlast_seenfile_namefile_sizefile_type_mimefile_type...vendor_intel.Triage.signaturesvendor_intel.Triage.malware_configvendor_intel.ReversingLabs.threat_namevendor_intel.ReversingLabs.statusvendor_intel.ReversingLabs.first_seenvendor_intel.ReversingLabs.scanner_countvendor_intel.ReversingLabs.scanner_matchvendor_intel.ReversingLabs.scanner_percentvendor_intel.Spamhaus_HBLvendor_intel.UnpacMe
07de2c1bf58bce09eecc70476747d88a26163c3d6bb1d85...139b8890e573e4c759e4904902b3ece1b4b8c1fd7a49fc...77543bde72105ae1a28cc71815d9ea89ea162052c40aead7a31d14e05b2ee4a11849eced2020-10-19 09:54:37NoneNew Order POA12990120 From Akweni Group.exe903680application/x-dosexecexe...[{'signature': 'Azorult', 'score': '10'}, {'si...[{'extraction': 'c2', 'family': 'azorult', 'c2...ByteCode-MSIL.Trojan.AgentTeslaMALICIOUS2020-10-19 05:14:13282382.14[{'detection': 'malicious', 'link': 'https://w...[{'sha256_hash': '7de2c1bf58bce09eecc70476747d...
\n", "

1 rows × 55 columns

\n", "
" ], "text/plain": [ " sha256_hash \\\n", "0 7de2c1bf58bce09eecc70476747d88a26163c3d6bb1d85... \n", "\n", " sha3_384_hash \\\n", "0 139b8890e573e4c759e4904902b3ece1b4b8c1fd7a49fc... \n", "\n", " sha1_hash md5_hash \\\n", "0 77543bde72105ae1a28cc71815d9ea89ea162052 c40aead7a31d14e05b2ee4a11849eced \n", "\n", " first_seen last_seen file_name \\\n", "0 2020-10-19 09:54:37 None New Order POA12990120 From Akweni Group.exe \n", "\n", " file_size file_type_mime file_type ... \\\n", "0 903680 application/x-dosexec exe ... \n", "\n", " vendor_intel.Triage.signatures \\\n", "0 [{'signature': 'Azorult', 'score': '10'}, {'si... \n", "\n", " vendor_intel.Triage.malware_config \\\n", "0 [{'extraction': 'c2', 'family': 'azorult', 'c2... \n", "\n", " vendor_intel.ReversingLabs.threat_name vendor_intel.ReversingLabs.status \\\n", "0 ByteCode-MSIL.Trojan.AgentTesla MALICIOUS \n", "\n", " vendor_intel.ReversingLabs.first_seen \\\n", "0 2020-10-19 05:14:13 \n", "\n", " vendor_intel.ReversingLabs.scanner_count \\\n", "0 28 \n", "\n", " vendor_intel.ReversingLabs.scanner_match \\\n", "0 23 \n", "\n", " vendor_intel.ReversingLabs.scanner_percent \\\n", "0 82.14 \n", "\n", " vendor_intel.Spamhaus_HBL \\\n", "0 [{'detection': 'malicious', 'link': 'https://w... \n", "\n", " vendor_intel.UnpacMe \n", "0 [{'sha256_hash': '7de2c1bf58bce09eecc70476747d... \n", "\n", "[1 rows x 55 columns]" ] }, "metadata": {}, "output_type": "display_data" } ], "source": [ "mbdetail = mblookup.lookup_ioc(observable='7de2c1bf58bce09eecc70476747d88a26163c3d6bb1d85235c24a558d1f16754', mb_type='hash')\n", "display(mbdetail)" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "### Latest samples that are tagged 'Emotet'" ] }, { "cell_type": "code", "execution_count": 3, "metadata": {}, "outputs": [ { "data": { "text/html": [ "
sha256_hashsha3_384_hashsha1_hashmd5_hashfirst_seenlast_seenfile_namefile_sizefile_type_mimefile_type...telfhashgimphashssdeepdhash_icontagscode_signintelligence.clamavintelligence.downloadsintelligence.uploadsintelligence.mail
0994c6b6e6d07592cea62bd2b667c60694e862f17f7e740...3500e84cac6ea8504d98d1c59e27b497f6241cc6943a60...21280cb8d696d79f68e9bb99661d77aaddfa97c151b3e08cb5b18fd46876b4a9bebb0fd02022-08-08 21:20:27NoneSample_62a03e5baa5b3700182f075d.xlsm47898application/vnd.openxmlformats-officedocument....xlsm...NoneNone768:X5WHFKfQzXTmbfRzdDTKufT9nz0LTyY1NiMZFYpvrL...None[Emotet, Heodo, xlsm][][Sanesecurity.Malware.28370.badform.UNOFFICIAL...3621None
1c8a0a8bce7a0ea50386666600c2ce4c90e23adc02b921b...4a055c57c7384f4caaf8f8a804cf0a0a40c448ede47126...586ee85719397ae5548dbd724b92471ff62d509113e5decc722a39965a15f47bc3fabb442022-08-01 19:50:36None13e5decc722a39965a15f47bc3fabb44.exe274472application/x-dosexecexe...NoneNone6144:flqhx0eX9B4DfdnCpObaAzmR1NtJWNmd9yKvj:GP9...1003873d31213f10[Emotet, exe, Heodo][][Win.Dropper.Zeus-7729282-0, Win.Dropper.Zeus-...4331None
216488a25bf5ef3bb38f176f1843bfabfc4a3d0beec81f4...365fba2160ee6c644daa99aaa92c02f30cfb8d427ff667...c0ff465eb0b6ccc0f3a36bb593ced7453736a7508d925c0da257436438893e6fe7ce2f4f2022-08-01 11:40:55Nonesample348504application/x-dosexecdll...NoneNone3072:KRq1sFAd2gQ5PmBvNZwnnq1gn2RvoXiDzAYgrO1v2...None[dll, Emotet, Heodo][][Win.Malware.Emotet-9823769-0, Win.Malware.Emo...2511None
3c409ad4f64a1ad925ffbfdb88f57dd9177123364a1875c...42a45407c6132ce00c84add2111d159441acc5b35aa46e...c8a2b0ae061b612f4d4a4cfc4ee3e1f7079b42407301880b88f87cd3a593f7106d5743cc2022-07-23 02:54:09None7301880b88f87cd3a593f7106d5743cc962048application/x-dosexecexe...NoneNone12288:kvyPTUfrN+lSDLV9dRCYFdVlv6jVBv4w8N6zTlvd...None[Emotet, exe, Heodo, OpenCTI.BR, Sandboxed][][SecuriteInfo.com.Emotet-FTY5BBDDAC95C90.16550...3271None
48b5a10f9a8f2b25057442111a01faf021ef7e048eab875...4e9a56bdf35825419667963ec4bd061f0fcc3ce036902d...c6c966e4ba623f9972273de07b842ffbb9a9efce1dd34935a785a419fb552b5086ea682e2022-07-22 11:52:08None1dd34935a785a419fb552b5086ea682e850944application/x-dosexecexe...NoneNone12288:jRCGXj4KVB9abMfyzfqvHWnyPv+LVHT2+2JNdX71...None[Emotet, exe, Heodo, OpenCTI.BR, Sandboxed][][SecuriteInfo.com.Emotet-FTNA218E3B03756.13897...3651None
5fc63829723b725fab3a69bac667f379d300b12d60cba35...1b485e28ea1d8191366379171821e7f1dfa63e9be2a2f2...02cb7bfaa6b00c7900a8d60040fe7d97ea9558d15c7b589a59f315aad49ca49c3481f2a92022-07-22 11:41:562022-07-22 18:20:135c7b589a59f315aad49ca49c3481f2a9433664application/x-dosexecexe...NoneNone12288:jTZfuSuI5OORAL3Onl/+HuVPxskfcg3gA:jTxuI5...None[Emotet, exe, Heodo, OpenCTI.BR, Sandboxed][][Win.Trojan.Emotet-9954177-0]3642None
6caa60b9025dfba07efac6cae5438a8e20d9b7c210a721a...345acaa99928a3ab60ec0e860145372b7c38ce8cef078c...abcbd283801a05390995862f59dcb5310f3d3d885d4728494832d03bbfb75367836fef4e2022-07-22 11:08:272022-07-22 13:00:515d4728494832d03bbfb75367836fef4e691200application/x-dosexecexe...NoneNone12288:pBBKShhc/bQisqkxf3CJS+HQ58B6loNJYlvw9zaa...None[Emotet, exe, Heodo, OpenCTI.BR, Sandboxed][][Win.Trojan.Generic-9950172-0]3312None
7234bc8a9a4d46fc09e882c75900a3af46a21c3bae960a9...50ef437e91839b6551a8c0345d7ed3391d3182204c77d4...fb154557cdd2e98508a420140b2832fa9328fc08d97a7ad99d03d6e71460ea1d070aabc62022-07-22 11:03:132022-07-22 23:09:45d97a7ad99d03d6e71460ea1d070aabc6782848application/x-dosexecexe...NoneNone12288:hJheLDF+GBXYT7Ose6FPmg3T3tG2lqfn3tBzqgf/...b2b2b2b2b268e868[Emotet, exe, Heodo, OpenCTI.BR, Sandboxed][][SecuriteInfo.com.Emotet-FTNF37FD4B3B9A6.17126...3042None
8258bb2b23c6ea7434eb8c965a168e7eb87257f5d3e4c42...9d9b1be066c88fdc6bda62a00369a05d53c4f2bac7cb2a...d880badbb5b3041e401db1000079f4b06bb875d3b2e8a93629044e790dff4d779dcbcd0d2022-07-22 10:49:592022-07-22 13:02:10b2e8a93629044e790dff4d779dcbcd0d751104application/x-dosexecexe...NoneNone12288:QolWKutgKC7t1DtuANCqKLvr+U4rG2a/FviAzPVC...None[Emotet, exe, Heodo, OpenCTI.BR, Sandboxed][][SecuriteInfo.com.Emotet-FTN7E05BA7C938A.25784...2952None
94a688f571024b08f9793559427d8692471f5aa71588289...bfc3326e7ae309fa30b28c6f1b7ef5cdf04d8c78df34dd...0ea68aab3721e509ce0b1bff7e574eda037798be83418a9af56db91ff2c78c4b2b9d62f82022-07-19 23:04:49None83418a9af56db91ff2c78c4b2b9d62f8655360application/x-dosexecdll...NoneNone6144:/6ZMFXzqfoSHr/mvcQYbi2HN8C8BgifO7y7TcuVqr...90cccc4874cccce8[32, dll, Emotet, exe, Heodo, trojan][][Win.Trojan.Generic-9942396-0, Win.Trojan.Gene...2151None
\n", "

10 rows × 25 columns

\n", "
" ], "text/plain": [ " sha256_hash \\\n", "0 994c6b6e6d07592cea62bd2b667c60694e862f17f7e740... \n", "1 c8a0a8bce7a0ea50386666600c2ce4c90e23adc02b921b... \n", "2 16488a25bf5ef3bb38f176f1843bfabfc4a3d0beec81f4... \n", "3 c409ad4f64a1ad925ffbfdb88f57dd9177123364a1875c... \n", "4 8b5a10f9a8f2b25057442111a01faf021ef7e048eab875... \n", "5 fc63829723b725fab3a69bac667f379d300b12d60cba35... \n", "6 caa60b9025dfba07efac6cae5438a8e20d9b7c210a721a... \n", "7 234bc8a9a4d46fc09e882c75900a3af46a21c3bae960a9... \n", "8 258bb2b23c6ea7434eb8c965a168e7eb87257f5d3e4c42... \n", "9 4a688f571024b08f9793559427d8692471f5aa71588289... \n", "\n", " sha3_384_hash \\\n", "0 3500e84cac6ea8504d98d1c59e27b497f6241cc6943a60... \n", "1 4a055c57c7384f4caaf8f8a804cf0a0a40c448ede47126... \n", "2 365fba2160ee6c644daa99aaa92c02f30cfb8d427ff667... \n", "3 42a45407c6132ce00c84add2111d159441acc5b35aa46e... \n", "4 4e9a56bdf35825419667963ec4bd061f0fcc3ce036902d... \n", "5 1b485e28ea1d8191366379171821e7f1dfa63e9be2a2f2... \n", "6 345acaa99928a3ab60ec0e860145372b7c38ce8cef078c... \n", "7 50ef437e91839b6551a8c0345d7ed3391d3182204c77d4... \n", "8 9d9b1be066c88fdc6bda62a00369a05d53c4f2bac7cb2a... \n", "9 bfc3326e7ae309fa30b28c6f1b7ef5cdf04d8c78df34dd... 
\n", "\n", " sha1_hash md5_hash \\\n", "0 21280cb8d696d79f68e9bb99661d77aaddfa97c1 51b3e08cb5b18fd46876b4a9bebb0fd0 \n", "1 586ee85719397ae5548dbd724b92471ff62d5091 13e5decc722a39965a15f47bc3fabb44 \n", "2 c0ff465eb0b6ccc0f3a36bb593ced7453736a750 8d925c0da257436438893e6fe7ce2f4f \n", "3 c8a2b0ae061b612f4d4a4cfc4ee3e1f7079b4240 7301880b88f87cd3a593f7106d5743cc \n", "4 c6c966e4ba623f9972273de07b842ffbb9a9efce 1dd34935a785a419fb552b5086ea682e \n", "5 02cb7bfaa6b00c7900a8d60040fe7d97ea9558d1 5c7b589a59f315aad49ca49c3481f2a9 \n", "6 abcbd283801a05390995862f59dcb5310f3d3d88 5d4728494832d03bbfb75367836fef4e \n", "7 fb154557cdd2e98508a420140b2832fa9328fc08 d97a7ad99d03d6e71460ea1d070aabc6 \n", "8 d880badbb5b3041e401db1000079f4b06bb875d3 b2e8a93629044e790dff4d779dcbcd0d \n", "9 0ea68aab3721e509ce0b1bff7e574eda037798be 83418a9af56db91ff2c78c4b2b9d62f8 \n", "\n", " first_seen last_seen \\\n", "0 2022-08-08 21:20:27 None \n", "1 2022-08-01 19:50:36 None \n", "2 2022-08-01 11:40:55 None \n", "3 2022-07-23 02:54:09 None \n", "4 2022-07-22 11:52:08 None \n", "5 2022-07-22 11:41:56 2022-07-22 18:20:13 \n", "6 2022-07-22 11:08:27 2022-07-22 13:00:51 \n", "7 2022-07-22 11:03:13 2022-07-22 23:09:45 \n", "8 2022-07-22 10:49:59 2022-07-22 13:02:10 \n", "9 2022-07-19 23:04:49 None \n", "\n", " file_name file_size \\\n", "0 Sample_62a03e5baa5b3700182f075d.xlsm 47898 \n", "1 13e5decc722a39965a15f47bc3fabb44.exe 274472 \n", "2 sample 348504 \n", "3 7301880b88f87cd3a593f7106d5743cc 962048 \n", "4 1dd34935a785a419fb552b5086ea682e 850944 \n", "5 5c7b589a59f315aad49ca49c3481f2a9 433664 \n", "6 5d4728494832d03bbfb75367836fef4e 691200 \n", "7 d97a7ad99d03d6e71460ea1d070aabc6 782848 \n", "8 b2e8a93629044e790dff4d779dcbcd0d 751104 \n", "9 83418a9af56db91ff2c78c4b2b9d62f8 655360 \n", "\n", " file_type_mime file_type ... telfhash \\\n", "0 application/vnd.openxmlformats-officedocument.... xlsm ... None \n", "1 application/x-dosexec exe ... None \n", "2 application/x-dosexec dll ... 
None \n", "3 application/x-dosexec exe ... None \n", "4 application/x-dosexec exe ... None \n", "5 application/x-dosexec exe ... None \n", "6 application/x-dosexec exe ... None \n", "7 application/x-dosexec exe ... None \n", "8 application/x-dosexec exe ... None \n", "9 application/x-dosexec dll ... None \n", "\n", " gimphash ssdeep \\\n", "0 None 768:X5WHFKfQzXTmbfRzdDTKufT9nz0LTyY1NiMZFYpvrL... \n", "1 None 6144:flqhx0eX9B4DfdnCpObaAzmR1NtJWNmd9yKvj:GP9... \n", "2 None 3072:KRq1sFAd2gQ5PmBvNZwnnq1gn2RvoXiDzAYgrO1v2... \n", "3 None 12288:kvyPTUfrN+lSDLV9dRCYFdVlv6jVBv4w8N6zTlvd... \n", "4 None 12288:jRCGXj4KVB9abMfyzfqvHWnyPv+LVHT2+2JNdX71... \n", "5 None 12288:jTZfuSuI5OORAL3Onl/+HuVPxskfcg3gA:jTxuI5... \n", "6 None 12288:pBBKShhc/bQisqkxf3CJS+HQ58B6loNJYlvw9zaa... \n", "7 None 12288:hJheLDF+GBXYT7Ose6FPmg3T3tG2lqfn3tBzqgf/... \n", "8 None 12288:QolWKutgKC7t1DtuANCqKLvr+U4rG2a/FviAzPVC... \n", "9 None 6144:/6ZMFXzqfoSHr/mvcQYbi2HN8C8BgifO7y7TcuVqr... \n", "\n", " dhash_icon tags code_sign \\\n", "0 None [Emotet, Heodo, xlsm] [] \n", "1 1003873d31213f10 [Emotet, exe, Heodo] [] \n", "2 None [dll, Emotet, Heodo] [] \n", "3 None [Emotet, exe, Heodo, OpenCTI.BR, Sandboxed] [] \n", "4 None [Emotet, exe, Heodo, OpenCTI.BR, Sandboxed] [] \n", "5 None [Emotet, exe, Heodo, OpenCTI.BR, Sandboxed] [] \n", "6 None [Emotet, exe, Heodo, OpenCTI.BR, Sandboxed] [] \n", "7 b2b2b2b2b268e868 [Emotet, exe, Heodo, OpenCTI.BR, Sandboxed] [] \n", "8 None [Emotet, exe, Heodo, OpenCTI.BR, Sandboxed] [] \n", "9 90cccc4874cccce8 [32, dll, Emotet, exe, Heodo, trojan] [] \n", "\n", " intelligence.clamav intelligence.downloads \\\n", "0 [Sanesecurity.Malware.28370.badform.UNOFFICIAL... 362 \n", "1 [Win.Dropper.Zeus-7729282-0, Win.Dropper.Zeus-... 433 \n", "2 [Win.Malware.Emotet-9823769-0, Win.Malware.Emo... 251 \n", "3 [SecuriteInfo.com.Emotet-FTY5BBDDAC95C90.16550... 327 \n", "4 [SecuriteInfo.com.Emotet-FTNA218E3B03756.13897... 
365 \n", "5 [Win.Trojan.Emotet-9954177-0] 364 \n", "6 [Win.Trojan.Generic-9950172-0] 331 \n", "7 [SecuriteInfo.com.Emotet-FTNF37FD4B3B9A6.17126... 304 \n", "8 [SecuriteInfo.com.Emotet-FTN7E05BA7C938A.25784... 295 \n", "9 [Win.Trojan.Generic-9942396-0, Win.Trojan.Gene... 215 \n", "\n", " intelligence.uploads intelligence.mail \n", "0 1 None \n", "1 1 None \n", "2 1 None \n", "3 1 None \n", "4 1 None \n", "5 2 None \n", "6 2 None \n", "7 2 None \n", "8 2 None \n", "9 1 None \n", "\n", "[10 rows x 25 columns]" ] }, "metadata": {}, "output_type": "display_data" } ], "source": [ "mbdetail = mblookup.lookup_ioc(observable='emotet', mb_type='tag', limit=10)\n", "display(mbdetail)" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "## Get Trickbot samples by signature" ] }, { "cell_type": "code", "execution_count": 4, "metadata": {}, "outputs": [ { "data": { "text/html": [ "
sha256_hashsha3_384_hashsha1_hashmd5_hashfirst_seenlast_seenfile_namefile_sizefile_type_mimefile_type...telfhashgimphashssdeepdhash_icontagscode_signintelligence.clamavintelligence.downloadsintelligence.uploadsintelligence.mail
0b7cbc5e5dc182c8d99809cd64d36734abeb6bfac15e6ef...40acf4c4f672dbc849d4159fd71d4207eacd324b359a76...516c7a538e93f7cf4bff29196511f94e5fbb5a408402ab33eafb84178069f8f490ca604d2022-07-08 09:22:51Nonesefff993.bin377097application/x-dosexecexe...NoneNone6144:jo5N5OazOZaTDWlVnrchrahdOxveC2wo80/agxb0z...None[exe, TrickBot][][Win.Trojan.Razy-7331425-0, Win.Trojan.Trickbo...3691None
1415e04eb340f1b092288cbcc71295a2c95e864fc1bbfcd...d602957f9e390a1b02b86632b7ce7a5a41654eb1d3ab63...d02f452d01660387fd78d40e9f2405c3e38c9668367b6a5c0e0e8ec68ea14a085b1d32b32022-06-23 09:55:132022-06-24 08:59:27solar.php679008application/x-dosexecexe...NoneNone12288:nO4BydKj3ACZfNFEnw6qJxs3UPwgDrZiI0OSnnox...b8a424fcecec6c70[exe, TrickBot][]None3812None
27e8c547fcc86e26b973e4c974da8ee2c4cfe84846e2cdf...c8152131d11565c08615b267a2b103c2a3e3a4de03c406...ac0724c724f8d6e2a54b41b86d99aa189e40dc8117492f7b9906b807cffd30e8a0edd9932022-05-25 12:44:48Nonebnuethogt.bin550424application/x-dosexecexe...NoneNone12288:QyeWT96x+MN2N4Bou8Bw1bFswwGFGvyLOE8uQnUK...72f16979787a726c[exe, TrickBot][]None5021None
3236f4e149402cba69141e6055a113a68f2bd8653936521...8bfe50bdbc0e728854537a7cb921898c5519774a486c96...7cb195e05a78a39cacb0c0d4d4fa23e4c3366785e05d85acc62b2795bfb94a681e64e20f2022-03-21 03:04:08Nonesample2.exe207360application/x-dosexecexe...NoneNone6144:2LMNe5kFT/RK1WoJg4ouLl2pFUBm5iKsTFxcW3Qt0...None[exe, TrickBot][][Win.Dropper.TrickBot-7071016-0, Win.Dropper.T...6361None
4bf374475be396528cdfd21a3eac292bb420e398ba9ee9a...676c8853fb886d2c3b0fa4bffa1b35ef9cc3b619881d2c...20c1b26ddd2ae336f811bf658fbbe24c011b6393958c82aca0066454c7a8062c5b93c3482022-03-14 09:04:032022-03-14 11:23:38Client_documents_access_5506-2425.xlsm164251application/vnd.openxmlformats-officedocument....xlsm...NoneNone3072:UDegPM4xKT72cL5RWU/S//////////25QMUMWhTHH...None[TrickBot, xlsm][][TwinWave.EvilDoc.DOCXSTRGOOD.XMLENTITY.HTTP, ...5782None
5fcde8f225a14fe70009f32c4acfba0407b5fd6b0da5c2f...df687c25df1e6c99177f9422b8c921f25bd24b35205556...c1a72d736eb870684a190bad60d1da7d1292c37b218c5b56132ee73c7a5ad2e5c96c64d42021-12-31 09:34:43None218c5b56132ee73c7a5ad2e5c96c64d4.exe422912application/x-dosexecexe...NoneNone6144:YFn61kciCuR6b15sZwkst8K5YHJHJ4wX4wp16SiVy...e4d0d0f8e4e8d804[exe, top166, TrickBot][][Win.Packed.Generickdz-9929038-0]10321None
61a6bef8525a2b7eded1ea8c92e65cea20a08dc2fff175e...5e52701ea01aec1f13be846809d29634449a2cd6b83f9a...421b355c7b3311961359bea6e886a316e410bbf8da42b3f16999890ffa59a2aa10a334e52021-12-30 07:39:42Noneda42b3f16999890ffa59a2aa10a334e5.exe422400application/x-dosexecexe...NoneNone12288:5F61k9CuRQuCBifx5ABMQ2f6OArPtMZotp:fCuGl...e4d0d0f8e4e8d804[exe, TrickBot][]None9461None
701c69d0acc8734993ba9cbfe9b0da4616bb05041e103af...a3612c1deff78976343e226fbcde7e7f70a396380ab1f0...6010fb83b30adfeba34ac6f302c2c8e865cdc7051e19cdc980488fb82c9245fde3ba28f82021-12-29 12:46:45None1e19cdc980488fb82c9245fde3ba28f8.exe422912application/x-dosexecexe...NoneNone6144:YFn61kciCuRBb15sZwkst8K5YHJHJ4wX4wp16SiVy...e4d0d0f8e4e8d804[exe, top166, TrickBot][]None8131None
85c032f85c0a9a4a551f6c0057ecc78aec6b625df77fcbf...53576688e522d84b6e976c933eab2d7eb74a0930666d40...0cb109a1a37622d8147d11b1b5ffbe858388707be9d4ef1a8d0371d5760cd8a815cf1acd2021-12-29 01:36:34NoneSecuriteInfo.com.W32.AIDetect.malware1.29332.2...422400application/x-dosexecexe...NoneNone12288:5F61k9CuREuCBifx5ABMQ2f6OArPtMZotp:fCuOl...e4d0d0f8e4e8d804[exe, TrickBot][][SecuriteInfo.com.W32.AIDetect.malware1.29332....7511None
9d9ef2723a2d54f8774224b15ad9324598e2213597cf882...5a1a255ed0fb5e476a0954cf0817d24b1eb816ee868493...a47aa744bdcf3523b8957d57a620cc5a48ab2f16e6211b1c55e1f978dfef54d9916ece482021-12-28 21:54:13Nonee6211b1c55e1f978dfef54d9916ece48422400application/x-dosexecexe...NoneNone12288:5F61k9CuRbuCBifx5ABMQ2f6OArPtMZotp:fCuFl...e4d0d0f8e4e8d804[32, exe, TrickBot][]None6801None
\n", "

10 rows × 25 columns

\n", "
" ], "text/plain": [ " sha256_hash \\\n", "0 b7cbc5e5dc182c8d99809cd64d36734abeb6bfac15e6ef... \n", "1 415e04eb340f1b092288cbcc71295a2c95e864fc1bbfcd... \n", "2 7e8c547fcc86e26b973e4c974da8ee2c4cfe84846e2cdf... \n", "3 236f4e149402cba69141e6055a113a68f2bd8653936521... \n", "4 bf374475be396528cdfd21a3eac292bb420e398ba9ee9a... \n", "5 fcde8f225a14fe70009f32c4acfba0407b5fd6b0da5c2f... \n", "6 1a6bef8525a2b7eded1ea8c92e65cea20a08dc2fff175e... \n", "7 01c69d0acc8734993ba9cbfe9b0da4616bb05041e103af... \n", "8 5c032f85c0a9a4a551f6c0057ecc78aec6b625df77fcbf... \n", "9 d9ef2723a2d54f8774224b15ad9324598e2213597cf882... \n", "\n", " sha3_384_hash \\\n", "0 40acf4c4f672dbc849d4159fd71d4207eacd324b359a76... \n", "1 d602957f9e390a1b02b86632b7ce7a5a41654eb1d3ab63... \n", "2 c8152131d11565c08615b267a2b103c2a3e3a4de03c406... \n", "3 8bfe50bdbc0e728854537a7cb921898c5519774a486c96... \n", "4 676c8853fb886d2c3b0fa4bffa1b35ef9cc3b619881d2c... \n", "5 df687c25df1e6c99177f9422b8c921f25bd24b35205556... \n", "6 5e52701ea01aec1f13be846809d29634449a2cd6b83f9a... \n", "7 a3612c1deff78976343e226fbcde7e7f70a396380ab1f0... \n", "8 53576688e522d84b6e976c933eab2d7eb74a0930666d40... \n", "9 5a1a255ed0fb5e476a0954cf0817d24b1eb816ee868493... 
\n", "\n", " sha1_hash md5_hash \\\n", "0 516c7a538e93f7cf4bff29196511f94e5fbb5a40 8402ab33eafb84178069f8f490ca604d \n", "1 d02f452d01660387fd78d40e9f2405c3e38c9668 367b6a5c0e0e8ec68ea14a085b1d32b3 \n", "2 ac0724c724f8d6e2a54b41b86d99aa189e40dc81 17492f7b9906b807cffd30e8a0edd993 \n", "3 7cb195e05a78a39cacb0c0d4d4fa23e4c3366785 e05d85acc62b2795bfb94a681e64e20f \n", "4 20c1b26ddd2ae336f811bf658fbbe24c011b6393 958c82aca0066454c7a8062c5b93c348 \n", "5 c1a72d736eb870684a190bad60d1da7d1292c37b 218c5b56132ee73c7a5ad2e5c96c64d4 \n", "6 421b355c7b3311961359bea6e886a316e410bbf8 da42b3f16999890ffa59a2aa10a334e5 \n", "7 6010fb83b30adfeba34ac6f302c2c8e865cdc705 1e19cdc980488fb82c9245fde3ba28f8 \n", "8 0cb109a1a37622d8147d11b1b5ffbe858388707b e9d4ef1a8d0371d5760cd8a815cf1acd \n", "9 a47aa744bdcf3523b8957d57a620cc5a48ab2f16 e6211b1c55e1f978dfef54d9916ece48 \n", "\n", " first_seen last_seen \\\n", "0 2022-07-08 09:22:51 None \n", "1 2022-06-23 09:55:13 2022-06-24 08:59:27 \n", "2 2022-05-25 12:44:48 None \n", "3 2022-03-21 03:04:08 None \n", "4 2022-03-14 09:04:03 2022-03-14 11:23:38 \n", "5 2021-12-31 09:34:43 None \n", "6 2021-12-30 07:39:42 None \n", "7 2021-12-29 12:46:45 None \n", "8 2021-12-29 01:36:34 None \n", "9 2021-12-28 21:54:13 None \n", "\n", " file_name file_size \\\n", "0 sefff993.bin 377097 \n", "1 solar.php 679008 \n", "2 bnuethogt.bin 550424 \n", "3 sample2.exe 207360 \n", "4 Client_documents_access_5506-2425.xlsm 164251 \n", "5 218c5b56132ee73c7a5ad2e5c96c64d4.exe 422912 \n", "6 da42b3f16999890ffa59a2aa10a334e5.exe 422400 \n", "7 1e19cdc980488fb82c9245fde3ba28f8.exe 422912 \n", "8 SecuriteInfo.com.W32.AIDetect.malware1.29332.2... 422400 \n", "9 e6211b1c55e1f978dfef54d9916ece48 422400 \n", "\n", " file_type_mime file_type ... telfhash \\\n", "0 application/x-dosexec exe ... None \n", "1 application/x-dosexec exe ... None \n", "2 application/x-dosexec exe ... None \n", "3 application/x-dosexec exe ... None \n", "4 application/vnd.openxmlformats-officedocument.... 
xlsm ... None \n", "5 application/x-dosexec exe ... None \n", "6 application/x-dosexec exe ... None \n", "7 application/x-dosexec exe ... None \n", "8 application/x-dosexec exe ... None \n", "9 application/x-dosexec exe ... None \n", "\n", " gimphash ssdeep \\\n", "0 None 6144:jo5N5OazOZaTDWlVnrchrahdOxveC2wo80/agxb0z... \n", "1 None 12288:nO4BydKj3ACZfNFEnw6qJxs3UPwgDrZiI0OSnnox... \n", "2 None 12288:QyeWT96x+MN2N4Bou8Bw1bFswwGFGvyLOE8uQnUK... \n", "3 None 6144:2LMNe5kFT/RK1WoJg4ouLl2pFUBm5iKsTFxcW3Qt0... \n", "4 None 3072:UDegPM4xKT72cL5RWU/S//////////25QMUMWhTHH... \n", "5 None 6144:YFn61kciCuR6b15sZwkst8K5YHJHJ4wX4wp16SiVy... \n", "6 None 12288:5F61k9CuRQuCBifx5ABMQ2f6OArPtMZotp:fCuGl... \n", "7 None 6144:YFn61kciCuRBb15sZwkst8K5YHJHJ4wX4wp16SiVy... \n", "8 None 12288:5F61k9CuREuCBifx5ABMQ2f6OArPtMZotp:fCuOl... \n", "9 None 12288:5F61k9CuRbuCBifx5ABMQ2f6OArPtMZotp:fCuFl... \n", "\n", " dhash_icon tags code_sign \\\n", "0 None [exe, TrickBot] [] \n", "1 b8a424fcecec6c70 [exe, TrickBot] [] \n", "2 72f16979787a726c [exe, TrickBot] [] \n", "3 None [exe, TrickBot] [] \n", "4 None [TrickBot, xlsm] [] \n", "5 e4d0d0f8e4e8d804 [exe, top166, TrickBot] [] \n", "6 e4d0d0f8e4e8d804 [exe, TrickBot] [] \n", "7 e4d0d0f8e4e8d804 [exe, top166, TrickBot] [] \n", "8 e4d0d0f8e4e8d804 [exe, TrickBot] [] \n", "9 e4d0d0f8e4e8d804 [32, exe, TrickBot] [] \n", "\n", " intelligence.clamav intelligence.downloads \\\n", "0 [Win.Trojan.Razy-7331425-0, Win.Trojan.Trickbo... 369 \n", "1 None 381 \n", "2 None 502 \n", "3 [Win.Dropper.TrickBot-7071016-0, Win.Dropper.T... 636 \n", "4 [TwinWave.EvilDoc.DOCXSTRGOOD.XMLENTITY.HTTP, ... 578 \n", "5 [Win.Packed.Generickdz-9929038-0] 1032 \n", "6 None 946 \n", "7 None 813 \n", "8 [SecuriteInfo.com.W32.AIDetect.malware1.29332.... 
751 \n", "9 None 680 \n", "\n", " intelligence.uploads intelligence.mail \n", "0 1 None \n", "1 2 None \n", "2 1 None \n", "3 1 None \n", "4 2 None \n", "5 1 None \n", "6 1 None \n", "7 1 None \n", "8 1 None \n", "9 1 None \n", "\n", "[10 rows x 25 columns]" ] }, "metadata": {}, "output_type": "display_data" } ], "source": [ "mbdetail = mblookup.lookup_ioc(observable='trickbot', mb_type='signature', limit=10)\n", "display(mbdetail)" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "### Latest executable samples (filter by filetype)" ] }, { "cell_type": "code", "execution_count": 6, "metadata": {}, "outputs": [ { "data": { "text/html": [ "
sha256_hashsha3_384_hashsha1_hashmd5_hashfirst_seenlast_seenfile_namefile_sizefile_type_mimefile_type...tlshtelfhashgimphashssdeepdhash_icontagsintelligence.clamavintelligence.downloadsintelligence.uploadsintelligence.mail
0ce1e8e57264e84d75ed4960855768418c7a73707d0855d...2945d468176ca3766e5982574652025887cdce34028f4c...7fd429ceb24c476a9b3796fe71961575e7637738fea743ac96b30d64f914d491e802abc12022-08-11 09:22:06NoneCopia di pagamento-3400753232678_001-11.08.202...625664application/x-dosexecexe...T178D4D02025AE7219E039BB7909D7706047F5F622DE1A...NoneNone12288:3GVq6azddQyxvS8Fhyq+rq5IhAW3Lm1u9Cj0Vpzm...d4e2c8b4ccc8f2cc[AgentTesla, exe]None1191None
12582008cc5626a748f4926d0973f1b4ea0717e5167e1f7...05d09b744be600daf03e2f67bcdc4b81ee317336ee7988...e03a9f658327fc96d774ae19d714add257a10d882f4a3782d2ab90126ff927026dac50772022-08-11 09:19:47None2f4a3782d2ab90126ff927026dac5077834560application/x-dosexecexe...T18D052344079587BCC9AE167C048142641338EB02B2B6...NoneNone12288:EoFor+A0cb27/9DAx35L4Zk9ykn72GU7VfsLjuGB...None[32, exe, RemcosRAT, trojan]None1091None
26e294639b9e9dec345a4b9bdeb29bd5695ea2d84e0fa88...7ba5d10ded17ef135d101e5caec3c8e8959b0beb25e6bd...69bf7182f7cd72ca775be7736b843345efbbdc0eca25cc1a0351513cbb0bb70343b038622022-08-11 09:19:27Noneca25cc1a0351513cbb0bb70343b03862857600application/x-dosexecexe...T10105BEAF7E9C440ECC218B31E84C81B99FA5FDA17912...NoneNone12288:WEoKggb2iNdvpc++HRBTEdG6gAGYN/lXXE5fRPcX...None[32, exe, FormBook, trojan][SecuriteInfo.com.MSIL.Kryptik.WZA.UNOFFICIAL]1011None
39bc54f008c1a379e2a422b64b57339e7a3d8ee01745dd0...513b59672d898a92ea8b79a2c015cc79867ed7cac5d271...117b1e130cc2f2406b0f38d3b3677e4699f6521457ecac082ee320cf94b2de1a0927a9942022-08-11 09:19:13None57ecac082ee320cf94b2de1a0927a994879616application/x-dosexecexe...T13315BFAFAB9C441FCC228B31E84C81B99FA5FC613922...NoneNone24576:eoKgK1XpSN1RgXrhOquNb9cMQSKScGWgi:bKgKV7...None[32, AgentTesla, exe][SecuriteInfo.com.MSIL.Kryptik.WZA.UNOFFICIAL]1071None
4f2a4cc133dfeca5432bf22c2817aeb8edb434057711727...13ad83f7ec5e622b022a06b80f2afa90272cb6a5d7eb5f...b1eedf6d0b197b0d743e60390864aa279f1f915ab9694513a38e321b8cbfd807367b7e212022-08-11 09:15:26NoneProject sheets.pdf.exe147736application/x-dosexecexe...T116E37B9C325071DFC8ABD0728EA91D74EA2034BB931B...NoneNone3072:rTpc2Du8SknETVtyMl9Rrhr7jmSBe9BeZ/F8xB2dM...d2e8ecb2b2a2b282[exe, Loki]None1221None
5f53a803c52691f8506f33d2719028822db93ae1799d0ba...32b0422e11faafaa49f39f0df7b093cddeb316f5087134...9b2c6fddac6ea6c27a2c5c25d515d389429703c04e416bdf228c332a60a4fc0d8326373f2022-08-11 09:00:33None4e416bdf228c332a60a4fc0d8326373f.exe207360application/x-dosexecexe...T14514CF1677A98A2FE2DE85B8701246468379C2E3D8C3...NoneNone3072:wzEqV6B1jHa6dtJ10jgvzcgi+oG/j9iaMP2s/HIPs...None[exe, NanoCore, RAT][Win.Dropper.Nancrat-9869495-0, Win.Dropper.Na...1451None
6ba66c7a46a35c1b38aa76a199ae19a65674786771b153e...5983e487146283ae8c880a5c21b7ef989307d0a0327d59...b340afd00d6feb4da15b9b10446417e51d3f7082e6ae2071837c90e79a7f4c6e8e778f0f2022-08-11 09:00:31Nonee6ae2071837c90e79a7f4c6e8e778f0f.exe923829application/x-dosexecexe...T18F15123962C1827BD1621A314D4BD3B3FD3ABA041B3C...NoneNone24576:pAT8QE+kEVNpJc7Y/sDZ0239GhjS9knREHXsW02E...b298acbab2ca7a72[exe, recordbreaker][SecuriteInfo.com.PSW.Generic8.ISF.UNOFFICIAL]1331None
793b24291abe4b2c7d3eebd64168cf86e5b36571bd30645...bc79bfe7cf79004f707014cae678bb19a55a91402cc143...92b194b6c75c6c2e8e693fca7f0c660fbcd70be576755f4c31240a6247689c0ffdc6e6272022-08-11 08:45:49NoneAST_928765425672-09876353B.exe864256application/x-dosexecexe...T18805E79113A9EC11C97DBFF0295939B1C2F275C6A9AC...NoneNone12288:9N+7nP3i1XkYIgj7wPQdh0TLeb9hIv001mWfTd0:...c496b2b8fcccacdc[AgentTesla, exe]None1751None
808375457359c0439dde333b220071987d355b3a2b0aa9f...ca9ceb34ae3cd40cd0767a8d665a8346af419f56fd023b...58133e441cebee95176aba75ef533a99af208758bb2518245e5b20e35c7a22521be3b6fb2022-08-11 08:45:38NoneMV TONIC_CTM REQUEST.exe762368application/x-dosexecexe...T136F4ADAFBA9C440ECC624B31E84C80B95FA5FCA17922...NoneNone12288:xqoKggb2iNdvpc++E4+xp985R+J0vuxrHeBCVLbC...None[exe, Loki][SecuriteInfo.com.MSIL.Kryptik.WZA.UNOFFICIAL]1591None
9f3d62ca6b2dfd77bd362dc1f4ec6e99bb43302e82583e6...936d638104e56fd4cdbf6f56c1ea63679a02e763eaef01...cd8ddf4094ff130568ace0dfc578500213eb5be4d3c1e94c64ce0e37e03af92f18067ea42022-08-11 08:40:28Noned3c1e94c64ce0e37e03af92f18067ea4.exe922983application/x-dosexecexe...T1AC1512396281827BD1621A31494BD3B7FD3AB7041B3C...NoneNone24576:pAT8QE+kHVNpJc7Y/sDZ0239GhjS9knREHXsW02E...b298acbab2ca7a72[exe, recordbreaker][SecuriteInfo.com.PSW.Generic8.ISF.UNOFFICIAL]1581None
\n", "

10 rows × 24 columns

\n", "
" ], "text/plain": [ " sha256_hash \\\n", "0 ce1e8e57264e84d75ed4960855768418c7a73707d0855d... \n", "1 2582008cc5626a748f4926d0973f1b4ea0717e5167e1f7... \n", "2 6e294639b9e9dec345a4b9bdeb29bd5695ea2d84e0fa88... \n", "3 9bc54f008c1a379e2a422b64b57339e7a3d8ee01745dd0... \n", "4 f2a4cc133dfeca5432bf22c2817aeb8edb434057711727... \n", "5 f53a803c52691f8506f33d2719028822db93ae1799d0ba... \n", "6 ba66c7a46a35c1b38aa76a199ae19a65674786771b153e... \n", "7 93b24291abe4b2c7d3eebd64168cf86e5b36571bd30645... \n", "8 08375457359c0439dde333b220071987d355b3a2b0aa9f... \n", "9 f3d62ca6b2dfd77bd362dc1f4ec6e99bb43302e82583e6... \n", "\n", " sha3_384_hash \\\n", "0 2945d468176ca3766e5982574652025887cdce34028f4c... \n", "1 05d09b744be600daf03e2f67bcdc4b81ee317336ee7988... \n", "2 7ba5d10ded17ef135d101e5caec3c8e8959b0beb25e6bd... \n", "3 513b59672d898a92ea8b79a2c015cc79867ed7cac5d271... \n", "4 13ad83f7ec5e622b022a06b80f2afa90272cb6a5d7eb5f... \n", "5 32b0422e11faafaa49f39f0df7b093cddeb316f5087134... \n", "6 5983e487146283ae8c880a5c21b7ef989307d0a0327d59... \n", "7 bc79bfe7cf79004f707014cae678bb19a55a91402cc143... \n", "8 ca9ceb34ae3cd40cd0767a8d665a8346af419f56fd023b... \n", "9 936d638104e56fd4cdbf6f56c1ea63679a02e763eaef01... 
\n", "\n", " sha1_hash md5_hash \\\n", "0 7fd429ceb24c476a9b3796fe71961575e7637738 fea743ac96b30d64f914d491e802abc1 \n", "1 e03a9f658327fc96d774ae19d714add257a10d88 2f4a3782d2ab90126ff927026dac5077 \n", "2 69bf7182f7cd72ca775be7736b843345efbbdc0e ca25cc1a0351513cbb0bb70343b03862 \n", "3 117b1e130cc2f2406b0f38d3b3677e4699f65214 57ecac082ee320cf94b2de1a0927a994 \n", "4 b1eedf6d0b197b0d743e60390864aa279f1f915a b9694513a38e321b8cbfd807367b7e21 \n", "5 9b2c6fddac6ea6c27a2c5c25d515d389429703c0 4e416bdf228c332a60a4fc0d8326373f \n", "6 b340afd00d6feb4da15b9b10446417e51d3f7082 e6ae2071837c90e79a7f4c6e8e778f0f \n", "7 92b194b6c75c6c2e8e693fca7f0c660fbcd70be5 76755f4c31240a6247689c0ffdc6e627 \n", "8 58133e441cebee95176aba75ef533a99af208758 bb2518245e5b20e35c7a22521be3b6fb \n", "9 cd8ddf4094ff130568ace0dfc578500213eb5be4 d3c1e94c64ce0e37e03af92f18067ea4 \n", "\n", " first_seen last_seen \\\n", "0 2022-08-11 09:22:06 None \n", "1 2022-08-11 09:19:47 None \n", "2 2022-08-11 09:19:27 None \n", "3 2022-08-11 09:19:13 None \n", "4 2022-08-11 09:15:26 None \n", "5 2022-08-11 09:00:33 None \n", "6 2022-08-11 09:00:31 None \n", "7 2022-08-11 08:45:49 None \n", "8 2022-08-11 08:45:38 None \n", "9 2022-08-11 08:40:28 None \n", "\n", " file_name file_size \\\n", "0 Copia di pagamento-3400753232678_001-11.08.202... 625664 \n", "1 2f4a3782d2ab90126ff927026dac5077 834560 \n", "2 ca25cc1a0351513cbb0bb70343b03862 857600 \n", "3 57ecac082ee320cf94b2de1a0927a994 879616 \n", "4 Project sheets.pdf.exe 147736 \n", "5 4e416bdf228c332a60a4fc0d8326373f.exe 207360 \n", "6 e6ae2071837c90e79a7f4c6e8e778f0f.exe 923829 \n", "7 AST_928765425672-09876353B.exe 864256 \n", "8 MV TONIC_CTM REQUEST.exe 762368 \n", "9 d3c1e94c64ce0e37e03af92f18067ea4.exe 922983 \n", "\n", " file_type_mime file_type ... \\\n", "0 application/x-dosexec exe ... \n", "1 application/x-dosexec exe ... \n", "2 application/x-dosexec exe ... \n", "3 application/x-dosexec exe ... \n", "4 application/x-dosexec exe ... 
\n", "5 application/x-dosexec exe ... \n", "6 application/x-dosexec exe ... \n", "7 application/x-dosexec exe ... \n", "8 application/x-dosexec exe ... \n", "9 application/x-dosexec exe ... \n", "\n", " tlsh telfhash gimphash \\\n", "0 T178D4D02025AE7219E039BB7909D7706047F5F622DE1A... None None \n", "1 T18D052344079587BCC9AE167C048142641338EB02B2B6... None None \n", "2 T10105BEAF7E9C440ECC218B31E84C81B99FA5FDA17912... None None \n", "3 T13315BFAFAB9C441FCC228B31E84C81B99FA5FC613922... None None \n", "4 T116E37B9C325071DFC8ABD0728EA91D74EA2034BB931B... None None \n", "5 T14514CF1677A98A2FE2DE85B8701246468379C2E3D8C3... None None \n", "6 T18F15123962C1827BD1621A314D4BD3B3FD3ABA041B3C... None None \n", "7 T18805E79113A9EC11C97DBFF0295939B1C2F275C6A9AC... None None \n", "8 T136F4ADAFBA9C440ECC624B31E84C80B95FA5FCA17922... None None \n", "9 T1AC1512396281827BD1621A31494BD3B7FD3AB7041B3C... None None \n", "\n", " ssdeep dhash_icon \\\n", "0 12288:3GVq6azddQyxvS8Fhyq+rq5IhAW3Lm1u9Cj0Vpzm... d4e2c8b4ccc8f2cc \n", "1 12288:EoFor+A0cb27/9DAx35L4Zk9ykn72GU7VfsLjuGB... None \n", "2 12288:WEoKggb2iNdvpc++HRBTEdG6gAGYN/lXXE5fRPcX... None \n", "3 24576:eoKgK1XpSN1RgXrhOquNb9cMQSKScGWgi:bKgKV7... None \n", "4 3072:rTpc2Du8SknETVtyMl9Rrhr7jmSBe9BeZ/F8xB2dM... d2e8ecb2b2a2b282 \n", "5 3072:wzEqV6B1jHa6dtJ10jgvzcgi+oG/j9iaMP2s/HIPs... None \n", "6 24576:pAT8QE+kEVNpJc7Y/sDZ0239GhjS9knREHXsW02E... b298acbab2ca7a72 \n", "7 12288:9N+7nP3i1XkYIgj7wPQdh0TLeb9hIv001mWfTd0:... c496b2b8fcccacdc \n", "8 12288:xqoKggb2iNdvpc++E4+xp985R+J0vuxrHeBCVLbC... None \n", "9 24576:pAT8QE+kHVNpJc7Y/sDZ0239GhjS9knREHXsW02E... 
b298acbab2ca7a72 \n", "\n", " tags \\\n", "0 [AgentTesla, exe] \n", "1 [32, exe, RemcosRAT, trojan] \n", "2 [32, exe, FormBook, trojan] \n", "3 [32, AgentTesla, exe] \n", "4 [exe, Loki] \n", "5 [exe, NanoCore, RAT] \n", "6 [exe, recordbreaker] \n", "7 [AgentTesla, exe] \n", "8 [exe, Loki] \n", "9 [exe, recordbreaker] \n", "\n", " intelligence.clamav intelligence.downloads \\\n", "0 None 119 \n", "1 None 109 \n", "2 [SecuriteInfo.com.MSIL.Kryptik.WZA.UNOFFICIAL] 101 \n", "3 [SecuriteInfo.com.MSIL.Kryptik.WZA.UNOFFICIAL] 107 \n", "4 None 122 \n", "5 [Win.Dropper.Nancrat-9869495-0, Win.Dropper.Na... 145 \n", "6 [SecuriteInfo.com.PSW.Generic8.ISF.UNOFFICIAL] 133 \n", "7 None 175 \n", "8 [SecuriteInfo.com.MSIL.Kryptik.WZA.UNOFFICIAL] 159 \n", "9 [SecuriteInfo.com.PSW.Generic8.ISF.UNOFFICIAL] 158 \n", "\n", " intelligence.uploads intelligence.mail \n", "0 1 None \n", "1 1 None \n", "2 1 None \n", "3 1 None \n", "4 1 None \n", "5 1 None \n", "6 1 None \n", "7 1 None \n", "8 1 None \n", "9 1 None \n", "\n", "[10 rows x 24 columns]" ] }, "metadata": {}, "output_type": "display_data" } ], "source": [ "mbdetail = mblookup.lookup_ioc(observable='exe', mb_type='filetype', limit=10)\n", "display(mbdetail)" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "### Latest samples that match the ClamAV signature \"Doc.Downloader.Emotet-7580152-0\"" ] }, { "cell_type": "code", "execution_count": 7, "metadata": {}, "outputs": [ { "data": { "text/html": [ "
HTML table rendering omitted: 7 rows × 25 columns, the same DataFrame as the text output of this cell.
" ], "text/plain": [ " sha256_hash \\\n", "0 c59dc2c1dfeeb1396f7d5c6dd909f830da34247b35cb86... \n", "1 10b1ddd91ee8d2da9ef9dfa5953c526b4c139d14dfa659... \n", "2 bdf5c8be5ef48385c71f424c912523c3cfe6ffa0215d08... \n", "3 542c29b3dfea261203a5c99b3657016a633a66231a82a9... \n", "4 9e0f471dcc7e1f874dc550fa5ea840391bfe33e8576e26... \n", "5 5a4fc3c23be16cff577a8b9af743cdfc330a1a3a8efea3... \n", "6 6c9abcc36eabca228547b6478a2da6026d8c1874f8ba68... \n", "\n", " sha3_384_hash \\\n", "0 9c1144395e4002f8dcf5f323846f133f069ac2bc6b5ede... \n", "1 42851417a263d6f87eab2aec15d3fcb912f1df4dd8fe87... \n", "2 c1605a7c42f38e2dd474f24c4828c19d58b9a5433b2c05... \n", "3 c54ebe98f5c9d9c800a11dd83622313e871ff72bd6a8ed... \n", "4 8a24530041c75ede2fe03f2d9c8103314ad65516219750... \n", "5 cdb35169fb4be823e35b659fd21ebcdcf832125817e886... \n", "6 2eb9a63f336aa5518f99ac7aa57bed6905e7c8440e4885... \n", "\n", " sha1_hash md5_hash \\\n", "0 6546af75a7dfbdb3852edd1c248abe97942ce327 000abe09d01b60f777eec90fe14c431b \n", "1 eab6c59c252d1737e2039d6414a7f87b50640abb c2b47e5a02ac0c89e9ed854ae0cd565c \n", "2 0fb5d80e11e61ee842a7c1a7d2943a77ecbf42cf 08531ac8e995bfc4692cd0591e985734 \n", "3 8ffeeadd4f843f0070134d65a6b29e2ddbe66bc4 d7194984c4e923d1c59233bf0b640bf7 \n", "4 fe1f0c74137e19db8d893a29afd75f227283593c 096000880d75f7f35acf59f533c58b77 \n", "5 9a687b92317df18848fd77f179fb34889f4e4a04 24f0c3737e9f5b5f37ebd2d97816ed17 \n", "6 4167167b821b2ac0718c68cfb6482bc58bca9d41 99fae99a021d5ef85291293f89c34f9a \n", "\n", " first_seen last_seen \\\n", "0 2020-03-29 08:17:18 2020-03-29 08:17:39 \n", "1 2020-03-29 08:16:39 2020-03-29 08:19:17 \n", "2 2020-03-24 07:42:41 2020-03-29 08:18:05 \n", "3 2020-03-24 07:41:27 None \n", "4 2020-03-24 07:38:05 2020-03-29 08:13:48 \n", "5 2020-03-23 18:49:10 2020-03-29 08:19:52 \n", "6 2020-03-23 16:57:26 2020-03-23 18:55:47 \n", "\n", " file_name file_size \\\n", "0 c59dc2c1dfeeb1396f7d5c6dd909f830da34247b35cb86... 
208655 \n", "1 10b1ddd91ee8d2da9ef9dfa5953c526b4c139d14dfa659... 207740 \n", "2 bdf5c8be5ef48385c71f424c912523c3cfe6ffa0215d08... 207295 \n", "3 542c29b3dfea261203a5c99b3657016a633a66231a82a9... 208657 \n", "4 9e0f471dcc7e1f874dc550fa5ea840391bfe33e8576e26... 208471 \n", "5 5a4fc3c23be16cff577a8b9af743cdfc330a1a3a8efea3... 208248 \n", "6 6c9abcc36eabca228547b6478a2da6026d8c1874f8ba68... 207795 \n", "\n", " file_type_mime file_type ... telfhash gimphash \\\n", "0 application/msword docx ... None None \n", "1 application/msword docx ... None None \n", "2 application/msword docx ... None None \n", "3 application/msword docx ... None None \n", "4 application/msword docx ... None None \n", "5 application/msword docx ... None None \n", "6 application/msword docx ... None None \n", "\n", " ssdeep dhash_icon \\\n", "0 3072:Z2y/Gdy5ktGDWLS0HZWD5w8K7Nk9yD7IBUgP76EOp... None \n", "1 3072:Z2y/Gdy5ktGDWLS0HZWD5w8K7Nk9yD7IBUgJz6EOp... None \n", "2 3072:Z2y/Gdy5ktGDWLS0HZWD5w8K7Nk9yD7IBUggz6EOp... None \n", "3 3072:Z2y/Gdy5ktGDWLS0HZWD5w8K7Nk9yD7IBUgvH6EOp... None \n", "4 3072:Z2y/Gdy5ktGDWLS0HZWD5w8K7Nk9yD7IBUgsz6EOp... None \n", "5 3072:Z2y/Gdy5ktGDWLS0HZWD5w8K7Nk9yD7IBUg2f6EOp... None \n", "6 3072:Z2y/Gdy5ktGDWLS0HZWD5w8K7Nk9yD7IBUgDH6EOp... None \n", "\n", " tags code_sign \\\n", "0 [autoexec, base64, hex, macros, ole] [] \n", "1 [autoexec, base64, hex, macros, ole] [] \n", "2 [autoexec, base64, hex, macros, ole] [] \n", "3 [autoexec, base64, Emotet, Heodo, hex, macros,... [] \n", "4 [autoexec, base64, Emotet, Heodo, hex, macros,... [] \n", "5 [Emotet, Heodo] [] \n", "6 [Emotet, Heodo] [] \n", "\n", " intelligence.clamav intelligence.downloads \\\n", "0 [Doc.Downloader.Emotet-7580152-0, Doc.Download... 101 \n", "1 [Doc.Downloader.Emotet-7580152-0, Doc.Download... 98 \n", "2 [Doc.Downloader.Emotet-7580152-0, Doc.Download... 90 \n", "3 [Doc.Downloader.Emotet-7580152-0, Doc.Download... 95 \n", "4 [Doc.Downloader.Emotet-7580152-0, Doc.Download... 
94 \n", "5 [Doc.Downloader.Emotet-7580152-0, Doc.Download... 75 \n", "6 [Doc.Downloader.Emotet-7580152-0, Doc.Download... 74 \n", "\n", " intelligence.uploads intelligence.mail \n", "0 2 None \n", "1 2 None \n", "2 3 None \n", "3 1 None \n", "4 2 None \n", "5 3 None \n", "6 2 None \n", "\n", "[7 rows x 25 columns]" ] }, "metadata": {}, "output_type": "display_data" } ], "source": [ "mbdetail = mblookup.lookup_ioc(observable=\"Doc.Downloader.Emotet-7580152-0\", mb_type='clamav', limit=10)\n", "display(mbdetail)" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "### Retrieve the latest samples that match the specified imphash" ] }, { "cell_type": "code", "execution_count": 8, "metadata": {}, "outputs": [ { "data": { "text/html": [ "
HTML table rendering omitted: 10 rows × 26 columns, the same DataFrame as the text output of this cell.
" ], "text/plain": [ " sha256_hash \\\n", "0 3335f6bcfb168bfad8fe8622f515ffc6e4e3b74c9bab6b... \n", "1 97938446027c2f5c4c5eeebff3b37cb3812da2fe45f092... \n", "2 14a985c4f8b469d858f155c59618c45365a0a7b87a73d9... \n", "3 612a1123c2ca0a0c3f077aa506b48cfbbeb815c1c026b8... \n", "4 45b7e7e404b6cd8eaca7798b5977fe17cae6a261e45d6a... \n", "5 585dbee4540fb6bf72116be77c1902ef1c1a716a70b491... \n", "6 4dd2b414c77ad5e60685dd8afbb92d5bf6e3ed11edfa36... \n", "7 52e864374ebb34727b88f278970946520a53383c0b7e85... \n", "8 26e7e2592001dcae03d24805daf839378a61263b2aab7a... \n", "9 0de023c805c4aabdc9dab70f5660298017276e1a14ca05... \n", "\n", " sha3_384_hash \\\n", "0 4978e72d546964948d4836970991611f4890f1aaea6181... \n", "1 553a03ed1ba38c7604dfa2a421371b6f3e9e0576f12735... \n", "2 a59bfde721bd0409e1436c059d1873ec702e7000eab8a7... \n", "3 cffb01732f112ad64d2da07c03377f47501d92f75e8e5d... \n", "4 076bdaf9a9578bb2ea4cdbc5de2485fc81dd539b9ddda9... \n", "5 1a04194b0ad44ddeb25b7d155ce59429fa3eaed4f83547... \n", "6 d2c6de54c4357e3df26c370a252c4887b5ab447d02470f... \n", "7 f1558f950057bb5cb78df801b8b80ec3670cf0841cd837... \n", "8 f69e210ee6c857145684a95b98f0647538804322d10078... \n", "9 81c3e6882ad0adbba0e816a99627d4c7b0eb6c341091cc... 
\n", "\n", " sha1_hash md5_hash \\\n", "0 190122935eafdbf0d1c5b0a7c86cb24c04aee308 0d0faa3ffb8ea5d041d2dd24b544d2b1 \n", "1 9979b550d2414f1e97d51b44116ae4fb14ea9265 943c81115f3e9d31fd1ef58690d46acc \n", "2 5ce575f5ef1611f3594675f593c582a9ff6b356f a32ac4f5fba2b7224e68d6ad9bfbc2e0 \n", "3 3303e4acce086996bec36fd46ad396e01960820a 55aaee46446d832abbad8ed6bde21085 \n", "4 6a7b3c48b240e8566aa53d73d75d438856015e0a cd0a2bd06bdbf4047a3d4f01227cb5b5 \n", "5 7ae1b49f968d668faded948c1c674011af4d95a0 ec1de4028f8a2f58111370668da35a39 \n", "6 f3dbd99925f98b225ff23a799001495d04097bce bd66883c753dde3a74f14e8b5ff9f163 \n", "7 acbdf5ae0b8b73d8203f52b1e104205ac39432d6 2e0754487143853f2791b729f2222146 \n", "8 d1fd550d804bf18c3cebfc9e0839d1f4667ff9b7 d90a279bbb5237ed268a6d2f1b7ff435 \n", "9 536dc660173b996bc930e9d6a8e1885af58af181 6df4fddd3267ebfec3f7bd6f9101afa0 \n", "\n", " first_seen last_seen \\\n", "0 2020-07-24 09:18:30 None \n", "1 2020-07-23 13:49:30 None \n", "2 2020-07-22 10:58:06 None \n", "3 2020-07-22 10:44:20 None \n", "4 2020-07-22 10:42:42 None \n", "5 2020-07-22 10:15:11 None \n", "6 2020-07-22 10:13:47 None \n", "7 2020-07-22 10:11:26 None \n", "8 2020-07-22 10:10:49 2020-07-22 14:26:26 \n", "9 2020-07-22 10:10:39 None \n", "\n", " file_name file_size file_type_mime \\\n", "0 File 2.exe 809472 application/x-dosexec \n", "1 commercial invoice + packing list.exe 744960 application/x-dosexec \n", "2 Shipping Document VESSEL SCHEDULE.exe 626688 application/x-dosexec \n", "3 1014-07222020.exe 730112 application/x-dosexec \n", "4 Ordine n° 2000837220720.exe 729088 application/x-dosexec \n", "5 Factura Adiego.exe 829440 application/x-dosexec \n", "6 Solicitud de presupuesto 009876.exe 737280 application/x-dosexec \n", "7 Product Inquiry.exe 1161216 application/x-dosexec \n", "8 Shipping Documents.exe 726016 application/x-dosexec \n", "9 IMG-00120200721_0099991.xls.exe 1159680 application/x-dosexec \n", "\n", " file_type ... gimphash ssdeep \\\n", "0 exe ... 
None 12288:zRmJ34UqACPQoKwICzPhVifZWFuGZkTP2bjmgqLO... \n", "1 exe ... None 12288:yRmJ34UqACPQoKwICzPhVifZWFuGZkTP2bjmgqLK... \n", "2 exe ... None 12288:QRmJ34UqACPQoKwICzPhVifZWFuGZkTP2bjmgqLt... \n", "3 exe ... None 12288:HRmJ34UqACPQoKwICzPhVifZWFuGZkTP2bjmgqLp... \n", "4 exe ... None 12288:PRmJ34UqACPQoKwICzPhVifZWFuGZkTP2bjmgqLK... \n", "5 exe ... None 12288:5RmJ34UqACPQoKwICzPhVifZWFuGZkTP2bjmgqL2... \n", "6 exe ... None 12288:KRmJ34UqACPQoKwICzPhVifZWFuGZkTP2bjmgqLJ... \n", "7 exe ... None 24576:O0B4U+Qo5Ph4ZWkQ5egqLEYctMqp0l7IQVDtyqkx... \n", "8 exe ... None 12288:3RmJ34UqACPQoKwICzPhVifZWFuGZkTP2bjmgqLJ... \n", "9 exe ... None 24576:u0B4U+Qo5Ph4ZWkQ5egqLk8FH5k4LbIkcYcZpRqQ... \n", "\n", " dhash_icon tags \\\n", "0 None [exe, Loki] \n", "1 None [AgentTesla, exe] \n", "2 None [exe, Loki] \n", "3 None [exe, NanoCore, nVpn, RAT] \n", "4 None [AgentTesla, exe] \n", "5 None [exe, NanoCore, nVpn, RAT] \n", "6 None [AgentTesla, exe] \n", "7 None [exe, MassLogger] \n", "8 None [AgentTesla, exe] \n", "9 None [exe, geo, MassLogger, TUR] \n", "\n", " intelligence.clamav intelligence.downloads \\\n", "0 [PUA.Win.Adware.Slugin-6803969-0, PUA.Win.Adwa... 71 \n", "1 [PUA.Win.Adware.Slugin-6803969-0, PUA.Win.Adwa... 74 \n", "2 [PUA.Win.Adware.Slugin-6803969-0, PUA.Win.Adwa... 83 \n", "3 [PUA.Win.Adware.Slugin-6803969-0, PUA.Win.Adwa... 85 \n", "4 [PUA.Win.Adware.Slugin-6803969-0, PUA.Win.Adwa... 83 \n", "5 [PUA.Win.Adware.Slugin-6803969-0, PUA.Win.Adwa... 87 \n", "6 [PUA.Win.Adware.Slugin-6803969-0, PUA.Win.Adwa... 82 \n", "7 [SecuriteInfo.com.Win32.Herz.B.125.14884.UNOFF... 76 \n", "8 [PUA.Win.Adware.Slugin-6803969-0, PUA.Win.Adwa... 78 \n", "9 [SecuriteInfo.com.Win32.Herz.B.125.14884.UNOFF... 
78 \n", "\n", " intelligence.uploads intelligence.mail.Generic intelligence.mail.IT \\\n", "0 1 low NaN \n", "1 1 low NaN \n", "2 1 low NaN \n", "3 1 low NaN \n", "4 1 low low \n", "5 1 low NaN \n", "6 1 low NaN \n", "7 1 low NaN \n", "8 2 low NaN \n", "9 1 low NaN \n", "\n", " intelligence.mail.CH \n", "0 NaN \n", "1 NaN \n", "2 NaN \n", "3 NaN \n", "4 NaN \n", "5 NaN \n", "6 NaN \n", "7 NaN \n", "8 NaN \n", "9 low \n", "\n", "[10 rows x 26 columns]" ] }, "metadata": {}, "output_type": "display_data" } ], "source": [ "mbdetail = mblookup.lookup_ioc(observable=\"45d579faec0eaf279c0841b2233727cf\", mb_type='imphash', limit=10)\n", "display(mbdetail)" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "### Retrieve the latest samples that match the specified icon dhash" ] }, { "cell_type": "code", "execution_count": 9, "metadata": {}, "outputs": [ { "data": { "text/html": [ "
HTML table rendering omitted: the same DataFrame rows appear in the text output of this cell.\n", "
46b01154004b3baac2cc7701d8319f4cc7a7ef361e02937...3b2441005a98b394e393db6bb6c869fb1e61e9af0afe88...ad5f75c5f9471a80a42ddd517af33eac080694e6ae428d94143f5ccba46a5f839074eca92021-07-25 11:41:14Noneae428d94143f5ccba46a5f839074eca9.exe504320application/x-dosexecexe...T1A2B40213B680D473C25119310CE3CA79677DA96E1D38...NoneNone12288:aj0qGutOATlQtEo35BFVrfkpZCq//GVn/5c1ypYJ...48b9b2b0e8c18c90[exe, RaccoonStealer][Win.Malware.Generic-9880784-0, Win.Malware.Ge...1711None
54acbafb8a79411abf461bc4ebe4ad1efe4abe663adcd79...d81df14267a306a36649d233e3d07b2166f0345ba26c26...ca764bbc548407d20f0a465aad48879b405658f1200f4423e9f93a1b71a5ef368ba5919f2021-07-25 05:51:352021-07-25 07:03:21200f4423e9f93a1b71a5ef368ba5919f.exe525824application/x-dosexecexe...T1B1B40154FA71EC32C094087444F5E6A1763CA826B955...NoneNone12288:OlahFbdTbwPjfEmNYYsVWQMkFmqiBPAi:OlahFb1...48b9b2b0e8c18c90[exe, RaccoonStealer][SecuriteInfo.com.W32.AIDetect.malware1.2062.2...1412None
6a6b60d3eaf83eb41ef1a22617ce085d5560f0768728a47...4e94ecf58933955276e1a273d03534d3ce9b8c06649f9b...fceff8fecbbe296d2b1fc4ed0dd4cd435704d2594b6f1e1c7508808132fa6da57ba4f7032021-07-24 17:00:56None4b6f1e1c7508808132fa6da57ba4f703.exe504832application/x-dosexecexe...T14AB40264B190C472E0915A315CE3C752AABEBC75AD7D...NoneNone6144:/s1URJ/dBZ9f9pVpu6TPS57m8+/p/228pv17ZtCmK...48b9b2b0e8c18c90[exe, RaccoonStealer][Win.Malware.Generic-9880784-0, Win.Malware.Ge...1271None
7b1e70a6920b93d6df9e7bf189d43378b5e449beedcf65f...4fa22011a026a385024eafeb277110072482c205c2b1fa...a522645953d3992521b8ce13d5136ff8199de7bd1ef23731d98d4f68020f8266876a87462021-07-24 17:00:53None1ef23731d98d4f68020f8266876a8746.exe504832application/x-dosexecexe...T113B41220F261C873D5A416315CE3C7D5AEAFEC3149A8...NoneNone12288:YOC33JJPtpjz8u6dQDyushZ4H2D5ZyEqL:JC33vP...48b9b2b0e8c18c90[exe, RaccoonStealer][Win.Malware.Generic-9880784-0, Win.Malware.Ge...1281None
84bf2dace8a23551a3cd374a14b68cef6185aa18f9148da...15e9c270e925de997a7a8bccd0267f902130801e954d87...fdc030df123e6e6a712cbc960a2e7c63266bf0400b862b9c889d4bdc6f0bac7d702d87532021-07-24 10:59:302021-07-24 11:49:580b862b9c889d4bdc6f0bac7d702d8753805888application/x-dosexecexe...T1F1051260FAB0CC32C4840A7859F6C6A5262DFC667B70...NoneNone24576:reKt4RjnJ+wWEr55fRue+cfxiskJM0BPA:rORdGA...48b9b2b0e8c18c90[32, exe, TeamBot][SecuriteInfo.com.W32.AIDetect.malware2.23336....1452None
93ad13fd7968f9574d2c822e579291c77a0c525991cfb78...f6ccb0d1c911bea5cd76f893fd9ed9b15a5e651d9f2268...4412581e1e3e21494b2e8311e9a3690f684a743c4ef58d8885410f6befd97f5536756ef42021-07-24 07:05:562021-07-24 07:55:344ef58d8885410f6befd97f5536756ef4.exe4625448application/x-dosexecexe...T1FF26338CFAB2C9B3C84504B186DD8328636FE8523C78...NoneNone98304:I+tu+wI9bpk/h60fb5FX6oWhkwQVNN0cMVNr9wu:...48b9b2b0e8c18c90[exe, Glupteba][SecuriteInfo.com.Trojan.GenericKD.46673241.17...2922None
\n", "

10 rows × 24 columns\n", "" ], "text/plain": [ "[10 rows x 24 columns]" ] }, "metadata": {}, "output_type": "display_data" } ], "source": [ "# Pivot on the icon dhash to find samples that reuse the same icon\n", "mbdetail = mblookup.lookup_ioc(observable=\"48b9b2b0e8c18c90\", mb_type='dhash', limit=10)\n", "display(mbdetail)" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "### Retrieve the latest samples that match the specified Yara rule" ] }, { "cell_type": "code", "execution_count": 10, "metadata": {}, "outputs": [ { "data": { "text/html": [ "DataFrame columns: sha256_hash, sha3_384_hash, sha1_hash, md5_hash, first_seen, last_seen, file_name, file_size, file_type_mime, file_type, ..., telfhash, gimphash, ssdeep, dhash_icon, tags, code_sign, intelligence.clamav, intelligence.downloads, intelligence.uploads, intelligence.mail\n", "
10 rows × 25 columns\n", "" ], "text/plain": [ "[10 rows x 25 columns]" ] }, "metadata": {}, "output_type": "display_data" } ], "source": [ "# Retrieve samples matching a Yara rule name known to Malware Bazaar\n", "mbdetail = mblookup.lookup_ioc(observable=\"win_remcos_g0\", mb_type='yara', limit=10)\n", "display(mbdetail)" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "### Retrieve the latest samples that match the specified TLSH" ] }, { "cell_type": "code", "execution_count": 11, "metadata": {}, "outputs": [ { "data": { "text/html": [ "DataFrame columns: sha256_hash, sha3_384_hash, sha1_hash, md5_hash, first_seen, last_seen, file_name, file_size, file_type_mime, file_type, ..., tlsh, telfhash, gimphash, ssdeep, dhash_icon, tags, intelligence.clamav, intelligence.downloads, intelligence.uploads, intelligence.mail\n", "
10 rows × 24 columns

\n", "
" ], "text/plain": [ " sha256_hash \\\n", "0 52fce8f05b7bcad7c37912d8408be264e25301464474c4... \n", "1 e549369801506cbbef9a872289ac450273a6f1673e2c9b... \n", "2 69b47b24ade5077dd694765b73e1fb2c16c69d03e39f42... \n", "3 cfb9760bf161f34f1f6922babe8c09dd9477b34b832de1... \n", "4 c7d996fed3fac2ff6add0ba741a61176f20dadcf25cfce... \n", "5 f2757682119b5daf632e40b37586d55850ef46cd510f18... \n", "6 eba4014f86d3d6ff53b40db04fe41a62ab3bbea61761d9... \n", "7 2d9e273e556e79c1a712a7b8044be998d681cc7953b1f8... \n", "8 2c3723ae043796895afb2aa8e6d465e65e1fc0b22dac84... \n", "9 6560ba1a1c5046ef58b32c96871949ea41a50f94397721... \n", "\n", " sha3_384_hash \\\n", "0 f7af2c9164495b59c212fe63a822ba96e87fae7c91ad87... \n", "1 2483b4b9e4c0a25d57a6bd628b9c59e6040d37c7760873... \n", "2 93739fdca08dff670f91b4af8b8633809a76173ce97d6f... \n", "3 1d888d5c5c303b6e5871bc70c8672cced0891700e348f4... \n", "4 31c27c607d7691a98a816028cc9804f2427cdf3853cab2... \n", "5 31aff8cd78201e74db323bb3315e6adb954e5358926179... \n", "6 2c7f98f4de25b2c679b08df288eeff364c53f24fda68b1... \n", "7 127294be489448bd6d1f55f399271510e85381a66b2a80... \n", "8 601223ce7eeb84a0545ed9e455b6f0865ca64bbb05b2d9... \n", "9 71a8f2cce38c299324bb98d685bfcd56efa1fec1be4892... 
\n", "\n", " sha1_hash md5_hash \\\n", "0 f4683e2471507c46d615e2139b25507e3406de7f ba061b60e72e81ef174c6f38ecbe40a5 \n", "1 f96464d8c8b3a4591a4bc34452a59df7052aabd9 991b6d39966597c12b0ea799a056d49e \n", "2 b21075a21bd7473620a5d67746185ed0efe17c1b 8f914d42f69b6408cfcb12922ee39699 \n", "3 64b56fa3c3fc6542632d0d5d1d819e4c35cd34ad 1b9453d1193a14db559150f40d953987 \n", "4 9587b2eff81736f4bb98a33782665907bcc98ca5 efdd28e398a9cadc5a97877a90122913 \n", "5 3f8db2d73670b655fbe3375dbb07a5ef676fb082 354f67d77cbf9d5ccd211673205c3dc3 \n", "6 c92d4b2698e653d37de5f7bf4bd3387e00624523 89e958619bc685ce85b52950f52c022e \n", "7 2e387fc861253bd637ba24425030c3be65085bfb 438f2357cf0916af3b6e495c140456b8 \n", "8 c7d18c164f41faf9337a4d2ee7e25fa32d6cc7cb a1efd37441a618a2b4a4a38ebc768051 \n", "9 3dfc79aa0876d075e5917e4f3798e351b75b04d4 fa57f5d615aabe519d250deae48ecdf3 \n", "\n", " first_seen last_seen file_name \\\n", "0 2020-06-17 00:09:41 None pops.works_manahet__913ab4nu59ok.exe.malw \n", "1 2020-06-17 00:09:34 None pops.works_manahet__910ab4nu59ok.exe.malw \n", "2 2020-06-16 23:35:00 None pops.works_manahet__2988ab4nu59ok.exe.malw \n", "3 2020-06-16 23:18:36 None pops.works_manahet__2711ab4nu59ok.exe.malw \n", "4 2020-06-16 22:42:20 None pops.works_manahet__198ab4nu59ok.exe.malw \n", "5 2020-06-16 22:38:15 None pops.works_manahet__1941ab4nu59ok.exe.malw \n", "6 2020-06-16 22:37:40 None pops.works_manahet__1928ab4nu59ok.exe.malw \n", "7 2020-06-16 22:18:19 None pops.works_manahet__1623ab4nu59ok.exe.malw \n", "8 2020-06-16 22:15:46 None pops.works_manahet__158ab4nu59ok.exe.malw \n", "9 2020-06-16 22:08:50 None pops.works_manahet__1498ab4nu59ok.exe.malw \n", "\n", " file_size file_type_mime file_type ... \\\n", "0 496037 application/x-dosexec exe ... \n", "1 496127 application/x-dosexec exe ... \n", "2 495990 application/x-dosexec exe ... \n", "3 496085 application/x-dosexec exe ... \n", "4 496164 application/x-dosexec exe ... \n", "5 496078 application/x-dosexec exe ... 
\n", "6 496390 application/x-dosexec exe ... \n", "7 496056 application/x-dosexec exe ... \n", "8 496289 application/x-dosexec exe ... \n", "9 496017 application/x-dosexec exe ... \n", "\n", " tlsh telfhash gimphash \\\n", "0 4FB44AC6A19643BBEE8766FF358AC55DBC13D91C1B4DB4... None None \n", "1 4FB44AC6A19643BBEE8766FF358AC55DBC13D91C1B4DB4... None None \n", "2 4FB44AC6A19643BBEE8766FF358AC55DBC13D91C1B4DB4... None None \n", "3 4FB44AC6A19643BBEE8766FF358AC55DBC13D91C1B4DB4... None None \n", "4 4FB44AC6A19643BBEE8766FF358AC55DBC13D91C1B4DB4... None None \n", "5 4FB44AC6A19643BBEE8766FF358AC55DBC13D91C1B4DB4... None None \n", "6 4FB44AC6A19643BBEE8766FF358AC55DBC13D91C1B4DB4... None None \n", "7 4FB44AC6A19643BBEE8766FF358AC55DBC13D91C1B4DB4... None None \n", "8 4FB44AC6A19643BBEE8766FF358AC55DBC13D91C1B4DB4... None None \n", "9 4FB44AC6A19643BBEE8766FF358AC55DBC13D91C1B4DB4... None None \n", "\n", " ssdeep dhash_icon \\\n", "0 6144:uXKJlnagpOWod1+3Ea6dDeCR7yaEnC+lbUGhclavU... None \n", "1 6144:uXKJlnagpOWod1+3Ea6dDeCR7yaEnC+lbUGhclavU... None \n", "2 6144:uXKJlnagpOWod1+3Ea6dDeCR7yaEnC+lbUGhclavU... None \n", "3 6144:uXKJlnagpOWod1+3Ea6dDeCR7yaEnC+lbUGhclavU... None \n", "4 6144:uXKJlnagpOWod1+3Ea6dDeCR7yaEnC+lbUGhclavU... None \n", "5 6144:uXKJlnagpOWod1+3Ea6dDeCR7yaEnC+lbUGhclavU... None \n", "6 6144:uXKJlnagpOWod1+3Ea6dDeCR7yaEnC+lbUGhclavU... None \n", "7 6144:uXKJlnagpOWod1+3Ea6dDeCR7yaEnC+lbUGhclavU... None \n", "8 6144:uXKJlnagpOWod1+3Ea6dDeCR7yaEnC+lbUGhclavU... None \n", "9 6144:uXKJlnagpOWod1+3Ea6dDeCR7yaEnC+lbUGhclavU... None \n", "\n", " tags intelligence.clamav \\\n", "0 [malw, TrickBot] [SecuriteInfo.com.BScope.Backdoor.Emotet.14181... \n", "1 [malw, TrickBot] [SecuriteInfo.com.BScope.Backdoor.Emotet.14181... \n", "2 [malw, TrickBot] [SecuriteInfo.com.BScope.Backdoor.Emotet.14181... \n", "3 [malw, TrickBot] [SecuriteInfo.com.BScope.Backdoor.Emotet.14181... \n", "4 [malw, TrickBot] [SecuriteInfo.com.BScope.Backdoor.Emotet.14181... 
\n", "5 [malw, TrickBot] [SecuriteInfo.com.BScope.Backdoor.Emotet.14181... \n", "6 [malw, TrickBot] [SecuriteInfo.com.BScope.Backdoor.Emotet.14181... \n", "7 [malw, TrickBot] [SecuriteInfo.com.BScope.Backdoor.Emotet.14181... \n", "8 [malw, TrickBot] [SecuriteInfo.com.BScope.Backdoor.Emotet.14181... \n", "9 [malw, TrickBot] [SecuriteInfo.com.BScope.Backdoor.Emotet.14181... \n", "\n", " intelligence.downloads intelligence.uploads intelligence.mail \n", "0 68 1 None \n", "1 67 1 None \n", "2 59 1 None \n", "3 61 1 None \n", "4 60 1 None \n", "5 54 1 None \n", "6 53 1 None \n", "7 61 1 None \n", "8 57 1 None \n", "9 58 1 None \n", "\n", "[10 rows x 24 columns]" ] }, "metadata": {}, "output_type": "display_data" } ], "source": [ "mbdetail = mblookup.lookup_ioc(observable=\"4FB44AC6A19643BBEE8766FF358AC55DBC13D91C1B4DB4FBC789AA020A31B05ED12350\", mb_type='tlsh', limit=10)\n", "display(mbdetail)" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "### Retrieve the latest samples that match the specified Telfhash" ] }, { "cell_type": "code", "execution_count": 12, "metadata": { "tags": [] }, "outputs": [ { "data": { "text/html": [ "
" ], "text/plain": [ " sha256_hash \\\n", "0 2a57fa24db780dbd1f69f8e5a1b9b706b8c194c191caab... \n", "1 9367a86cc5573afc8c34963ac610baaa59fc279c2f38d1... \n", "2 89b34c5b07f27d0d28a497525340fa17a623d53544dd59... \n", "3 0ca882a6b9eac11e951bdb8dbf44dccf66c63818c68846... \n", "4 f72ef232f04ae1ea49281e8e1d8a3d0b39ffd6622f8e8a... \n", "5 3386838e10e6f0235e26615bc5ca8fa43139eb0cf58453... \n", "6 398c0b834906624f41aad7609c6a1d65a684f173a62fb6... \n", "7 e3065b89a497edde2a814cf88204aa09a6ab6f181d8893... \n", "8 15ff59c63e25fee8ab22639ee034600557090bb2789d0e... \n", "9 84b5aa70e56ee461234480fd887a2b08c5e717b62b3020... \n", "\n", " sha3_384_hash \\\n", "0 a0a788306dea0da357ebf2a9eb8e33b5a49cff4e834d79... \n", "1 c3c8157eb7b395eb7bc3560af8efd89c1283b46358d682... \n", "2 8e356f3cdfa5bb04e25cc11496768b649b62af0d57812a... \n", "3 b04d983571c634862a94710c75fefe5b3cb61286e8f26b... \n", "4 2565e69468bc93b44a7d2e7b871c21dca89b00584a4863... \n", "5 ae605253a5c8860b33e6528e2a518a517429628996e392... \n", "6 ba9d52b4a7b604eb063a92ba0bfa4b6dcab88e137601a4... \n", "7 7cc24dc2189d4502dc5f773826fecc43d05074bd6fb867... \n", "8 a640ad190054466151b16ea18dc6ae262ec3b240beda28... \n", "9 643287d5665d73b3bfdd40bca2895d57d98f121747431a... 
\n", "\n", " sha1_hash md5_hash \\\n", "0 51b84deed7b2241107fc2466ee35515c8bbf7c3f 9cd79b3a9da869b9b763620691ecc044 \n", "1 2cebe480f78bb005ec20a1b35f4d7701b6fb6021 cb8d0427ff2256bca6d0f668b66dc803 \n", "2 a9ad5e11e59037ebc178eac0f4708f590a6d7e0a c8998a85f4c9f1d79ef360cf10ce01e3 \n", "3 cfadb6f29ef5fe8c2a05304002d446843a074e25 3208d52296dc5bd0d016b0869c3cc4c7 \n", "4 ff94b4e679a2af8da8a158ad47d73c45bb900213 59eb4dba2597fcf07f1953c8d7df8226 \n", "5 ef59eb366924c376a377e6ef072f276aea26e0fb 6407985c60bd18bee0339e8e949dfe43 \n", "6 5fec0097093243d3d69f1c473eb4a2a992b58dcf b1abf91fe2460339de5ab1d2da23b2a5 \n", "7 7627d5f44dfbdcb332fc824693aee63004bef180 7b1ac2b9ff3e06aecca478466be683d8 \n", "8 405096c641c1af1417fe239be43611a184fc48bd de61ac7b487c95db132070e6add18c7c \n", "9 17bdf61c4fa9fa9d6717f595b44207861287c26d e495a650899a09ff1b1bbb22e5c1b42c \n", "\n", " first_seen last_seen file_name file_size \\\n", "0 2021-06-22 15:22:38 None 9cd79b3a9da869b9b763620691ecc044 68176 \n", "1 2021-02-23 19:16:02 None cb8d0427ff2256bca6d0f668b66dc803 68176 \n", "2 2021-02-23 19:16:00 None c8998a85f4c9f1d79ef360cf10ce01e3 68176 \n", "3 2021-02-23 19:13:38 None 3208d52296dc5bd0d016b0869c3cc4c7 68144 \n", "4 2021-02-23 19:13:13 None 59eb4dba2597fcf07f1953c8d7df8226 68144 \n", "5 2021-02-23 19:13:06 None 6407985c60bd18bee0339e8e949dfe43 68176 \n", "6 2021-02-23 19:12:31 None b1abf91fe2460339de5ab1d2da23b2a5 68176 \n", "7 2021-02-23 19:10:19 None 7b1ac2b9ff3e06aecca478466be683d8 68176 \n", "8 2021-02-23 19:10:16 None de61ac7b487c95db132070e6add18c7c 68176 \n", "9 2021-02-23 19:10:04 None e495a650899a09ff1b1bbb22e5c1b42c 68144 \n", "\n", " file_type_mime file_type ... \\\n", "0 application/x-executable elf ... \n", "1 application/x-executable elf ... \n", "2 application/x-executable elf ... \n", "3 application/x-executable elf ... \n", "4 application/x-executable elf ... \n", "5 application/x-executable elf ... \n", "6 application/x-executable elf ... 
\n", "7 application/x-executable elf ... \n", "8 application/x-executable elf ... \n", "9 application/x-executable elf ... \n", "\n", " tlsh \\\n", "0 88635AC4B643D9F2ED0602B52477EF338E76F5B6216AF9... \n", "1 E3634AC4B643D9F2ED0602B52477EF338E76F5B6216AF9... \n", "2 81634BC4B643D9F2ED0602B524B7EF338E76F5B6216AF9... \n", "3 5C634AC8BA43D9F2EC0602B52077EF338E76F5B6215AF9... \n", "4 C3634AC8BA43D9F2EC1602B52077EF338E76F5B6215AF9... \n", "5 65634AC4B643D9F2ED0602B52477EF338E76F5B6216AF9... \n", "6 0D634AC4B643D9F2ED0602B52477EF338E76F5B6216AF9... \n", "7 B7634AC4B643D9F2ED0602B52477EF338E76F5B6216AF9... \n", "8 99634BC4B643D9F2ED0602B524B7EF338E76F5B6216AF9... \n", "9 85634AC8BA43D9F2EC0602B52077EF338E76F5B6215AF9... \n", "\n", " telfhash gimphash \\\n", "0 ea2106f51e7e58d9b7e4a400c29b5f623d5df13b299037... None \n", "1 ea2106f51e7e58d9b7e4a400c29b5f623d5df13b299037... None \n", "2 ea2106f51e7e58d9b7e4a400c29b5f623d5df13b299037... None \n", "3 ea2106f51e7e58d9b7e4a400c29b5f623d5df13b299037... None \n", "4 ea2106f51e7e58d9b7e4a400c29b5f623d5df13b299037... None \n", "5 ea2106f51e7e58d9b7e4a400c29b5f623d5df13b299037... None \n", "6 ea2106f51e7e58d9b7e4a400c29b5f623d5df13b299037... None \n", "7 ea2106f51e7e58d9b7e4a400c29b5f623d5df13b299037... None \n", "8 ea2106f51e7e58d9b7e4a400c29b5f623d5df13b299037... None \n", "9 ea2106f51e7e58d9b7e4a400c29b5f623d5df13b299037... None \n", "\n", " ssdeep dhash_icon \\\n", "0 1536:5g80fNaLw64nUcBTicXg5PcS/DLhtcrol2fas6vYU... None \n", "1 1536:5g80fNaLw64nUcBTicXg5PcS/DLhtcrol2fas6vYU... None \n", "2 1536:5g80fNaLw64nUcBTicXg5PcS/DLhtcu/JOas6vYUZ... None \n", "3 1536:Dc0fNarwa4HU8Bzi83gZP8SfjLBoCYFehRbz3xZGH... None \n", "4 1536:Dc0fNarwa4HU8Bzi83gZP8SfjLBoCYFehRbz3xZGH... None \n", "5 1536:5g80fNaLw64nUcBTicXg5PcS/DLhtcMl2fas6vYUR... None \n", "6 1536:5g80fNaLw64nUcBTicXg5PcS/DLhtcMol2eas6vYU... None \n", "7 1536:5g80fNaLw64nUcBTicXg5PcS/DLhtcrol2fas6vYU... None \n", "8 1536:5g80fNaLw64nUcBTicXg5PcS/DLhtcu/JOas6vYUR... 
None \n", "9 1536:Dc0fNarwa4HU8Bzi83gZP8SfjLBoCYFehRbz3xZGH... None \n", "\n", " tags intelligence.clamav \\\n", "0 [32, elf, intel, mirai] [SecuriteInfo.com.Linux.Mirai-29.UNOFFICIAL, S... \n", "1 [botnet, mirai] [SecuriteInfo.com.Linux.Mirai-29.UNOFFICIAL, S... \n", "2 [botnet, mirai] [SecuriteInfo.com.Linux.Mirai-29.UNOFFICIAL, S... \n", "3 [botnet, mirai] [SecuriteInfo.com.Linux.Mirai-29.UNOFFICIAL, S... \n", "4 [botnet, mirai] [SecuriteInfo.com.Linux.Mirai-29.UNOFFICIAL, S... \n", "5 [botnet, mirai] [SecuriteInfo.com.Linux.Mirai-29.UNOFFICIAL, S... \n", "6 [botnet, mirai] [SecuriteInfo.com.Linux.Mirai-29.UNOFFICIAL, S... \n", "7 [botnet, mirai] [SecuriteInfo.com.Linux.Mirai-29.UNOFFICIAL, S... \n", "8 [botnet, mirai] [SecuriteInfo.com.Linux.Mirai-29.UNOFFICIAL, S... \n", "9 [botnet, mirai] [SecuriteInfo.com.Linux.Mirai-29.UNOFFICIAL, S... \n", "\n", " intelligence.downloads intelligence.uploads intelligence.mail \n", "0 118 1 None \n", "1 132 1 None \n", "2 135 1 None \n", "3 91 1 None \n", "4 58 1 None \n", "5 58 1 None \n", "6 56 1 None \n", "7 51 1 None \n", "8 54 1 None \n", "9 51 1 None \n", "\n", "[10 rows x 24 columns]" ] }, "metadata": {}, "output_type": "display_data" } ], "source": [ "mbdetail = mblookup.lookup_ioc(observable=\"ea2106f51e7e58d9b7e4a400c29b5f623d5df13b299037a00463e93033abe466069c7a\", mb_type='telfhash', limit=10)\n", "display(mbdetail)" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "### Retrieve the latest samples that match the specified Gimphash" ] }, { "cell_type": "code", "execution_count": 13, "metadata": {}, "outputs": [ { "data": { "text/html": [ "
" ], "text/plain": [ " sha256_hash \\\n", "0 9e9fa8b3b0a59762b429853a36674608df1fa7d7f7140c... \n", "\n", " sha3_384_hash \\\n", "0 74e9232b812f998d63121c5836d26e85c09abea8e8e3c2... \n", "\n", " sha1_hash md5_hash \\\n", "0 265a613ac405e6c3557e36a19f0ead2d18638cb0 06124da5b4d6ef31dbfd7a6094fc52a6 \n", "\n", " first_seen last_seen file_name file_size \\\n", "0 2022-04-05 06:30:21 2022-04-05 08:07:53 base-update.exe 4499408 \n", "\n", " file_type_mime file_type ... \\\n", "0 application/x-dosexec exe ... \n", "\n", " tlsh telfhash \\\n", "0 T1C1264B23F89154E9C0AED230C666D262BB7178945730... None \n", "\n", " gimphash \\\n", "0 50f5783c2188897815d9b34a77aa4df70ac96a71542ddc... \n", "\n", " ssdeep dhash_icon \\\n", "0 49152:lPz3d4kmYh3Urb/TcvO90dL3BmAFd4A64nsfJTxe... None \n", "\n", " tags \\\n", "0 [Elephant, exe, Hive, Ransomware] \n", "\n", " intelligence.clamav intelligence.downloads \\\n", "0 [SecuriteInfo.com.Trojan.PWS.Siggen3.13990.534... 213 \n", "\n", " intelligence.uploads intelligence.mail \n", "0 2 None \n", "\n", "[1 rows x 24 columns]" ] }, "metadata": {}, "output_type": "display_data" } ], "source": [ "mbdetail = mblookup.lookup_ioc(observable=\"50f5783c2188897815d9b34a77aa4df70ac96a71542ddc79b94fef8ce7ba2120\", mb_type='gimphash', limit=10)\n", "display(mbdetail)" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "### Retrieves latest samples that matches the specified Certificate Issuer Info" ] }, { "cell_type": "code", "execution_count": 14, "metadata": {}, "outputs": [ { "data": { "text/html": [ "
" ], "text/plain": [ " sha256_hash sha3_384_hash \\\n", "0 bbb3c68240e69552a21b9fc649cf9a2686d26ad9297d87... None \n", "1 cf5da5a9b8b16d91c32b99d0379ff6729b42606ff38fee... None \n", "2 68fff33757fe2d5f3453319c42c4f2fa0e566db3e9e192... None \n", "3 8d50514a50c7f6c76a47524a40aba6d7b25de685c5558b... None \n", "4 57d6f2bef4bb6701f19f1009528cc716c8e220f3c86601... None \n", ".. ... ... \n", "95 1bdc2af9d05938e370a3aa3bdca8cc58923e85461f15cd... None \n", "96 01c434536512a312098bcdf8a82dc3172153e15b7c033a... None \n", "97 950008035d225dd5f4c3a229082f1206eb9bce8c4aa482... None \n", "98 8140ac01ec377af7788eddd79d665d5000b34e7d064499... None \n", "99 7c549b6db99a8422b4e3c5a4d291057832ac5a36b6368a... None \n", "\n", " sha1_hash \\\n", "0 fece4c968c28f10849f7708346842a4c844aa5d3 \n", "1 b575cf708602d0285e97071dc7bee8daef415832 \n", "2 7feb1ad024ba549905c3e112982db2ff6d7a066b \n", "3 9e7af942ca6147a9517c16f018d61f6a025044c3 \n", "4 d775b52aa8e1ca033572757b64f212b1701ce4ef \n", ".. ... \n", "95 04750cdaa55f51c718b1dace954e52007dcfcb24 \n", "96 5f91717901585e8de4993fd916703314bcac6715 \n", "97 549735f585590452985451faf8ab1e6f22903abf \n", "98 9db7b3f5c7cff58d8a06f2f4cc82d9f7339f49e1 \n", "99 575f6e0a006bc19d5dfb5e5001f0b2b1a69cc0e8 \n", "\n", " md5_hash first_seen \\\n", "0 4a4d26599ba12e48de5310d2b789ef90 2022-07-15 14:43:52 \n", "1 99fdd1d682a0c2999731ad61b2c0cc2e 2022-07-14 18:20:50 \n", "2 84786123b44e1c871a458403c82519ae 2022-07-12 10:45:18 \n", "3 9ba470b8527aa227810d0c7316ab0a5a 2022-07-11 09:47:25 \n", "4 d0fca62ff23bf70ee6a3fc41cff8b2c1 2022-07-11 09:47:20 \n", ".. ... ... 
\n", "95 76e1ca1c6012b83e028f5c6b20247dd6 2021-12-15 10:59:36 \n", "96 ea93eb3704c67210a65f14cde3feb6d2 2021-12-15 10:59:29 \n", "97 518d125bb64a8f8dc8b94054daf5e6df 2021-12-14 20:14:05 \n", "98 67d5dfcde8225a0cdf760d833ca44387 2021-12-14 17:50:31 \n", "99 62f20e4565b40b78c9b0c1c7f77c1f64 2021-12-14 17:49:42 \n", "\n", " last_seen file_name \\\n", "0 None virussign.com_4a4d26599ba12e48de5310d2b789ef90 \n", "1 2022-07-14 22:04:43 99fdd1d682a0c2999731ad61b2c0cc2e.exe \n", "2 None 68fff33757fe2d5f3453319c42c4f2fa0e566db3e9e192... \n", "3 None 8d50514a50c7f6c76a47524a40aba6d7b25de685c5558b... \n", "4 None 57d6f2bef4bb6701f19f1009528cc716c8e220f3c86601... \n", ".. ... ... \n", "95 2021-12-15 13:01:09 1bdc2af9d05938e370a3aa3bdca8cc58923e85461f15cd... \n", "96 2021-12-15 13:01:16 01c434536512a312098bcdf8a82dc3172153e15b7c033a... \n", "97 2021-12-15 00:51:19 518d125bb64a8f8dc8b94054daf5e6df \n", "98 None Yukoste3.ocx \n", "99 None Yukoste1.ocx \n", "\n", " file_size file_type_mime file_type ... anonymous \\\n", "0 3393656 application/x-dosexec exe ... 0 \n", "1 17269872 application/x-dosexec exe ... 0 \n", "2 1795832 application/x-dosexec exe ... 0 \n", "3 1222592 application/x-dosexec dll ... 0 \n", "4 1222592 application/x-dosexec dll ... 0 \n", ".. ... ... ... ... ... \n", "95 782256 application/x-dosexec dll ... 0 \n", "96 524720 application/x-dosexec dll ... 0 \n", "97 375656 application/x-dosexec exe ... 0 \n", "98 535440 application/x-dosexec dll ... 0 \n", "99 782224 application/x-dosexec dll ... 0 \n", "\n", " signature imphash \\\n", "0 None 00be6e6c4f9e287672c8301b72bdabf3 \n", "1 RemoteManipulator 38be718d163809a15e0c7a672311fe41 \n", "2 None 117f9d7a56c3cbec9a67cd881171e7ec \n", "3 None 31b08bc72f8daf46c9fc08479f4bb223 \n", "4 None 31b08bc72f8daf46c9fc08479f4bb223 \n", ".. ... ... 
\n", "95 Quakbot c967abd8a4b2caed74d57814c5fadb12 \n", "96 Quakbot 8e3a2e9f601b5312da264792515ac8a5 \n", "97 CobaltStrike 1e8a809e0505b426516db96be454b4f8 \n", "98 Matanbuchus c87b0244d3ec3baa302e51fc063cf2a4 \n", "99 Quakbot c967abd8a4b2caed74d57814c5fadb12 \n", "\n", " tlsh telfhash gimphash \\\n", "0 T19EF512C1EDA042B9E6A10F3149A5F6351B6D3FF0FE24... None None \n", "1 T19407336BE7E68825D4FB47BA09BD8B20177ABCC91813... None None \n", "2 T184855D21A3D58437D0732E7A5C2A96946D2A7E202E78... None None \n", "3 T10F45CFB31914679AF370743E475C238164EB9C894BC9... None None \n", "4 T11845CFB31914679AF370743E475C238164EB9C894BC9... None None \n", ".. ... ... ... \n", "95 T194F49F22B2F14477C1B32A3D9C7B52A594297E113E38... None None \n", "96 T199B4AF22F6D04437C2732A388C5F56A8A8357E502E29... None None \n", "97 T1FB84F361B2D6AF33F5135633C479AFB21E0BDDA802CE... None None \n", "98 T1C4B47CB6B7DF8437D22315389C5B6F74A835FE502D28... None None \n", "99 T1ECF49F22B1F18477C1B32A3D9C7B52A594297E113E38... None None \n", "\n", " ssdeep dhash_icon \\\n", "0 98304:C5zgfx9C7H5O1Wy8GgZ5samBLz2aj352a0GV027Z... 78e4cad0e6a6b8d8 \n", "1 393216:YfdYUDnIXid6KrMleGADjXUlQuEPrDLQCLs6JAY... c4dacabacac0c244 \n", "2 49152:1gE01Su+FT8wSa3C3+6Oo9grFiw5fT+XOnUg:1gV... cc94b2a6a2a2a0f0 \n", "3 12288:vf9ROHAu+fkh6oxqCiZk2r/mPoQrHJRM0dN+WMNx... None \n", "4 12288:Vf9ROHAu+fkh6oxqCiZk2r/mPoQrHJRM0dN+WMNx... None \n", ".. ... ... \n", "95 12288:W03XYpmWl+zDTCWxLgXUlId1AMK++U4wvpAHXQDf... 399998ecd4d46c0e \n", "96 12288:iPjtak6OdAvsE1655WY9NceCizMz/NrKp+:Ujgeb... 399998ecd4d46c0e \n", "97 6144:eum89DM6Wn26B/vLcTnR2PYbtw3nnhsW/WQkwy+qq... c0d4ec80b0b4b4e4 \n", "98 12288:OCoerqtL8cwg/dQA1pb6ENUvIq9YXItrhL+hMalf... 399998ecd4d46c0e \n", "99 12288:B03XYpmWl+zDTCWxLgXUlId1AMK++U4wvpAHXQDf... 399998ecd4d46c0e \n", "\n", " tags \\\n", "0 [exe, signed] \n", "1 [exe, RemoteManipulator, signed] \n", "2 [exe, signed] \n", "3 [dll, OmniContact, signed] \n", "4 [dll, OmniContact, signed] \n", ".. ... 
\n", "[100 rows x 21 columns]" ] }, "metadata": {}, "output_type": "display_data" } ], "source": [ "mbdetail = mblookup.lookup_ioc(observable=\"Sectigo RSA Code Signing CA\", mb_type='issuerinfo')\n", "display(mbdetail)" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "### Retrieves the latest samples that match the specified Certificate Subject Info" ] }, { "cell_type": "code", "execution_count": 15, "metadata": {}, "outputs": [ { "data": { "text/html": [ "
" ], "text/plain": [ "[4 rows x 21 columns]" ] }, "metadata": {}, "output_type": "display_data" } ], "source": [ "mbdetail = mblookup.lookup_ioc(observable=\"Ekitai Data Inc.\", mb_type='subjectinfo')\n", "display(mbdetail)" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "### Retrieves the latest samples that match the specified Certificate Serial Number" ] }, { "cell_type": "code", "execution_count": 16, "metadata": {}, "outputs": [ { "data": { "text/html": [ "
" ], "text/plain": [ "[19 rows x 21 columns]" ] }, "metadata": {}, "output_type": "display_data" } ], "source": [ "mbdetail = mblookup.lookup_ioc(observable=\"51CD5393514F7ACE2B407C3DBFB09D8D\", mb_type='certificate')\n", "display(mbdetail)" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "## Get Recent Samples Added\n", "\n", "The samples most recently added to the Malware Bazaar database can be retrieved with the get_recent() function. \n", "\n", "This function takes a 'selector' parameter that can be:\n", "* 'time': to retrieve the samples added in the last 60 minutes\n", "* 100: to get the latest 100 samples\n", "\n", "The example below shows how to use it. " ] }, { "cell_type": "code", "execution_count": 19, "metadata": {}, "outputs": [ { "data": { "text/html": [ "
36e294639b9e9dec345a4b9bdeb29bd5695ea2d84e0fa88...7ba5d10ded17ef135d101e5caec3c8e8959b0beb25e6bd...69bf7182f7cd72ca775be7736b843345efbbdc0eca25cc1a0351513cbb0bb70343b038622022-08-11 09:19:27Noneca25cc1a0351513cbb0bb70343b03862857600application/x-dosexecexe...NoneNone12288:WEoKggb2iNdvpc++HRBTEdG6gAGYN/lXXE5fRPcX...None[32, exe, Formbook, trojan][]None1011None
49bc54f008c1a379e2a422b64b57339e7a3d8ee01745dd0...513b59672d898a92ea8b79a2c015cc79867ed7cac5d271...117b1e130cc2f2406b0f38d3b3677e4699f6521457ecac082ee320cf94b2de1a0927a9942022-08-11 09:19:13None57ecac082ee320cf94b2de1a0927a994879616application/x-dosexecexe...NoneNone24576:eoKgK1XpSN1RgXrhOquNb9cMQSKScGWgi:bKgKV7...None[32, AgentTesla, exe][]None1071None
5f2a4cc133dfeca5432bf22c2817aeb8edb434057711727...13ad83f7ec5e622b022a06b80f2afa90272cb6a5d7eb5f...b1eedf6d0b197b0d743e60390864aa279f1f915ab9694513a38e321b8cbfd807367b7e212022-08-11 09:15:26NoneProject sheets.pdf.exe147736application/x-dosexecexe...NoneNone3072:rTpc2Du8SknETVtyMl9Rrhr7jmSBe9BeZ/F8xB2dM...d2e8ecb2b2a2b282[exe, Loki][]None1221None
6f53a803c52691f8506f33d2719028822db93ae1799d0ba...32b0422e11faafaa49f39f0df7b093cddeb316f5087134...9b2c6fddac6ea6c27a2c5c25d515d389429703c04e416bdf228c332a60a4fc0d8326373f2022-08-11 09:00:33None4e416bdf228c332a60a4fc0d8326373f.exe207360application/x-dosexecexe...NoneNone3072:wzEqV6B1jHa6dtJ10jgvzcgi+oG/j9iaMP2s/HIPs...None[exe, NanoCore, RAT][]None1451None
7ba66c7a46a35c1b38aa76a199ae19a65674786771b153e...5983e487146283ae8c880a5c21b7ef989307d0a0327d59...b340afd00d6feb4da15b9b10446417e51d3f7082e6ae2071837c90e79a7f4c6e8e778f0f2022-08-11 09:00:31Nonee6ae2071837c90e79a7f4c6e8e778f0f.exe923829application/x-dosexecexe...NoneNone24576:pAT8QE+kEVNpJc7Y/sDZ0239GhjS9knREHXsW02E...b298acbab2ca7a72[exe, RecordBreaker][]None1331None
893b24291abe4b2c7d3eebd64168cf86e5b36571bd30645...bc79bfe7cf79004f707014cae678bb19a55a91402cc143...92b194b6c75c6c2e8e693fca7f0c660fbcd70be576755f4c31240a6247689c0ffdc6e6272022-08-11 08:45:49NoneAST_928765425672-09876353B.exe864256application/x-dosexecexe...NoneNone12288:9N+7nP3i1XkYIgj7wPQdh0TLeb9hIv001mWfTd0:...c496b2b8fcccacdc[AgentTesla, exe][]None1751None
908375457359c0439dde333b220071987d355b3a2b0aa9f...ca9ceb34ae3cd40cd0767a8d665a8346af419f56fd023b...58133e441cebee95176aba75ef533a99af208758bb2518245e5b20e35c7a22521be3b6fb2022-08-11 08:45:38NoneMV TONIC_CTM REQUEST.exe762368application/x-dosexecexe...NoneNone12288:xqoKggb2iNdvpc++E4+xp985R+J0vuxrHeBCVLbC...None[exe, Loki][]None1591None
10f3d62ca6b2dfd77bd362dc1f4ec6e99bb43302e82583e6...936d638104e56fd4cdbf6f56c1ea63679a02e763eaef01...cd8ddf4094ff130568ace0dfc578500213eb5be4d3c1e94c64ce0e37e03af92f18067ea42022-08-11 08:40:28Noned3c1e94c64ce0e37e03af92f18067ea4.exe922983application/x-dosexecexe...NoneNone24576:pAT8QE+kHVNpJc7Y/sDZ0239GhjS9knREHXsW02E...b298acbab2ca7a72[exe, RecordBreaker][]None1581None
11cce110eed95c36bf618669b1a290ee90b5152ee9c660b6...c5becc588aaf916b5e3410577e7da0c584580acb8b9133...998f81830fedf6ed17772adbafb0e35f4db9092150e4b08657bacf6cc461e5b804bf63272022-08-11 08:33:42NoneCerere de oferta P.0- 202208100237RO.vbs3279text/plainvbs...NoneNone48:7VH5HxRyYdZGYG6QSdtBGJS8rSMB0sAZtBL0Bd1lzyo...None[RemcosRAT, vbs][]None921None
126461adafdbd61960915775dea557e0e90befe75f1dd4e5...22e9653bd814fd0e4c1f56f32531089bafcd274bb5a80e...656b499793e15d10ff2f5c390fe68b0936747bf40981f372b79a6cb066b549f77222ed992022-08-11 08:33:22NoneBlocked_Mtcn_pdf.jar762743application/zipjar...NoneNone12288:pYLm8IIt9zaZOodSEq0MmKKpwF5RL+g581tQWyq2...None[jar, Vjw0rm][]None931None
132d879a04feb390c4a7fcf0351a18ac23b203936dac3dcf...6691d54452ae7f6edbbae5340a96021673d31cf1e82b43...c77c349436d747a1509870d687221ada7528ecaef8d8bd0c38f4c99a83a38856fa9b7e4e2022-08-11 08:33:10NoneDhl.exe109568application/x-dosexecexe...NoneNone192:Gy1HDYwzBbx3Z5FvmTAOeqfOZQNdDnHOiSa52nkwi6...0000000000000000[DHL, exe, Formbook][]None1761None
14aa7436d336aa352db635976f19fe9f6fce9078608d3fdb...f8e4f386d86829a3e01c46da571c694079c16a7bbec253...6f091e5c2c085341e4b95b79b9d0f5738f3adb55382b66f8a5dca1305cf1e5de83b7fdef2022-08-11 08:32:53NoneTNT Original Invoice.exe289824application/x-dosexecexe...NoneNone6144:joq5HAUwC5UM1kSlTXmLAtBP8wGYmLReHgcaVkJvp...d2e8ecb2b2a2b282[exe, Formbook, TNT, VelvetSweatshop][]None1661None
\n", "

15 rows × 26 columns

\n", "
" ], "text/plain": [ " sha256_hash \\\n", "0 f9a6e8aed26a829f9af2ecf722dc09ed76a3144d6fe4bc... \n", "1 ce1e8e57264e84d75ed4960855768418c7a73707d0855d... \n", "2 2582008cc5626a748f4926d0973f1b4ea0717e5167e1f7... \n", "3 6e294639b9e9dec345a4b9bdeb29bd5695ea2d84e0fa88... \n", "4 9bc54f008c1a379e2a422b64b57339e7a3d8ee01745dd0... \n", "5 f2a4cc133dfeca5432bf22c2817aeb8edb434057711727... \n", "6 f53a803c52691f8506f33d2719028822db93ae1799d0ba... \n", "7 ba66c7a46a35c1b38aa76a199ae19a65674786771b153e... \n", "8 93b24291abe4b2c7d3eebd64168cf86e5b36571bd30645... \n", "9 08375457359c0439dde333b220071987d355b3a2b0aa9f... \n", "10 f3d62ca6b2dfd77bd362dc1f4ec6e99bb43302e82583e6... \n", "11 cce110eed95c36bf618669b1a290ee90b5152ee9c660b6... \n", "12 6461adafdbd61960915775dea557e0e90befe75f1dd4e5... \n", "13 2d879a04feb390c4a7fcf0351a18ac23b203936dac3dcf... \n", "14 aa7436d336aa352db635976f19fe9f6fce9078608d3fdb... \n", "\n", " sha3_384_hash \\\n", "0 054e57fe702fad8b75cefc8e91f071876b253b7cf48bf3... \n", "1 2945d468176ca3766e5982574652025887cdce34028f4c... \n", "2 05d09b744be600daf03e2f67bcdc4b81ee317336ee7988... \n", "3 7ba5d10ded17ef135d101e5caec3c8e8959b0beb25e6bd... \n", "4 513b59672d898a92ea8b79a2c015cc79867ed7cac5d271... \n", "5 13ad83f7ec5e622b022a06b80f2afa90272cb6a5d7eb5f... \n", "6 32b0422e11faafaa49f39f0df7b093cddeb316f5087134... \n", "7 5983e487146283ae8c880a5c21b7ef989307d0a0327d59... \n", "8 bc79bfe7cf79004f707014cae678bb19a55a91402cc143... \n", "9 ca9ceb34ae3cd40cd0767a8d665a8346af419f56fd023b... \n", "10 936d638104e56fd4cdbf6f56c1ea63679a02e763eaef01... \n", "11 c5becc588aaf916b5e3410577e7da0c584580acb8b9133... \n", "12 22e9653bd814fd0e4c1f56f32531089bafcd274bb5a80e... \n", "13 6691d54452ae7f6edbbae5340a96021673d31cf1e82b43... \n", "14 f8e4f386d86829a3e01c46da571c694079c16a7bbec253... 
\n", "\n", " sha1_hash \\\n", "0 b89f8a9d02dbb2139430a1a30314e4f2cff29f71 \n", "1 7fd429ceb24c476a9b3796fe71961575e7637738 \n", "2 e03a9f658327fc96d774ae19d714add257a10d88 \n", "3 69bf7182f7cd72ca775be7736b843345efbbdc0e \n", "4 117b1e130cc2f2406b0f38d3b3677e4699f65214 \n", "5 b1eedf6d0b197b0d743e60390864aa279f1f915a \n", "6 9b2c6fddac6ea6c27a2c5c25d515d389429703c0 \n", "7 b340afd00d6feb4da15b9b10446417e51d3f7082 \n", "8 92b194b6c75c6c2e8e693fca7f0c660fbcd70be5 \n", "9 58133e441cebee95176aba75ef533a99af208758 \n", "10 cd8ddf4094ff130568ace0dfc578500213eb5be4 \n", "11 998f81830fedf6ed17772adbafb0e35f4db90921 \n", "12 656b499793e15d10ff2f5c390fe68b0936747bf4 \n", "13 c77c349436d747a1509870d687221ada7528ecae \n", "14 6f091e5c2c085341e4b95b79b9d0f5738f3adb55 \n", "\n", " md5_hash first_seen last_seen \\\n", "0 6444777ae59bee41428a9c3a53741c80 2022-08-11 09:29:03 None \n", "1 fea743ac96b30d64f914d491e802abc1 2022-08-11 09:22:06 None \n", "2 2f4a3782d2ab90126ff927026dac5077 2022-08-11 09:19:47 None \n", "3 ca25cc1a0351513cbb0bb70343b03862 2022-08-11 09:19:27 None \n", "4 57ecac082ee320cf94b2de1a0927a994 2022-08-11 09:19:13 None \n", "5 b9694513a38e321b8cbfd807367b7e21 2022-08-11 09:15:26 None \n", "6 4e416bdf228c332a60a4fc0d8326373f 2022-08-11 09:00:33 None \n", "7 e6ae2071837c90e79a7f4c6e8e778f0f 2022-08-11 09:00:31 None \n", "8 76755f4c31240a6247689c0ffdc6e627 2022-08-11 08:45:49 None \n", "9 bb2518245e5b20e35c7a22521be3b6fb 2022-08-11 08:45:38 None \n", "10 d3c1e94c64ce0e37e03af92f18067ea4 2022-08-11 08:40:28 None \n", "11 50e4b08657bacf6cc461e5b804bf6327 2022-08-11 08:33:42 None \n", "12 0981f372b79a6cb066b549f77222ed99 2022-08-11 08:33:22 None \n", "13 f8d8bd0c38f4c99a83a38856fa9b7e4e 2022-08-11 08:33:10 None \n", "14 382b66f8a5dca1305cf1e5de83b7fdef 2022-08-11 08:32:53 None \n", "\n", " file_name file_size \\\n", "0 91361.doc 9068 \n", "1 Copia di pagamento-3400753232678_001-11.08.202... 
625664 \n", "2 2f4a3782d2ab90126ff927026dac5077 834560 \n", "3 ca25cc1a0351513cbb0bb70343b03862 857600 \n", "4 57ecac082ee320cf94b2de1a0927a994 879616 \n", "5 Project sheets.pdf.exe 147736 \n", "6 4e416bdf228c332a60a4fc0d8326373f.exe 207360 \n", "7 e6ae2071837c90e79a7f4c6e8e778f0f.exe 923829 \n", "8 AST_928765425672-09876353B.exe 864256 \n", "9 MV TONIC_CTM REQUEST.exe 762368 \n", "10 d3c1e94c64ce0e37e03af92f18067ea4.exe 922983 \n", "11 Cerere de oferta P.0- 202208100237RO.vbs 3279 \n", "12 Blocked_Mtcn_pdf.jar 762743 \n", "13 Dhl.exe 109568 \n", "14 TNT Original Invoice.exe 289824 \n", "\n", " file_type_mime file_type ... telfhash gimphash \\\n", "0 application/octet-stream unknown ... None None \n", "1 application/x-dosexec exe ... None None \n", "2 application/x-dosexec exe ... None None \n", "3 application/x-dosexec exe ... None None \n", "4 application/x-dosexec exe ... None None \n", "5 application/x-dosexec exe ... None None \n", "6 application/x-dosexec exe ... None None \n", "7 application/x-dosexec exe ... None None \n", "8 application/x-dosexec exe ... None None \n", "9 application/x-dosexec exe ... None None \n", "10 application/x-dosexec exe ... None None \n", "11 text/plain vbs ... None None \n", "12 application/zip jar ... None None \n", "13 application/x-dosexec exe ... None None \n", "14 application/x-dosexec exe ... None None \n", "\n", " ssdeep dhash_icon \\\n", "0 192:7jBthS94xAvK2s/XKIAJb5tOlptSX2kebp3gVkjOBu... None \n", "1 12288:3GVq6azddQyxvS8Fhyq+rq5IhAW3Lm1u9Cj0Vpzm... d4e2c8b4ccc8f2cc \n", "2 12288:EoFor+A0cb27/9DAx35L4Zk9ykn72GU7VfsLjuGB... None \n", "3 12288:WEoKggb2iNdvpc++HRBTEdG6gAGYN/lXXE5fRPcX... None \n", "4 24576:eoKgK1XpSN1RgXrhOquNb9cMQSKScGWgi:bKgKV7... None \n", "5 3072:rTpc2Du8SknETVtyMl9Rrhr7jmSBe9BeZ/F8xB2dM... d2e8ecb2b2a2b282 \n", "6 3072:wzEqV6B1jHa6dtJ10jgvzcgi+oG/j9iaMP2s/HIPs... None \n", "7 24576:pAT8QE+kEVNpJc7Y/sDZ0239GhjS9knREHXsW02E... b298acbab2ca7a72 \n", "8 12288:9N+7nP3i1XkYIgj7wPQdh0TLeb9hIv001mWfTd0:... 
c496b2b8fcccacdc \n", "9 12288:xqoKggb2iNdvpc++E4+xp985R+J0vuxrHeBCVLbC... None \n", "10 24576:pAT8QE+kHVNpJc7Y/sDZ0239GhjS9knREHXsW02E... b298acbab2ca7a72 \n", "11 48:7VH5HxRyYdZGYG6QSdtBGJS8rSMB0sAZtBL0Bd1lzyo... None \n", "12 12288:pYLm8IIt9zaZOodSEq0MmKKpwF5RL+g581tQWyq2... None \n", "13 192:Gy1HDYwzBbx3Z5FvmTAOeqfOZQNdDnHOiSa52nkwi6... 0000000000000000 \n", "14 6144:joq5HAUwC5UM1kSlTXmLAtBP8wGYmLReHgcaVkJvp... d2e8ecb2b2a2b282 \n", "\n", " tags code_sign intelligence.clamav \\\n", "0 None [] None \n", "1 [agenttesla, exe] [] None \n", "2 [32, exe, RemcosRAT, trojan] [] None \n", "3 [32, exe, Formbook, trojan] [] None \n", "4 [32, AgentTesla, exe] [] None \n", "5 [exe, Loki] [] None \n", "6 [exe, NanoCore, RAT] [] None \n", "7 [exe, RecordBreaker] [] None \n", "8 [AgentTesla, exe] [] None \n", "9 [exe, Loki] [] None \n", "10 [exe, RecordBreaker] [] None \n", "11 [RemcosRAT, vbs] [] None \n", "12 [jar, Vjw0rm] [] None \n", "13 [DHL, exe, Formbook] [] None \n", "14 [exe, Formbook, TNT, VelvetSweatshop] [] None \n", "\n", " intelligence.downloads intelligence.uploads intelligence.mail \n", "0 16 1 None \n", "1 121 1 None \n", "2 111 1 None \n", "3 101 1 None \n", "4 107 1 None \n", "5 122 1 None \n", "6 145 1 None \n", "7 133 1 None \n", "8 175 1 None \n", "9 159 1 None \n", "10 158 1 None \n", "11 92 1 None \n", "12 93 1 None \n", "13 176 1 None \n", "14 166 1 None \n", "\n", "[15 rows x 26 columns]" ] }, "metadata": {}, "output_type": "display_data" } ], "source": [ "mbrecent = mblookup.get_recent(selector='time')\n", "display(mbrecent)" ] }, { "cell_type": "code", "execution_count": 20, "metadata": {}, "outputs": [ { "data": { "text/html": [ "
" ], "text/plain": [ " sha256_hash \\\n", "0 f9a6e8aed26a829f9af2ecf722dc09ed76a3144d6fe4bc... \n", "1 ce1e8e57264e84d75ed4960855768418c7a73707d0855d... \n", "2 2582008cc5626a748f4926d0973f1b4ea0717e5167e1f7... \n", "3 6e294639b9e9dec345a4b9bdeb29bd5695ea2d84e0fa88... \n", "4 9bc54f008c1a379e2a422b64b57339e7a3d8ee01745dd0... \n", ".. ... \n", "95 4277df25da3817b0c6aac6c24e47e1e6cda846c585cb1b... \n", "96 bb5efa133c2756135061e56c3a7e739e246827412af03a... \n", "97 ebfcaab875819a883c8e6447e8e99e01bc01b0a3185773... \n", "98 ae554c838c7389ca65c3b7f5abce1006217c9893316e1e... \n", "99 a3e8a495c7d1f7d8fc1c2f2f7ead0eefdc82e23a4f0ecf... \n", "\n", " sha3_384_hash \\\n", "0 054e57fe702fad8b75cefc8e91f071876b253b7cf48bf3... \n", "1 2945d468176ca3766e5982574652025887cdce34028f4c... \n", "2 05d09b744be600daf03e2f67bcdc4b81ee317336ee7988... \n", "3 7ba5d10ded17ef135d101e5caec3c8e8959b0beb25e6bd... \n", "4 513b59672d898a92ea8b79a2c015cc79867ed7cac5d271... \n", ".. ... \n", "95 48f23ca01941f503b427a82051addc6fca3a4e35e50424... \n", "96 383317694a8870466919391028ad63a7bcfb261ba4f68a... \n", "97 45246ec90235d21e6d2cc131b07f9c505ad62faf725be9... \n", "98 eb19d5e88af0b1a0e9ad0cbf6633f0b499420d6073a1dd... \n", "99 2fc8db74bf932e87170c330eb376a22f24bc88bb8e9ec0... \n", "\n", " sha1_hash \\\n", "0 b89f8a9d02dbb2139430a1a30314e4f2cff29f71 \n", "1 7fd429ceb24c476a9b3796fe71961575e7637738 \n", "2 e03a9f658327fc96d774ae19d714add257a10d88 \n", "3 69bf7182f7cd72ca775be7736b843345efbbdc0e \n", "4 117b1e130cc2f2406b0f38d3b3677e4699f65214 \n", ".. ... 
\n", "95 fd91f6185d3607e015661262295f9c8842dc6d08 \n", "96 d6af2bc47eb595fba9a377c72e2f28a9d7b7c081 \n", "97 31db8c4f74aadbc180f79389165b9539f357e36b \n", "98 0dc97e5825bdb91a03629815372916bfe641e218 \n", "99 95cd652f1c7c3df8fd4386dec295e6f19b9205b3 \n", "\n", " md5_hash first_seen \\\n", "0 6444777ae59bee41428a9c3a53741c80 2022-08-11 09:29:03 \n", "1 fea743ac96b30d64f914d491e802abc1 2022-08-11 09:22:06 \n", "2 2f4a3782d2ab90126ff927026dac5077 2022-08-11 09:19:47 \n", "3 ca25cc1a0351513cbb0bb70343b03862 2022-08-11 09:19:27 \n", "4 57ecac082ee320cf94b2de1a0927a994 2022-08-11 09:19:13 \n", ".. ... ... \n", "95 e94d0d63b2154b88866750cf75c0aa58 2022-08-11 06:23:21 \n", "96 cd65a330e760b1fc08352119b418aaa4 2022-08-11 06:21:26 \n", "97 3426783d67482f377199bb7397909525 2022-08-11 06:21:15 \n", "98 0a03c724d8f793c7019d232cfdc8e6d4 2022-08-11 06:21:07 \n", "99 689e34eec5c133f95ac8a24d04ed7a4a 2022-08-11 06:19:48 \n", "\n", " last_seen file_name \\\n", "0 None 91361.doc \n", "1 None Copia di pagamento-3400753232678_001-11.08.202... \n", "2 None 2f4a3782d2ab90126ff927026dac5077 \n", "3 None ca25cc1a0351513cbb0bb70343b03862 \n", "4 None 57ecac082ee320cf94b2de1a0927a994 \n", ".. ... ... \n", "95 None e94d0d63b2154b88866750cf75c0aa58.exe \n", "96 2022-08-11 06:50:58 hesaphareketi-01.exe \n", "97 2022-08-11 06:51:00 Ziraat Bankasi Swift Mesaji.exe \n", "98 2022-08-11 06:51:02 Amended Signed Contract.doc \n", "99 None DELAY_NOTICE_NEW_SHIPMENT_SCHEDULE.vbs \n", "\n", " file_size file_type_mime file_type ... telfhash gimphash \\\n", "0 9068 application/octet-stream unknown ... None None \n", "1 625664 application/x-dosexec exe ... None None \n", "2 834560 application/x-dosexec exe ... None None \n", "3 857600 application/x-dosexec exe ... None None \n", "4 879616 application/x-dosexec exe ... None None \n", ".. ... ... ... ... ... ... \n", "95 1494016 application/x-dosexec exe ... None None \n", "96 899072 application/x-dosexec exe ... 
None None \n", "97 968192 application/x-dosexec exe ... None None \n", "98 2598632 text/rtf doc ... None None \n", "99 339381 text/plain vbs ... None None \n", "\n", " ssdeep dhash_icon \\\n", "0 192:7jBthS94xAvK2s/XKIAJb5tOlptSX2kebp3gVkjOBu... None \n", "1 12288:3GVq6azddQyxvS8Fhyq+rq5IhAW3Lm1u9Cj0Vpzm... d4e2c8b4ccc8f2cc \n", "2 12288:EoFor+A0cb27/9DAx35L4Zk9ykn72GU7VfsLjuGB... None \n", "3 12288:WEoKggb2iNdvpc++HRBTEdG6gAGYN/lXXE5fRPcX... None \n", "4 24576:eoKgK1XpSN1RgXrhOquNb9cMQSKScGWgi:bKgKV7... None \n", ".. ... ... \n", "95 24576:rsLp0FasdJu/+/dfMs2KLoyaU/5DeTgtMyPtToli... d0f09ef8b2f2d80c \n", "96 24576:/vM4vwHmQlz8QpSh1UqvtClbsT2L+uUgi:/M84qk... 0069e8e8e8e89669 \n", "97 24576:GmY4vwHmQlPOfpSe+wFGcgNCLCxZC63DmAUkrgi:... 0069e8e8e8e89669 \n", "98 24576:tnW6hT611mIvGrJun1bTqRIq81PqAx/S8CS9ZzmS... None \n", "99 1536:b3/l9wbmaPJsGBJUby0OIZgc92CEehkk4D3L7Mqoq... None \n", "\n", " tags code_sign intelligence.clamav \\\n", "0 None [] None \n", "1 [agenttesla, exe] [] None \n", "2 [32, exe, RemcosRAT, trojan] [] None \n", "3 [32, exe, Formbook, trojan] [] None \n", "4 [32, AgentTesla, exe] [] None \n", ".. ... ... ... \n", "95 [exe, Socelars] [] None \n", "96 [exe, geo, MassLogger, TUR] [] None \n", "97 [exe, Formbook, geo, TUR] [] None \n", "98 [doc, Formbook] [] None \n", "99 [GuLoader, vbs] [] None \n", "\n", " intelligence.downloads intelligence.uploads intelligence.mail \n", "0 16 1 None \n", "1 121 1 None \n", "2 111 1 None \n", "3 101 1 None \n", "4 107 1 None \n", ".. ... ... ... 
\n", "95 172 1 None \n", "96 175 3 None \n", "97 188 2 None \n", "98 185 2 None \n", "99 115 1 None \n", "\n", "[100 rows x 26 columns]" ] }, "metadata": {}, "output_type": "display_data" } ], "source": [ "mbrecent = mblookup.get_recent(selector=100)\n", "display(mbrecent)" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "## Query Code Signing Certificate Blocklist (CSCB)\n", "\n", "MalwareBazaar maintains a list of code signing certificates used by threat actors to sign malware. The CSCB is regenerated every 5 minutes and is available in CSV format.\n", "\n", "The function get_cscb() retrieves the list as a pandas DataFrame and takes no parameters." ] }, { "cell_type": "code", "execution_count": 21, "metadata": {}, "outputs": [], "source": [ "# Retrieve the CSCB and display the resulting DataFrame\n", "mbcscb = mblookup.get_cscb()\n", "display(mbcscb)" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "## Download a specific sample from Malware Bazaar\n", "The function download_sample() can be used to download a specific file by specifying a sha256. 
The downloaded file is a password-protected zip archive. You can ask @vx-underground for the password. :p " ] }, { "cell_type": "code", "execution_count": 2, "metadata": {}, "outputs": [], "source": [ "# Download the sample by its SHA-256 hash; the function returns the raw bytes of the zip archive.\n", "sample = mblookup.download_sample(\"7de2c1bf58bce09eecc70476747d88a26163c3d6bb1d85235c24a558d1f16754\")" ] }, { "cell_type": "code", "execution_count": 4, "metadata": {}, "outputs": [], "source": [ "# Write the zipped bytes to a file; the with block closes the handle even if the write fails.\n", "with open(\"sample.zip\", \"wb\") as zippedsample:\n", "    zippedsample.write(sample)" ] } ], "metadata": { "kernelspec": { "display_name": "Python 3 (ipykernel)", "language": "python", "name": "python3" }, "language_info": { "codemirror_mode": { "name": "ipython", "version": 3 }, "file_extension": ".py", "mimetype": "text/x-python", "name": "python", "nbconvert_exporter": "python", "pygments_lexer": "ipython3", "version": "3.9.8" }, "vscode": { "interpreter": { "hash": "11feda34545c9af0495d8c8d6854b4469c1219b03eba0db0aa3ba1c9e34588aa" } } }, "nbformat": 4, "nbformat_minor": 4 }