Ecosyste.ms: Awesome


https://github.com/alphaSeclab/malware-ioc-hash

Collection of malware ioc hashes from blog posts. A Python script is provided to search through it.

indicators-of-compromise malware malware-ioc




README


1. [MalwareIoCHash](#malwareiochash)
2. [Repository contents](#repository-contents)
3. [Usage](#usage)
   1. [Supported commands](#supported-commands)
   2. [Print dataset information](#print-dataset-information)
   3. [Search by hash](#search-by-hash)
   4. [Search article titles (or content)](#search-article-titles-or-content)
   5. [Search article links](#search-article-links)
   6. [Search hashes listed in a file](#search-hashes-listed-in-a-file)
   7. [Output search results: export, print and field selection](#output-search-results-export-print-and-field-selection)
      1. [Export to a `json` file](#export-to-a-json-file)
      2. [Choose which fields to output (export/print)](#choose-which-fields-to-output-exportprint)
4. [TODO](#todo)

# MalwareIoCHash
- Search articles, scraped from multiple sites, that contain IoC hashes.
- Articles currently included: `11757`
- Hashes currently included: `37871`

# Repository contents
- `data.json`: articles containing hashes, scraped from multiple sites, with each IoC verified and enriched online (VT/HybridAnalysis)
- Fields of each article:
  - `time`: publication date of the article (may be inaccurate)
  - `title`: article title
  - `link`: article URL
  - `pending`: hashes extracted from the article body that had no match on VT/HybridAnalysis or similar sites, so no complete `(md5, sha1, sha256)` triple could be built for them
  - `confirmed`: hashes extracted from the article that were found on VT/HybridAnalysis or similar sites, so their `(md5, sha1, sha256)` triple is complete
  - `topic_list`: list of predefined `topic`s found in the article body
    - `topic` sources: [MISP](https://www.misp-project.org/), [Malpedia](https://malpedia.caad.fkie.fraunhofer.de/)
    - a `topic` is matched against the article body by plain substring containment
- `cli.py`: Python script that filters and exports the contents of `data.json`

# Usage
- Python 3 only
- `pip3 install -r requirements.txt`: install the dependencies
- `chmod +x cli`: on `Linux`, `cli` can then be run directly
- On `Windows`, use `python3 cli.py`

## Supported commands
- `./cli --help`: root command
```
Commands:
info 打印信息.
search -> 搜索.
```
- `./cli search --help`: search command
```
-> 搜索.
Commands:
file 从指定文件中读取哈希值, 并搜索.
hash 搜索哈希值.
url 搜索链接.
word 搜索文章关键词(默认只有title, 如果需要搜索content则指定 --content).
```

## Print dataset information
- `./cli info`
```
topic 个数: 3684
['gobrut', 'smominru', 'ismo', 'lsmo', 'botnet', 'chachaddos', 'shade', 'zebrocy', 'zekapab', 'loudminer', 'buhtrap', 'ratopak', 'fakeapp', 'winnti', 'agent.alqhi', 'etso', 'miner', 'plead', 'apt28', 'sofacy', 'sednit', 'fancybear', 'pawnstorm', 'tsarteam', 'jkeyskw', 'carberplike', 'downrage', 'jhuhugit', 'komplex', 'seduploader', 'gamefish', 'sofacycarberp', 'tg-4127', 'grey-cloud', 'group-4127', 'strontium', 'threatgroup-4127', 'swallowtail', 'irontwilight', 'tag_0700', 'group74', 'oceanlotus', 'emotet', 'gobotkr', 'android.filecoder', 'amavaldo', 'balkan', 'balkanrat', 'balkandoor', 'newsource', 'armageddon', 'systemcrypter', 'loocipher', 'freeme', 'boooamcrypt', 'eris', 'expboot', 'doppelpaymer', 'skystars', 'zerofucks', 'tflower', 'xorist', 'syrk', 'arsium', 'yobacrypt', 'plague', 'mykings', 'xrat', 'gootkit', 'talalpek', 'xswkit', 'trickbot', 'trickloader', 'trickster', 'thetrick', 'remcos', 'miraixminer', 'viagra', 'asruex', 'necro', 'agenttesla', 'nymaim', 'nymain', 'pinkslipbot', 'qakbot', 'qbot', 'ramnit', 'nimnul', 'zegost', 'lokibot', 'expiro', 'cerber', 'crbrencryptor', 'tofsee', 'gheg', 'mondera', 'kovter', 'xtremerat', 'extrat', 'gh0strat'] ...
个数: 11757
pending-hash 个数: 419
confirmed-sha256 个数: 37452
```

## Search by hash
- Only complete `md5/sha1/sha256` digests are currently supported
- `./cli search hash -h ec2ed8e85eb96c65c64f666a63a5e9e6`
```
要搜索的哈希值: ec2ed8e85eb96c65c64f666a63a5e9e6
待搜索个数: 11757
搜索结果: 1
------------------------------
2014-07-22
The Bank INTERAC was accepted. - virus
https://techhelplist.com/spam-list/605-the-bank-interac-was-accepted-virus
confirmed:
ec2ed8e85eb96c65c64f666a63a5e9e6
90a4e2156839d855d29952a4ebf1d54f3c9b1950
c83c891dbdd02f7f45bde586a1e802276819267904190e2f053a6f50da3513ad
```

## Search article titles (or content)
- `./cli search word -w apt28`: without `--content`, only titles are matched; results: `19`
```
要搜索的词: apt28
待搜索个数: 11757
搜索结果: 19
------------------------------
2019-11-07
Here We GO: Crimeware & APT Journey From “RobbinHood” to APT28
https://www.sentinelone.com/blog/here-we-go-crimeware-apt-journey-from-robbinhood-to-apt28/
confirmed:
602d2901d55c2720f955503456ac2f68
80e61ba572b2c955c50d8359eb68e6c13fc16ae1
93680d34d798a22c618c96dec724517829ec3aad71215213a2dcb1eb190ff9fa
// ...
------------------------------
2019-08-10
APT28分析之X-agent样本分析
https://xz.aliyun.com/t/5898
confirmed:
6fc8602c8b3a18765bb6d2307d8a4ae1
57f455bfc074c881076f506aa8e3090f75e2e0ac
dfba21b4b7e1e6ebd162010c880c82c9b04d797893311c19faab97431bf25927
// ...
// ........
```
- `./cli search word -w apt28 --content`: with `--content`, article bodies are matched too; results: `55`
```
要搜索的词: apt28
待搜索个数: 11757
搜索结果: 55
------------------------------
2020-03-26
The Dukes of Moscow
https://www.carbonblack.com/2020/03/26/the-dukes-of-moscow/
confirmed:
28f96a57fa5ff663926e9bad51a1d0cb
a75995f94854dea8799650a2f4a97980b71199d2
19972cc87c7653aff9620461ce459b996b1f9b030d7c8031df0c8265b73f670d
// ....
```
- `./cli search word -w keylogger`
```
要搜索的词: keylogger
待搜索个数: 11757
搜索结果: 46
------------------------------
2019-10-07
Dissecting Ardamax Keylogger
https://medium.com/p/f33f922d2576
confirmed:
4a57ce1565f05454e9b5a4a80d048865
24362704e540b58aafbc6d736bb99b5b1b28e784
907587a797ef5ee759534b95e6f886cdea5989129d65de5b684b6d3b4aa645dc
// ...
```

## Search article links
- `./cli search url alienvault.com`
```
要搜索的链接: alienvault.com
待搜索个数: 11757
搜索结果: 43
------------------------------
2019-04-02
Xwo - A Python-based bot scanner
https://www.alienvault.com/blogs/labs-research/xwo-a-python-based-bot-scanner
confirmed:
fd67a98599b08832cf8570a641712301
1faf363809f266bb2d90fb8d3fc43c18253d0048
6408c69e802de04e949ed3047dc1174ef20125603ce7ba5c093e820cb77b1ae1
// ...
```

## Search hashes listed in a file
- `cat ~/tmp/xx.txt`: the file holds 2 hashes
```
fd67a98599b08832cf8570a641712301
4a57ce1565f05454e9b5a4a80d048865
```
- `./cli search file -f ~/tmp/xx.txt`
```
文件路径: /home/xxx/tmp/xx.txt
原文件行数: 2
过滤后剩余行数: 2
过滤后剩余有效哈希数: 2
待搜索个数: 11757
搜索结果: 2
------------------------------
2019-10-07
Dissecting Ardamax Keylogger
https://medium.com/p/f33f922d2576
confirmed:
4a57ce1565f05454e9b5a4a80d048865
24362704e540b58aafbc6d736bb99b5b1b28e784
907587a797ef5ee759534b95e6f886cdea5989129d65de5b684b6d3b4aa645dc
// ...
------------------------------
2019-04-02
Xwo - A Python-based bot scanner
https://www.alienvault.com/blogs/labs-research/xwo-a-python-based-bot-scanner
confirmed:
fd67a98599b08832cf8570a641712301
1faf363809f266bb2d90fb8d3fc43c18253d0048
6408c69e802de04e949ed3047dc1174ef20125603ce7ba5c093e820cb77b1ae1
// ...
```
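As an added example (not the project's own code) of the data model described under Repository contents and of the `search hash` / `search file` lookups above: it assumes a record shape for `data.json` that the README does not spell out (a `confirmed` list of `{md5, sha1, sha256}` objects and a `pending` list of bare hashes), embeds a constructed two-article sample built from hashes shown on this page, and applies the same rule that only complete md5/sha1/sha256 digests are searchable.

```python
import json
import re

# Constructed sample in the record shape this example assumes for data.json (the README
# names the fields; the nesting is an assumption). "confirmed" holds verified
# (md5, sha1, sha256) triples, "pending" holds bare hashes that had no online match.
SAMPLE_DATA = json.dumps([
    {"time": "2019-04-02", "title": "Xwo - A Python-based bot scanner",
     "link": "https://www.alienvault.com/blogs/labs-research/xwo-a-python-based-bot-scanner",
     "topic_list": ["xwo"], "pending": [],
     "confirmed": [{"md5": "fd67a98599b08832cf8570a641712301",
                    "sha1": "1faf363809f266bb2d90fb8d3fc43c18253d0048",
                    "sha256": "6408c69e802de04e949ed3047dc1174ef20125603ce7ba5c093e820cb77b1ae1"}]},
    {"time": "2019-10-07", "title": "Dissecting Ardamax Keylogger",
     "link": "https://medium.com/p/f33f922d2576", "topic_list": ["keylogger"],
     "pending": ["ffffffffffffffffffffffffffffffff"],  # constructed placeholder md5
     "confirmed": [{"md5": "4a57ce1565f05454e9b5a4a80d048865",
                    "sha1": "24362704e540b58aafbc6d736bb99b5b1b28e784",
                    "sha256": "907587a797ef5ee759534b95e6f886cdea5989129d65de5b684b6d3b4aa645dc"}]},
])
# Only complete md5 (32), sha1 (40) or sha256 (64) hex digests are searchable.
HASH_RE = re.compile(r"^(?:[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64})$")

def load_articles(text=SAMPLE_DATA):
    return json.loads(text)

def valid_hashes(lines):
    """Unique, lower-cased, complete digests from a file's lines (mirrors the
    'lines after filtering' / 'valid hashes' counters printed by `search file`)."""
    out = []
    for line in lines:
        h = line.strip().lower()
        if HASH_RE.match(h) and h not in out:
            out.append(h)
    return out

def article_hashes(article):
    """Every digest an article can be matched on: confirmed triples plus pending ones."""
    hashes = set(article.get("pending", []))
    for triple in article.get("confirmed", []):
        hashes.update(triple.values())
    return hashes

def search_hashes(articles, lines):
    """Articles containing any wanted digest, in dataset order (`search hash` / `search file`)."""
    wanted = set(valid_hashes(lines))
    return [a for a in articles if wanted & article_hashes(a)]

def sha256_column(articles):
    """The `--col sha256` view: only the sha256 of each confirmed triple."""
    return [t["sha256"] for a in articles for t in a.get("confirmed", [])]
```

Matching on any member of a confirmed triple means a query by md5 or sha1 still lands on the article, which is what makes the completed triples useful when a feed only publishes one digest type.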

## Output search results: export, print and field selection
- **Applies to all search commands above**
- Supported options:
```
--out TEXT 将搜索结果导出到指定目录(目录必须存在)(未指定则打印到控制台)
--col TEXT 要导出/打印的列, 中间以逗号(,)分割
不指定则导出/打印全部(可选:"time/title/link/hash/sha256)"
--json 是否以 json 格式导出/打印
```

### Export to a `json` file
- `./cli search word -w apt28 --out ~/tmp`
```
要搜索的词: apt28
待搜索个数: 11757
搜索结果: 19
结果导出至文件: /home/xxx/tmp/20200910115449_hash_output.txt
```

### Choose which fields to output (export/print)
- `./cli search word -w apt28 --col title,time`
```
要搜索的词: apt28
待搜索个数: 11757
搜索结果: 19
------------------------------
2019-11-07
Here We GO: Crimeware & APT Journey From “RobbinHood” to APT28
------------------------------
2019-08-10
APT28分析之X-agent样本分析
// ....
```
- `./cli search word -w apt28 --col hash`: output only the hashes
```
要搜索的词: apt28
待搜索个数: 11757
搜索结果: 19
65de07fc6b821d9fd3497cfa64212df2d39935dd515a86eda80d08086b183a3f
7cd1b5f6774b25727e1d80b29979dadd1d427d3a
// ...
```
- `./cli search word -w apt28 --col sha256`: for `confirmed` hashes, output only the `sha256`
```
要搜索的词: apt28
待搜索个数: 11757
搜索结果: 19
e7dd9678b0a1c4881e80230ac716b21a41757648d71c538417755521438576f6
6ad3eb8b5622145a70bec67b3d14868a1c13864864afd651fe70689c95b1399a
fcf03bf5ef4babce577dd13483391344e957fd2c855624c9f0573880b8cba62e
// ....
```
- `./cli search word -w apt28 --col title,sha256`: combined fields
```
要搜索的词: apt28
待搜索个数: 11757
搜索结果: 19
------------------------------
Here We GO: Crimeware & APT Journey From “RobbinHood” to APT28
hash:
93680d34d798a22c618c96dec724517829ec3aad71215213a2dcb1eb190ff9fa
3bc78141ff3f742c5e942993adfbef39c2127f9682a303b5e786ed7f9a8d184b
------------------------------
APT28分析之X-agent样本分析
hash:
dfba21b4b7e1e6ebd162010c880c82c9b04d797893311c19faab97431bf25927
5f6b2a0d1d966fc4f1ed292b46240767f4acb06c13512b0061b434ae2a692fa1
// ....
```

# TODO
- Allow searching by alias (alternative names of the same topic)