Indicators of Compromise (IOCs) are key forensic data points used to detect security breaches. They include file hashes, suspicious IP addresses, domain names, URLs, specific email addresses, unusual file names, registry changes, unexpected processes, and abnormal network traffic patterns. These elements help identify malicious activity and are crucial for timely detection and response to cybersecurity threats.
The ANY.RUN Threat Intelligence (TI) Lookup service offers threat data drawn from millions of malware and phishing sample analyses. The database is continuously updated as a community of security professionals submits samples to the public sandbox.
Security analysts can search this vast database (2 TB) using over 40 parameters and wildcards to find specific threats. The service provides quick results, each linked to a corresponding sandbox analysis session, allowing for in-depth investigation.
It also supports YARA rule creation and integration with existing security systems via API, which lets security teams identify current threats, generate precise Indicators of Compromise (IOCs), and anticipate and block future attacks.
TI Lookup now offers indicators of compromise (IOCs) extracted from malware configurations by the analyst team, derived from reverse-engineered malware samples, covering 79 malware families.
TI Lookup can surface potential C2 domains associated with the Remcos malware by leveraging the "malconf" tag. A query combining `threatName:"remcos"` with `domainName:""` (the empty value matches any domain) returns over 250 domains observed in sandbox sessions in which Remcos was detected.
Prioritizing results carrying the "malconf" label highlights domains that were extracted directly from decoded malware configurations rather than merely seen in a session's network traffic, which may include legitimate services the sample contacted. This significantly increases the likelihood of uncovering active command-and-control infrastructure used in Remcos attacks.
An investigator can leverage indicators of compromise (IOCs) extracted from a sandboxed AsyncRAT sample to discover further malicious activity.
If the sandbox report reveals an IP address within the AsyncRAT configuration, analysts can utilize TI Lookup for investigation.
According to ANY.RUN's technical write-up, submitting a search query with the destination IP field set to the extracted address (e.g., `destinationIP:"37(.)120.233.226"`, shown defanged here) lets TI Lookup provide valuable information about the IP's potential maliciousness.
It can include historical sightings in malware samples, connections to known bad actors, and associated domain names, which empowers investigators to determine the IP’s role in the AsyncRAT campaign and identify broader threats.
In this case TI Lookup identified 55 analysis sessions associated with the malicious IP. By examining these sessions, analysts can extract hash sums and other indicators of compromise related to the malware.
It will enable the identification of the malware family and potentially uncover additional threats employed by the attackers through correlation with related events, files, destination ports, and sandbox sessions linked to the indicator.
The third example shows how to investigate a Vidar URL using TI Lookup within the ANY.RUN sandbox environment. After extracting a URL from the Vidar configuration in a sandbox analysis session, a TI Lookup query is constructed with the `url:` search operator.
In the example, the query `url:"https(:)//t.me/armad2a"` (defanged here) is used to search for indicators associated with that URL.
The results from TI Lookup can reveal additional samples containing similar indicators, potentially providing insights into the broader threat landscape.
The investigation by ANY.RUN further identifies a connection between Vidar and PrivateLoader, suggesting that Vidar is frequently deployed through this particular downloader.
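The three walkthroughs above (Remcos domains, the AsyncRAT IP pivot, and the Vidar URL) follow one procedure: refang the indicator taken from the sandbox report, render it as a `field:"value"` query, and then triage the returned sessions with "malconf"-tagged hits first. The script below is an added example written for this article, not ANY.RUN's code or its API client. The query syntax and the "malconf" tag follow the article; the result records are constructed sample data, and their field names (`task`, `threats`, `tags`, `sha256`, `date`) are an assumed shape, not the service's actual response format.

```python
"""Build TI Lookup-style queries from sandbox-extracted IOCs and triage the hits.

Added example, not ANY.RUN's own code. Query syntax (field:"value" joined with
AND) and the 'malconf' tag follow the article; SAMPLE_HITS is constructed data
with an assumed record shape, not a real lookup result.
"""
import re
from collections import Counter, defaultdict

# Common defanging conventions seen in reports; reversed before querying.
DEFANG_MAP = {"(.)": ".", "[.]": ".", "{.}": ".", "(:)": ":", "[:]": ":"}


def refang(ioc: str) -> str:
    """37(.)120.233.226 -> 37.120.233.226, https(:)//t.me/x -> https://t.me/x,
    hxxp:// -> http://. Whitespace inserted by copy/paste is dropped."""
    s = "".join(ioc.split())
    for bad, good in DEFANG_MAP.items():
        s = s.replace(bad, good)
    return re.sub(r"^hxxp", "http", s, flags=re.IGNORECASE)


def build_query(**fields) -> str:
    """Render field:"value" terms joined with AND. An empty value is kept as
    field:"", which per the article matches any value for that field."""
    terms = []
    for field, value in fields.items():
        value = refang(value)
        if '"' in value:  # no escape syntax is assumed here; refuse instead
            raise ValueError(f"quote in value for {field}: {value!r}")
        terms.append(f'{field}:"{value}"')
    return " AND ".join(terms)


def triage(hits):
    """Rank hits so indicators decoded from a malware config ('malconf') come
    first, newest first within each group, then aggregate per-family session
    counts, sample hashes and families co-occurring in the same session."""
    ranked = sorted(hits, key=lambda h: h["date"], reverse=True)
    ranked.sort(key=lambda h: "malconf" not in h["tags"])  # stable: malconf first

    sessions = Counter()
    hashes = defaultdict(set)
    co_occurring = Counter()
    for h in hits:
        for family in h["threats"]:
            sessions[family] += 1
            hashes[family].add(h["sha256"])
        for a in h["threats"]:
            for b in h["threats"]:
                if a < b:  # each unordered pair once
                    co_occurring[(a, b)] += 1
    return {
        "ranked": ranked,
        "sessions": dict(sessions),
        "hashes": {k: sorted(v) for k, v in hashes.items()},
        "co_occurring": dict(co_occurring),
    }


# CONSTRUCTED sample result set (assumed shape), not real TI Lookup output.
SAMPLE_HITS = [
    {"task": "t-0001", "date": "2024-05-02", "indicator": "37.120.233.226",
     "threats": ["asyncrat"], "tags": ["malconf"], "sha256": "a" * 64},
    {"task": "t-0002", "date": "2024-05-09", "indicator": "37.120.233.226",
     "threats": ["asyncrat"], "tags": [], "sha256": "b" * 64},
    {"task": "t-0003", "date": "2024-04-30", "indicator": "https://t.me/armad2a",
     "threats": ["vidar", "privateloader"], "tags": ["malconf"], "sha256": "c" * 64},
    {"task": "t-0004", "date": "2024-05-11", "indicator": "https://t.me/armad2a",
     "threats": ["vidar"], "tags": [], "sha256": "d" * 64},
]

if __name__ == "__main__":
    print(build_query(threatName="remcos", domainName=""))
    print(build_query(destinationIP="37(.)120.233.226"))
    print(build_query(url="https(:)//t.me/ armad2a"))
    report = triage(SAMPLE_HITS)
    for h in report["ranked"]:
        print(h["task"], h["tags"] or "-", h["indicator"], ",".join(h["threats"]))
    print(report["sessions"], report["co_occurring"])
```

The ranking step is the practical point of the "malconf" label: a domain or IP decoded from the sample's own configuration is evidence the operator chose that infrastructure, while an indicator that only appears in session traffic may be a legitimate service the sample happened to contact. The co-occurrence counter is how a Vidar-with-PrivateLoader relationship would show up once real sessions are fed in.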
Analyze Suspicious Files and URLs in ANY.RUN
The ANY.RUN sandbox offers an interactive approach to malware analysis. You can engage with files and links in an isolated virtual environment and perform the actions needed to establish each threat's true extent.
The service automatically detects and lists activity across network traffic, registry, file system, and processes, and extracts indicators of compromise from the session.
Explore all features of ANY.RUN, including private mode and additional VM settings, by requesting a 14-day free trial.
The post How to Collect and Use IOCs From Malware Configs in TI Lookup – SOC/DFIR Teams appeared first on Cyber Security News.