URLhaus data (URLhaus)

Providing URLs being used for malware distribution. You also gain the payloads observed in combination with the URL, and, in future, associated malware files will also be made available.

When a new URL is added, a message is triggered including the following fields: uuid, type, id, url, host, timestamp, url_status, anonymous, reporter, tags.

You will also be notified when the following updates are made, with their associated metadata:

  • Removed
  • Changed
  • A new file download is available
  • Payloads are observed
  • Payload changes

To compare the Real Time Intelligence Feed data with publicly available data, see here.

MalwareBazaar data (MalwareBazaar)

Focussed on sharing confirmed malware samples. Security researchers can hunt for malware samples by a hash (MD5, SHA256, SHA1), imphash, tlsh hash, ClamAV signature, tag or malware family.

When a new file is added, a message is triggered including the following fields: uuid, type, md5_hash, sha256_hash, sha1_hash, sha3_384_hash, file_name, file_size, timestamp, humanhash, imphash, ssdeep, tlsh, telfhash, dhash_icon, mime_type, file_type, file_ext, signature, tags, anonymous, reporter, comment.

You will also be notified when the following updates are made, with their associated metadata:

  • Metadata of a file changes;
  • A file gets removed.

To compare the Real Time Intelligence Feed data with publicly available data, see here.

ThreatFox data (ThreatFox)

Sharing indicators of compromise (IOCs) associated with malware. This dataset enables organizations and security researchers to consume technical indicators connected to cyber-attacks in a structured way.

When a new IOC is added, or an IOC that is already known gets pushed to the dataset again, a message is triggered including the following fields: uuid, type, id, ioc, confidence_level, ioc_type, threat_type, threat_type_description, malware, malware_printable, malware_alias, timestamp, sightings, anonymous, reporter, tags, comment.

You will also be notified when the following updates are made, with their associated metadata:

  • Metadata of an IOC changes;
  • An IOC gets removed.

To compare the Real Time Intelligence Feed data with publicly available data, see here.

YARAify data (YARAify)

A large repository of YARA rules. Users can scan suspicious files, such as malware samples or process dumps, against these rules to identify targeted attacks and threats, specific to their environment. This is one of the most comprehensive repositories of threat hunting rules available.

When a new file is uploaded, a message is triggered including the following fields: uuid, type, md5_hash, sha256_hash, sha1_hash, sha3_384_hash, file_size, timestamp, imphash, ssdeep, tlsh, telfhash, gimphash, dhash_icon, mime_type.

You will also be notified when new task results are available, with the associated metadata.

To compare the Real Time Intelligence Feed data with publicly available data, see here.

Feodo Tracker data (Feodo Tracker)

Sharing botnet C&C infrastructure associated with major malware threats that facilitate ransomware attacks. This data helps network owners to protect their users from the likes of Dridex, Emotet (aka Heodo), TrickBot, QakBot (aka QuakBot/Qbot) and BazarLoader (aka BazarBackdoor).

Every time an active botnet C&C is observed by Feodo Tracker, a message is triggered including the following fields: uuid, type, ip_address, port, protocol, malware_family, timestamp_unix, as_number, as_name, country, first_seen (when the C&C was observed for the first time), first_seen (when it was last (re-)validated by Feodo Tracker), last_online.

You will also be notified when a botnet C&C is removed, with the associated metadata.

To compare the Real Time Intelligence Feed data with publicly available data, see here.
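The URLhaus, ThreatFox and Feodo Tracker messages described above all carry blockable network indicators, while the other feeds carry file hashes. The following consumer, an added example that is not part of the feed documentation or of abuse.ch's own tooling, maps those three message kinds onto one blocklist record, skipping URLs that are no longer online and ThreatFox IOCs below a confidence threshold. It assumes each message arrives as a JSON object keyed by the field names listed on this page; the sample messages, their values and the `type` strings are constructed placeholders.

```python
import ipaddress
from typing import Optional

# Constructed sample messages (not real feed output). Field names follow the
# lists on this page; values and the "type" strings are illustrative only.
SAMPLES = [
    {"uuid": "u1", "type": "urlhaus_new", "id": 1, "url": "http://example.invalid/drop.exe",
     "host": "example.invalid", "timestamp": "2024-01-01 00:00:00", "url_status": "online",
     "anonymous": 0, "reporter": "demo", "tags": ["exe"]},
    {"uuid": "u2", "type": "urlhaus_new", "id": 2, "url": "http://example.invalid/old.exe",
     "host": "example.invalid", "timestamp": "2024-01-01 00:00:00", "url_status": "offline",
     "anonymous": 0, "reporter": "demo", "tags": []},
    {"uuid": "u3", "type": "threatfox_new", "id": 3, "ioc": "203.0.113.10:443",
     "confidence_level": 90, "ioc_type": "ip:port", "threat_type": "botnet_cc",
     "malware": "win.demo", "timestamp": "2024-01-01 00:00:00", "tags": []},
    {"uuid": "u4", "type": "threatfox_new", "id": 4, "ioc": "203.0.113.20:8080",
     "confidence_level": 25, "ioc_type": "ip:port", "threat_type": "botnet_cc",
     "malware": "win.demo", "timestamp": "2024-01-01 00:00:00", "tags": []},
    {"uuid": "u5", "type": "feodo_active", "ip_address": "198.51.100.7", "port": 8443,
     "protocol": "tcp", "malware_family": "Dridex", "timestamp_unix": 1704067200,
     "as_number": 64496, "as_name": "EXAMPLE-AS", "country": "ZZ"},
]


def normalise(msg: dict, min_confidence: int = 50) -> Optional[dict]:
    """Map one feed message to a blocklist record, or None if it should be skipped."""
    if "url" in msg and "url_status" in msg:          # URLhaus message
        if msg["url_status"] != "online":              # only block what is still serving
            return None
        return {"kind": "url", "value": msg["url"], "source": "urlhaus", "ref": msg["uuid"]}
    if "ioc" in msg and "ioc_type" in msg:             # ThreatFox message
        if int(msg.get("confidence_level", 0)) < min_confidence:
            return None
        return {"kind": msg["ioc_type"], "value": msg["ioc"], "source": "threatfox",
                "malware": msg.get("malware"), "ref": msg["uuid"]}
    if "ip_address" in msg and "port" in msg:          # Feodo Tracker C&C message
        ipaddress.ip_address(msg["ip_address"])        # raises ValueError on malformed input
        return {"kind": "ip:port", "value": f'{msg["ip_address"]}:{msg["port"]}',
                "source": "feodotracker", "malware": msg.get("malware_family"), "ref": msg["uuid"]}
    return None  # hash-only messages (MalwareBazaar, YARAify, Sandnet) are not blocklist items


def build_blocklist(messages: list, min_confidence: int = 50) -> list:
    """Return the blocklist records for every message that passes the filters."""
    return [r for m in messages if (r := normalise(m, min_confidence)) is not None]
```

Raising `min_confidence` to 20 admits the low-confidence ThreatFox sample, which shows where a local policy threshold belongs.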

Sandnet data (Sandnet)

A non-public platform that collects and executes malware samples in a controlled environment. The goal is to collect signals and metadata from malware samples prior to, and during, execution.

Every time a new file is observed by Sandnet (before the classification engine has run, meaning the file could still be legitimate), a message is triggered including the following fields: uuid, type, md5_hash, sha256_hash, timestamp, filesize, file_ext, imphash, ssdeep, tlsh, dhash_icon, download_location.

You will also be notified about the following, with any associated metadata:

  • Sandbox reports;
  • New unpacked files;
  • New process dumps;
  • YARA results;
  • Network artifacts.

To understand where an event, and its associated message, gets triggered during the overall detonation process of suspicious files, see here.