Using Python to unearth a goldmine of threat intelligence from leaked chat logs

Author: Thomas Roccia |@fr0gger_

Introduction

Dealing with a large amount of data is time consuming, so Python is a powerful way to help analysts sort information and extract the data most relevant to their investigation. The open-source library MSTICpy, for example, is dedicated to threat intelligence: it helps threat analysts acquire, enrich, analyze, and visualize data. In this notebook, we will explore the leaked data in depth using Python. We will dissect the available information and learn more about the actors' processes and operations. Eventually, we will see how we can take advantage of the available information to pivot and hunt for additional context and threat intelligence using the MSTICpy library.

This notebook allows analysts to reuse the code and continue searching the extracted information on their own. Additionally, it offers an out-of-the-box methodology for analyzing chat logs, extracting indicators of compromise, and improving threat intelligence and defense processes using Python.

What is the goal of this Notebook?

Through this notebook, we will explore the Conti Jabber leaks and provide a workflow of analysis using Python.

The notebook is composed of the following parts:

  • The first part of this notebook describes the available data and how to transform it for use with Python and for interpretation.
  • The second part provides details about the Jabber logs along with some visualizations.
  • The third part will be dedicated to threat intelligence, extracting relevant IOCs and pivoting with the extracted data.

Configuration

To use this notebook, several libraries must be installed. Here is the list of the modules; you can install them using pip.

  • pandas
  • msticpy
  • bokeh
  • pyvis
  • matplotlib
  • treelib
  • textsearch
  • ipywidgets
  • deep_translator (provides the GoogleTranslator class used below)
  • pandas_bokeh

Exploring the Jabber Logs

Compiling and translating the data

The leaked chat logs are written in Russian, so the data must be translated to English for analysis. We adopted the translation methodology published here.

Since raw Jabber logs are saved using one file per day, they need to be compiled into a single file so they can easily be manipulated with Python. With no filter given, jq applies the identity filter, and -c writes each top-level JSON value compactly on its own line, which is the line-per-entry format the translation cell below reads:

cat *.json | jq -cr > ../merged.json

Once the data is merged, it can be translated using the deep_translator library.

In [ ]:
# Code borrowed and adapted from @azobec
import json
from deep_translator import GoogleTranslator

# Reading merged.json, which holds one JSON object per line (the jq -c output above)
chatList = []
with open('merged.json', encoding="utf8") as f:
    for jsonObj in f:
        if jsonObj.strip():
            chatList.append(json.loads(jsonObj))

translator = GoogleTranslator(source='auto', target='en')

# Translating the message body of every entry
for line in chatList:
    try:
        line["LANG-EN"] = translator.translate(line["body"])
    # When a translation is not possible we handle the error and write a message
    except Exception:
        line["LANG-EN"] = "Error during Translation"

# Writing the translated logs as a single JSON array into translated_log.json
# (json.dump avoids the trailing comma that would make the file invalid JSON)
with open('translated_log.json', 'w', encoding="utf8") as outfile:
    json.dump(chatList, outfile, ensure_ascii=False)

After the logs are translated and loaded into a new file, it’s then possible to load the data into a dataframe for manipulation and exploration.

Loading the translated logs into a dataframe

In [1]:
# Loading the translated data into a dataframe
import pandas as pd

df = pd.read_json('translated_log.json', encoding='utf-8')
In [2]:
# Print some information about the loaded dataframe
df.head()
Out[2]:
ts from to body LANG-EN
0 2021-01-29T00:06:46.929363 mango@q3mcco35auwcstmt.onion stern@q3mcco35auwcstmt.onion про битки не забудь, кош выше, я спать) don't forget about cue balls, kosh is higher, ...
1 2021-01-29T04:04:39.308133 mango@q3mcco35auwcstmt.onion stern@q3mcco35auwcstmt.onion привет Hey
2 2021-01-29T04:04:43.474243 mango@q3mcco35auwcstmt.onion stern@q3mcco35auwcstmt.onion битков не хватит на все.. bits are not enough for everything ..
3 2021-01-29T04:32:02.648304 price@q3mcco35auwcstmt.onion green@q3mcco35auwcstmt.onion привет!!! Hey!!!
4 2021-01-29T04:32:16.858754 price@q3mcco35auwcstmt.onion green@q3mcco35auwcstmt.onion опять прокладки сменились??? нет связи! have the pads changed again? no connection!

Slang translation

Russian slang words that the automated process does not translate properly can be handled with a dictionary. A dictionary based on a list proposed here was used in this case to correctly translate the slang:

In [3]:
# Creating a dictionary with the translated slang words
slang = {"Hell": "AD", "YES": "DA", "wheelbarrow": "host", "cars": "hosts", "cue balls": "bitcoin", "credits":"credentials", "vmik":"WMIC", "grid":"network", "facial expressions":"mimikatz", "firework":"firewall", "whining":"SQL", "school":"SQL", "balls":"shares", "zithers":"Citrix", "food":"FUD", "silkcode":"shellcode", "kosh":"cash", "toad":"jabber", "booze":"Emotet", "the trick or trick": "Trickbot", "BC":"BazarBackdoor", "backpack":"Ryuk", "lock":"ransomware"}

# Replacing the words in the translated column.
# With regex=True each key is matched as a substring, one key after another,
# so multi-word terms ("cue balls") must be listed before their parts ("balls").
df['LANG-EN'] = df['LANG-EN'].replace(slang, regex=True)
df['LANG-EN'].head(10)
Out[3]:
0    don't forget about bitcoin, cash is higher, I'...
1                                                  Hey
2                bits are not enough for everything ..
3                                               Hey!!!
4          have the pads changed again? no connection!
5                                                  Hey
6    hello sn today I'm waiting for cash and the am...
7                                                  Hey
8    bc1qy2083z665ux68zda3tfuh5xed2493uaj8whdwv - 0...
9                                               moment
Name: LANG-EN, dtype: object
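As an added example (not code from the notebook), the functions below apply the same kind of slang dictionary with whole-word matching and longest-key-first ordering, using only the standard library. The mapping is a constructed subset of the notebook's dictionary, the sample messages are constructed in the style of the translated logs, and naive_replace is a hypothetical helper that mirrors plain substring replacement so the difference is visible:

```python
import re

# Constructed for this example: a subset of the notebook's slang dictionary
SLANG = {
    "cue balls": "bitcoin",
    "balls": "shares",
    "school": "SQL",
    "wheelbarrow": "host",
    "cars": "hosts",
    "kosh": "cash",
    "credits": "credentials",
}


def naive_replace(text, mapping=SLANG):
    """Plain substring replacement, key after key, like a regex=True replace.
    It also rewrites parts of unrelated words ("schools" -> "SQLs")."""
    for key, value in mapping.items():
        text = text.replace(key, value)
    return text


def build_slang_pattern(mapping):
    """Compile one alternation of all keys, longest first, anchored on word boundaries.
    Longest first makes "cue balls" win over "balls" when both could match."""
    keys = sorted(mapping, key=len, reverse=True)
    return re.compile(r"\b(" + "|".join(re.escape(k) for k in keys) + r")\b")


def normalise_slang(text, mapping=SLANG):
    """Replace whole-word slang occurrences only (case-sensitive, like the notebook)."""
    pattern = build_slang_pattern(mapping)
    return pattern.sub(lambda m: mapping[m.group(1)], text)


def normalise_messages(messages, mapping=SLANG):
    """Apply the normaliser to a list of translated chat lines."""
    return [normalise_slang(m, mapping) for m in messages]


# Constructed sample lines in the style of the translated logs
SAMPLE_MESSAGES = [
    "don't forget about cue balls, kosh is higher",
    "the schools are closed, send the credits for the cars",
]

if __name__ == "__main__":
    for line in SAMPLE_MESSAGES:
        print("naive :", naive_replace(line))
        print("strict:", normalise_slang(line))
```

On the dataframe the strict version can be applied with df['LANG-EN'].apply(normalise_slang); the pattern is compiled once per call, so for large frames build it once with build_slang_pattern and reuse it.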

Analyzing the chat activity timeline

In [4]:
# Static graph, you can double click on the graphic to get more details
# Truncating the timestamps to midnight so that messages can be grouped per day
df['ts'] = pd.to_datetime(df['ts']).dt.normalize()

# Counting the number of messages per day
data = df.groupby(df['ts'])['from'].count()
data.plot(kind='bar', figsize=(100,10), legend=True, title="Number of discussion per day")
Out[4]:
<AxesSubplot:title={'center':'Number of discussion per day'}, xlabel='ts'>
In [5]:
# Dynamic graph using Bokeh
import pandas_bokeh
from bokeh.models import ColumnDataSource, HoverTool
from bokeh.plotting import figure, show

# Truncating the timestamps to midnight so that messages can be grouped per day
df['ts'] = pd.to_datetime(df['ts']).dt.normalize()

pandas_bokeh.output_notebook()
pd.set_option('plotting.backend', 'pandas_bokeh')

# Filter the result to manipulate only timestamp and number of discussion per day
data2 = pd.DataFrame(df.groupby(df['ts'])['from'].count().reset_index())
Loading BokehJS ...
In [6]:
# Loading the filtered dataset into ColumnDataSource
source = ColumnDataSource(data2)

# Creating the figure with the size
p = figure(x_axis_type='datetime', width=900, height=500)

# Adding the hover tools
p.add_tools(HoverTool(tooltips=[('Date', '@ts{%F}'), ('Nb of discussion','@from{int}')],
                      formatters={'@ts':'datetime'}, mode='mouse'))

# Legend
p.title.text ='Activity discussion per day'
p.xaxis.axis_label = 'Date'
p.yaxis.axis_label = 'Number of discussion'

# diagram
p.line(x='ts', y='from', line_width=2, color='#851503', source=source)

# print the diagram
show(p)

Searching in the logs

Reading the whole leak is time consuming, so it is useful to build a simple search engine that looks for occurrences of a string in the chat logs. That way we can filter on specific data of interest such as bitcoin, usernames, malware names, exploits, or CVEs, to name a few.

In [7]:
# Import lib 
import ipywidgets as widgets
from textsearch import TextSearch
from IPython.display import display

pd.set_option('display.max_colwidth', None)

#configure widget
keyword = widgets.Text(
    value='',
    placeholder='Enter your search',
    description='Search:',
    disabled=False
)
display(keyword)

# Configure click button
button = widgets.Button(description="search", icon='check') # (FontAwesome names without the `fa-` prefix))
display(button)

output = widgets.Output()

# Searching for the input word
@output.capture()
def userInput(b):
    # store the search result in a list
    result = []
    print("[+] Searching the chat for occurrence of: " + keyword.value)

    # build the case-insensitive matcher once for the search term
    ts = TextSearch(case="ignore", returns="match")
    ts.add(keyword.value)

    # look for the string in the translated column
    for i in df['LANG-EN']:
        if ts.findall(str(i)):
            result.append(i)

    # Remove duplicate messages while keeping their order, then print them
    result = list(dict.fromkeys(result))
    print('\n'.join(map(str, result)))

# get the input word
button.on_click(userInput)
display(output)

Analyzing the level of user activity

When analyzing chat logs, identifying the number of users and analyzing the most active ones can provide insight into the size of the group and roles of users within it. Using Python, the list of users can be extracted and saved in a text file.

In [8]:
# Extracting all the users
userfrom = df['from']
userto = df['to']

# Dropping duplicates and concatenating the senders and recipients into one series
user = pd.concat([userfrom.drop_duplicates(), userto.drop_duplicates()], ignore_index=True)
user = user.drop_duplicates()

# Save userlist to txt for additional hunting
user.to_csv(r'IOC\userlist.txt', header=None, index=None, sep='\t', mode='a')
In [9]:
# Static graphic
%matplotlib inline
df.groupby('from').count().ts.sort_values(ascending=False).iloc[:50].plot.barh(figsize=(15,10), title="Most active users")
Out[9]:
Figure(
id = '1218', …)
In [10]:
# Filtering and extracting the 10 most active users
user = pd.DataFrame(df.groupby('from').count().ts.sort_values(ascending=False).reset_index())
user.columns = user.columns.str.replace('ts', 'count')
user.head(10)
Out[10]:
from count
0 defender@q3mcco35auwcstmt.onion 8246
1 stern@q3mcco35auwcstmt.onion 4323
2 driver@q3mcco35auwcstmt.onion 3968
3 bio@q3mcco35auwcstmt.onion 3196
4 mango@q3mcco35auwcstmt.onion 3194
5 ttrr@conference.q3mcco35auwcstmt.onion 3122
6 veron@q3mcco35auwcstmt.onion 2955
7 hof@q3mcco35auwcstmt.onion 2389
8 bentley@q3mcco35auwcstmt.onion 1810
9 bloodrush@q3mcco35auwcstmt.onion 1798

Mapping the users’ connections

In [11]:
# Transforming the data: the weight is the number of messages sent between 2 users.
df_weight = df.groupby(["from", "to"], as_index=False).count()
df_weight = df_weight.drop(['body','LANG-EN'], axis = 1)
df_weight.columns = df_weight.columns.str.replace('ts', 'weight')
df_weight.head(5)
Out[11]:
from to weight
0 admin@expiro-team.biz qwerty@q3mcco35auwcstmt.onion 1
1 admin@q3mcco35auwcstmt.onion demon@q3mcco35auwcstmt.onion 10
2 admin@q3mcco35auwcstmt.onion wind@q3mcco35auwcstmt.onion 1
3 admin@q3mcco35auwcstmt.onion zevs@q3mcco35auwcstmt.onion 6
4 admintest@q3mcco35auwcstmt.onion revers@q3mcco35auwcstmt.onion 15
In [14]:
# Importing the pyvis lib
from pyvis.network import Network

# Configuring the graph option
conti_net = Network(height='800px', width='100%', bgcolor='#222222', font_color='white', notebook = True)

# set the physics layout of the network, here we used the barnes hut
conti_net.barnes_hut()
conti_data = df_weight

# Split the data
sources = conti_data['from']
targets = conti_data['to']
weights = conti_data['weight']

edge_data = zip(sources, targets, weights)

# Iterating over the edges to build the network graph
for src, dst, w in edge_data:
    conti_net.add_node(src, src, title=src)
    conti_net.add_node(dst, dst, title=dst)
    conti_net.add_edge(src, dst, value=w*10)
        
neighbor_map = conti_net.get_adj_list()

# add user data to node hover data
for node in conti_net.nodes:
    node['title'] += ' <br> - Discussion with:<br>' + '<br>'.join(neighbor_map[node['id']])
    node['value'] = len(neighbor_map[node['id']])
    
conti_net.show('conti_leak.html')
Out[14]:

Using MSTICPy to extract and analyze IOCs

Besides processing chat logs to analyze user activity and connections, Python can also be used to extract and analyze threat intelligence. This section shows how the MSTICPy library can be used to extract IOCs and how it can be used for additional threat hunting and intelligence.

Loading MSTICpy

In [15]:
# Imports and configuration
from IPython.display import display, HTML
from msticpy.sectools import IoCExtract
import matplotlib.pyplot as plt
import sys
import warnings
from msticpy import init_notebook
init_notebook(namespace=globals());

pd.set_option('display.max_rows', 500)
pd.set_option('display.max_columns', 50)
pd.set_option('display.max_colwidth', 100)

Starting Notebook initialization...


msticpy version installed: 1.7.5 latest published: 1.8.1
A newer version of msticpy - 1.8.1 is available.
Upgrade with 'pip install --upgrade msticpy'

Processing imports....
Imported: pd (pandas), IPython.get_ipython, IPython.display.display, IPython.display.HTML, IPython.display.Markdown, widgets (ipywidgets), pathlib.Path, plt (matplotlib.pyplot), matplotlib.MatplotlibDeprecationWarning, np (numpy), sns (seaborn), msticpy, msticpy.data.QueryProvider, msticpy.nbtools.foliummap.FoliumMap, msticpy.common.utility.md, msticpy.common.utility.md_warn, msticpy.common.wsconfig.WorkspaceConfig, msticpy.datamodel.pivot.Pivot, msticpy.datamodel.entities, msticpy.nbtools.nbmagics, msticpy.vis.mp_pandas_plot
Checking configuration....

The following configuration errors were found:
-----------------------------------------------
Missing or empty 'Workspaces' key in 'AzureSentinel' section
No warnings found.

No valid configuration for Microsoft Sentinel found.
Azure CLI credentials not detected. (see Caching credentials with Azure CLI)
Setting notebook options....
This library uses services provided by ipstack. https://ipstack.com


Notebook setup completed with some warnings.

One or more configuration items were missing or set incorrectly.

Please run the Getting Started Guide for Azure Sentinel ML Notebooks notebook. and the msticpy configuration guide.

This notebook may still run but with reduced functionality.

Notebook initialization complete


Extracting IOCs

MSTICPy is a Python library used for threat investigation and threat hunting. The library can connect to several threat intelligence providers, as well as Microsoft tools like Microsoft Sentinel. It can be used to query logs and to enrich data. It’s particularly convenient for analyzing IOCs and adding more threat contextualization.

In [16]:
# We clean the dataframe to replace None values with empty strings
df['LANG-EN'] = df['LANG-EN'].fillna('').apply(str)

# Initiate the IOC extractor
ioc_extractor = IoCExtract()
ioc_df = ioc_extractor.extract(data = df, columns = ['LANG-EN'])

display(HTML("<h4>IoC patterns found in chat logs.</h4>"))
display(ioc_df.head(10))

IoC patterns found in chat logs.

IoCType Observable SourceIndex Input
0 dns qaz.im 23 https://qaz.im/load/Tb6rNh/dYkYy2
1 url https://qaz.im/load/Tb6rNh/dYkYy2 23 https://qaz.im/load/Tb6rNh/dYkYy2
2 dns qaz.im 25 https://qaz.im/load/hzkQTQ/BTa6Ze
3 url https://qaz.im/load/hzkQTQ/BTa6Ze 25 https://qaz.im/load/hzkQTQ/BTa6Ze
4 dns qaz.im 29 https://qaz.im/load/Tb6rNh/dYkYy2
5 url https://qaz.im/load/Tb6rNh/dYkYy2 29 https://qaz.im/load/Tb6rNh/dYkYy2
6 dns qaz.im 52 https://qaz.im/load/hzkQTQ/BTa6Ze
7 url https://qaz.im/load/hzkQTQ/BTa6Ze 52 https://qaz.im/load/hzkQTQ/BTa6Ze
8 ipv6 09:54:30 54 [09:54:30] <22> throw it right away. until March 1, whatever. and then you waste it on trifles a...
9 ipv6 09:55:17 54 [09:54:30] <22> throw it right away. until March 1, whatever. and then you waste it on trifles a...
In [17]:
# Extracting BTC addresses
# Adding a custom IoC type with its regex to a new extractor
extractor = IoCExtract()
extractor.add_ioc_type(ioc_type='btc', ioc_regex='^(?:[13]{1}[a-km-zA-HJ-NP-Z1-9]{26,33}|bc1[a-z0-9]{39,59})$')

# Check that it added ok
print(extractor.ioc_types['btc'])

# Use the extractor that knows the 'btc' type on our data set and keep only the BTC rows
btc_df = extractor.extract(data=df, columns=['LANG-EN']).query('IoCType == \'btc\'')

display(HTML("<h4>BTC addresses found in chat logs.</h4>"))
display(btc_df.head(10))
IoCPattern(ioc_type='btc', comp_regex=re.compile('^(?:[13]{1}[a-km-zA-HJ-NP-Z1-9]{26,33}|bc1[a-z0-9]{39,59})$', re.IGNORECASE|re.MULTILINE|re.VERBOSE), priority=0, group=None)

BTC addresses found in chat logs.

IoCType Observable SourceIndex Input
152 btc bc1q3efl4m2jcr6gk32usxnfyrxh294sr8plmpe3ye 806 bc1q3efl4m2jcr6gk32usxnfyrxh294sr8plmpe3ye
213 btc 1MxtwUpH4cWAz4en4kqVNzAdx5gpk9etUC 1131 hello, the bitcoins are over, in total 6 new servers, two vpn subscriptions, an ipvanish subscri...
214 btc 1MxtwUpH4cWAz4en4kqVNzAdx5gpk9etUC 1136 hello, the bitcoins are over, in total 6 new servers, two vpn subscriptions, an ipvanish subscri...
296 btc bc1qnf6drcfl786d70wlhfytyr5xg3qqgknlsh8dc3 1606 bc1qnf6drcfl786d70wlhfytyr5xg3qqgknlsh8dc3
297 btc 17mc4Qm7ka9jhQEUB5LTxP3gW3tsDYUJGQ 1608 hello, the cue ball is over, in total 8 new servers, two vpn subscriptions, and 18 renewals have...
307 btc bc1qnf6drcfl786d70wlhfytyr5xg3qqgknlsh8dc3 1617 bc1qnf6drcfl786d70wlhfytyr5xg3qqgknlsh8dc3
308 btc 17mc4Qm7ka9jhQEUB5LTxP3gW3tsDYUJGQ 1619 hello, the cue ball is over, in total 8 new servers, two vpn subscriptions, and 18 renewals have...
329 btc bc1qy2083z665ux68zda3tfuh5xed2493uaj8whdwv 1669 bc1qy2083z665ux68zda3tfuh5xed2493uaj8whdwv
330 btc 172KVKhMqL5CU1HN884RbArzu5DDL5hwE3 1680 172KVKhMqL5CU1HN884RbArzu5DDL5hwE3\n\n0.01523011
335 btc bc1qc39qwc3nl2eyh2cu4ct6tyh9zqzp9ye993c0y2 1716 bc1qc39qwc3nl2eyh2cu4ct6tyh9zqzp9ye993c0y2
In [18]:
display(HTML("<h4>Merging, filtering and sorting</h4>"))

# Merging the two dataframes and dropping duplicate observables
ioc_df = pd.concat([ioc_df, btc_df], axis=0).drop_duplicates(subset='Observable').reset_index(drop=True)

# Removing the ipv6 rows: they are false positives (chat timestamps such as 09:54:30 match the IPv6 pattern)
ioc_df = ioc_df[~ioc_df["IoCType"].str.contains("ipv6")]

ioc_df

Merging, filtering and sorting

Out[18]:
IoCType Observable SourceIndex Input
0 dns qaz.im 23 https://qaz.im/load/Tb6rNh/dYkYy2
1 url https://qaz.im/load/Tb6rNh/dYkYy2 23 https://qaz.im/load/Tb6rNh/dYkYy2
2 url https://qaz.im/load/hzkQTQ/BTa6Ze 25 https://qaz.im/load/hzkQTQ/BTa6Ze
6 url https://qaz.im/load/3EZGA7/4SEstA 103 https://qaz.im/load/3EZGA7/4SEstA
21 ipv4 54.183.140.39 228 yep, they all worked\nexcept\nbot\n54.183.140.39
... ... ... ... ...
4241 btc 1G5LWXMN42ueD2eWvm4zMrhXGihghHDgMq 59405 1G5LWXMN42ueD2eWvm4zMrhXGihghHDgMq\nAmount $1000
4242 btc bc1qr8fw0xj28emurqhu8k7gj4llzgnxf4dejhl04h 59913 hello, I turned to the defender to clarify the situation with the salary, he replied that now it...
4243 btc bc1qxxe0uz8dp820mnl7q5w3a2z9y4zgq9cr6smlf6 60385 bc1qxxe0uz8dp820mnl7q5w3a2z9y4zgq9cr6smlf6
4244 btc 33hiG13GTHTV2G8aZxzBJHBPBpDNevcK2B 60542 33hiG13GTHTV2G8aZxzBJHBPBpDNevcK2B
4245 btc 3351LRF9NrFH5v2CMZWsCv66tv5UAjX5Gn 60559 3351LRF9NrFH5v2CMZWsCv66tv5UAjX5Gn

2227 rows × 4 columns
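The cleanup above drops every ipv6 row because chat timestamps such as 09:54:30 match the IPv6 pattern. As an added example (not code from the notebook or from msticpy), the standard-library validator below checks the format of each extracted observable instead of discarding a whole type: IP addresses through the ipaddress module, and BTC addresses through their Base58Check or bech32/bech32m checksum. The sample rows are constructed for the example; the two valid BTC addresses are the well-known genesis-block address and the BIP173 P2WPKH test vector, and the last one is a deliberately corrupted copy of the latter:

```python
import hashlib
import ipaddress

B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
BECH32_CHARSET = "qpzry9x8gf2tvdw0s3jn54khce6mua7l"


def valid_base58check(addr):
    """Legacy (1...) and P2SH (3...) addresses: a 25-byte payload whose last 4 bytes
    equal the first 4 bytes of SHA256(SHA256(version || hash160))."""
    num = 0
    for ch in addr:
        if ch not in B58_ALPHABET:
            return False
        num = num * 58 + B58_ALPHABET.index(ch)
    try:
        payload = num.to_bytes(25, "big")
    except OverflowError:
        return False
    # each leading '1' encodes one leading zero byte; the two counts must agree
    leading_ones = len(addr) - len(addr.lstrip("1"))
    leading_zeros = len(payload) - len(payload.lstrip(b"\x00"))
    if leading_ones != leading_zeros:
        return False
    digest = hashlib.sha256(hashlib.sha256(payload[:-4]).digest()).digest()
    return digest[:4] == payload[-4:]


def bech32_polymod(values):
    """BCH checksum from BIP173."""
    gen = (0x3B6A57B2, 0x26508E6D, 0x1EA119FA, 0x3D4233DD, 0x2A1462B3)
    chk = 1
    for v in values:
        top = chk >> 25
        chk = ((chk & 0x1FFFFFF) << 5) ^ v
        for i in range(5):
            if (top >> i) & 1:
                chk ^= gen[i]
    return chk


def valid_bech32(addr):
    """Segwit (bc1...) addresses: bech32 for witness v0, bech32m (BIP350) for v1+."""
    if addr != addr.lower() and addr != addr.upper():
        return False  # mixed case is forbidden by the spec
    addr = addr.lower()
    if not addr.startswith("bc1") or not 14 <= len(addr) <= 74:
        return False
    data = addr[3:]
    if any(c not in BECH32_CHARSET for c in data):
        return False
    values = [ord(c) >> 5 for c in "bc"] + [0] + [ord(c) & 31 for c in "bc"]
    values += [BECH32_CHARSET.index(c) for c in data]
    expected = 1 if data[0] == "q" else 0x2BC830A3  # 'q' encodes witness version 0
    return bech32_polymod(values) == expected


def is_valid_ioc(ioc_type, observable):
    """Format check per IoC type; types without a checker pass through unchanged."""
    if ioc_type in ("ipv4", "ipv6"):
        try:
            parsed = ipaddress.ip_address(observable)
        except ValueError:
            return False  # e.g. a chat timestamp reported as ipv6
        return parsed.version == (4 if ioc_type == "ipv4" else 6)
    if ioc_type == "btc":
        if observable.lower().startswith("bc1"):
            return valid_bech32(observable)
        if observable[:1] in ("1", "3"):
            return valid_base58check(observable)
        return False
    return True


def filter_iocs(rows):
    """Keep only rows (dicts with IoCType and Observable) that pass the format check."""
    return [r for r in rows if is_valid_ioc(r["IoCType"], r["Observable"])]


# Constructed sample mirroring the notebook's IoC table
SAMPLE_IOCS = [
    {"IoCType": "ipv6", "Observable": "09:54:30"},
    {"IoCType": "ipv4", "Observable": "54.183.140.39"},
    {"IoCType": "btc", "Observable": "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa"},
    {"IoCType": "btc", "Observable": "bc1qw508d6qejxtdg4y5r3zarvary0c5xw7kv8f3t4"},
    {"IoCType": "btc", "Observable": "bc1qw508d6qejxtdg4y5r3zarvary0c5xw7kv8f3t5"},
    {"IoCType": "dns", "Observable": "qaz.im"},
]

if __name__ == "__main__":
    for row in filter_iocs(SAMPLE_IOCS):
        print(row["IoCType"], row["Observable"])
```

On the notebook's dataframe the same check can be applied row-wise, for instance ioc_df[ioc_df.apply(lambda r: is_valid_ioc(r["IoCType"], r["Observable"]), axis=1)], which keeps real IPv6 observables and drops BTC-looking strings whose checksum does not verify.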

In [19]:
# Save IOC to CSV
ioc_df.to_csv("IOC\\full_ioc.csv")

# Overview of the IOC in the dataset
ioc_df["IoCType"].value_counts()
Out[19]:
url            1137
dns             474
ipv4            317
btc             175
md5_hash        106
sha256_hash      16
sha1_hash         2
Name: IoCType, dtype: int64

Cleaning the extracted IOCs

In [20]:
# Dropping observables from the privnote.com and qaz.im sharing services
# (regex=False: match the literal domain, so '.' is not treated as a wildcard)
ioc_df = ioc_df[~ioc_df["Observable"].str.contains("privnote.com", regex=False)]
ioc_df = ioc_df[~ioc_df["Observable"].str.contains("qaz.im", regex=False)]
In [21]:
ioc_df
Out[21]:
IoCType Observable SourceIndex Input
21 ipv4 54.183.140.39 228 yep, they all worked\nexcept\nbot\n54.183.140.39
24 dns 2Fwwwapps.ups.com 335 1Z9918AW3591558812 <https://hura.me/no-ref.php?url=http%3A%2F%2Fwwwapps.ups.com%2FWebTracking%2F...
25 dns hura.me 335 1Z9918AW3591558812 <https://hura.me/no-ref.php?url=http%3A%2F%2Fwwwapps.ups.com%2FWebTracking%2F...
26 url https://hura.me/no-ref.php?url=http%3A%2F%2Fwwwapps.ups.com%2FWebTracking%2Ftrack%3FHTMLtrackVer... 335 1Z9918AW3591558812 <https://hura.me/no-ref.php?url=http%3A%2F%2Fwwwapps.ups.com%2FWebTracking%2F...
27 url https://hura.me/no-ref.php?url=http://wwwapps.ups.com/WebTracking/track?HTMLtrackVersion=5.0&loc... 335 1Z9918AW3591558812 <https://hura.me/no-ref.php?url=http%3A%2F%2Fwwwapps.ups.com%2FWebTracking%2F...
... ... ... ... ...
4241 btc 1G5LWXMN42ueD2eWvm4zMrhXGihghHDgMq 59405 1G5LWXMN42ueD2eWvm4zMrhXGihghHDgMq\nAmount $1000
4242 btc bc1qr8fw0xj28emurqhu8k7gj4llzgnxf4dejhl04h 59913 hello, I turned to the defender to clarify the situation with the salary, he replied that now it...
4243 btc bc1qxxe0uz8dp820mnl7q5w3a2z9y4zgq9cr6smlf6 60385 bc1qxxe0uz8dp820mnl7q5w3a2z9y4zgq9cr6smlf6
4244 btc 33hiG13GTHTV2G8aZxzBJHBPBpDNevcK2B 60542 33hiG13GTHTV2G8aZxzBJHBPBpDNevcK2B
4245 btc 3351LRF9NrFH5v2CMZWsCv66tv5UAjX5Gn 60559 3351LRF9NrFH5v2CMZWsCv66tv5UAjX5Gn

1760 rows × 4 columns

IP Addresses Intelligence

In [22]:
df_ip = ioc_df.loc[ioc_df["IoCType"] == "ipv4"]
df_ip['IoCType'].count()
Out[22]:
317
In [23]:
# load all configured providers (API keys are read from the msticpy config file)
from msticpy.sectools import TILookup
ti_lookup = TILookup(providers = ["VirusTotal", "GreyNoise", "OTX"])
ti_lookup.provider_status
Out[23]:
['GreyNoise - GreyNoise Lookup. (primary)',
 'OTX - AlientVault OTX Lookup. (primary)',
 'VirusTotal - VirusTotal Lookup. (primary)']
In [24]:
# Don't forget to reload the providers once you specified the api key in the config file. 
ti_lookup.reload_providers()
Settings reloaded. Use reload_providers to update settings for loaded providers.
In [25]:
ip_intel = ti_lookup.lookup_iocs(data = df_ip["Observable"])
ip_intel.head(10)
Out[25]:
Ioc IocType SafeIoc QuerySubtype Provider Result Severity Details RawResult Reference Status
0 54.183.140.39 ipv4 54.183.140.39 None GreyNoise False information Not found. <Response [404 Not Found]> https://api.greynoise.io/v3/community/54.183.140.39 404
1 5.139.220.204 ipv4 5.139.220.204 None GreyNoise False information Not found. <Response [404 Not Found]> https://api.greynoise.io/v3/community/5.139.220.204 404
2 138.124.180.94 ipv4 138.124.180.94 None GreyNoise False information Not found. <Response [404 Not Found]> https://api.greynoise.io/v3/community/138.124.180.94 404
3 45.14.226.47 ipv4 45.14.226.47 None GreyNoise False information Not found. <Response [404 Not Found]> https://api.greynoise.io/v3/community/45.14.226.47 404
4 193.203.203.101 ipv4 193.203.203.101 None GreyNoise False information Not found. <Response [404 Not Found]> https://api.greynoise.io/v3/community/193.203.203.101 404
5 173.163.176.177 ipv4 173.163.176.177 None GreyNoise False information Not found. <Response [404 Not Found]> https://api.greynoise.io/v3/community/173.163.176.177 404
6 75.151.48.49 ipv4 75.151.48.49 None GreyNoise False information Not found. <Response [404 Not Found]> https://api.greynoise.io/v3/community/75.151.48.49 404
7 71.105.126.26 ipv4 71.105.126.26 None GreyNoise False information Not found. <Response [404 Not Found]> https://api.greynoise.io/v3/community/71.105.126.26 404
8 96.70.44.17 ipv4 96.70.44.17 None GreyNoise False information Not found. <Response [404 Not Found]> https://api.greynoise.io/v3/community/96.70.44.17 404
9 96.93.217.253 ipv4 96.93.217.253 None GreyNoise False information Not found. <Response [404 Not Found]> https://api.greynoise.io/v3/community/96.93.217.253 404
In [26]:
# Saving the IP into a csv file.
ip_intel.to_csv("IOC\\ipintel.csv")
In [27]:
# Keeping only the IPs whose severity is above "information"
ip_intel = ip_intel[~ip_intel["Severity"].str.contains("information")]
In [28]:
# You can also make a request for a single IP.
result = ti_lookup.lookup_ioc(observable="203.76.105.227")
ti_lookup.result_to_df(result).T
Out[28]:
GreyNoise OTX VirusTotal
Ioc 203.76.105.227 203.76.105.227 203.76.105.227
IocType ipv4 ipv4 ipv4
QuerySubtype None None None
Provider GreyNoise OTX VirusTotal
Result False True True
Severity information high information
Details Not found. {'pulse_count': 3, 'names': ['IoC Ransomware CONTI', 'Conti Ransomware | CISA', 'Conti Ransomwar... {'verbose_msg': 'IP address in dataset', 'response_code': 1, 'positives': 0, 'detected_urls': []...
RawResult <Response [404 Not Found]> {'whois': 'http://whois.domaintools.com/203.76.105.227', 'reputation': 0, 'indicator': '203.76.1... {'asn': 23688, 'undetected_urls': [], 'undetected_downloaded_samples': [{'date': '2021-05-25 16:...
Reference https://api.greynoise.io/v3/community/203.76.105.227 https://otx.alienvault.com/api/v1/indicators/IPv4/203.76.105.227/general https://www.virustotal.com/vtapi/v2/ip-address/report
Status 404 0 0

Browsing the result

In [29]:
from msticpy.nbtools.ti_browser import browse_results
ip_intel = pd.read_csv("IOC\\ipintel.csv")

ti_selector = browse_results(data = ip_intel, height="200px")
ti_selector

103.101.104.229

Type: 'ipv4', Provider: OTX, severity: high

Details

{'pulse_count': 50, 'names': ['Network IOCs', 'feodotracker-0-20220511', 'feodotracker-0-20220504', 'feodotracker-0-20220510', 'feodotracker-0-20220503', 'feodotracker-0-20220509', 'feodotracker-0-20220502', 'feodotracker-0-20220501', 'feodotracker-0-20220507', 'feodotracker-0-20220430', 'feodotracker-0-20220506', 'feodotracker-0-20220429', 'feodotracker-0-20220428', 'feodotracker-0-20220427', 'feodotracker-0-20220426', 'feodotracker-0-20220425', 'feodotracker-0-20220424', 'feodotracker-0-20220422', 'feodotracker-0-20220420', 'feodotracker-0-20220419', 'feodotracker-0-20220418', 'feodotracker-0-20220417', 'resteex_blacklist_(ipset|hash:ip)_20220423_LVL0', 'feodotracker-0-20220415', 'IoC Ransomware CONTI', 'feodotracker-0-20220413', 'feodotracker-0-20220412', 'feodotracker-0-20220410', 'feodotracker-0-20220410', 'feodotracker-0-20220409', 'feodotracker-0-20220407', 'feodotracker-0-20220406', 'feodotracker-0-20220405', 'feodotracker-0-20220404', 'Conti Ransomware | CISA', 'feodotracker-0-20220403', 'Conti Ransomware IOC', 'feodotracker-0-20220402', 'feodotracker-0-20220402', 'feodotracker-0-20220401', 'feodotracker-0-20220331', 'feodotracker-0-20220330', 'feodotracker-0-20220329', 'feodotracker-0-20220328', 'feodotracker-0-20220327', 'feodotracker-0-20220326', 'feodotracker-0-20220323', 'feodotracker-0-20220322', 'feodotracker-0-20220321', 'feodotracker-0-20220320'], 'tags': [['msi file', 'tuesday', 'malspam email', 'headers', 'anna paula', 'utf8', 'currc3adculo', 'from email', 'associated', 'zip archive'], [], [], [], [], [], [], [], [], [], [], [], [], [], [], [], [], [], [], [], [], [], [], [], [], [], [], [], [], [], [], [], [], [], ['uscert', 'csirt', 'cert', 'cybersecurity', 'cyber security', 'computer security', 'u. s. 
computer emergency readiness', 'cyber risks', 'conti', 'technique title', 'id use', 'trickbot', 'remote desktop', 'protocol', 'cisa', 'kerberos', 'admin hash', 'ta0004', 'cobalt strike', 'icedid', 'zloader', 'service'], [], ['span', 'path', 'header dropdown', 'link', 'script', 'product', 'explore', 'footer', 'github', 'button', 'template', 'meta', 'form', 'team', 'enterprise', 'contact', 'code', 'copy', 'reload', 'body', 'star', 'open', 'desktop', 'main'], [], [], [], [], [], [], [], [], [], [], [], [], []], 'references': [['2021-09-21-Curriculo-IOCs.txt'], [], [], [], [], [], [], [], [], [], [], [], [], [], [], [], [], [], [], [], [], [], ['blacklist_ip.backup'], [], [], [], [], [], [], [], [], [], [], [], ['https://www.cisa.gov/uscert/sites/default/files/publications/AA21-265A.stix.xml', 'https://www.cisa.gov/uscert/ncas/alerts/aa21-265a', 'https://www.breachquest.com/conti-leaks-insight-into-a-ransomware-unicorn/'], [], ['https://github.com/whichbuffer/Conti-Ransomware-IOC/blob/main/Conti%20IOC.txt'], [], [], [], [], [], [], [], [], [], [], [], [], []]}

Reference:

https://otx.alienvault.com/api/v1/indicators/IPv4/103.101.104.229/general

Raw Results

Raw results from provider...
("{'whois': 'http://whois.domaintools.com/103.101.104.229', 'reputation': 0, "
 "'indicator': '103.101.104.229', 'type': 'IPv4', 'type_title': 'IPv4', "
 "'base_indicator': {'id': 3011530694, 'indicator': '103.101.104.229', 'type': "
 "'IPv4', 'title': '', 'description': '', 'content': '', 'access_type': "
 "'public', 'access_reason': ''}, 'pulse_info': {'count': 50, 'pulses': "
 "[{'id': '614e0dc583aa90bf2dd4ec91', 'name': 'Network IOCs', 'description': "
 "'Network-based IOCs', 'modified': '2022-05-12T00:04:24.089000', 'created': "
 "'2021-09-24T17:41:25.461000', 'tags': ['msi file', 'tuesday', 'malspam "
 "email', 'headers', 'anna paula', 'utf8', 'currc3adculo', 'from email', "
 "'associated', 'zip archive'], 'references': "
 "['2021-09-21-Curriculo-IOCs.txt'], 'public': 1, 'adversary': '', "
 "'targeted_countries': [], 'malware_families': [], 'attack_ids': [], "
 "'industries': [], 'TLP': 'white', 'cloned_from': None, 'export_count': 87, "
 "'upvotes_count': 0, 'downvotes_count': 0, 'votes_count': 0, 'locked': False, "
 "'pulse_source': 'web', 'validator_count': 0, 'comment_count': 0, "
 "'follower_count': 0, 'vote': 0, 'author': {'username': 'cnoscsoc@att.com', "
 "'id': '81627', 'avatar_url': "
 "'https://otx.alienvault.com/assets/images/default-avatar.png', "
 "'is_subscribed': False, 'is_following': False}, 'indicator_type_counts': "
 "{'domain': 3314, 'hostname': 610, 'URL': 16, 'email': 1, 'IPv4': 1893}, "
 "'indicator_count': 5834, 'is_author': False, 'is_subscribing': None, "
 "'subscriber_count': 102, 'modified_text': '13 minutes ago ', 'is_modified': "
 "True, 'groups': [], 'in_group': False, 'threat_hunter_scannable': True, "
 "'threat_hunter_has_agents': 1, 'related_indicator_type': 'IPv4', "
 "'related_indicator_is_active': 0}, {'id': '627b45f5c02acb8a3eaee0db', "
 "'name': 'feodotracker-0-20220511', 'description': 'Data from "
 "'subscriber_count': 340, 'modified_text': '28 days ago ', 'is_modified': "
 "True, 'groups': [], 'in_group': False, 'threat_hunter_scannable': False, "
 "'threat_hunter_has_agents': 1, 'related_indicator_type': 'IPv4', "
 "'related_indicator_is_active': 0}, {'id': '624d36cef231bdea72ac18e5', "
 "'name': 'feodotracker-0-20220406', 'description': 'Data from "
 "https://feodotracker.abuse.ch/downloads/ipblocklist_aggressive.csv', "
 "'modified': '2022-04-13T00:01:48.292000', 'created': "
 "'2022-04-06T06:44:30.129000', 'tags': [], 'references': [], 'public': 1, "
 "'adversary': '', 'targeted_countries': [], 'malware_families': [], "
 "'attack_ids': [], 'industries': [], 'TLP': 'white', 'cloned_from': None, "
 "'export_count': 6, 'upvotes_count': 0, 'downvotes_count': 0, 'votes_count': "
 "0, 'locked': False, 'pulse_source': 'api', 'validator_count': 0, "
 "'comment_count': 0, 'follower_count': 0, 'vote': 0, 'author': {'username': "
 "'ZENDataGE', 'id': '94417', 'avatar_url': "
 "'https://otx.alienvault.com/assets/images/default-avatar.png', "
 "'is_subscribed': False, 'is_following': False}, 'indicator_type_counts': {}, "
 "'indicator_count': 0, 'is_author': False, 'is_subscribing': None, "
 "'subscriber_count': 339, 'modified_text': '29 days ago ', 'is_modified': "
 "True, 'groups': [], 'in_group': False, 'threat_hunter_scannable': False, "
 "'threat_hunter_has_agents': 1, 'related_indicator_type': 'IPv4', "
 "'related_indicator_is_active': 0}, {'id': '624bdd422428575554ddd772', "
 "'name': 'feodotracker-0-20220405', 'description': 'Data from "
 "https://feodotracker.abuse.ch/downloads/ipblocklist_aggressive.csv', "
 "'modified': '2022-04-12T00:02:34.248000', 'created': "
 "'2022-04-05T06:10:10.204000', 'tags': [], 'references': [], 'public': 1, "
 "'adversary': '', 'targeted_countries': [], 'malware_families': [], "
 "'attack_ids': [], 'industries': [], 'TLP': 'white', 'cloned_from': None, "
 "'export_count': 1, 'upvotes_count': 0, 'downvotes_count': 0, 'votes_count': "
 "0, 'locked': False, 'pulse_source': 'api', 'validator_count': 0, "
 "'comment_count': 0, 'follower_count': 0, 'vote': 0, 'author': {'username': "
 "'ZENDataGE', 'id': '94417', 'avatar_url': "
 "'https://otx.alienvault.com/assets/images/default-avatar.png', "
 "'is_subscribed': False, 'is_following': False}, 'indicator_type_counts': {}, "
 "'indicator_count': 0, 'is_author': False, 'is_subscribing': None, "
 "'subscriber_count': 341, 'modified_text': '30 days ago ', 'is_modified': "
 "True, 'groups': [], 'in_group': False, 'threat_hunter_scannable': False, "
 "'threat_hunter_has_agents': 1, 'related_indicator_type': 'IPv4', "
 "'related_indicator_is_active': 0}, {'id': '624adf0a9ea1216235242137', "
 "'name': 'feodotracker-0-20220404', 'description': 'Data from "
 "https://feodotracker.abuse.ch/downloads/ipblocklist_aggressive.csv', "
 "'modified': '2022-04-11T00:04:29.819000', 'created': "
 "'2022-04-04T12:05:30.840000', 'tags': [], 'references': [], 'public': 1, "
 "'adversary': '', 'targeted_countries': [], 'malware_families': [], "
 "'attack_ids': [], 'industries': [], 'TLP': 'white', 'cloned_from': None, "
 "'export_count': 3, 'upvotes_count': 0, 'downvotes_count': 0, 'votes_count': "
 "0, 'locked': False, 'pulse_source': 'api', 'validator_count': 0, "
 "'comment_count': 0, 'follower_count': 0, 'vote': 0, 'author': {'username': "
 "'ZENDataGE', 'id': '94417', 'avatar_url': "
 "'https://otx.alienvault.com/assets/images/default-avatar.png', "
 "'is_subscribed': False, 'is_following': False}, 'indicator_type_counts': {}, "
 "'indicator_count': 0, 'is_author': False, 'is_subscribing': None, "
 "'subscriber_count': 342, 'modified_text': '31 days ago ', 'is_modified': "
 "True, 'groups': [], 'in_group': False, 'threat_hunter_scannable': False, "
 "'threat_hunter_has_agents': 1, 'related_indicator_type': 'IPv4', "
 "'related_indicator_is_active': 0}, {'id': '62290bead9aa05af6158671f', "
 "'name': 'Conti Ransomware | CISA', 'description': '', 'modified': "
 "'2022-04-10T00:02:49.890000', 'created': '2022-03-09T20:19:54.752000', "
 "'tags': ['uscert', 'csirt', 'cert', 'cybersecurity', 'cyber security', "
 "'computer security', 'u. s. computer emergency readiness', 'cyber risks', "
 "'conti', 'technique title', 'id use', 'trickbot', 'remote desktop', "
 "'protocol', 'cisa', 'kerberos', 'admin hash', 'ta0004', 'cobalt strike', "
 "'icedid', 'zloader', 'service'], 'references': "
 "['https://www.cisa.gov/uscert/sites/default/files/publications/AA21-265A.stix.xml', "
 "'https://www.cisa.gov/uscert/ncas/alerts/aa21-265a', "
 "'https://www.breachquest.com/conti-leaks-insight-into-a-ransomware-unicorn/'], "
 "'public': 1, 'adversary': '', 'targeted_countries': [], 'malware_families': "
 "[], 'attack_ids': [{'id': 'T1016', 'name': 'System Network Configuration "
 "Discovery', 'display_name': 'T1016 - System Network Configuration "
 "Discovery'}, {'id': 'T1021', 'name': 'Remote Services', 'display_name': "
 "'T1021 - Remote Services'}, {'id': 'T1021.002', 'name': 'SMB/Windows Admin "
 "Shares', 'display_name': 'T1021.002 - SMB/Windows Admin Shares'}, {'id': "
 "'T1027', 'name': 'Obfuscated Files or Information', 'display_name': 'T1027 - "
 "Obfuscated Files or Information'}, {'id': 'T1049', 'name': 'System Network "
 "Connections Discovery', 'display_name': 'T1049 - System Network Connections "
 "Discovery'}, {'id': 'T1055', 'name': 'Process Injection', 'display_name': "
 "'T1055 - Process Injection'}, {'id': 'T1057', 'name': 'Process Discovery', "
 "'display_name': 'T1057 - Process Discovery'}, {'id': 'T1059', 'name': "
 "'Command and Scripting Interpreter', 'display_name': 'T1059 - Command and "
 "Scripting Interpreter'}, {'id': 'T1059.003', 'name': 'Windows Command "
 "Shell', 'display_name': 'T1059.003 - Windows Command Shell'}, {'id': "
 "'T1078', 'name': 'Valid Accounts', 'display_name': 'T1078 - Valid "
 "Accounts'}, {'id': 'T1080', 'name': 'Taint Shared Content', 'display_name': "
 "'T1080 - Taint Shared Content'}, {'id': 'T1083', 'name': 'File and Directory "
 "Discovery', 'display_name': 'T1083 - File and Directory Discovery'}, {'id': "
 "'T1106', 'name': 'Native API', 'display_name': 'T1106 - Native API'}, {'id': "
 "'T1110', 'name': 'Brute Force', 'display_name': 'T1110 - Brute Force'}, "
 "{'id': 'T1133', 'name': 'External Remote Services', 'display_name': 'T1133 - "
 "External Remote Services'}, {'id': 'T1135', 'name': 'Network Share "
 "Discovery', 'display_name': 'T1135 - Network Share Discovery'}, {'id': "
 "'T1140', 'name': 'Deobfuscate/Decode Files or Information', 'display_name': "
 "'T1140 - Deobfuscate/Decode Files or Information'}, {'id': 'T1486', 'name': "
 "'Data Encrypted for Impact', 'display_name': 'T1486 - Data Encrypted for "
 "Impact'}, {'id': 'T1489', 'name': 'Service Stop', 'display_name': 'T1489 - "
 "Service Stop'}, {'id': 'T1490', 'name': 'Inhibit System Recovery', "
 "'display_name': 'T1490 - Inhibit System Recovery'}, {'id': 'T1558', 'name': "
 "'Steal or Forge Kerberos Tickets', 'display_name': 'T1558 - Steal or Forge "
 "Kerberos Tickets'}, {'id': 'T1558.003', 'name': 'Kerberoasting', "
 "'display_name': 'T1558.003 - Kerberoasting'}, {'id': 'T1566', 'name': "
 "'Phishing', 'display_name': 'T1566 - Phishing'}, {'id': 'T1566.001', 'name': "
 "'Spearphishing Attachment', 'display_name': 'T1566.001 - Spearphishing "
 "Attachment'}, {'id': 'T1566.002', 'name': 'Spearphishing Link', "
 "'display_name': 'T1566.002 - Spearphishing Link'}], 'industries': [], 'TLP': "
 "'white', 'cloned_from': None, 'export_count': 16, 'upvotes_count': 0, "
 "'downvotes_count': 0, 'votes_count': 0, 'locked': False, 'pulse_source': "
 "'web', 'validator_count': 0, 'comment_count': 0, 'follower_count': 0, "
 "'vote': 0, 'author': {'username': 'VertekLabs', 'id': '168455', "
 "'avatar_url': "
 "'/otxapi/users/avatar_image/media/avatars/user_168455/resized/80/avatar_3b9c358f36.png', "
 "'is_subscribed': False, 'is_following': False}, 'indicator_type_counts': "
 "{'CVE': 2, 'domain': 98, 'BitcoinAddress': 202, 'FileHash-MD5': 24, "
 "'FileHash-SHA1': 24, 'FileHash-SHA256': 72}, 'indicator_count': 422, "
 "'is_author': False, 'is_subscribing': None, 'subscriber_count': 85, "
 "'modified_text': '32 days ago ', 'is_modified': True, 'groups': [], "
 "'in_group': False, 'threat_hunter_scannable': True, "
 "'threat_hunter_has_agents': 1, 'related_indicator_type': 'IPv4', "
 "'related_indicator_is_active': 0}, {'id': '62494787cf39b823ff8f7afe', "
 "'name': 'feodotracker-0-20220403', 'description': 'Data from "
 "https://feodotracker.abuse.ch/downloads/ipblocklist_aggressive.csv', "
 "'modified': '2022-04-10T00:02:49.890000', 'created': "
 "'2022-04-03T07:06:47.463000', 'tags': [], 'references': [], 'public': 1, "
 "'adversary': '', 'targeted_countries': [], 'malware_families': [], "
 "'attack_ids': [], 'industries': [], 'TLP': 'white', 'cloned_from': None, "
 "'export_count': 1, 'upvotes_count': 0, 'downvotes_count': 0, 'votes_count': "
 "0, 'locked': False, 'pulse_source': 'api', 'validator_count': 0, "
 "'comment_count': 0, 'follower_count': 0, 'vote': 0, 'author': {'username': "
 "'ZENDataGE', 'id': '94417', 'avatar_url': "
 "'https://otx.alienvault.com/assets/images/default-avatar.png', "
 "'is_subscribed': False, 'is_following': False}, 'indicator_type_counts': {}, "
 "'indicator_count': 0, 'is_author': False, 'is_subscribing': None, "
 "'subscriber_count': 341, 'modified_text': '32 days ago ', 'is_modified': "
 "True, 'groups': [], 'in_group': False, 'threat_hunter_scannable': False, "
 "'threat_hunter_has_agents': 1, 'related_indicator_type': 'IPv4', "
 "'related_indicator_is_active': 0}, {'id': '6229d84f86d99550fa73e1fa', "
 "'name': 'Conti Ransomware IOC', 'description': '', 'modified': "
 "'2022-04-09T00:00:32.009000', 'created': '2022-03-10T10:51:59.898000', "
 "'tags': ['span', 'path', 'header dropdown', 'link', 'script', 'product', "
 "'explore', 'footer', 'github', 'button', 'template', 'meta', 'form', 'team', "
 "'enterprise', 'contact', 'code', 'copy', 'reload', 'body', 'star', 'open', "
 "'desktop', 'main'], 'references': "
 "['https://github.com/whichbuffer/Conti-Ransomware-IOC/blob/main/Conti%20IOC.txt'], "
 "'public': 1, 'adversary': '', 'targeted_countries': [], 'malware_families': "
 "[], 'attack_ids': [], 'industries': [], 'TLP': 'white', 'cloned_from': None, "
 "'export_count': 8, 'upvotes_count': 0, 'downvotes_count': 0, 'votes_count': "
 "0, 'locked': False, 'pulse_source': 'web', 'validator_count': 0, "
 "'comment_count': 0, 'follower_count': 0, 'vote': 0, 'author': {'username': "
 "'bluewatcher', 'id': '174522', 'avatar_url': "
 "'https://otx.alienvault.com/assets/images/default-avatar.png', "
 "'is_subscribed': False, 'is_following': False}, 'indicator_type_counts': "
 "{'URL': 8, 'FileHash-MD5': 5, 'FileHash-SHA1': 1, 'FileHash-SHA256': 52, "
 "'domain': 111, 'email': 169}, 'indicator_count': 346, 'is_author': False, "
 "'is_subscribing': None, 'subscriber_count': 47, 'modified_text': '33 days "
 "ago ', 'is_modified': True, 'groups': [], 'in_group': False, "
 "'threat_hunter_scannable': True, 'threat_hunter_has_agents': 1, "
 "'related_indicator_type': 'IPv4', 'related_indicator_is_active': 0}, {'id': "
 "'6248002ceb67f57c92e0cf57', 'name': 'feodotracker-0-20220402', "
 "'description': 'Data from "
 "https://feodotracker.abuse.ch/downloads/ipblocklist_aggressive.csv', "
 "'modified': '2022-04-09T00:00:32.009000', 'created': "
 "'2022-04-02T07:50:04.421000', 'tags': [], 'references': [], 'public': 1, "
 "'adversary': '', 'targeted_countries': [], 'malware_families': [], "
 "'attack_ids': [], 'industries': [], 'TLP': 'white', 'cloned_from': None, "
 "'export_count': 1, 'upvotes_count': 0, 'downvotes_count': 0, 'votes_count': "
 "0, 'locked': False, 'pulse_source': 'api', 'validator_count': 0, "
 "'comment_count': 0, 'follower_count': 0, 'vote': 0, 'author': {'username': "
 "'ZENDataGE', 'id': '94417', 'avatar_url': "
 "'https://otx.alienvault.com/assets/images/default-avatar.png', "
 "'is_subscribed': False, 'is_following': False}, 'indicator_type_counts': {}, "
 "'indicator_count': 0, 'is_author': False, 'is_subscribing': None, "
 "'subscriber_count': 340, 'modified_text': '33 days ago ', 'is_modified': "
 "True, 'groups': [], 'in_group': False, 'threat_hunter_scannable': False, "
 "'threat_hunter_has_agents': 1, 'related_indicator_type': 'IPv4', "
 "'related_indicator_is_active': 0}, {'id': '624804aac57a56b6d6f439ff', "
 "'name': 'feodotracker-0-20220402', 'description': 'Data from "
 "https://feodotracker.abuse.ch/downloads/ipblocklist_aggressive.csv', "
 "'modified': '2022-04-09T00:00:32.009000', 'created': "
 "'2022-04-02T08:09:14.305000', 'tags': [], 'references': [], 'public': 1, "
 "'adversary': '', 'targeted_countries': [], 'malware_families': [], "
 "'attack_ids': [], 'industries': [], 'TLP': 'white', 'cloned_from': None, "
 "'export_count': 1, 'upvotes_count': 0, 'downvotes_count': 0, 'votes_count': "
 "0, 'locked': False, 'pulse_source': 'api', 'validator_count': 0, "
 "'comment_count': 0, 'follower_count': 0, 'vote': 0, 'author': {'username': "
 "'ZENDataGE', 'id': '94417', 'avatar_url': "
 "'https://otx.alienvault.com/assets/images/default-avatar.png', "
 "'is_subscribed': False, 'is_following': False}, 'indicator_type_counts': {}, "
 "'indicator_count': 0, 'is_author': False, 'is_subscribing': None, "
 "'subscriber_count': 340, 'modified_text': '33 days ago ', 'is_modified': "
 "True, 'groups': [], 'in_group': False, 'threat_hunter_scannable': False, "
 "'threat_hunter_has_agents': 1, 'related_indicator_type': 'IPv4', "
 "'related_indicator_is_active': 0}, {'id': '6246a992168dfa61b62e0743', "
 "'name': 'feodotracker-0-20220401', 'description': 'Data from "
 "https://feodotracker.abuse.ch/downloads/ipblocklist_aggressive.csv', "
 "'modified': '2022-04-08T00:05:40.239000', 'created': "
 "'2022-04-01T07:28:18.183000', 'tags': [], 'references': [], 'public': 1, "
 "'adversary': '', 'targeted_countries': [], 'malware_families': [], "
 "'attack_ids': [], 'industries': [], 'TLP': 'white', 'cloned_from': None, "
 "'export_count': 3, 'upvotes_count': 0, 'downvotes_count': 0, 'votes_count': "
 "0, 'locked': False, 'pulse_source': 'api', 'validator_count': 0, "
 "'comment_count': 0, 'follower_count': 0, 'vote': 0, 'author': {'username': "
 "'ZENDataGE', 'id': '94417', 'avatar_url': "
 "'https://otx.alienvault.com/assets/images/default-avatar.png', "
 "'is_subscribed': False, 'is_following': False}, 'indicator_type_counts': {}, "
 "'indicator_count': 0, 'is_author': False, 'is_subscribing': None, "
 "'subscriber_count': 340, 'modified_text': '34 days ago ', 'is_modified': "
 "True, 'groups': [], 'in_group': False, 'threat_hunter_scannable': False, "
 "'threat_hunter_has_agents': 1, 'related_indicator_type': 'IPv4', "
 "'related_indicator_is_active': 0}, {'id': '624557c656e4f6be5ee26782', "
 "'name': 'feodotracker-0-20220331', 'description': 'Data from "
 "https://feodotracker.abuse.ch/downloads/ipblocklist_aggressive.csv', "
 "'modified': '2022-04-07T00:04:02.553000', 'created': "
 "'2022-03-31T07:27:02.349000', 'tags': [], 'references': [], 'public': 1, "
 "'adversary': '', 'targeted_countries': [], 'malware_families': [], "
 "'attack_ids': [], 'industries': [], 'TLP': 'white', 'cloned_from': None, "
 "'export_count': 1, 'upvotes_count': 0, 'downvotes_count': 0, 'votes_count': "
 "0, 'locked': False, 'pulse_source': 'api', 'validator_count': 0, "
 "'comment_count': 0, 'follower_count': 0, 'vote': 0, 'author': {'username': "
 "'ZENDataGE', 'id': '94417', 'avatar_url': "
 "'https://otx.alienvault.com/assets/images/default-avatar.png', "
 "'is_subscribed': False, 'is_following': False}, 'indicator_type_counts': {}, "
 "'indicator_count': 0, 'is_author': False, 'is_subscribing': None, "
 "'subscriber_count': 340, 'modified_text': '35 days ago ', 'is_modified': "
 "True, 'groups': [], 'in_group': False, 'threat_hunter_scannable': False, "
 "'threat_hunter_has_agents': 1, 'related_indicator_type': 'IPv4', "
 "'related_indicator_is_active': 0}, {'id': '6243f3a2785e5607272c8999', "
 "'name': 'feodotracker-0-20220330', 'description': 'Data from "
 "https://feodotracker.abuse.ch/downloads/ipblocklist_aggressive.csv', "
 "'modified': '2022-04-06T00:02:16.312000', 'created': "
 "'2022-03-30T06:07:30.478000', 'tags': [], 'references': [], 'public': 1, "
 "'adversary': '', 'targeted_countries': [], 'malware_families': [], "
 "'attack_ids': [], 'industries': [], 'TLP': 'white', 'cloned_from': None, "
 "'export_count': 2, 'upvotes_count': 0, 'downvotes_count': 0, 'votes_count': "
 "0, 'locked': False, 'pulse_source': 'api', 'validator_count': 0, "
 "'comment_count': 0, 'follower_count': 0, 'vote': 0, 'author': {'username': "
 "'ZENDataGE', 'id': '94417', 'avatar_url': "
 "'https://otx.alienvault.com/assets/images/default-avatar.png', "
 "'is_subscribed': False, 'is_following': False}, 'indicator_type_counts': {}, "
 "'indicator_count': 0, 'is_author': False, 'is_subscribing': None, "
 "'subscriber_count': 343, 'modified_text': '36 days ago ', 'is_modified': "
 "True, 'groups': [], 'in_group': False, 'threat_hunter_scannable': False, "
 "'threat_hunter_has_agents': 1, 'related_indicator_type': 'IPv4', "
 "'related_indicator_is_active': 0}, {'id': '6242af0eb5b55b34f2281d71', "
 "'name': 'feodotracker-0-20220329', 'description': 'Data from "
 "https://feodotracker.abuse.ch/downloads/ipblocklist_aggressive.csv', "
 "'modified': '2022-04-05T00:01:21.136000', 'created': "
 "'2022-03-29T07:02:38.114000', 'tags': [], 'references': [], 'public': 1, "
 "'adversary': '', 'targeted_countries': [], 'malware_families': [], "
 "'attack_ids': [], 'industries': [], 'TLP': 'white', 'cloned_from': None, "
 "'export_count': 1, 'upvotes_count': 0, 'downvotes_count': 0, 'votes_count': "
 "0, 'locked': False, 'pulse_source': 'api', 'validator_count': 0, "
 "'comment_count': 0, 'follower_count': 0, 'vote': 0, 'author': {'username': "
 "'ZENDataGE', 'id': '94417', 'avatar_url': "
 "'https://otx.alienvault.com/assets/images/default-avatar.png', "
 "'is_subscribed': False, 'is_following': False}, 'indicator_type_counts': {}, "
 "'indicator_count': 0, 'is_author': False, 'is_subscribing': None, "
 "'subscriber_count': 341, 'modified_text': '37 days ago ', 'is_modified': "
 "True, 'groups': [], 'in_group': False, 'threat_hunter_scannable': False, "
 "'threat_hunter_has_agents': 1, 'related_indicator_type': 'IPv4', "
 "'related_indicator_is_active': 0}, {'id': '624155ab63c04888ff86f565', "
 "'name': 'feodotracker-0-20220328', 'description': 'Data from "
 "https://feodotracker.abuse.ch/downloads/ipblocklist_aggressive.csv', "
 "'modified': '2022-04-04T00:01:44.993000', 'created': "
 "'2022-03-28T06:28:59.582000', 'tags': [], 'references': [], 'public': 1, "
 "'adversary': '', 'targeted_countries': [], 'malware_families': [], "
 "'attack_ids': [], 'industries': [], 'TLP': 'white', 'cloned_from': None, "
 "'export_count': 2, 'upvotes_count': 0, 'downvotes_count': 0, 'votes_count': "
 "0, 'locked': False, 'pulse_source': 'api', 'validator_count': 0, "
 "'comment_count': 0, 'follower_count': 0, 'vote': 0, 'author': {'username': "
 "'ZENDataGE', 'id': '94417', 'avatar_url': "
 "'https://otx.alienvault.com/assets/images/default-avatar.png', "
 "'is_subscribed': False, 'is_following': False}, 'indicator_type_counts': {}, "
 "'indicator_count': 0, 'is_author': False, 'is_subscribing': None, "
 "'subscriber_count': 341, 'modified_text': '38 days ago ', 'is_modified': "
 "True, 'groups': [], 'in_group': False, 'threat_hunter_scannable': False, "
 "'threat_hunter_has_agents': 1, 'related_indicator_type': 'IPv4', "
 "'related_indicator_is_active': 0}, {'id': '6240085db6c53cbc0ab1b4eb', "
 "'name': 'feodotracker-0-20220327', 'description': 'Data from "
 "https://feodotracker.abuse.ch/downloads/ipblocklist_aggressive.csv', "
 "'modified': '2022-04-03T00:00:55.161000', 'created': "
 "'2022-03-27T06:46:53.652000', 'tags': [], 'references': [], 'public': 1, "
 "'adversary': '', 'targeted_countries': [], 'malware_families': [], "
 "'attack_ids': [], 'industries': [], 'TLP': 'white', 'cloned_from': None, "
 "'export_count': 1, 'upvotes_count': 0, 'downvotes_count': 0, 'votes_count': "
 "0, 'locked': False, 'pulse_source': 'api', 'validator_count': 0, "
 "'comment_count': 0, 'follower_count': 0, 'vote': 0, 'author': {'username': "
 "'ZENDataGE', 'id': '94417', 'avatar_url': "
 "'https://otx.alienvault.com/assets/images/default-avatar.png', "
 "'is_subscribed': False, 'is_following': False}, 'indicator_type_counts': {}, "
 "'indicator_count': 0, 'is_author': False, 'is_subscribing': None, "
 "'subscriber_count': 340, 'modified_text': '39 days ago ', 'is_modified': "
 "True, 'groups': [], 'in_group': False, 'threat_hunter_scannable': False, "
 "'threat_hunter_has_agents': 1, 'related_indicator_type': 'IPv4', "
 "'related_indicator_is_active': 0}, {'id': '623efad4d76871ab1edad105', "
 "'name': 'feodotracker-0-20220326', 'description': 'Data from "
 "https://feodotracker.abuse.ch/downloads/ipblocklist_aggressive.csv', "
 "'modified': '2022-04-02T00:04:50.405000', 'created': "
 "'2022-03-26T11:36:52.602000', 'tags': [], 'references': [], 'public': 1, "
 "'adversary': '', 'targeted_countries': [], 'malware_families': [], "
 "'attack_ids': [], 'industries': [], 'TLP': 'white', 'cloned_from': None, "
 "'export_count': 1, 'upvotes_count': 0, 'downvotes_count': 0, 'votes_count': "
 "0, 'locked': False, 'pulse_source': 'api', 'validator_count': 0, "
 "'comment_count': 0, 'follower_count': 0, 'vote': 0, 'author': {'username': "
 "'ZENDataGE', 'id': '94417', 'avatar_url': "
 "'https://otx.alienvault.com/assets/images/default-avatar.png', "
 "'is_subscribed': False, 'is_following': False}, 'indicator_type_counts': {}, "
 "'indicator_count': 0, 'is_author': False, 'is_subscribing': None, "
 "'subscriber_count': 340, 'modified_text': '40 days ago ', 'is_modified': "
 "True, 'groups': [], 'in_group': False, 'threat_hunter_scannable': False, "
 "'threat_hunter_has_agents': 1, 'related_indicator_type': 'IPv4', "
 "'related_indicator_is_active': 0}, {'id': '623afb5ef6276fc9b737b2c9', "
 "'name': 'feodotracker-0-20220323', 'description': 'Data from "
 "https://feodotracker.abuse.ch/downloads/ipblocklist_aggressive.csv', "
 "'modified': '2022-03-30T00:00:10.458000', 'created': "
 "'2022-03-23T10:50:06.252000', 'tags': [], 'references': [], 'public': 1, "
 "'adversary': '', 'targeted_countries': [], 'malware_families': [], "
 "'attack_ids': [], 'industries': [], 'TLP': 'white', 'cloned_from': None, "
 "'export_count': 1, 'upvotes_count': 0, 'downvotes_count': 0, 'votes_count': "
 "0, 'locked': False, 'pulse_source': 'api', 'validator_count': 0, "
 "'comment_count': 0, 'follower_count': 0, 'vote': 0, 'author': {'username': "
 "'ZENDataGE', 'id': '94417', 'avatar_url': "
 "'https://otx.alienvault.com/assets/images/default-avatar.png', "
 "'is_subscribed': False, 'is_following': False}, 'indicator_type_counts': {}, "
 "'indicator_count': 0, 'is_author': False, 'is_subscribing': None, "
 "'subscriber_count': 340, 'modified_text': '43 days ago ', 'is_modified': "
 "True, 'groups': [], 'in_group': False, 'threat_hunter_scannable': False, "
 "'threat_hunter_has_agents': 1, 'related_indicator_type': 'IPv4', "
 "'related_indicator_is_active': 0}, {'id': '6239ff37cda86ba9dabbe1cc', "
 "'name': 'feodotracker-0-20220322', 'description': 'Data from "
 "https://feodotracker.abuse.ch/downloads/ipblocklist_aggressive.csv', "
 "'modified': '2022-03-29T00:03:34.773000', 'created': "
 "'2022-03-22T16:54:15.293000', 'tags': [], 'references': [], 'public': 1, "
 "'adversary': '', 'targeted_countries': [], 'malware_families': [], "
 "'attack_ids': [], 'industries': [], 'TLP': 'white', 'cloned_from': None, "
 "'export_count': 1, 'upvotes_count': 0, 'downvotes_count': 0, 'votes_count': "
 "0, 'locked': False, 'pulse_source': 'api', 'validator_count': 0, "
 "'comment_count': 0, 'follower_count': 0, 'vote': 0, 'author': {'username': "
 "'ZENDataGE', 'id': '94417', 'avatar_url': "
 "'https://otx.alienvault.com/assets/images/default-avatar.png', "
 "'is_subscribed': False, 'is_following': False}, 'indicator_type_counts': {}, "
 "'indicator_count': 0, 'is_author': False, 'is_subscribing': None, "
 "'subscriber_count': 340, 'modified_text': '44 days ago ', 'is_modified': "
 "True, 'groups': [], 'in_group': False, 'threat_hunter_scannable': False, "
 "'threat_hunter_has_agents': 1, 'related_indicator_type': 'IPv4', "
 "'related_indicator_is_active': 0}, {'id': '62382a0b212a53ecbb03abf5', "
 "'name': 'feodotracker-0-20220321', 'description': 'Data from "
 "https://feodotracker.abuse.ch/downloads/ipblocklist_aggressive.csv', "
 "'modified': '2022-03-28T00:01:22.803000', 'created': "
 "'2022-03-21T07:32:27.129000', 'tags': [], 'references': [], 'public': 1, "
 "'adversary': '', 'targeted_countries': [], 'malware_families': [], "
 "'attack_ids': [], 'industries': [], 'TLP': 'white', 'cloned_from': None, "
 "'export_count': 1, 'upvotes_count': 0, 'downvotes_count': 0, 'votes_count': "
 "0, 'locked': False, 'pulse_source': 'api', 'validator_count': 0, "
 "'comment_count': 0, 'follower_count': 0, 'vote': 0, 'author': {'username': "
 "'ZENDataGE', 'id': '94417', 'avatar_url': "
 "'https://otx.alienvault.com/assets/images/default-avatar.png', "
 "'is_subscribed': False, 'is_following': False}, 'indicator_type_counts': {}, "
 "'indicator_count': 0, 'is_author': False, 'is_subscribing': None, "
 "'subscriber_count': 340, 'modified_text': '45 days ago ', 'is_modified': "
 "True, 'groups': [], 'in_group': False, 'threat_hunter_scannable': False, "
 "'threat_hunter_has_agents': 1, 'related_indicator_type': 'IPv4', "
 "'related_indicator_is_active': 0}, {'id': '6236a7e441bade8a29c72d3f', "
 "'name': 'feodotracker-0-20220320', 'description': 'Data from "
 "https://feodotracker.abuse.ch/downloads/ipblocklist_aggressive.csv', "
 "'modified': '2022-03-27T00:00:39.057000', 'created': "
 "'2022-03-20T04:04:52.565000', 'tags': [], 'references': [], 'public': 1, "
 "'adversary': '', 'targeted_countries': [], 'malware_families': [], "
 "'attack_ids': [], 'industries': [], 'TLP': 'white', 'cloned_from': None, "
 "'export_count': 4, 'upvotes_count': 0, 'downvotes_count': 0, 'votes_count': "
 "0, 'locked': False, 'pulse_source': 'api', 'validator_count': 0, "
 "'comment_count': 0, 'follower_count': 0, 'vote': 0, 'author': {'username': "
 "'ZENDataGE', 'id': '94417', 'avatar_url': "
 "'https://otx.alienvault.com/assets/images/default-avatar.png', "
 "'is_subscribed': False, 'is_following': False}, 'indicator_type_counts': {}, "
 "'indicator_count': 0, 'is_author': False, 'is_subscribing': None, "
 "'subscriber_count': 339, 'modified_text': '46 days ago ', 'is_modified': "
 "True, 'groups': [], 'in_group': False, 'threat_hunter_scannable': False, "
 "'threat_hunter_has_agents': 1, 'related_indicator_type': 'IPv4', "
 "'related_indicator_is_active': 0}], 'references': "
 "['https://www.breachquest.com/conti-leaks-insight-into-a-ransomware-unicorn/', "
 "'2021-09-21-Curriculo-IOCs.txt', "
 "'https://github.com/whichbuffer/Conti-Ransomware-IOC/blob/main/Conti%20IOC.txt', "
 "'https://www.cisa.gov/uscert/ncas/alerts/aa21-265a', 'blacklist_ip.backup', "
 "'https://www.cisa.gov/uscert/sites/default/files/publications/AA21-265A.stix.xml'], "
 "'related': {'alienvault': {'adversary': [], 'malware_families': [], "
 "'industries': []}, 'other': {'adversary': [], 'malware_families': [], "
 "'industries': []}}}, 'false_positive': [], 'validation': [], 'asn': 'AS55699 "
 "pt. cemerlang multimedia', 'city_data': True, 'city': 'Bandung', 'region': "
 "'JB', 'continent_code': 'AS', 'country_code3': 'IDN', 'country_code2': 'ID', "
 "'subdivision': 'JB', 'latitude': -6.9217, 'postal_code': None, 'longitude': "
 "107.6071, 'accuracy_radius': 1, 'country_code': 'ID', 'country_name': "
 "'Indonesia', 'dma_code': 0, 'charset': 0, 'area_code': 0, 'flag_url': "
 "'/assets/images/flags/id.png', 'flag_title': 'Indonesia', 'sections': "
 "['general', 'geo', 'reputation', 'url_list', 'passive_dns', 'malware', "
 "'nids_list', 'http_scans']}")

Type: 'ipv4', Provider: VirusTotal, severity: high

Details

{'verbose_msg': 'IP address in dataset', 'response_code': 1, 'positives': 3, 'detected_urls': ['https://103.101.104.229/'], 'detected_downloaded_samples': [], 'detected_communicating_samples': []}

Reference:

https://www.virustotal.com/vtapi/v2/ip-address/report

Raw Results

Raw results from provider...

Creating a Map with the IP addresses

In [30]:
# Getting the geo result for one ip
msticpy.settings.refresh_config()
iplocation = GeoLiteLookup()

loc_result, ip_entity = iplocation.lookup_ip(ip_address = '203.76.105.227')
display(ip_entity[0])
Latest local Maxmind City Database present is older than 30 days. Attempting to download new database to C:\Users\thomasroccia\.msticpy
Downloading and extracting GeoLite DB archive from MaxMind....
Extraction complete. Local Maxmind city DB: C:\Users\thomasroccia\.msticpy\GeoLite2-City.mmdb.19544.tar.gz

ipaddress

{ 'Address': '203.76.105.227',
  'Location': { 'City': 'Dhaka',
                'CountryCode': 'BD',
                'CountryName': 'Bangladesh',
                'Latitude': 23.7908,
                'Longitude': 90.4109,
                'State': 'Dhaka Division',
                'TimeGenerated': datetime.datetime(2022, 5, 12, 0, 22, 45, 503996),
                'Type': 'geolocation'},
  'TimeGenerated': datetime.datetime(2022, 5, 12, 0, 22, 45, 503996),
  'Type': 'ipaddress'}
In [31]:
# Creating the map using the folium module
iploc = []

for ip in ip_intel["Ioc"]:
    loc_result, ip_entity = iplocation.lookup_ip(ip_address = ip)
    iploc += ip_entity

folium_map = FoliumMap(zoom_start = 2)
folium_map.add_ip_cluster(ip_entities = iploc, color = 'red')
folium_map.center_map()
folium_map
Out[31]:
(interactive Folium map: the geolocated IP addresses plotted as a red marker cluster)

URL Intelligence

In [32]:
# Filtering the extracted IOCs down to URLs
url_intel = ioc_df.loc[(ioc_df['IoCType'] == "url")]
url_intel
Out[32]:
IoCType Observable SourceIndex Input
26 url https://hura.me/no-ref.php?url=http%3A%2F%2Fwwwapps.ups.com%2FWebTracking%2Ftrack%3FHTMLtrackVer... 335 1Z9918AW3591558812 <https://hura.me/no-ref.php?url=http%3A%2F%2Fwwwapps.ups.com%2FWebTracking%2F...
27 url https://hura.me/no-ref.php?url=http://wwwapps.ups.com/WebTracking/track?HTMLtrackVersion=5.0&loc... 335 1Z9918AW3591558812 <https://hura.me/no-ref.php?url=http%3A%2F%2Fwwwapps.ups.com%2FWebTracking%2F...
41 url https://dyncheck.com/scan/id/fbcb147447b24f5c583f710fafc5b214#collapse_info 514 +] Written in Jscript can be used as .js or .vbs\n[+] Small size (14 KB ~)\n[+] Support for all ...
42 url https://dyncheck.com/scan/id/84b7fe1b0f95031d2e5eaedf9fa2dbe2#collapse_info 514 +] Written in Jscript can be used as .js or .vbs\n[+] Small size (14 KB ~)\n[+] Support for all ...
46 url https://prnt.sc/wh26pt 516 Panel:\n\nhttps://prnt.sc/wh26qd\nhttps://prnt.sc/wh26rb\nhttps://prnt.sc/wh26pt
... ... ... ... ...
3984 url https://temp.sh/HXmZA/СникzarBackdoorок 60165 https://temp.sh/HXmZA/%D0%A1%D0%BD%D0%B8%D0%BazarBackdoor%D0%BE%D0%BA%20%D1%8D%D0%BA%D1%80%D0%B0...
4027 url http://l66orrehfw4hovqme625bavlpz7m2achabov3iyqy76cai44oao6neqd.onion/zeh7dkwfdxw99tdk/#/chat/f3... 60643 Hey ! how come they decipher Fail ZGQB3V6qmIWHLAwDH4dw4ijjACAknqMO2vvVBERGCICHODV86ciJyer49HHhAb...
4029 url https://continews.click/uImgrfqk_WARNING 60646 https://continews.click/uImgrfqk_WARNING
4030 url https://send.exploit.in/download/8bcac089623fcf96/#Kr27VSxYFrdmUHELZDJF1w 60658 https://send.exploit.in/download/8bcac089623fcf96/#Kr27VSxYFrdmUHELZDJF1w
4032 url https://www.angelantoni.com 60682 https://www.angelantoni.com - here is their website

672 rows × 4 columns

In [33]:
# Saving to csv file
url_intel.to_csv("IOC\\urlintel.csv")
In [34]:
# Sorting the URLs alphabetically by the Observable column
url_intel.sort_values('Observable', ascending = True)
Out[34]:
IoCType Observable SourceIndex Input
1811 url file://157.230.60.143/download.jpg 21267 [07/27/2021 19:01:56] <rozteka> https://www.ired.team/offensive-security/initial-access/netntlmv...
3875 url ftp://5.183.95.6/uploads/Team_D/ 58179 ADo, can you crypt ftp://5.183.95.6/uploads/Team_D/
233 url ftp://himemsys:antiDen4ik@ 3118 kramer> rdp rdp://SERVER-AGM\ella:!QA@WS#ED4rfv@5.141.22.50\n\nftp://himemsys:antiDen4ik@@188.93...
2148 url http://(IP)/TAG/TEST_W639600.1234A242341C6D1A25B3F315D688968E/84/ 29277 На запрос вида \ncurl -X POST -F 'data=dXNlcg==|IE||||1240428288|1240428288|dXNlcg==|IE|demdex.n...
1380 url http://109.230.199.73/209.dll 15237 http://109.230.199.73/209.dll\nhttp://109.230.199.73/209x64.exe
... ... ... ... ...
1241 url https://www.zoominfo.com/c/xerox-corporation/194101651 12123 Доброе утро бро , заразили xerox \nи ticket master https://www.zoominfo.com/c/ticketmaster-enter...
1880 url https://xflemdsxjrjilw34dsxpvrxp5whnaut7hc5xejwuqs6eqrkt77bxkwid.onion 21800 https://xflemdsxjrjilw34dsxpvrxp5whnaut7hc5xejwuqs6eqrkt77bxkwid.onion\nganesh: fp6fqpVxlrYsorC5...
1255 url https://xzu6o2ni3hplvpmx.onion 12638 for HORSE\nrobotbander@jabb.im\n4815162342@jabb.im\nsheppard@jabber.ru\nsectorzero@jabb.im\n\n\n...
1355 url https://yadi.sk/d/ySGgFr0ksqAp3Q 14870 [09:41:53] <mango> https://yadi.sk/d/ySGgFr0ksqAp3Q - examples of web artist's work
1859 url https://youtu.be/9gLHycT1RzU 21705 https://youtu.be/9gLHycT1RzU

672 rows × 4 columns

Extracting URLs containing specific file extensions

In [35]:
# It could be interesting to filter to dll, jpg, exe, onion
# (dots are escaped: an unescaped "." matches any character, so ".dll" would also match "_dll")
url_intel[url_intel['Observable'].str.contains(r"\.(exe|dll|jpg|zip|7z|rar|png)\b")]
Out[35]:

Extracting onion domains

In [37]:
url_intel[url_intel['Observable'].str.contains(r"\.onion")]
Out[37]:

Extracting prnt.sc screenshot links

In [39]:
url_intel[url_intel['Observable'].str.contains(r"prntscr\.com|prnt\.sc")]
Out[39]:

Bitcoin Tracking

In [40]:
btc_intel = ioc_df.loc[(ioc_df['IoCType'] == "btc")]
btc_intel.head(10)
Out[40]:
IoCType Observable SourceIndex Input
4071 btc bc1q3efl4m2jcr6gk32usxnfyrxh294sr8plmpe3ye 806 bc1q3efl4m2jcr6gk32usxnfyrxh294sr8plmpe3ye
4072 btc 1MxtwUpH4cWAz4en4kqVNzAdx5gpk9etUC 1131 hello, the bitcoins are over, in total 6 new servers, two vpn subscriptions, an ipvanish subscri...
4073 btc bc1qnf6drcfl786d70wlhfytyr5xg3qqgknlsh8dc3 1606 bc1qnf6drcfl786d70wlhfytyr5xg3qqgknlsh8dc3
4074 btc 17mc4Qm7ka9jhQEUB5LTxP3gW3tsDYUJGQ 1608 hello, the cue ball is over, in total 8 new servers, two vpn subscriptions, and 18 renewals have...
4075 btc bc1qy2083z665ux68zda3tfuh5xed2493uaj8whdwv 1669 bc1qy2083z665ux68zda3tfuh5xed2493uaj8whdwv
4076 btc 172KVKhMqL5CU1HN884RbArzu5DDL5hwE3 1680 172KVKhMqL5CU1HN884RbArzu5DDL5hwE3\n\n0.01523011
4077 btc bc1qc39qwc3nl2eyh2cu4ct6tyh9zqzp9ye993c0y2 1716 bc1qc39qwc3nl2eyh2cu4ct6tyh9zqzp9ye993c0y2
4078 btc 1LLRL4vZajTtpjuBh5VpBD8zUg73CHUsq3 1772 1LLRL4vZajTtpjuBh5VpBD8zUg73CHUsq3
4079 btc 1Q6SsW88b94a4P3Rxtfr4pRxvhqqJAWvEc 2868 hello, cue ball is over, in total there are two av licenses, three new servers, three vpn subscr...
4080 btc 12YQDqmq3t6bCKPKMRWFmqrju4UMXbcqvF 4561 hello, the beats are over, in total 4 new servers, 3 vpn subscriptions, ipvaninsh subscription a...
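Before spending API calls on the extracted addresses, it is worth checking that each "btc" observable is actually a well-formed Bitcoin address: the IoC extractor matches on shape only, so a random Base58-looking token in a chat message can end up in the table. The following is an added example, not code from the original notebook or from MSTICpy; it verifies the Base58Check checksum of legacy ("1..."/"3...") addresses and the bech32/bech32m checksum of "bc1..." addresses using only hashlib. The sample inputs are constructed, apart from two well-known reference addresses (the genesis coinbase address and the BIP173 P2WPKH test vector).

```python
# Added example (not from the original notebook): verify that strings the IoC
# extractor tagged as "btc" carry a valid checksum before pivoting on them.
import hashlib

B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
BECH32_CHARSET = "qpzry9x8gf2tvdw0s3jn54khce6mua7l"


def _b58decode(s: str) -> bytes:
    """Decode a Base58 string; each leading '1' encodes a 0x00 byte."""
    n = 0
    for ch in s:
        n = n * 58 + B58_ALPHABET.index(ch)  # ValueError on non-Base58 characters
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    leading_zeros = len(s) - len(s.lstrip("1"))
    return b"\x00" * leading_zeros + body


def is_valid_base58check_address(s: str) -> bool:
    """Mainnet P2PKH ('1...') / P2SH ('3...'): version byte + hash160 + 4-byte double-SHA256 checksum."""
    try:
        raw = _b58decode(s)
    except ValueError:
        return False
    if len(raw) != 25 or raw[0] not in (0x00, 0x05):
        return False
    checksum = hashlib.sha256(hashlib.sha256(raw[:21]).digest()).digest()[:4]
    return checksum == raw[21:]


def _bech32_polymod(values):
    """BIP173 checksum polynomial."""
    gen = [0x3B6A57B2, 0x26508E6D, 0x1EA119FA, 0x3D4233DD, 0x2A1462B3]
    chk = 1
    for v in values:
        top = chk >> 25
        chk = ((chk & 0x1FFFFFF) << 5) ^ v
        for i in range(5):
            if (top >> i) & 1:
                chk ^= gen[i]
    return chk


def is_valid_bech32_address(s: str) -> bool:
    """Mainnet segwit ('bc1...'): bech32 for witness v0, bech32m for v1+ (BIP173 / BIP350)."""
    if s != s.lower() and s != s.upper():  # mixed case is forbidden
        return False
    s = s.lower()
    if "1" not in s:
        return False
    hrp, data_part = s.rsplit("1", 1)
    if hrp != "bc" or len(data_part) < 6:
        return False
    if any(ch not in BECH32_CHARSET for ch in data_part):
        return False
    data = [BECH32_CHARSET.index(ch) for ch in data_part]  # includes the 6 checksum symbols
    hrp_expanded = [ord(c) >> 5 for c in hrp] + [0] + [ord(c) & 31 for c in hrp]
    expected = 1 if data[0] == 0 else 0x2BC830A3  # data[0] is the witness version
    return _bech32_polymod(hrp_expanded + data) == expected


def is_valid_btc_address(s: str) -> bool:
    if s.lower().startswith("bc1"):
        return is_valid_bech32_address(s)
    return is_valid_base58check_address(s)


def filter_valid_btc(observables):
    """Split observables into (valid, rejected) by checksum."""
    valid, rejected = [], []
    for obs in observables:
        (valid if is_valid_btc_address(obs) else rejected).append(obs)
    return valid, rejected


# Constructed sample: two reference addresses, then the same strings with the last
# character changed (a single-symbol error both encodings are designed to catch).
SAMPLE_OBSERVABLES = [
    "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa",
    "bc1qw508d6qejxtdg4y5r3zarvary0c5xw7kv8f3t4",
    "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNb",
    "bc1qw508d6qejxtdg4y5r3zarvary0c5xw7kv8f3t5",
]

if __name__ == "__main__":
    good, bad = filter_valid_btc(SAMPLE_OBSERVABLES)
    print("valid:", good)
    print("rejected:", bad)
```

Applied to the notebook's table, `btc_intel[btc_intel['Observable'].map(is_valid_btc_address)]` keeps only the rows worth querying; rejected strings are often chat typos or truncated copy-pastes rather than addresses.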
In [41]:
# Retrieving the transaction history of a single BTC address from the blockchain.info "rawaddr" endpoint
your_btc_address = 'bc1qxxe0uz8dp820mnl7q5w3a2z9y4zgq9cr6smlf6'  # sample address; replace with one from btc_intel
transactions_url = 'https://blockchain.info/rawaddr/' + your_btc_address
df_btc = pd.read_json(transactions_url)  # pandas was imported as pd at the top of the notebook
df_btc
Out[41]:
hash160 address n_tx n_unredeemed total_received total_sent final_balance txs
0 31b2fe08ed09d4fdcffe051d1ea8452544801703 bc1qxxe0uz8dp820mnl7q5w3a2z9y4zgq9cr6smlf6 8 0 229800000 229800000 0 {'hash': '2b4c26e565d0be930ae6e817b703b1aa6ba731da7ba4705e81c2bb5d7ecfb967', 'ver': 1, 'vin_sz':...
1 31b2fe08ed09d4fdcffe051d1ea8452544801703 bc1qxxe0uz8dp820mnl7q5w3a2z9y4zgq9cr6smlf6 8 0 229800000 229800000 0 {'hash': '336e8d542047377aa13fb73e41a8e59cf5feba9b2b646547a04cdb2a57472eed', 'ver': 1, 'vin_sz':...
2 31b2fe08ed09d4fdcffe051d1ea8452544801703 bc1qxxe0uz8dp820mnl7q5w3a2z9y4zgq9cr6smlf6 8 0 229800000 229800000 0 {'hash': 'e5954c3d0552fa10abf9a9639ea3949ef154dccbe5fbecdd6e1afd34fb9dfd60', 'ver': 2, 'vin_sz':...
3 31b2fe08ed09d4fdcffe051d1ea8452544801703 bc1qxxe0uz8dp820mnl7q5w3a2z9y4zgq9cr6smlf6 8 0 229800000 229800000 0 {'hash': 'a6409ef7e1e99baad3ec7ae1063be56820f870db79da91244d82eac79ff922b5', 'ver': 2, 'vin_sz':...
4 31b2fe08ed09d4fdcffe051d1ea8452544801703 bc1qxxe0uz8dp820mnl7q5w3a2z9y4zgq9cr6smlf6 8 0 229800000 229800000 0 {'hash': 'bde120466b01e79ac3874033655a91aac0f0753ffaa8b2ebe804663d160418d5', 'ver': 1, 'vin_sz':...
5 31b2fe08ed09d4fdcffe051d1ea8452544801703 bc1qxxe0uz8dp820mnl7q5w3a2z9y4zgq9cr6smlf6 8 0 229800000 229800000 0 {'hash': '60c05b7fc440a8c321510866a32d6bc29c78686b22283d5ef0ffc97cd4a91912', 'ver': 2, 'vin_sz':...
6 31b2fe08ed09d4fdcffe051d1ea8452544801703 bc1qxxe0uz8dp820mnl7q5w3a2z9y4zgq9cr6smlf6 8 0 229800000 229800000 0 {'hash': 'ed559bc70719af3706623a3db2ed921c3e5dce84b2ec61a201cfb0181e85393a', 'ver': 1, 'vin_sz':...
7 31b2fe08ed09d4fdcffe051d1ea8452544801703 bc1qxxe0uz8dp820mnl7q5w3a2z9y4zgq9cr6smlf6 8 0 229800000 229800000 0 {'hash': '74066e28cfed92b06ead14059fcab65e825a302cc036096a31869bf5e8b8a1c0', 'ver': 2, 'vin_sz':...
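As the output above shows, `pd.read_json` on the rawaddr endpoint repeats the address-level fields on every row and leaves each transaction as a nested dict in `txs`, which is hard to reason about. The following added example (not part of the original notebook) walks the `txs` list directly and builds a chronological ledger for the address: what came in, what went out, the counterparties and the running balance, plus a check that the reconstructed balance matches the API's `final_balance` (a mismatch is the usual sign that the transaction list is paginated and incomplete). The field names used (`txs[].inputs[].prev_out.addr/.value`, `txs[].out[].addr/.value`, `txs[].time`) are assumed from the rawaddr JSON layout; the record below is constructed and the addresses in it are placeholders.

```python
# Added example (not from the original notebook): per-transaction ledger for one
# address from a blockchain.info rawaddr record. Field names are assumed from the
# rawaddr JSON layout; the sample record is constructed.
import json
import urllib.request
from datetime import datetime, timezone

SATOSHI = 100_000_000


def fetch_rawaddr(address: str, timeout: int = 20) -> dict:
    """Download the rawaddr record (same URL the notebook uses); needs network access."""
    url = f"https://blockchain.info/rawaddr/{address}"
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return json.load(resp)


def tx_flows(tx: dict, address: str):
    """Return (received, spent, counterparties) in satoshi for one transaction."""
    spent = sum(i["prev_out"]["value"] for i in tx.get("inputs", [])
                if i.get("prev_out", {}).get("addr") == address)
    received = sum(o["value"] for o in tx.get("out", []) if o.get("addr") == address)
    if spent:   # the address funded this tx: the other outputs are where the money went
        others = {o.get("addr") for o in tx.get("out", [])
                  if o.get("addr") not in (None, address)}
    else:       # the address only received: the inputs show who paid
        others = {i["prev_out"].get("addr") for i in tx.get("inputs", [])
                  if i.get("prev_out", {}).get("addr") not in (None, address)}
    return received, spent, sorted(others)


def address_ledger(rawaddr: dict):
    """Chronological ledger with running balance; one row per transaction."""
    address = rawaddr["address"]
    rows, balance = [], 0
    for tx in sorted(rawaddr.get("txs", []), key=lambda t: t["time"]):
        received, spent, others = tx_flows(tx, address)
        balance += received - spent
        rows.append({
            "time": datetime.fromtimestamp(tx["time"], tz=timezone.utc).isoformat(),
            "hash": tx["hash"],
            "received_btc": received / SATOSHI,
            "spent_btc": spent / SATOSHI,
            "balance_btc": balance / SATOSHI,
            "counterparties": others,
        })
    return rows


def ledger_matches_summary(rawaddr: dict, rows) -> bool:
    """The reconstructed balance must equal the API's final_balance (in satoshi)."""
    final = rows[-1]["balance_btc"] * SATOSHI if rows else 0
    return round(final) == rawaddr.get("final_balance", 0)


# Constructed sample: one incoming payment, then one outgoing spend (listed out of order
# on purpose, as the API does not guarantee ordering for the consumer's needs).
ADDR = "bc1qexampleaddressfortheledger0000000000000"  # placeholder, not a real address
SAMPLE_RAWADDR = {
    "address": ADDR, "n_tx": 2, "total_received": 150000, "total_sent": 150000,
    "final_balance": 0,
    "txs": [
        {"hash": "bb" * 32, "time": 1624990000, "fee": 1000,
         "inputs": [{"prev_out": {"addr": ADDR, "value": 150000}}],
         "out": [{"addr": "bc1qdestinationplaceholder", "value": 149000}]},
        {"hash": "aa" * 32, "time": 1624900000, "fee": 500,
         "inputs": [{"prev_out": {"addr": "bc1qpayerplaceholder", "value": 200000}}],
         "out": [{"addr": ADDR, "value": 150000},
                 {"addr": "bc1qchangeplaceholder", "value": 49500}]},
    ],
}

if __name__ == "__main__":
    ledger = address_ledger(SAMPLE_RAWADDR)
    for row in ledger:
        print(row)
    print("consistent with final_balance:", ledger_matches_summary(SAMPLE_RAWADDR, ledger))
```

To use it on a live address, replace `SAMPLE_RAWADDR` with `fetch_rawaddr(your_btc_address)`; the counterparties column is what you feed back into the next lookup when tracing where funds moved.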

Pivoting through the IOCs using VirusTotal

Loading Modules

In [44]:
# Loading the VT API key from the msticpyconfig.yaml TIProviders section
from msticpy.common.provider_settings import get_provider_settings
from msticpy.sectools.vtlookupv3 import VTLookupV3, VTEntityType
import nest_asyncio
vt_key = get_provider_settings("TIProviders")["VirusTotal"].args["AuthKey"]

# Instantiate the vt_lookup object
vt_lookup = VTLookupV3(vt_key)
# The VT v3 client runs asyncio calls; nest_asyncio lets them run inside the notebook's already-running event loop
nest_asyncio.apply()

Extracting information from an IP

In [45]:
# Look up the files VirusTotal has observed being downloaded from this IP address
IP = "109.230.199.73"
ip_relation = vt_lookup.lookup_ioc_relationships(observable=IP, vt_type='ip_address', relationship='downloaded_files')
ip_relation
Out[45]:
index target_type target source source_type relationship_type
0 0 file cf0a85f491146002a26b01c8aff864a39a18a70c7b5c579e96deda212bfeec58 109.230.199.73 ip_address downloaded_files
1 1 file 889e89b7c88b217f02e2b8ee54f7ee142aeb3fd60a1bd002482664a1dc8ba4ae 109.230.199.73 ip_address downloaded_files
2 2 file a738cf48df8b168e783a8728baac0d208298361a696ef219de01faeba030316f 109.230.199.73 ip_address downloaded_files
3 3 file 21145b7f20221b447d2b58ca5aaa17f6eedba1f8aa2ed91ca5ffd696cc560868 109.230.199.73 ip_address downloaded_files
4 4 file d2c9f693a2080c6382a0a29d74a1b5cb13a1deeb5dbe7ff1427a669ddf66f59e 109.230.199.73 ip_address downloaded_files
5 5 file 37ce6b6f7a4026a69784ee202283bb4d9f13651b84cb1abaec0ca4f359514a0b 109.230.199.73 ip_address downloaded_files
6 6 file a4dc4dd1ddb449490d236dd1cbf087fbdf7f923616a9948bf32b28eff03e57c9 109.230.199.73 ip_address downloaded_files
7 7 file 61ca39fe6ad7c054484810ba7ca1f292efab2399a5607f42006d088302f07efc 109.230.199.73 ip_address downloaded_files
8 8 file fe52c23ae690d0dcf2bda89c7ed75f798d2d94beaabed014de5b76159f336f5e 109.230.199.73 ip_address downloaded_files
9 9 file 83e285b9347fd74af8cb9c1962f584191325a98b50b2a6df6738aacd0c8054db 109.230.199.73 ip_address downloaded_files
10 10 file 1bad6b8cf97131fceab8543e81f7757195fbb1d36b376ee994ad1cf17699c464 109.230.199.73 ip_address downloaded_files

Obtaining more details about a specific hash

In [46]:
hash_details = vt_lookup.get_object("cf0a85f491146002a26b01c8aff864a39a18a70c7b5c579e96deda212bfeec58", "file")
hash_details
Out[46]:
id type type_description tlsh vhash trid creation_date names last_modification_date type_tag capabilities_tags size authentihash times_submitted last_submission_date meaningful_name downloadable sha256 type_extension tags crowdsourced_ids_results last_analysis_date unique_sources first_submission_date sha1 ... last_analysis_results.Fortinet.method last_analysis_results.Fortinet.engine_update last_analysis_results.AVG.category last_analysis_results.AVG.engine_name last_analysis_results.AVG.engine_version last_analysis_results.AVG.result last_analysis_results.AVG.method last_analysis_results.AVG.engine_update last_analysis_results.Cybereason.category last_analysis_results.Cybereason.engine_name last_analysis_results.Cybereason.engine_version last_analysis_results.Cybereason.result last_analysis_results.Cybereason.method last_analysis_results.Cybereason.engine_update last_analysis_results.Panda.category last_analysis_results.Panda.engine_name last_analysis_results.Panda.engine_version last_analysis_results.Panda.result last_analysis_results.Panda.method last_analysis_results.Panda.engine_update sigma_analysis_stats.high sigma_analysis_stats.medium sigma_analysis_stats.critical sigma_analysis_stats.low context_attributes
0 cf0a85f491146002a26b01c8aff864a39a18a70c7b5c579e96deda212bfeec58 file Win32 DLL T110049E14B2A914FBEE6A82B984935611B07174624338DFEF03A4C375DE0E7E15A3EF25 115076651d155d15555az43=z55 [{'file_type': 'Win64 Executable (generic)', 'probability': 48.7}, {'file_type': 'Win16 NE execu... 2021-06-28 19:55:54+00:00 [197.dll, iduD2A1.tmp] 2022-03-10 07:02:37+00:00 pedll [] 181248 0d10a35c1bed8d5a4516a2e704d43f10d47ffd2aabd9ce9e04fb3446f62168bf 1 2021-06-28 22:02:34+00:00 197.dll True cf0a85f491146002a26b01c8aff864a39a18a70c7b5c579e96deda212bfeec58 dll [assembly, invalid-rich-pe-linker-version, detect-debug-environment, long-sleeps, 64bits, pedll] [{'rule_category': 'non-standard-protocol', 'alert_severity': 'medium', 'rule_msg': 'DELETED BAD... 2021-11-11 00:50:52+00:00 1 2021-06-28 22:02:34+00:00 ddf0214fbf92240bc60480a37c9c803e3ad06321 ... blacklist 20211110 malicious AVG 21.1.5827.0 Win64:DropperX-gen [Drp] blacklist 20211110 type-unsupported Cybereason 1.2.449 None blacklist 20210330 malicious Panda 4.6.4.2 Trj/CI.A blacklist 20211110 0 1 1 0 None

1 rows × 538 columns

Get relationship for a specific hash

In [47]:
contacted_domain = vt_lookup.lookup_ioc_relationships(observable="cf0a85f491146002a26b01c8aff864a39a18a70c7b5c579e96deda212bfeec58", vt_type='file', relationship='contacted_domains')
contacted_domain
Out[47]:
index target_type target source source_type relationship_type
0 0 domain 125.21.88.13.in-addr.arpa cf0a85f491146002a26b01c8aff864a39a18a70c7b5c579e96deda212bfeec58 file contacted_domains
1 1 domain 130.155.190.20.in-addr.arpa cf0a85f491146002a26b01c8aff864a39a18a70c7b5c579e96deda212bfeec58 file contacted_domains
2 2 domain 137.90.64.13.in-addr.arpa cf0a85f491146002a26b01c8aff864a39a18a70c7b5c579e96deda212bfeec58 file contacted_domains
3 3 domain 150.32.88.40.in-addr.arpa cf0a85f491146002a26b01c8aff864a39a18a70c7b5c579e96deda212bfeec58 file contacted_domains
4 4 domain 197.161.181.107.in-addr.arpa cf0a85f491146002a26b01c8aff864a39a18a70c7b5c579e96deda212bfeec58 file contacted_domains
5 5 domain 83.188.255.52.in-addr.arpa cf0a85f491146002a26b01c8aff864a39a18a70c7b5c579e96deda212bfeec58 file contacted_domains
6 6 domain zizodream.com cf0a85f491146002a26b01c8aff864a39a18a70c7b5c579e96deda212bfeec58 file contacted_domains

Get relationship for multiple hashes

In [48]:
# Chain the pivot: every file returned for the IP is looked up for the domains it contacted
multiple_result = vt_lookup.lookup_iocs_relationships(ip_relation, relationship='contacted_domains')
multiple_result
Out[48]:
index target_type target source source_type relationship_type id type first_submission_date size type_description meaningful_name last_submission_date times_submitted
0 0.0 domain 125.21.88.13.in-addr.arpa cf0a85f491146002a26b01c8aff864a39a18a70c7b5c579e96deda212bfeec58 file contacted_domains NaN NaN NaN NaN NaN NaN NaN NaN
1 1.0 domain 130.155.190.20.in-addr.arpa cf0a85f491146002a26b01c8aff864a39a18a70c7b5c579e96deda212bfeec58 file contacted_domains NaN NaN NaN NaN NaN NaN NaN NaN
2 2.0 domain 137.90.64.13.in-addr.arpa cf0a85f491146002a26b01c8aff864a39a18a70c7b5c579e96deda212bfeec58 file contacted_domains NaN NaN NaN NaN NaN NaN NaN NaN
3 3.0 domain 150.32.88.40.in-addr.arpa cf0a85f491146002a26b01c8aff864a39a18a70c7b5c579e96deda212bfeec58 file contacted_domains NaN NaN NaN NaN NaN NaN NaN NaN
4 4.0 domain 197.161.181.107.in-addr.arpa cf0a85f491146002a26b01c8aff864a39a18a70c7b5c579e96deda212bfeec58 file contacted_domains NaN NaN NaN NaN NaN NaN NaN NaN
5 5.0 domain 83.188.255.52.in-addr.arpa cf0a85f491146002a26b01c8aff864a39a18a70c7b5c579e96deda212bfeec58 file contacted_domains NaN NaN NaN NaN NaN NaN NaN NaN
6 6.0 domain zizodream.com cf0a85f491146002a26b01c8aff864a39a18a70c7b5c579e96deda212bfeec58 file contacted_domains NaN NaN NaN NaN NaN NaN NaN NaN
0 0.0 domain krinsop.com 889e89b7c88b217f02e2b8ee54f7ee142aeb3fd60a1bd002482664a1dc8ba4ae file contacted_domains NaN NaN NaN NaN NaN NaN NaN NaN
0 NaN NaN NaN NaN NaN NaN a738cf48df8b168e783a8728baac0d208298361a696ef219de01faeba030316f file Not found Not found Not found Not found Not found Not found
0 0.0 domain 1.155.190.20.in-addr.arpa 21145b7f20221b447d2b58ca5aaa17f6eedba1f8aa2ed91ca5ffd696cc560868 file contacted_domains NaN NaN NaN NaN NaN NaN NaN NaN
1 1.0 domain 106.89.54.20.in-addr.arpa 21145b7f20221b447d2b58ca5aaa17f6eedba1f8aa2ed91ca5ffd696cc560868 file contacted_domains NaN NaN NaN NaN NaN NaN NaN NaN
2 2.0 domain 152.68.35.23.in-addr.arpa 21145b7f20221b447d2b58ca5aaa17f6eedba1f8aa2ed91ca5ffd696cc560868 file contacted_domains NaN NaN NaN NaN NaN NaN NaN NaN
3 3.0 domain 226.101.242.52.in-addr.arpa 21145b7f20221b447d2b58ca5aaa17f6eedba1f8aa2ed91ca5ffd696cc560868 file contacted_domains NaN NaN NaN NaN NaN NaN NaN NaN
4 4.0 domain 234.151.42.104.in-addr.arpa 21145b7f20221b447d2b58ca5aaa17f6eedba1f8aa2ed91ca5ffd696cc560868 file contacted_domains NaN NaN NaN NaN NaN NaN NaN NaN
5 5.0 domain 41.69.35.23.in-addr.arpa 21145b7f20221b447d2b58ca5aaa17f6eedba1f8aa2ed91ca5ffd696cc560868 file contacted_domains NaN NaN NaN NaN NaN NaN NaN NaN
6 6.0 domain 48.193.43.104.in-addr.arpa 21145b7f20221b447d2b58ca5aaa17f6eedba1f8aa2ed91ca5ffd696cc560868 file contacted_domains NaN NaN NaN NaN NaN NaN NaN NaN
7 7.0 domain 80.69.35.23.in-addr.arpa 21145b7f20221b447d2b58ca5aaa17f6eedba1f8aa2ed91ca5ffd696cc560868 file contacted_domains NaN NaN NaN NaN NaN NaN NaN NaN
8 8.0 domain 83.188.255.52.in-addr.arpa 21145b7f20221b447d2b58ca5aaa17f6eedba1f8aa2ed91ca5ffd696cc560868 file contacted_domains NaN NaN NaN NaN NaN NaN NaN NaN
9 9.0 domain prda.aadg.msidentity.com 21145b7f20221b447d2b58ca5aaa17f6eedba1f8aa2ed91ca5ffd696cc560868 file contacted_domains NaN NaN NaN NaN NaN NaN NaN NaN
0 NaN NaN NaN NaN NaN NaN d2c9f693a2080c6382a0a29d74a1b5cb13a1deeb5dbe7ff1427a669ddf66f59e file Not found Not found Not found Not found Not found Not found
0 NaN NaN NaN NaN NaN NaN 37ce6b6f7a4026a69784ee202283bb4d9f13651b84cb1abaec0ca4f359514a0b file Not found Not found Not found Not found Not found Not found
0 NaN NaN NaN NaN NaN NaN a4dc4dd1ddb449490d236dd1cbf087fbdf7f923616a9948bf32b28eff03e57c9 file Not found Not found Not found Not found Not found Not found
0 0.0 domain fanklez.com 61ca39fe6ad7c054484810ba7ca1f292efab2399a5607f42006d088302f07efc file contacted_domains NaN NaN NaN NaN NaN NaN NaN NaN
0 NaN NaN NaN NaN NaN NaN fe52c23ae690d0dcf2bda89c7ed75f798d2d94beaabed014de5b76159f336f5e file Not found Not found Not found Not found Not found Not found
0 NaN NaN NaN NaN NaN NaN 83e285b9347fd74af8cb9c1962f584191325a98b50b2a6df6738aacd0c8054db file Not found Not found Not found Not found Not found Not found
0 NaN NaN NaN NaN NaN NaN 1bad6b8cf97131fceab8543e81f7757195fbb1d36b376ee994ad1cf17699c464 file Not found Not found Not found Not found Not found Not found
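The merged table needs some cleanup before it can drive the next pivot. Three things get in the way: the `*.in-addr.arpa` entries are reverse-DNS (PTR) names, looked up by the sandbox or the OS for IPs the sample reached, not names the malware chose, so the useful information in them is the embedded IP rather than the "domain"; rows whose `type_description` is "Not found" carry no relationship at all and only tell you VT has no object for that hash; and the same real domain can appear under several hashes, which is exactly the overlap that clusters samples together. The following added example (not part of the original notebook or of MSTICpy) does that cleanup in plain Python. The records are constructed in the column layout shown above; a DataFrame from MSTICpy converts to the same shape with `df.to_dict("records")`.

```python
# Added example (not from the original notebook or MSTICpy): turn the merged VT
# relationship rows into usable pivot edges. Sample records are constructed.
from collections import defaultdict
import math


def _is_missing(value) -> bool:
    """pandas leaves NaN (a float) in the columns that did not apply to a row."""
    return value is None or (isinstance(value, float) and math.isnan(value))


def ptr_to_ip(name: str):
    """'83.188.255.52.in-addr.arpa' -> '52.255.188.83'; None if not an IPv4 PTR name."""
    suffix = ".in-addr.arpa"
    n = name.lower()
    if not n.endswith(suffix):
        return None
    parts = n[:-len(suffix)].split(".")
    if len(parts) != 4 or not all(p.isdigit() and 0 <= int(p) <= 255 for p in parts):
        return None
    return ".".join(reversed(parts))


def clean_relationships(records):
    """Return (edges, not_found, ptr_ips).

    edges     : (source, relationship_type, target) for real contacted domains
    not_found : source ids VirusTotal had no object for
    ptr_ips   : (source, ip) pairs recovered from reverse-DNS names
    """
    edges, not_found, ptr_ips = [], [], []
    for row in records:
        source = row.get("source")
        if _is_missing(source):                       # row came from the "Not found" branch
            if row.get("type_description") == "Not found":
                not_found.append(row.get("id"))
            continue
        target = row.get("target")
        if _is_missing(target):
            continue
        if row.get("target_type") == "domain":
            ip = ptr_to_ip(target)
            if ip is not None:
                ptr_ips.append((source, ip))
                continue
            if target.lower().endswith(".ip6.arpa"):  # IPv6 PTR names: also not a real domain
                continue
        edges.append((source, row.get("relationship_type"), target))
    return edges, not_found, ptr_ips


def shared_targets(edges):
    """Targets reached from more than one source: the strongest pivots for clustering samples."""
    by_target = defaultdict(set)
    for source, _rel, target in edges:
        by_target[target].add(source)
    return {t: sorted(s) for t, s in by_target.items() if len(s) > 1}


# Constructed sample mirroring the merged output: H1 contacts a PTR name and a real
# domain, H2 is unknown to VT, H3 shares the real domain with H1.
H1 = "11" * 32
H2 = "22" * 32
H3 = "33" * 32
SAMPLE_RECORDS = [
    {"target_type": "domain", "target": "1.2.3.4.in-addr.arpa", "source": H1,
     "source_type": "file", "relationship_type": "contacted_domains"},
    {"target_type": "domain", "target": "example-c2.invalid", "source": H1,
     "source_type": "file", "relationship_type": "contacted_domains"},
    {"target_type": float("nan"), "target": float("nan"), "source": float("nan"),
     "source_type": float("nan"), "relationship_type": float("nan"),
     "id": H2, "type": "file", "type_description": "Not found"},
    {"target_type": "domain", "target": "example-c2.invalid", "source": H3,
     "source_type": "file", "relationship_type": "contacted_domains"},
]

if __name__ == "__main__":
    edges, missing, ptr_ips = clean_relationships(SAMPLE_RECORDS)
    print("edges:", edges)
    print("not found on VT:", missing)
    print("IPs recovered from PTR names:", ptr_ips)
    print("shared targets:", shared_targets(edges))
```

The `ptr_ips` list is the natural next pivot (`vt_type='ip_address'` with the IP, as in the first lookup above), and `shared_targets` is what you would chart in a graph: a domain reached by several of the files downloaded from the same IP is far stronger evidence of shared infrastructure than any single relationship row.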

Conclusion

This blog outlines how Python can be used to find valuable threat intelligence in data sets such as chat logs. It also shows how processing the data with the MSTICpy library helps with enrichment, hunting within your environments, and collecting additional threat context. This notebook can be adapted to your own purposes or to other data sources.