This repository contains the code of MalwareInfrastructureHunter (MIH). MIH lets you add your own Censys queries and extract malware infrastructure (other hosts matching the same fingerprint), check the reputation of the identified hosts (VirusTotal, AbuseIPDB), and list the files that communicate with those hosts (VirusTotal).
In continuation of the article Cyber Threat Intelligence Pivoting: From a single alert to multiple IoCs, MIH is an effort to automate the process of identifying further malware infrastructure. The idea for the script was inspired by Openhunting.io.
- Add your API keys and secrets (Censys, VirusTotal, AbuseIPDB) and your Censys searches to the information.py file; MIH cannot run without them.
- Run the script from the command line with the options you prefer (the --reputation and --files options are shown below).
By default a search for DcRat infrastructure is included (more can be explored from here):
Example 1: Running the script without any command line argument:
python3 .\mih.py
prints the list of hosts returned by the Censys search:
Censys Search Name: DcRat
Censys Search Query: services.tls.certificates.leaf_data.subject_dn="CN=DcRat*"
-----------------------
45.12.221.10
158.69.40.137
223.26.57.5
103.243.26.65
1.242.139.44
139.155.92.118
82.66.185.138
77.91.124.111
27.147.169.101
154.12.254.215
156.237.223.133
42.192.132.36
88.99.214.187
119.91.99.194
156.240.108.178
5.180.106.191
112.213.101.35
156.237.223.134
156.240.108.109
185.213.25.37
112.213.101.67
139.180.143.50
156.237.223.132
141.95.84.40
172.111.138.100
192.99.10.207
103.17.185.70
202.63.172.63
159.100.22.58
111.173.89.100
43.249.8.44
193.84.248.185
178.33.94.35
43.139.194.112
124.222.213.129
121.36.30.6
45.11.47.195
156.240.108.145
120.78.139.3
103.143.80.140
156.237.223.130
124.248.69.70
47.94.241.76
124.248.69.71
156.237.223.131
112.213.101.73
103.140.251.156
202.162.109.198
91.92.240.198
52.188.84.174
Example 2: Searching for reputation and communicating files with this command line:
python3 .\mih.py --files --reputation
gives results like the following sample (shown for one host only):
Censys Search Name: DcRat
Censys Search Query: services.tls.certificates.leaf_data.subject_dn="CN=DcRat*"
-----------------------
-------
Reputation info for: 77.91.124.111
VirusTotal info: ----- (13.01% Malicious)
Tags: []
Suspicious Detections: 1
Malicious Detections: 13
Harmless Detections: 56
Undetected Detections: 18
AbuseIPDB info: ----- abuseConfidenceScore: 0
Domain: stark-industries.solutions
Usage: Data Center/Web Hosting/Transit
countryCode: FI
lastReportedAt: 2023-08-02T11:30:48+00:00
isWhitelisted: False
isTor: False
--------------------------------------------------------------------------------------------
VirusTotal Communicating Files
------------------------------
Communicating Files for: 77.91.124.111
File: 0
VirusTotal info: ----- (51.00% Malicious)
Suggested Threat Label: trojan.msil/stealer
Names: ['Wextract', 'WEXTRACT.EXE .MUI', 'y6393212.exe']
SHA256: 000bac5d6513d032d49811fc9329edbc0eab52606f37d70cd2c5a41f6ed4fbe2
Tags: ['peexe', 'spreader']
Suspicious Detections: 0
Malicious Detections: 51
Harmless Detections: 0
Undetected Detections: 20
-------
File: 1
VirusTotal info: ----- (59.00% Malicious)
Suggested Threat Label: trojan.deyma/stealer
Names: ['Wextract', 'WEXTRACT.EXE .MUI', '000edd06cbd5c2a07384d239fbb8fcb51df5a7d7a5fbe81629057e73ba33bc5a.exe', '831623d9a83531a572325d5ccb7e333a.virus']
SHA256: 000edd06cbd5c2a07384d239fbb8fcb51df5a7d7a5fbe81629057e73ba33bc5a
Tags: ['peexe', 'spreader']
Suspicious Detections: 0
Malicious Detections: 59
Harmless Detections: 0
Undetected Detections: 12
-------
File: 2
VirusTotal info: ----- (54.00% Malicious)
Suggested Threat Label: trojan.msil/convagent
Names: ['Wextract', 'WEXTRACT.EXE .MUI', 'z8787836.exe']
SHA256: 004f327e558436dae95b78cc837b001ad53acc91a35b7f5447d7b9653b3a37e5
Tags: ['peexe', 'spreader']
Suspicious Detections: 0
Malicious Detections: 54
Harmless Detections: 0
Undetected Detections: 15
-------
File: 3
VirusTotal info: ----- (55.00% Malicious)
Suggested Threat Label: trojan.msil/stealer
Names: ['Wextract', 'WEXTRACT.EXE .MUI', 'x4594513.exe']
SHA256: 004fd5d9b78671720f0d59d68c3b80c517fc31ac83e969311df973f579b01ef1
Tags: ['peexe', 'spreader']
Suspicious Detections: 0
Malicious Detections: 55
Harmless Detections: 0
Undetected Detections: 16
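As an added example that is not part of MIH's own code, the block below implements the pivot the two runs above perform (Censys hits, then VirusTotal and AbuseIPDB reputation, then VirusTotal communicating files) in Python, written so it can be exercised offline against responses constructed from the sample output. The endpoint paths, headers and JSON field names are assumptions taken from the public Censys v2, VirusTotal v3 and AbuseIPDB v2 documentation; check them against the current docs before pointing the code at real keys. It goes slightly beyond the page in two ways: the malicious percentage is computed as malicious verdicts over all verdicts returned, and a Censys hit is marked as corroborated only when a second source agrees with it.

```python
"""Added example (not MIH's own code): the Censys -> VirusTotal/AbuseIPDB pivot described in the
README, written so it runs offline. Endpoint paths, headers and response fields follow the public
Censys v2, VirusTotal v3 and AbuseIPDB v2 docs as the example's author knows them (assumption:
verify against the current docs). `transport` is the only thing that touches the network, so the
canned responses at the bottom can stand in for the real services."""
import base64
import json
import urllib.request

CENSYS_URL = "https://search.censys.io/api/v2/hosts/search"
VT_URL = "https://www.virustotal.com/api/v3/ip_addresses/"
ABUSE_URL = "https://api.abuseipdb.com/api/v2/check"
VT_VERDICTS = ("harmless", "malicious", "suspicious", "undetected", "timeout")


def http_json(method, url, headers, body=None):
    """Real transport: one HTTPS request, JSON response."""
    req = urllib.request.Request(url, data=body, method=method, headers=headers)
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def vt_ratio(stats):
    """Malicious verdicts as a share of all verdicts VT returned (not the raw count)."""
    total = sum(stats.get(k, 0) for k in VT_VERDICTS)
    return round(100.0 * stats.get("malicious", 0) / total, 2) if total else 0.0


def censys_hosts(query, api_id, api_secret, transport=http_json, per_page=100):
    """Run one Censys host search and return the hit IPs, deduplicated, in order."""
    token = base64.b64encode(f"{api_id}:{api_secret}".encode()).decode()
    headers = {"Authorization": f"Basic {token}", "Content-Type": "application/json"}
    body = json.dumps({"q": query, "per_page": per_page}).encode()
    hits = transport("POST", CENSYS_URL, headers, body).get("result", {}).get("hits", [])
    return list(dict.fromkeys(h["ip"] for h in hits if h.get("ip")))


def vt_ip_report(ip, vt_key, transport=http_json):
    data = transport("GET", VT_URL + ip, {"x-apikey": vt_key})
    stats = data.get("data", {}).get("attributes", {}).get("last_analysis_stats", {})
    return {"ip": ip, "malicious_pct": vt_ratio(stats), "stats": stats}


def abuseipdb_report(ip, key, transport=http_json, max_age_days=90):
    url = f"{ABUSE_URL}?ipAddress={ip}&maxAgeInDays={max_age_days}"
    d = transport("GET", url, {"Key": key, "Accept": "application/json"}).get("data", {})
    return {"ip": ip, "abuse_score": d.get("abuseConfidenceScore", 0), "is_tor": d.get("isTor", False)}


def vt_communicating_files(ip, vt_key, transport=http_json, min_malicious=5, limit=10):
    """Files VT saw talking to the host, keeping only those several engines flag."""
    url = f"{VT_URL}{ip}/communicating_files?limit={limit}"
    files = transport("GET", url, {"x-apikey": vt_key}).get("data") or []
    out = []
    for f in files:
        a = f.get("attributes", {})
        stats = a.get("last_analysis_stats", {})
        if stats.get("malicious", 0) < min_malicious:
            continue  # a clean updater or a sandbox probe also "communicates"; not an IoC
        out.append({"sha256": a.get("sha256"), "malicious_pct": vt_ratio(stats),
                    "label": a.get("popular_threat_classification", {}).get("suggested_threat_label"),
                    "names": a.get("names", [])[:3]})
    return out


def pivot(query, keys, transport=http_json, min_ip_pct=10.0):
    """Censys hit -> reputation -> files. A host is 'corroborated' only when a second source
    (VT verdicts, AbuseIPDB reports or a flagged communicating file) agrees with Censys."""
    report = []
    for ip in censys_hosts(query, keys["censys_id"], keys["censys_secret"], transport):
        vt = vt_ip_report(ip, keys["vt"], transport)
        ab = abuseipdb_report(ip, keys["abuseipdb"], transport)
        files = vt_communicating_files(ip, keys["vt"], transport)
        vt.update(abuse_score=ab["abuse_score"], files=files,
                  corroborated=vt["malicious_pct"] >= min_ip_pct or ab["abuse_score"] > 0 or bool(files))
        report.append(vt)
    return report


# Constructed responses shaped like the real APIs, using the numbers from the sample output above,
# so the pipeline runs with no network and no keys. Use http_json (the default) for a live run.
_FILE_HIT = {"attributes": {"sha256": "000bac5d6513d032d49811fc9329edbc0eab52606f37d70cd2c5a41f6ed4fbe2",
             "names": ["Wextract", "WEXTRACT.EXE .MUI", "y6393212.exe"],
             "popular_threat_classification": {"suggested_threat_label": "trojan.msil/stealer"},
             "last_analysis_stats": {"malicious": 51, "harmless": 0, "suspicious": 0, "undetected": 20}}}
_CLEAN_HIT = {"attributes": {"sha256": "f" * 64, "last_analysis_stats": {"malicious": 0, "undetected": 60}}}
_CANNED = {
    ("POST", CENSYS_URL): {"result": {"hits": [{"ip": "77.91.124.111"}, {"ip": "77.91.124.111"},
                                                {"ip": "45.12.221.10"}]}},
    ("GET", VT_URL + "77.91.124.111"): {"data": {"attributes": {"last_analysis_stats":
        {"harmless": 56, "malicious": 13, "suspicious": 1, "undetected": 18}}}},
    ("GET", f"{ABUSE_URL}?ipAddress=77.91.124.111&maxAgeInDays=90"): {"data": {"abuseConfidenceScore": 0,
                                                                                "isTor": False}},
    ("GET", f"{VT_URL}77.91.124.111/communicating_files?limit=10"): {"data": [_FILE_HIT, _CLEAN_HIT]},
}
KEYS = {"censys_id": "x", "censys_secret": "x", "vt": "x", "abuseipdb": "x"}  # placeholders, not real keys


def fake_transport(method, url, headers, body=None):
    """Unknown (method, url) pairs, e.g. the second host, behave like an IP nobody has reported."""
    return _CANNED.get((method, url), {"data": {}})


if __name__ == "__main__":
    for host in pivot('services.tls.certificates.leaf_data.subject_dn="CN=DcRat*"', KEYS, fake_transport):
        print(host["ip"], f'{host["malicious_pct"]}% malicious',
              "corroborated" if host["corroborated"] else "lead only", [f["sha256"] for f in host["files"]])
```

Replacing fake_transport with http_json and the placeholder KEYS with real credentials runs the same pipeline live. The min_ip_pct and min_malicious thresholds are arbitrary starting points for this example, not values from MIH, and the deduplication in censys_hosts matters because Censys can return the same host more than once across pages.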
Two things to keep in mind when reading these results. First, a Censys match on the certificate subject is a lead, not a confirmed IoC; the reputation step exists to corroborate it, and the sample above shows why (77.91.124.111 has 13 VirusTotal detections but an AbuseIPDB confidence score of 0). Second, the "% Malicious" figure printed for files matches the raw malicious count (51 detections out of 71 engines is roughly 72%, not 51%, and 13 of 88 verdicts for the IP is about 14.8%), so treat it as a detection count rather than a ratio. Each host also costs one VirusTotal request for reputation, one for communicating files and one AbuseIPDB request, so mind your API quotas on large result sets.
This is the first version of the script and more features are planned. If you have any suggestions, feel free to open an issue and/or contribute to this repository.