EfstratiosLontzetidis/MalwareInfrastructureHunter
MalwareInfrastructureHunter (MIH)

This repository contains the code of MalwareInfrastructureHunter (MIH). It lets you add your own Censys queries and extract malware infrastructure (other hosts), look up the reputation of the identified hosts (VirusTotal, AbuseIPDB), and identify files communicating with these hosts (VirusTotal).

Introduction

As a continuation of the article Cyber Threat Intelligence Pivoting: From a single alert to multiple IoCs, MIH is an effort to automate the process of identifying further malware infrastructure. The idea for this script was inspired by Openhunting.io.

Usage:

  1. Add your API keys and secrets (Censys, VirusTotal, AbuseIPDB) and your Censys searches to the information.py file; these are mandatory for MIH to work.
  2. Run the script from the command line with the options you prefer.

Examples:

By default this search for DcRat infrastructure is provided (more can be explored from here):

Example 1: Searching without any command line argument: python3 .\mih.py

Then the list of identified hosts through the Censys search will appear:

Censys Search Name: DcRat
Censys Search Query: services.tls.certificates.leaf_data.subject_dn="CN=DcRat*"
-----------------------

Example 2: Searching for reputation and communicating files with this command line: python3 .\mih.py --files --reputation

We get this sample of results:

Censys Search Name: DcRat
Censys Search Query: services.tls.certificates.leaf_data.subject_dn="CN=DcRat*"
-----------------------
-------
Reputation info for: 77.91.124.111
VirusTotal info: ----- (13.01% Malicious)
Tags: []
Suspicious Detections: 1
Malicious Detections: 13
Harmless Detections: 56
Undetected Detections: 18
AbuseIPDB info: ----- abuseConfidenceScore: 0
Domain: stark-industries.solutions
Usage: Data Center/Web Hosting/Transit
countryCode: FI
lastReportedAt: 2023-08-02T11:30:48+00:00
isWhitelisted: False
isTor: False
--------------------------------------------------------------------------------------------
VirusTotal Communicating Files
------------------------------
Communicating Files for: 77.91.124.111
File: 0
VirusTotal info: ----- (51.00% Malicious)
Suggested Threat Label: trojan.msil/stealer
Names: ['Wextract', 'WEXTRACT.EXE            .MUI', 'y6393212.exe']
SHA256: 000bac5d6513d032d49811fc9329edbc0eab52606f37d70cd2c5a41f6ed4fbe2
Tags: ['peexe', 'spreader']
Suspicious Detections: 0
Malicious Detections: 51
Harmless Detections: 0
Undetected Detections: 20
-------
File: 1
VirusTotal info: ----- (59.00% Malicious)
Suggested Threat Label: trojan.deyma/stealer
Names: ['Wextract', 'WEXTRACT.EXE            .MUI', '000edd06cbd5c2a07384d239fbb8fcb51df5a7d7a5fbe81629057e73ba33bc5a.exe', '831623d9a83531a572325d5ccb7e333a.virus']
SHA256: 000edd06cbd5c2a07384d239fbb8fcb51df5a7d7a5fbe81629057e73ba33bc5a
Tags: ['peexe', 'spreader']
Suspicious Detections: 0
Malicious Detections: 59
Harmless Detections: 0
Undetected Detections: 12
-------
File: 2
VirusTotal info: ----- (54.00% Malicious)
Suggested Threat Label: trojan.msil/convagent
Names: ['Wextract', 'WEXTRACT.EXE            .MUI', 'z8787836.exe']
SHA256: 004f327e558436dae95b78cc837b001ad53acc91a35b7f5447d7b9653b3a37e5
Tags: ['peexe', 'spreader']
Suspicious Detections: 0
Malicious Detections: 54
Harmless Detections: 0
Undetected Detections: 15
-------
File: 3
VirusTotal info: ----- (55.00% Malicious)
Suggested Threat Label: trojan.msil/stealer
Names: ['Wextract', 'WEXTRACT.EXE            .MUI', 'x4594513.exe']
SHA256: 004fd5d9b78671720f0d59d68c3b80c517fc31ac83e969311df973f579b01ef1
Tags: ['peexe', 'spreader']
Suspicious Detections: 0
Malicious Detections: 55
Harmless Detections: 0
Undetected Detections: 16
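To ingest the reputation block above from another script, here is an added example (not part of the MIH repository) that parses MIH's text output into per-host records, recomputes the malicious share over every engine that returned a verdict, and flags hosts whose VirusTotal ratio, AbuseIPDB confidence or communicating files cross a threshold. The sample input is a trimmed copy of the Example 2 output above; the thresholds are assumptions.

```python
# Constructed sample: a trimmed copy of the Example 2 output above (one host, one file).
SAMPLE = """\
Reputation info for: 77.91.124.111
Suspicious Detections: 1
Malicious Detections: 13
Harmless Detections: 56
Undetected Detections: 18
AbuseIPDB info: ----- abuseConfidenceScore: 0
Communicating Files for: 77.91.124.111
File: 0
SHA256: 000bac5d6513d032d49811fc9329edbc0eab52606f37d70cd2c5a41f6ed4fbe2
Suspicious Detections: 0
Malicious Detections: 51
Harmless Detections: 0
Undetected Detections: 20
"""

def parse_mih(text):
    """Parse MIH output into {ip: {"stats": {...}, "abuse": int|None, "files": [...]}}."""
    hosts, ip, cur = {}, None, None  # cur = record that owns the next Detections lines
    for line in map(str.strip, text.splitlines()):
        if line.startswith(("Reputation info for: ", "Communicating Files for: ")):
            ip = line.split(": ", 1)[1]
            cur = hosts.setdefault(ip, {"stats": {}, "abuse": None, "files": []})
        elif line.startswith("File: "):  # a 'File:' line opens a new file record
            cur = {"sha256": None, "stats": {}}
            hosts[ip]["files"].append(cur)
        elif line.startswith("SHA256: "):
            cur["sha256"] = line.split(": ", 1)[1]
        elif "abuseConfidenceScore: " in line:
            hosts[ip]["abuse"] = int(line.rsplit(": ", 1)[1])
        elif " Detections: " in line and cur is not None:
            kind, count = line.split(" Detections: ")
            cur["stats"][kind.lower()] = int(count)
    return hosts

def malicious_ratio(stats):
    """Share of engines flagging malicious, over every engine with a verdict."""
    total = sum(stats.values())
    return stats.get("malicious", 0) / total if total else 0.0

def triage(hosts, vt_min=0.25, abuse_min=50, file_min=0.5):
    """Return {ip: [sha256, ...]} for hosts worth blocking (thresholds are assumptions)."""
    flagged = {}
    for ip, h in hosts.items():
        bad = [f["sha256"] for f in h["files"] if malicious_ratio(f["stats"]) >= file_min]
        if bad or malicious_ratio(h["stats"]) >= vt_min or (h["abuse"] or 0) >= abuse_min:
            flagged[ip] = bad
    return flagged
```

Note that 13 malicious out of 88 verdicts is about 15%, so a host can stay below the IP threshold while still being flagged through a communicating file that a majority of engines detect.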

Feedback

This is the first version of the script; more features are planned. If you have any suggestions, feel free to open an issue and/or contribute to this repository.
