A repository to extract cryptocoin addresses and other indicators of compromise from binaries.



Extracts metadata and hardcoded Indicators of Compromise from ransomware in a scalable, efficient way, with Cuckoo integrations. Ideally it is run during Cuckoo dynamic analysis, on folders where changes occur, but it can also be used for static analysis on large collections of ransomware.

From the tools folder: `pip install -r requirements.txt`

After that: `python coinlector.py` will run the code across all files in the directory and provide feedback on the ETC.

Currently we are testing for:

+ Bitcoin Addresses
+ Monero Addresses
+ Bitcoin Cash Address
+ Domains
+ Email Addresses
+ Onion Addresses
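One way to keep false positives down when testing binaries for Bitcoin addresses is to match the legacy address shape with a regular expression and then keep only strings whose Base58Check checksum verifies. The following is an added example, not code from coinlector.py; the function names and the sample bytes are constructed for illustration, and it covers only legacy (`1...`/`3...`) addresses.

```python
# Added example; names here are illustrative, not coinlector.py's API.
import hashlib
import re

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
_C = "[" + B58 + "]"
# Legacy address shape: starts with 1 or 3, 26-35 Base58 characters in total,
# and not embedded in a longer Base58 run (lookbehind/lookahead).
BTC_RE = re.compile(("(?<!%s)[13]%s{25,34}(?!%s)" % (_C, _C, _C)).encode())


def _checksum(payload: bytes) -> bytes:
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]


def b58check_encode(version: int, body: bytes) -> str:
    """Build an address string; used here only to construct sample data."""
    raw = bytes([version]) + body
    raw += _checksum(raw)
    n, out = int.from_bytes(raw, "big"), ""
    while n:
        n, r = divmod(n, 58)
        out = B58[r] + out
    return "1" * (len(raw) - len(raw.lstrip(b"\x00"))) + out


def b58check_ok(addr: str) -> bool:
    """True if addr decodes to 25 bytes whose last 4 match the checksum."""
    n = 0
    for ch in addr:
        n = n * 58 + B58.index(ch)
    pad = len(addr) - len(addr.lstrip("1"))  # each leading '1' is a zero byte
    raw = b"\x00" * pad + n.to_bytes((n.bit_length() + 7) // 8, "big")
    return len(raw) == 25 and _checksum(raw[:21]) == raw[21:]


def extract_btc(blob: bytes) -> list:
    """Return checksum-valid legacy BTC addresses found in raw bytes."""
    hits = (m.group().decode("ascii") for m in BTC_RE.finditer(blob))
    return sorted({a for a in hits if b58check_ok(a)})


# Constructed sample: one valid address (from a made-up 20-byte hash), the
# same string with its last character changed, and binary noise around them.
GOOD = b58check_encode(0x00, bytes(range(1, 21)))
BAD = GOOD[:-1] + ("2" if GOOD[-1] != "2" else "3")
SAMPLE = b"\x7fMZ pay to " + GOOD.encode() + b"\x00\xff" + BAD.encode() + b"\n"
if __name__ == "__main__":
    print(extract_btc(SAMPLE))
```

The checksum step drops random Base58-looking strings that the regular expression alone would report, which matters when scanning large collections of samples.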

`chaisingcoin.py` gathers basic info on amounts received in BTC by the accounts gathered, based on the output of `coinlector.py`.

`eventcoin.py` makes IoCs of BTC addresses for a MISP instance, based on the output of `coinlector.py`. It can easily be extended to include other IoCs such as URLs or XMR accounts.