# AbuseCH Data Scraper

## Feodo Blacklist

> Feodo Tracker is a project of abuse.ch with the goal of sharing botnet C&C servers associated with the Feodo malware family (Dridex, Emotet/Heodo). It offers various blocklists, helping network owners to protect their users from Dridex and Emotet/Heodo.

Reference: https://feodotracker.abuse.ch/

In [1]:

```python
from pprint import pprint
from abusech.feodo import Feodo

feodo = Feodo()
```

### IpAddress Blocklists

> Dridex, Heodo (aka Emotet) and TrickBot botnet command&control servers (C&Cs) reside on compromised servers and servers that have been rented and set up by the botnet herder itself for the sole purpose of botnet hosting. Feodo Tracker offers a blocklist of IP addresses that are associated with such botnet C&Cs that can be used to detect and block botnet C2 traffic from infected machines towards the internet. An IP address will only get added to the blocklist if it responds with a valid botnet C2 response. However, a botnet C2 may become offline later.

Reference: https://feodotracker.abuse.ch/blocklist/#ip-blocklist

In [2]:

```python
ip_blocklists = feodo.get_ip_blacklist()
pprint(ip_blocklists[0:2])
```

```
[IPAddress(first_seen=datetime.datetime(2019, 11, 23, 4, 42, 31), ipaddress='5.182.211.61', port=447, last_seen=datetime.datetime(2019, 11, 25, 0, 0), family='trickbot'),
 IPAddress(first_seen=datetime.datetime(2019, 11, 23, 1, 4, 46), ipaddress='81.177.180.252', port=447, last_seen=datetime.datetime(2019, 11, 25, 0, 0), family='trickbot')]
```

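The blocklist entries above carry a port and a `last_seen` timestamp, and the quoted text warns that a listed C2 may go offline later. The following added example (not part of the scraper project) shows how a defender would use both fields when matching outbound connection logs: keying on `(ip, port)` to limit false positives, and marking hits against entries whose `last_seen` is well in the past as stale. The `IPAddress` dataclass is an assumed stand-in for the class in `abusech.feodo`, and the blocklist entries and log lines are constructed inline so the code runs offline.

```python
"""Match outbound connection logs against Feodo Tracker IP blocklist entries."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Assumption: a record mirroring the IPAddress repr printed by the scraper
# (the real class lives in abusech.feodo; this stand-in keeps the example offline).
@dataclass(frozen=True)
class IPAddress:
    first_seen: datetime
    ipaddress: str
    port: int
    last_seen: Optional[datetime]
    family: str

# Constructed entries, using the values printed in the notebook output above.
BLOCKLIST = [
    IPAddress(datetime(2019, 11, 23, 4, 42, 31), "5.182.211.61", 447, datetime(2019, 11, 25), "trickbot"),
    IPAddress(datetime(2019, 11, 23, 1, 4, 46), "81.177.180.252", 447, datetime(2019, 11, 25), "trickbot"),
]

# Constructed firewall-style log lines: timestamp src_ip dst_ip dst_port
LOG_LINES = """\
2019-11-25T06:10:02 10.0.0.12 81.177.180.252 447
2019-11-25T06:10:05 10.0.0.12 203.0.113.5 443
2019-12-20T09:00:00 10.0.0.7 5.182.211.61 447
2019-11-25T06:11:00 10.0.0.9 5.182.211.61 80
""".splitlines()

def build_index(entries):
    """Key by (ip, port): Feodo lists the C2 port, so a port match cuts false positives."""
    return {(e.ipaddress, e.port): e for e in entries}

def match_logs(lines, index, stale_after=timedelta(days=14)):
    """Return (line, family, confidence) per hit; 'stale' when the C2 was last
    seen online long before the connection, since listed C2s can go offline."""
    hits = []
    for line in lines:
        ts, _src, dst, port = line.split()
        entry = index.get((dst, int(port)))
        if entry is None:
            continue
        seen_at = datetime.fromisoformat(ts)
        stale = entry.last_seen is not None and seen_at - entry.last_seen > stale_after
        hits.append((line, entry.family, "stale" if stale else "active"))
    return hits
```

Run `match_logs(LOG_LINES, build_index(BLOCKLIST))` to see the two hits; the connection to port 80 on a listed host is deliberately not flagged.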

### Aggressive IpAddress Blocklist

> We strongly recommend that you not use the aggressive version of the Botnet C2 IP blocklist, as it definitely will cause false positives. If you want to get maximum protection and don't care about false positives, use the blacklist below.

Reference: https://feodotracker.abuse.ch/blocklist/#ip-blocklist

In [3]:

```python
ip_blocklists = feodo.get_ip_aggressive()
pprint(ip_blocklists[0:2])
```

```
[IPAddress(first_seen=datetime.datetime(2019, 11, 23, 4, 42, 31), ipaddress='5.182.211.61', port=447, last_seen=None, family='heodo'),
 IPAddress(first_seen=datetime.datetime(2019, 11, 23, 1, 4, 46), ipaddress='81.177.180.252', port=447, last_seen=None, family='heodo')]
```


### Get Malware Hashes

> Feodo Tracker publishes a list of hashes (MD5) associated with Dridex and Emotet/Heodo malware samples.

Reference: https://feodotracker.abuse.ch/blocklist/#malware-hashes

In [4]:

```python
malware = feodo.get_malware_hashes()
pprint(malware[0:2])
```

```
[Malware(first_seen=datetime.datetime(2019, 11, 25, 5, 30, 58), md5='c96bc127c7acc1e4f9c280ef90f3fe4d', family='heodo'),
 Malware(first_seen=datetime.datetime(2019, 11, 25, 5, 30, 53), md5='64f64cb51b62bf37719590a4a5ba64eb', family='heodo')]
```


### Get IpAddress Details

> You are currently viewing the database entry for the TrickBot botnet command&control server (C&C) 5.182.211.61. You can get additional information about this C&C here, such as first seen, last seen and associated malware samples.

Reference: https://feodotracker.abuse.ch/browse/host/5.182.211.61/

In [5]:

```python
ip_details = feodo.get_ipaddress_details('81.177.180.252')
pprint(ip_details)
```

```
{'count': 1,
 'details': {'asn_id': 8342,
             'asn_name': 'rtcomm-as',
             'family': 'trickbot',
             'first_seen': datetime.datetime(2019, 11, 23, 1, 4, 46),
             'host_name': None,
             'last_online': datetime.date(2019, 11, 25),
             'last_seen': datetime.datetime(2019, 11, 25, 4, 56, 35),
             'spamhaus_sbl': None},
 'hashes': [{'family': 'trickbot',
             'ipaddress': '81.177.180.252',
             'md5': '15026fde691c9401499b04b1f78b5ef7',
             'port': 447,
             'timestamp': datetime.datetime(2019, 11, 25, 5, 51, 51),
             'virustotal': None}]}
```
