Indicators of Compromise (IOCs) are key forensic data points used to detect security breaches. They include file hashes, suspicious IP addresses, domain names, URLs, specific email addresses, unusual file names, registry changes, unexpected processes, and abnormal network traffic patterns. These elements help identify malicious activity and are crucial for timely detection and response to cybersecurity threats.
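Reports and lookup results usually carry these indicator types in defanged form (hxxp, [.], (:)) so they cannot be clicked by accident. The script below is an added example, not code from the original article or from ANY.RUN: it refangs a constructed block of report text, then classifies each indicator it finds as a URL, domain, IPv4 address, e-mail address or hash (MD5/SHA-1/SHA-256 by length). The sample text, names and values are all constructed; the two hashes are the well-known EICAR MD5 and the SHA-256 of an empty string.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample report text with defanged indicators (not from any real report).
SAMPLE_TEXT = """
Dropper hash 44d88612fea8a8f36de82e1278abb02f contacted hxxp://update[.]example-cdn[.]net/payload.bin
and beaconed to 192.168.56[.]101 on port 4444. SHA-256:
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
Phishing sender: billing[at]invoice-example[.]com
"""

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# Longest alternative first so a 32-hex run inside a 64-hex run is never reported twice.
HASH_RE = re.compile(r"\b(?:[0-9a-f]{64}|[0-9a-f]{40}|[0-9a-f]{32})\b", re.IGNORECASE)
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE)
HASH_KIND = {32: "md5", 40: "sha1", 64: "sha256"}


def refang(text: str) -> str:
    """Undo the common defanging conventions so ordinary patterns can match."""
    out = re.sub(r"hxxp", "http", text, flags=re.IGNORECASE)
    for broken, fixed in (("[.]", "."), ("(.)", "."), ("{.}", "."),
                          ("(:)", ":"), ("[:]", ":")):
        out = out.replace(broken, fixed)
    return re.sub(r"\s*(?:\[at\]|\(at\))\s*", "@", out, flags=re.IGNORECASE)


def extract_iocs(text: str) -> dict:
    """Return {type: sorted list of indicators} for the refanged text."""
    text = refang(text)
    found = defaultdict(set)
    for url in URL_RE.findall(text):
        found["url"].add(url)
        host = urlsplit(url).hostname
        if host:
            found["domain"].add(host.lower())
    for email in EMAIL_RE.findall(text):
        found["email"].add(email.lower())
        found["domain"].add(email.split("@")[1].lower())
    # Blank out URLs and e-mails so their parts are not re-matched as bare domains.
    rest = EMAIL_RE.sub(" ", URL_RE.sub(" ", text))
    for ip in IPV4_RE.findall(rest):
        if all(int(octet) <= 255 for octet in ip.split(".")):
            found["ipv4"].add(ip)
    for digest in HASH_RE.findall(rest):
        found[HASH_KIND[len(digest)]].add(digest.lower())
    for domain in DOMAIN_RE.findall(rest):
        found["domain"].add(domain.lower())
    return {kind: sorted(values) for kind, values in found.items()}


if __name__ == "__main__":
    for kind, values in extract_iocs(SAMPLE_TEXT).items():
        print(f"{kind:8s} {values}")
```

Each extracted value is a candidate for a TI Lookup query; the type decides which search parameter it belongs to.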
Security analysts can search this 2 TB database using over 40 parameters and wildcards to find specific threats. The service returns results quickly, each linked to the sandbox analysis session it came from, allowing in-depth investigation.
It also supports creating YARA rules and integrating them with security systems via API, which lets security professionals identify current threats, generate precise Indicators of Compromise (IOCs), and anticipate and prevent future attacks.

“malconf” domains
Prioritizing results with the “malconf” label highlights domains extracted directly from malware configurations, significantly increasing the likelihood of uncovering active command-and-control infrastructure used by Remcos attacks.
If the sandbox report reveals an IP address within the AsyncRAT configuration, analysts can use TI Lookup to investigate it.

The results can include historical sightings in malware samples, connections to known bad actors, and associated domain names, which lets investigators determine the IP's role in the AsyncRAT campaign and identify broader threats.
TI Lookup identified 55 analysis sessions associated with the malicious IP. By examining these sessions, analysts can extract hash sums and other indicators of compromise related to the malware.

TI Lookup search yields 55 analysis sessions with the malicious IP
This makes it possible to identify the malware family and potentially uncover additional threats used by the attackers, by correlating related events, files, destination ports, and sandbox sessions linked to the indicator.
In the example, the query url:"https(:)//t.me/ armad2a" is used to search for indicators associated with the provided URL.
The results from TI Lookup can reveal additional samples containing similar indicators, potentially providing insights into the broader threat landscape.
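The pivot described above (query an indicator, rank sessions whose match came from a malware configuration first, then harvest hashes, families, ports and related indicators from the matching sessions) can be modelled locally. The code below is an added example, not ANY.RUN's code or its query grammar: the session records are constructed, the field names (ip, domain, url, sha256, family, port), the field:"value" term syntax with shell-style wildcards, and the "malconf" label on individual indicators are all assumptions made for the illustration, and the hashes, addresses and domains are placeholders.

```python
import fnmatch
import re
from collections import Counter

# Constructed sandbox-session records standing in for lookup results (not real data).
# Each IOC is (type, value, label); "malconf" marks a value extracted from the malware config.
SESSIONS = [
    {"id": "sess-001", "family": "AsyncRAT", "sha256": "a1" * 32, "ports": [6606],
     "iocs": [("ip", "203.0.113.10", "malconf"),
              ("domain", "update.example-test.net", "network")]},
    {"id": "sess-002", "family": "AsyncRAT", "sha256": "b2" * 32, "ports": [6606, 443],
     "iocs": [("ip", "203.0.113.10", "network"),
              ("url", "https://t.me/example_channel", "malconf")]},
    {"id": "sess-003", "family": "Remcos", "sha256": "c3" * 32, "ports": [2404],
     "iocs": [("domain", "rc.example-test.net", "malconf"),
              ("ip", "198.51.100.7", "network")]},
    {"id": "sess-004", "family": "Unknown", "sha256": "d4" * 32, "ports": [80],
     "iocs": [("domain", "cdn.example-test.net", "network")]},
]

# Assumed term syntax: field:"quoted value" or field:value, terms AND-ed together.
TERM_RE = re.compile(r'(\w+):(?:"([^"]*)"|(\S+))')


def parse_query(query: str) -> list:
    """Turn 'ip:"203.0.113.*" family:AsyncRAT' into [(field, pattern), ...]."""
    terms = [(field.lower(), quoted if quoted else bare)
             for field, quoted, bare in TERM_RE.findall(query)]
    if not terms:
        raise ValueError("query must contain at least one field:value term")
    return terms


def session_matches(session: dict, field: str, pattern: str):
    """Return the label of the first indicator matching the term, or None.
    Wildcards are shell-style ('*', '?'); comparison is case-insensitive."""
    pat = pattern.lower()
    if field == "family":
        return "meta" if fnmatch.fnmatch(session["family"].lower(), pat) else None
    if field == "sha256":
        return "meta" if fnmatch.fnmatch(session["sha256"].lower(), pat) else None
    if field == "port":
        return "meta" if any(fnmatch.fnmatch(str(p), pat) for p in session["ports"]) else None
    for ioc_type, value, label in session["iocs"]:
        if ioc_type == field and fnmatch.fnmatch(value.lower(), pat):
            return label
    return None


def search(query: str, sessions=SESSIONS) -> list:
    """Every term must match; sessions hit through a 'malconf' indicator rank first."""
    terms = parse_query(query)
    hits = []
    for s in sessions:
        labels = [session_matches(s, field, pat) for field, pat in terms]
        if all(labels):
            rank = 0 if "malconf" in labels else 1
            hits.append((rank, s["id"], s))
    hits.sort(key=lambda h: (h[0], h[1]))
    return [s for _, _, s in hits]


def pivot(sessions: list) -> dict:
    """Collect what an analyst extracts from the matching sessions."""
    return {
        "session_count": len(sessions),
        "families": Counter(s["family"] for s in sessions),
        "hashes": sorted({s["sha256"] for s in sessions}),
        "ports": sorted({p for s in sessions for p in s["ports"]}),
        "related_iocs": sorted({(t, v) for s in sessions for t, v, _ in s["iocs"]}),
    }


if __name__ == "__main__":
    matches = search('ip:"203.0.113.10"')
    print([s["id"] for s in matches])          # malconf hit listed first
    print(pivot(matches))
```

The ranking step is the point: a hit on a configuration-extracted value is far stronger evidence of live infrastructure than the same value merely observed in traffic, so it should surface before the rest. The pivot output is what feeds the next round of queries.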
Analyze Suspicious Files and URLs in ANY.RUN
The service automatically detects and lists all activities across network traffic, registry, file system, and processes and extracts indicators of compromise.
