
Intel471 Malware Indicator Feed

This integration is part of the Intel471 Feed Pack.

Supported versions

Supported Cortex XSOAR versions: 5.5.0 and later.

Intel471's Malware Intelligence is focused on provisioning a high-fidelity, timely indicator feed with rich context, TTP information and malware intelligence reports. The feed lets customers block and understand the latest crimeware campaigns; it is aimed at teams that value timeliness and confidence (little to no false positives) and want rich context and insight around the attacks they are seeing.

Configure Intel471 Indicator Feed in Cortex

| Parameter | Description | Required |
| --- | --- | --- |
| Fetch indicators |  | False |
| Username |  | False |
| Indicator Reputation | Indicators from this integration instance will be marked with this reputation. | False |
| Source Reliability | Reliability of the source providing the intelligence data. | True |
| Traffic Light Protocol Color | The Traffic Light Protocol (TLP) designation to apply to indicators fetched from the feed. | False |
| Indicator Expiration Method |  | False |
| Feed Expiration Interval |  | False |
| Feed Fetch Interval |  | False |
| Indicator Type | Type of the indicator in the feed. | True |
| Search by Threat Type | Search indicators by threat type (e.g. malware, bulletproof_hosting, proxy_service). If empty, all threat types are considered. | False |
| Malware Family | Search indicators by malware family (e.g. gozi_isfb, smokeloader, trickbot). If empty, all malware families are considered. | False |
| Search by confidence | Search indicators by confidence. See the detailed description of the confidence levels below. | False |
| Free text indicator search (all fields included) |  | False |
| First fetch timestamp (<number> <time unit>, e.g., 12 hours, 7 days) | How far back in time to go when performing the first fetch. | False |
| Tags | Supports CSV values. | False |
| Bypass exclusion list | When selected, the exclusion list is ignored for indicators from this feed, so an indicator from this feed that is on the exclusion list may still be added to the system. | False |
| Use system proxy settings |  | False |
| Trust any certificate (not secure) |  | False |
| Create relationships | Create relationships between indicators as part of enrichment. | False |

Commands

You can execute these commands from the CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

intel471-indicators-get-indicators

Gets the feed indicators.

Base Command

intel471-indicators-get-indicators

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| limit | The maximum number of results to return. Default is 50. The limit applies to each indicator type separately. | Optional |

Context Output

There is no context output for this command.

Command Example

!intel471-indicators-get-indicators limit=5

Human Readable Output

Indicators

value: https://example.com
type: URL
rawJSON:
  uid: 3cbf2c65f7d7b86c3276094b795e289a
  threat: {"type": "malware", "uid": "2103dcd99080ee86a7808912f3ff4382", "data": {"malware_family_profile_uid": "d9b8af17f349af0718badc314ce6b4bd", "family": "qbot", "version": "0402.68"}}
  expiration: 1622633644000
  confidence: high
  context: {"description": "qbot controller URL"}
  mitre_tactics: command_and_control
  indicator_type: url
  indicator_data: {"url": "https://example.com"}
  intel_requirements: 1.3.4, 1.1.4

value: https://example.com
type: URL
rawJSON:
  uid: 46c4335a6e4f07cbc073754ce830b23b
  threat: {"type": "malware", "uid": "355b864087900df6130bc1605ace1035", "data": {"malware_family_profile_uid": "d9b8af17f349af0718badc314ce6b4bd", "family": "qbot", "version": "0402.12"}}
  expiration: 1622634181000
  confidence: high
  context: {"description": "qbot controller URL"}
  mitre_tactics: command_and_control
  indicator_type: url
  indicator_data: {"url": "https://example.com"}
  intel_requirements: 1.3.4, 1.1.4

value: https://example.com
type: URL
rawJSON:
  uid: 3ac312ba14bb661ac165ff9b06a4de51
  threat: {"type": "malware", "uid": "22e7a5f41d4f3cc5c704758ffa505556", "data": {"malware_family_profile_uid": "20eb1f82621001883ea0c2085aff5729", "family": "lokibot", "version": "1.8"}}
  expiration: 1622636921000
  confidence: high
  context: {"description": "lokibot controller URL"}
  mitre_tactics: command_and_control
  indicator_type: url
  indicator_data: {"url": "https://example.com"}
  intel_requirements: 1.1.5, 1.1.6

value: https://example.com
type: URL
rawJSON:
  uid: 3c2b4db3d8016f7ad1e97821d6f58cff
  threat: {"type": "malware", "uid": "2103dcd99080ee86a7808912f3ff4382", "data": {"malware_family_profile_uid": "d9b8af17f349af0718badc314ce6b4bd", "family": "qbot", "version": "0402.68"}}
  expiration: 1622637063000
  confidence: high
  context: {"description": "qbot controller URL"}
  mitre_tactics: command_and_control
  indicator_type: url
  indicator_data: {"url": "https://example.com"}
  intel_requirements: 1.3.4, 1.1.4

value: http://example.com
type: URL
rawJSON:
  uid: f2509c1f7c725e2ffa6ae8e93f3dd4da
  threat: {"type": "malware", "uid": "2beba14b4653bf651e1dee439b1caf48", "data": {"malware_family_profile_uid": "dbdf04e70d844c5d9373f9069998bbcb", "family": "formbook", "version": "4.1"}}
  expiration: 1622637530000
  confidence: high
  context: {"description": "formbook controller URL"}
  mitre_tactics: command_and_control
  indicator_type: url
  indicator_data: {"url": "http://example.com"}
  intel_requirements: 1.1.5, 1.1.6

value: d55d6ffe62778604b95c4af57bbd25010a26869668516e1139865d907b4177a7
type: File
rawJSON:
  uid: ed7e66db788ccdef60c0a30f37da66e2
  threat: {"type": "malware", "uid": "456c1d6b360423fffff2bff49d0662eb", "data": {"malware_family_profile_uid": "456c1d6b360423fffff2bff49d0662eb", "family": "cobaltstrike"}}
  expiration: 1651577888000
  confidence: medium
  context: {"description": "core component downloaded by cobaltstrike malware family"}
  mitre_tactics: stage_capabilities
  indicator_type: file
  indicator_data: {"file": {"md5": "c274ce1427910a47d7acbfcb36f8e5c9", "sha1": "2479bdbd4f4a5b04e995eccc477ed44d7bbabf43", "sha256": "d55d6ffe62778604b95c4af57bbd25010a26869668516e1139865d907b4177a7", "type": "DATA", "size": 180854, "download_url": "https://api.intel471.com/v1/download/malwareIntel/d55d6ffe62778604b95c4af57bbd25010a26869668516e1139865d907b4177a7.zip"}}
  intel_requirements: 1.1

value: ba1a42a7875ba307126d3f470617107973b8557756d08b386c1d9e2fbdfe3f0f
type: File
rawJSON:
  uid: 2a930e90451169755fe2b65620a28364
  threat: {"type": "malware", "uid": "183ee6a5aec804f5df69eea69edddce0", "data": {"malware_family_profile_uid": "886b44916f8e62d9a9da5f7a8b143fb8", "family": "smokeloader", "version": "2020"}}
  expiration: 1651578048000
  confidence: medium
  context: {"description": "executable downloaded by smokeloader malware family"}
  mitre_tactics: command_and_control
  indicator_type: file
  indicator_data: {"file": {"md5": "0d0fec0f2a6af96ad0a7d0d3c96cb98d", "sha1": "223f50da553a39823c8b731fbc68f72471cb5152", "sha256": "ba1a42a7875ba307126d3f470617107973b8557756d08b386c1d9e2fbdfe3f0f", "type": "PEEXE_x64", "size": 5613568, "download_url": "https://api.intel471.com/v1/download/malwareIntel/ba1a42a7875ba307126d3f470617107973b8557756d08b386c1d9e2fbdfe3f0f.zip"}}
  intel_requirements: 1.1.5, 1.1.6

value: 1d96205e9fd00d5dd4a57e101eee21f47d850c505d592998c5ea12ff867e1865
type: File
rawJSON:
  uid: df7c2e16d384f1fbfe09e3fafab93fa6
  threat: {"type": "malware", "uid": "183ee6a5aec804f5df69eea69edddce0", "data": {"malware_family_profile_uid": "886b44916f8e62d9a9da5f7a8b143fb8", "family": "smokeloader", "version": "2020"}}
  expiration: 1651578052000
  confidence: medium
  context: {"description": "executable downloaded by smokeloader malware family"}
  mitre_tactics: command_and_control
  indicator_type: file
  indicator_data: {"file": {"md5": "9bcb6653def44687d0d8f971ca5d0cf5", "sha1": "b900e03a9770a4345f1276c198843a5b2bc02223", "sha256": "1d96205e9fd00d5dd4a57e101eee21f47d850c505d592998c5ea12ff867e1865", "type": "PEEXE_x86", "size": 771072, "download_url": "https://api.intel471.com/v1/download/malwareIntel/1d96205e9fd00d5dd4a57e101eee21f47d850c505d592998c5ea12ff867e1865.zip"}}
  intel_requirements: 1.1.5, 1.1.6

value: 26e9bac9d285ba198b272999ae48e7049eb7847c2d37c142b79931779130df8b
type: File
rawJSON:
  uid: 35faa35978b8ee7f3a32c0f83291163d
  threat: {"type": "malware", "uid": "4bff756d3eacb5066dbdeebdaf3f9aeb", "data": {"malware_family_profile_uid": "b38ef686caf0103866339452d3d1c4fb", "family": "dridex", "version": "2.165"}}
  expiration: 1651578060000
  confidence: medium
  context: {"description": "web_inject plugin downloaded by dridex malware family"}
  mitre_tactics: stage_capabilities
  indicator_type: file
  indicator_data: {"file": {"md5": "8a72d4c069d724bcf70ccde3148df130", "sha1": "398484e2c3bd11f2e8bff37614db4cc5943b966d", "sha256": "26e9bac9d285ba198b272999ae48e7049eb7847c2d37c142b79931779130df8b", "type": "PEDLL_x64", "size": 614400, "download_url": "https://api.intel471.com/v1/download/malwareIntel/26e9bac9d285ba198b272999ae48e7049eb7847c2d37c142b79931779130df8b.zip"}}
  intel_requirements: 1.3.4, 1.1.4

value: 055c7a3ecbc64032aa4e08d3e9954183a216ae085e1a25cd85108414534aa92d
type: File
rawJSON:
  uid: fec667f3d059f9635a231e4b57bd18f8
  threat: {"type": "malware", "uid": "355b864087900df6130bc1605ace1035", "data": {"malware_family_profile_uid": "d9b8af17f349af0718badc314ce6b4bd", "family": "qbot", "version": "0402.12"}}
  expiration: 1651578135000
  confidence: high
  context: {"description": "sample of qbot malware family"}
  mitre_tactics: command_and_control
  indicator_type: file
  indicator_data: {"file": {"md5": "5a8d0dd7df9a2f5996dbbb3d62303a4c", "sha1": "62b32aa8e61ff1e66d55fee4649b9aef52d50e60", "sha256": "055c7a3ecbc64032aa4e08d3e9954183a216ae085e1a25cd85108414534aa92d", "type": "PEDLL_x86", "size": 1004032, "download_url": "https://api.intel471.com/v1/download/malwareIntel/055c7a3ecbc64032aa4e08d3e9954183a216ae085e1a25cd85108414534aa92d.zip"}}
  intel_requirements: 1.3.4, 1.1.4

value: x.x.x.x
type: IP
rawJSON:
  uid: e71f7b0300d6bc37fd4cb27fd03c98ed
  threat: {"type": "malware", "uid": "2103dcd99080ee86a7808912f3ff4382", "data": {"malware_family_profile_uid": "d9b8af17f349af0718badc314ce6b4bd", "family": "qbot", "version": "0402.68"}}
  expiration: 1622633644000
  confidence: medium
  context: {"description": "qbot controller IPv4"}
  mitre_tactics: command_and_control
  indicator_type: ipv4
  indicator_data: {"address": "x.x.x.x"}
  intel_requirements: 1.3.4, 1.1.4

value: x.x.x.x
type: IP
rawJSON:
  uid: 09ae761c2a9cbaaa6210129a3c89474a
  threat: {"type": "malware", "uid": "355b864087900df6130bc1605ace1035", "data": {"malware_family_profile_uid": "d9b8af17f349af0718badc314ce6b4bd", "family": "qbot", "version": "0402.12"}}
  expiration: 1622634181000
  confidence: medium
  context: {"description": "qbot controller IPv4"}
  mitre_tactics: command_and_control
  indicator_type: ipv4
  indicator_data: {"address": "x.x.x.x"}
  intel_requirements: 1.3.4, 1.1.4

value: x.x.x.x
type: IP
rawJSON:
  uid: fdc225adafa78bae33ca9651bbfcc36e
  threat: {"type": "malware", "uid": "22e7a5f41d4f3cc5c704758ffa505556", "data": {"malware_family_profile_uid": "20eb1f82621001883ea0c2085aff5729", "family": "lokibot", "version": "1.8"}}
  expiration: 1622636921000
  confidence: medium
  context: {"description": "lokibot controller IPv4"}
  mitre_tactics: command_and_control
  indicator_type: ipv4
  indicator_data: {"address": "x.x.x.x"}
  intel_requirements: 1.1.5, 1.1.6

value: x.x.x.x
type: IP
rawJSON:
  uid: a9a3a50497dc52eee69be35cffd22b5c
  threat: {"type": "malware", "uid": "2103dcd99080ee86a7808912f3ff4382", "data": {"malware_family_profile_uid": "d9b8af17f349af0718badc314ce6b4bd", "family": "qbot", "version": "0402.68"}}
  expiration: 1622637063000
  confidence: medium
  context: {"description": "qbot controller IPv4"}
  mitre_tactics: command_and_control
  indicator_type: ipv4
  indicator_data: {"address": "x.x.x.x"}
  intel_requirements: 1.3.4, 1.1.4

value: x.x.x.x
type: IP
rawJSON:
  uid: c4e482756324c8020ea96beda15db0cc
  threat: {"type": "malware", "uid": "12699e2e6873f0e319e2db36e28f6262", "data": {"malware_family_profile_uid": "886b44916f8e62d9a9da5f7a8b143fb8", "family": "smokeloader", "version": "2019"}}
  expiration: 1622639358000
  confidence: medium
  context: {"description": "smokeloader controller IPv4"}
  mitre_tactics: command_and_control
  indicator_type: ipv4
  indicator_data: {"address": "x.x.x.x"}
  intel_requirements: 1.1.5, 1.1.6
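The rawJSON records above share one layout (uid, threat, expiration in epoch milliseconds, confidence, context, mitre_tactics, indicator_type, indicator_data, intel_requirements), and the value column is derived differently per type: the URL for url records, the sha256 for file records and the address for ipv4 records. The following added example (not the integration's own code, and not the Intel471 API) normalises such records into XSOAR-style indicator dicts and builds a lookup that a defender can run observed URLs, hashes or IPv4 addresses against; expired entries are dropped, and file indicators are indexed by md5, sha1 and sha256 so a log line that only carries an MD5 still matches. The sample records, the indicator field names and the "now" timestamps are constructed for this example.

```python
# Added example, not the integration's own code: normalise Intel471 indicator
# records (rawJSON layout as in the output above) and look observed values up.
# Sample records, XSOAR field names and "now" timestamps are constructed.
from datetime import datetime, timezone
from typing import Any, Dict, List, Optional, Tuple

# Constructed sample records: placeholder uids/hashes, RFC 5737 documentation IP.
SAMPLE_RECORDS: List[Dict[str, Any]] = [
    {"uid": "0" * 31 + "1",
     "threat": {"type": "malware", "uid": "0" * 31 + "a", "data": {"malware_family_profile_uid": "0" * 31 + "b", "family": "qbot", "version": "0402.68"}},
     "expiration": 1622633644000,  # epoch milliseconds (2021-06-02T11:34:04Z)
     "confidence": "high", "context": {"description": "qbot controller URL"},
     "mitre_tactics": "command_and_control", "indicator_type": "url",
     "indicator_data": {"url": "https://example.com"}, "intel_requirements": ["1.3.4", "1.1.4"]},
    {"uid": "0" * 31 + "2",
     "threat": {"type": "malware", "uid": "0" * 31 + "c", "data": {"malware_family_profile_uid": "0" * 31 + "d", "family": "smokeloader", "version": "2020"}},
     "expiration": 1651578048000,
     "confidence": "medium", "context": {"description": "executable downloaded by smokeloader malware family"},
     "mitre_tactics": "command_and_control", "indicator_type": "file",
     "indicator_data": {"file": {"md5": "bb" * 16, "sha1": "cc" * 20, "sha256": "aa" * 32, "type": "PEEXE_x64", "size": 5613568}},
     "intel_requirements": ["1.1.5", "1.1.6"]},
    {"uid": "0" * 31 + "3",
     "threat": {"type": "malware", "uid": "0" * 31 + "e", "data": {"malware_family_profile_uid": "0" * 31 + "f", "family": "lokibot", "version": "1.8"}},
     "expiration": 1622636921000,
     "confidence": "medium", "context": {"description": "lokibot controller IPv4"},
     "mitre_tactics": "command_and_control", "indicator_type": "ipv4",
     "indicator_data": {"address": "192.0.2.10"}, "intel_requirements": ["1.1.5", "1.1.6"]},
]


def expiration_to_iso(expiration_ms: int) -> str:
    """The feed's expiration is a Unix epoch in milliseconds, not seconds."""
    return datetime.fromtimestamp(expiration_ms / 1000, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def indicator_value(record: Dict[str, Any]) -> Tuple[str, str]:
    """(XSOAR type, value): URL from indicator_data.url, File by sha256, IP from indicator_data.address."""
    kind = record["indicator_type"]
    data = record["indicator_data"]
    if kind == "url":
        return "URL", data["url"]
    if kind == "file":
        return "File", data["file"]["sha256"].lower()
    if kind == "ipv4":
        return "IP", data["address"]
    raise ValueError(f"unsupported indicator_type: {kind!r}")


def _as_list(value: Any) -> List[str]:
    """Accept a list or a comma-separated string (mitre_tactics, intel_requirements)."""
    if isinstance(value, list):
        return [str(v).strip() for v in value]
    return [v.strip() for v in str(value or "").split(",") if v.strip()]


def to_xsoar_indicator(record: Dict[str, Any], now_ms: int) -> Dict[str, Any]:
    """Build an XSOAR-style indicator dict; the field names are illustrative, not the integration's mapping."""
    xsoar_type, value = indicator_value(record)
    threat = record.get("threat", {}).get("data", {})
    return {
        "value": value,
        "type": xsoar_type,
        "expired": now_ms >= record["expiration"],
        "fields": {
            "intel471uid": record["uid"],
            "malwarefamily": threat.get("family"),
            "malwareversion": threat.get("version"),
            "confidence": record.get("confidence"),
            "description": record.get("context", {}).get("description"),
            "tactics": _as_list(record.get("mitre_tactics")),
            "expiration": expiration_to_iso(record["expiration"]),
            "intelrequirements": _as_list(record.get("intel_requirements")),
        },
        "rawJSON": record,
    }


def build_lookup(records: List[Dict[str, Any]], now_ms: int) -> Dict[str, Dict[str, Any]]:
    """Index unexpired indicators by every value a defender may see in logs.
    File indicators are keyed by md5, sha1 and sha256 so an MD5-only log line still matches."""
    lookup: Dict[str, Dict[str, Any]] = {}
    for record in records:
        indicator = to_xsoar_indicator(record, now_ms)
        if indicator["expired"]:
            continue  # an expired feed entry must not produce a match
        keys = [indicator["value"]]
        if indicator["type"] == "File":
            hashes = record["indicator_data"]["file"]
            keys = [hashes[h].lower() for h in ("md5", "sha1", "sha256") if hashes.get(h)]
        for key in keys:
            lookup[key] = indicator
    return lookup


def match_observed(lookup: Dict[str, Dict[str, Any]], observed: str) -> Optional[Dict[str, Any]]:
    """Look an observed URL, hash or IPv4 address up; hashes compare case-insensitively."""
    key = observed.strip()
    if len(key) in (32, 40, 64) and all(c in "0123456789abcdefABCDEF" for c in key):
        key = key.lower()
    return lookup.get(key)


if __name__ == "__main__":
    live = build_lookup(SAMPLE_RECORDS, now_ms=1622000000000)  # constructed "now": 2021-05-26
    hit = match_observed(live, "BB" * 16)
    print(hit["type"], hit["fields"]["malwarefamily"], hit["fields"]["expiration"])
```

The expiration check is the part worth keeping in any real pipeline: the feed's expiration is in milliseconds, so comparing it against a seconds-based clock would keep every indicator alive for decades, and blocking on stale controller addresses is how feeds end up generating false positives on re-assigned infrastructure.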