Intel471 Malware Indicator Feed
Intel471 Feed Pack.#
This Integration is part of theSupported versions
Supported Cortex XSOAR versions: 5.5.0 and later.
Intel471's Malware Intelligence is focused on the provisioning of a high fidelity and timely indicators feed with rich context, TTP information, and malware intelligence reports. This feed allows customers to block and gain an understanding of the latest crimeware campaigns and is for those that value timeliness, confidence (little to no false positives), and seek rich context and insight around the attacks they are seeing."
#
Configure Intel471 Indicator Feed in CortexParameter | Description | Required |
---|---|---|
Fetch indicators | False | |
Username | False | |
Indicator Reputation | Indicators from this integration instance will be marked with this reputation | False |
Source Reliability | Reliability of the source providing the intelligence data | True |
Traffic Light Protocol Color | The Traffic Light Protocol (TLP) designation to apply to indicators fetched from the feed | False |
Indicator Expiration Method | False | |
Feed Expiration Interval | False | |
Feed Fetch Interval | False | |
Indicator Type | Type of the indicator in the feed. | True |
Search by Threat Type | "Search indicators by threat type (e.g. malware, bulletproof_hosting, proxy_service). If empty, all threat types will be considered." | False |
Malware Family | "Search indicators by malware family (e.g. gozi_isfb, smokeloader, trickbot). If empty, all malware families will be considered." | False |
Search by confidence | Search indicators by confidence. See detailed description of the confidence levels below. | False |
Free text indicator search (all fields included) | False | |
First fetch timestamp (<number> <time unit>, e.g., 12 hours, 7 days) | How far back in time to go when performing the first fetch. | False |
Tags | Supports CSV values. | False |
Bypass exclusion list | When selected, the exclusion list is ignored for indicators from this feed. This means that if an indicator from this feed is on the exclusion list, the indicator might still be added to the system. | False |
Use system proxy settings | False | |
Trust any certificate (not secure) | False | |
Create relationships | Create relationships between indicators as part of Enrichment. | False |
#
CommandsYou can execute these commands from the CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.
#
intel471-indicators-get-indicatorsGets the feed indicators.
#
Base Commandintel471-indicators-get-indicators
#
InputArgument Name | Description | Required |
---|---|---|
limit | The maximum number of results to return. Default is 50. Will limit the result for each indicator type. | Optional |
#
Context OutputThere is no context output for this command.
#
Command Example!intel471-indicators-get-indicators limit=5
#
Human Readable Output#
Indicators
value type rawJSON https://example.com URL uid: 3cbf2c65f7d7b86c3276094b795e289a
threat: {"type": "malware", "uid": "2103dcd99080ee86a7808912f3ff4382", "data": {"malware_family_profile_uid": "d9b8af17f349af0718badc314ce6b4bd", "family": "qbot", "version": "0402.68"}}
expiration: 1622633644000
confidence: high
context: {"description": "qbot controller URL"}
mitre_tactics: command_and_control
indicator_type: url
indicator_data: {"url": "https://example.com"}
intel_requirements: 1.3.4,
1.1.4https://example.com URL uid: 46c4335a6e4f07cbc073754ce830b23b
threat: {"type": "malware", "uid": "355b864087900df6130bc1605ace1035", "data": {"malware_family_profile_uid": "d9b8af17f349af0718badc314ce6b4bd", "family": "qbot", "version": "0402.12"}}
expiration: 1622634181000
confidence: high
context: {"description": "qbot controller URL"}
mitre_tactics: command_and_control
indicator_type: url
indicator_data: {"url": "https://example.com"}
intel_requirements: 1.3.4,
1.1.4https://example.com URL uid: 3ac312ba14bb661ac165ff9b06a4de51
threat: {"type": "malware", "uid": "22e7a5f41d4f3cc5c704758ffa505556", "data": {"malware_family_profile_uid": "20eb1f82621001883ea0c2085aff5729", "family": "lokibot", "version": "1.8"}}
expiration: 1622636921000
confidence: high
context: {"description": "lokibot controller URL"}
mitre_tactics: command_and_control
indicator_type: url
indicator_data: {"url": "https://example.com"}
intel_requirements: 1.1.5,
1.1.6https://example.com URL uid: 3c2b4db3d8016f7ad1e97821d6f58cff
threat: {"type": "malware", "uid": "2103dcd99080ee86a7808912f3ff4382", "data": {"malware_family_profile_uid": "d9b8af17f349af0718badc314ce6b4bd", "family": "qbot", "version": "0402.68"}}
expiration: 1622637063000
confidence: high
context: {"description": "qbot controller URL"}
mitre_tactics: command_and_control
indicator_type: url
indicator_data: {"url": "https://example.com"}
intel_requirements: 1.3.4,
1.1.4http://example.com URL uid: f2509c1f7c725e2ffa6ae8e93f3dd4da
threat: {"type": "malware", "uid": "2beba14b4653bf651e1dee439b1caf48", "data": {"malware_family_profile_uid": "dbdf04e70d844c5d9373f9069998bbcb", "family": "formbook", "version": "4.1"}}
expiration: 1622637530000
confidence: high
context: {"description": "formbook controller URL"}
mitre_tactics: command_and_control
indicator_type: url
indicator_data: {"url": "http://example.com"}
intel_requirements: 1.1.5,
1.1.6d55d6ffe62778604b95c4af57bbd25010a26869668516e1139865d907b4177a7 File uid: ed7e66db788ccdef60c0a30f37da66e2
threat: {"type": "malware", "uid": "456c1d6b360423fffff2bff49d0662eb", "data": {"malware_family_profile_uid": "456c1d6b360423fffff2bff49d0662eb", "family": "cobaltstrike"}}
expiration: 1651577888000
confidence: medium
context: {"description": "core component downloaded by cobaltstrike malware family"}
mitre_tactics: stage_capabilities
indicator_type: file
indicator_data: {"file": {"md5": "c274ce1427910a47d7acbfcb36f8e5c9", "sha1": "2479bdbd4f4a5b04e995eccc477ed44d7bbabf43", "sha256": "d55d6ffe62778604b95c4af57bbd25010a26869668516e1139865d907b4177a7", "type": "DATA", "size": 180854, "download_url": "https://api.intel471.com/v1/download/malwareIntel/d55d6ffe62778604b95c4af57bbd25010a26869668516e1139865d907b4177a7.zip"}}
intel_requirements: 1.1ba1a42a7875ba307126d3f470617107973b8557756d08b386c1d9e2fbdfe3f0f File uid: 2a930e90451169755fe2b65620a28364
threat: {"type": "malware", "uid": "183ee6a5aec804f5df69eea69edddce0", "data": {"malware_family_profile_uid": "886b44916f8e62d9a9da5f7a8b143fb8", "family": "smokeloader", "version": "2020"}}
expiration: 1651578048000
confidence: medium
context: {"description": "executable downloaded by smokeloader malware family"}
mitre_tactics: command_and_control
indicator_type: file
indicator_data: {"file": {"md5": "0d0fec0f2a6af96ad0a7d0d3c96cb98d", "sha1": "223f50da553a39823c8b731fbc68f72471cb5152", "sha256": "ba1a42a7875ba307126d3f470617107973b8557756d08b386c1d9e2fbdfe3f0f", "type": "PEEXE_x64", "size": 5613568, "download_url": "https://api.intel471.com/v1/download/malwareIntel/ba1a42a7875ba307126d3f470617107973b8557756d08b386c1d9e2fbdfe3f0f.zip"}}
intel_requirements: 1.1.5,
1.1.61d96205e9fd00d5dd4a57e101eee21f47d850c505d592998c5ea12ff867e1865 File uid: df7c2e16d384f1fbfe09e3fafab93fa6
threat: {"type": "malware", "uid": "183ee6a5aec804f5df69eea69edddce0", "data": {"malware_family_profile_uid": "886b44916f8e62d9a9da5f7a8b143fb8", "family": "smokeloader", "version": "2020"}}
expiration: 1651578052000
confidence: medium
context: {"description": "executable downloaded by smokeloader malware family"}
mitre_tactics: command_and_control
indicator_type: file
indicator_data: {"file": {"md5": "9bcb6653def44687d0d8f971ca5d0cf5", "sha1": "b900e03a9770a4345f1276c198843a5b2bc02223", "sha256": "1d96205e9fd00d5dd4a57e101eee21f47d850c505d592998c5ea12ff867e1865", "type": "PEEXE_x86", "size": 771072, "download_url": "https://api.intel471.com/v1/download/malwareIntel/1d96205e9fd00d5dd4a57e101eee21f47d850c505d592998c5ea12ff867e1865.zip"}}
intel_requirements: 1.1.5,
1.1.626e9bac9d285ba198b272999ae48e7049eb7847c2d37c142b79931779130df8b File uid: 35faa35978b8ee7f3a32c0f83291163d
threat: {"type": "malware", "uid": "4bff756d3eacb5066dbdeebdaf3f9aeb", "data": {"malware_family_profile_uid": "b38ef686caf0103866339452d3d1c4fb", "family": "dridex", "version": "2.165"}}
expiration: 1651578060000
confidence: medium
context: {"description": "web_inject plugin downloaded by dridex malware family"}
mitre_tactics: stage_capabilities
indicator_type: file
indicator_data: {"file": {"md5": "8a72d4c069d724bcf70ccde3148df130", "sha1": "398484e2c3bd11f2e8bff37614db4cc5943b966d", "sha256": "26e9bac9d285ba198b272999ae48e7049eb7847c2d37c142b79931779130df8b", "type": "PEDLL_x64", "size": 614400, "download_url": "https://api.intel471.com/v1/download/malwareIntel/26e9bac9d285ba198b272999ae48e7049eb7847c2d37c142b79931779130df8b.zip"}}
intel_requirements: 1.3.4,
1.1.4055c7a3ecbc64032aa4e08d3e9954183a216ae085e1a25cd85108414534aa92d File uid: fec667f3d059f9635a231e4b57bd18f8
threat: {"type": "malware", "uid": "355b864087900df6130bc1605ace1035", "data": {"malware_family_profile_uid": "d9b8af17f349af0718badc314ce6b4bd", "family": "qbot", "version": "0402.12"}}
expiration: 1651578135000
confidence: high
context: {"description": "sample of qbot malware family"}
mitre_tactics: command_and_control
indicator_type: file
indicator_data: {"file": {"md5": "5a8d0dd7df9a2f5996dbbb3d62303a4c", "sha1": "62b32aa8e61ff1e66d55fee4649b9aef52d50e60", "sha256": "055c7a3ecbc64032aa4e08d3e9954183a216ae085e1a25cd85108414534aa92d", "type": "PEDLL_x86", "size": 1004032, "download_url": "https://api.intel471.com/v1/download/malwareIntel/055c7a3ecbc64032aa4e08d3e9954183a216ae085e1a25cd85108414534aa92d.zip"}}
intel_requirements: 1.3.4,
1.1.4x.x.x.x IP uid: e71f7b0300d6bc37fd4cb27fd03c98ed
threat: {"type": "malware", "uid": "2103dcd99080ee86a7808912f3ff4382", "data": {"malware_family_profile_uid": "d9b8af17f349af0718badc314ce6b4bd", "family": "qbot", "version": "0402.68"}}
expiration: 1622633644000
confidence: medium
context: {"description": "qbot controller IPv4"}
mitre_tactics: command_and_control
indicator_type: ipv4
indicator_data: {"address": "x.x.x.x"}
intel_requirements: 1.3.4,
1.1.4x.x.x.x IP uid: 09ae761c2a9cbaaa6210129a3c89474a
threat: {"type": "malware", "uid": "355b864087900df6130bc1605ace1035", "data": {"malware_family_profile_uid": "d9b8af17f349af0718badc314ce6b4bd", "family": "qbot", "version": "0402.12"}}
expiration: 1622634181000
confidence: medium
context: {"description": "qbot controller IPv4"}
mitre_tactics: command_and_control
indicator_type: ipv4
indicator_data: {"address": "x.x.x.x"}
intel_requirements: 1.3.4,
1.1.4x.x.x.x IP uid: fdc225adafa78bae33ca9651bbfcc36e
threat: {"type": "malware", "uid": "22e7a5f41d4f3cc5c704758ffa505556", "data": {"malware_family_profile_uid": "20eb1f82621001883ea0c2085aff5729", "family": "lokibot", "version": "1.8"}}
expiration: 1622636921000
confidence: medium
context: {"description": "lokibot controller IPv4"}
mitre_tactics: command_and_control
indicator_type: ipv4
indicator_data: {"address": "x.x.x.x"}
intel_requirements: 1.1.5,
1.1.6x.x.x.x IP uid: a9a3a50497dc52eee69be35cffd22b5c
threat: {"type": "malware", "uid": "2103dcd99080ee86a7808912f3ff4382", "data": {"malware_family_profile_uid": "d9b8af17f349af0718badc314ce6b4bd", "family": "qbot", "version": "0402.68"}}
expiration: 1622637063000
confidence: medium
context: {"description": "qbot controller IPv4"}
mitre_tactics: command_and_control
indicator_type: ipv4
indicator_data: {"address": "x.x.x.x"}
intel_requirements: 1.3.4,
1.1.4x.x.x.x IP uid: c4e482756324c8020ea96beda15db0cc
threat: {"type": "malware", "uid": "12699e2e6873f0e319e2db36e28f6262", "data": {"malware_family_profile_uid": "886b44916f8e62d9a9da5f7a8b143fb8", "family": "smokeloader", "version": "2019"}}
expiration: 1622639358000
confidence: medium
context: {"description": "smokeloader controller IPv4"}
mitre_tactics: command_and_control
indicator_type: ipv4
indicator_data: {"address": "x.x.x.x"}
intel_requirements: 1.1.5,
1.1.6