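def search(self):
    """Look the IOC up in the Spamhaus DROP, EDROP and DROPv6 feeds.

    Each feed line is ``<cidr> ; <comment>``; lines starting with ``;`` are
    comments. The IOC is parsed once as an IP address and reported FOUND,
    with the feed URL as the reference, on the first feed whose network
    contains it. A feed that cannot be fetched (the Cache raises
    NameError for that) is reported as ERROR and aborts the search;
    otherwise NOT_FOUND is reported.

    Fixes: the original never returned after a hit, so "NOT_FOUND" was
    printed right after "FOUND" for the same IOC, and a bare ``except``
    hid parse errors (and the IndexError from ``line[0]`` on blank lines).
    """
    mod.display(self.module_name, "", "INFO", "Searching...")
    url = "https://www.spamhaus.org/drop/"
    paths = [
        "drop.txt",
        "edrop.txt",
        "dropv6.txt",
    ]

    # Parse the IOC once: if it is not an IP address at all, no DROP
    # network can contain it, so there is nothing to scan.
    try:
        address = IPAddress(self.ioc)
    except Exception:
        mod.display(self.module_name, self.ioc, "NOT_FOUND",
                    "Nothing found in SpamHaus feeds")
        return None

    for path in paths:
        try:
            content = Cache(self.module_name, url, path,
                            self.search_method).content
        except NameError as e:
            mod.display(self.module_name, self.ioc, "ERROR", e)
            return None
        for line in content.split("\n"):
            line = line.strip()
            # Skip blank lines and ';' comment lines explicitly instead of
            # letting line[0] raise into a bare except.
            if not line or line.startswith(";"):
                continue
            try:
                network = IPNetwork(line.split(" ")[0])
            except Exception:
                # Malformed entry (netaddr raises its own AddrFormatError,
                # which is not a ValueError): ignore it, like the original.
                continue
            if address in network:
                mod.display(self.module_name, self.ioc, "FOUND",
                            "%s%s" % (url, path))
                # Stop after the first hit so NOT_FOUND is not also printed
                # for an IOC that was just reported as FOUND.
                return None
    mod.display(self.module_name, self.ioc, "NOT_FOUND",
                "Nothing found in SpamHaus feeds")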
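def search(self):
    """Look the IOC up in the nothink.org SNMP/SSH/telnet blacklists.

    Each feed is scanned line by line and the IOC is reported FOUND with
    the feed URL as reference on the first match. A feed that cannot be
    fetched (the Cache raises NameError) is reported as ERROR and aborts
    the search; otherwise NOT_FOUND is reported.

    Fix: matching is now done on whole whitespace-separated fields rather
    than on substrings, so an IP IOC such as "10.0.0.1" no longer matches
    an entry like "110.0.0.12" (assumes one address per line, possibly
    followed by extra columns).
    """
    mod.display(self.module_name, "", "INFO", "Searching...")
    # NOTE(review): this feed is fetched over plain HTTP, so its content
    # can be altered in transit; check whether an https endpoint exists.
    url = "http://www.nothink.org/blacklist/"
    paths = [
        "blacklist_snmp_year.txt",
        "blacklist_ssh_year.txt",
        "blacklist_telnet_year.txt"
    ]
    for path in paths:
        try:
            content = Cache(self.module_name, url, path,
                            self.search_method).content
        except NameError as e:
            mod.display(self.module_name, self.ioc, "ERROR", e)
            return None
        for line in content.split("\n"):
            # Whole-field comparison: avoids substring false positives.
            if self.ioc in line.split():
                mod.display(self.module_name, self.ioc, "FOUND",
                            "%s%s" % (url, path))
                return None
    mod.display(self.module_name, self.ioc, "NOT_FOUND",
                "Nothing found in nothink feeds")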
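def search(self):
    """Look the IOC up in the FeodoTracker IP or domain blocklist.

    The feed is chosen from ``self.type`` ("IPv4" -> ipblocklist,
    "domain" -> domainblocklist); any other type is reported as ERROR.
    A hit is reported FOUND with the FeodoTracker host page as reference,
    otherwise NOT_FOUND. A feed that cannot be fetched (the Cache raises
    NameError) is reported as ERROR.

    Fixes: an unrecognized type used to fall through with ``path``
    unbound and crash on the Cache call; matching now compares whole
    fields (split on whitespace and commas) instead of substrings, so
    "10.0.0.1" no longer matches "110.0.0.12".
    """
    mod.display(self.module_name, "", "INFO", "Search in FeodoTracker ...")
    url = "https://feodotracker.abuse.ch/blocklist/?download="
    paths = ["ipblocklist", "domainblocklist"]
    if self.type == "IPv4":
        path = paths[0]
    elif self.type == "domain":
        path = paths[1]
    else:
        mod.display(
            self.module_name, self.ioc, "ERROR",
            "This IOC is of an unrecognized type: %s" % (self.type))
        # Without this return `path` is unbound below (UnboundLocalError).
        return None
    try:
        content = Cache(self.module_name, url, path,
                        self.search_method).content
    except NameError as e:
        mod.display(self.module_name, self.ioc, "ERROR", e)
        return None
    # Whole-field comparison; commas are treated as separators too in
    # case the feed carries extra columns.
    found = any(self.ioc in line.replace(",", " ").split()
                for line in content.split("\n"))
    if not found:
        mod.display(self.module_name, self.ioc, "NOT_FOUND",
                    "Nothing found in FeodoTracker")
        return None
    host_page = "https://feodotracker.abuse.ch/host/" + self.ioc
    mod.display(self.module_name, self.ioc, "FOUND", host_page)
    return None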
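def search(self):
    """Look the IOC up in the URLhaus CSV feed.

    A substring pre-check on the raw feed avoids parsing the CSV when the
    IOC cannot be present. Rows are then parsed with ``csv`` and the IOC
    is reported FOUND, with the row's last column as reference, when it
    equals a field exactly. NOT_FOUND is reported otherwise; a feed that
    cannot be fetched (the Cache raises NameError) or parsed is ERROR.

    Fixes: ``csv.reader`` is lazy, so parse errors surface while iterating
    and the guard now wraps the loop rather than the constructor; and a
    substring hit with no exact field match used to end silently instead
    of reporting NOT_FOUND.
    """
    mod.display(self.module_name, "", "INFO", "Search in URLhause ...")
    url = "https://urlhaus.abuse.ch/downloads/"
    paths = ["csv"]
    try:
        content = Cache(self.module_name, url, paths[0],
                        self.search_method).content
    except NameError as e:
        mod.display(self.module_name, self.ioc, "ERROR", e)
        return None
    if content.find(self.ioc) == -1:
        mod.display(self.module_name, self.ioc, "NOT_FOUND",
                    "Nothing found in URLhause")
        return None
    try:
        for row in csv.reader(content.split('\n'), delimiter=','):
            if self.ioc in row:
                # NOTE(review): assumes the last column is the reference
                # (URLhaus link) - confirm against the feed's header line.
                mod.display(self.module_name, self.ioc, "FOUND", row[-1])
                return None
    except csv.Error:
        mod.display(self.module_name, self.ioc, "ERROR",
                    "Could not parse CSV feed")
        return None
    # The substring occurred (inside a longer URL or a comment line) but
    # no field equals the IOC exactly.
    mod.display(self.module_name, self.ioc, "NOT_FOUND",
                "Nothing found in URLhause")
    return None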
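def search(self):
    """Look the IOC up in the DShield suspicious-domains feeds.

    Lines starting with ``#`` are comments; every other line is compared
    case-insensitively and as a whole against the IOC. A hit is reported
    FOUND with the feed URL as reference; a feed that cannot be fetched
    (the Cache raises NameError) is ERROR; otherwise NOT_FOUND.

    Fix: blank lines are skipped explicitly instead of ``line[0]`` raising
    IndexError into a bare ``except`` that also hid any other error.
    """
    mod.display(self.module_name, "", "INFO", "Searching...")
    url = "https://www.dshield.org/feeds/"
    paths = [
        "suspiciousdomains_Low.txt",
        "suspiciousdomains_Medium.txt",
        "suspiciousdomains_High.txt"
    ]
    needle = self.ioc.lower()
    for path in paths:
        try:
            content = Cache(self.module_name, url, path,
                            self.search_method).content
        except NameError as e:
            mod.display(self.module_name, self.ioc, "ERROR", e)
            return None
        for line in content.split("\n"):
            line = line.strip()
            if not line or line.startswith("#"):
                continue
            if line.lower() == needle:
                mod.display(self.module_name, self.ioc, "FOUND",
                            "%s%s" % (url, path))
                return None
    mod.display(self.module_name, self.ioc, "NOT_FOUND",
                "Nothing found in dhsield feeds")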
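def search(self):
    """Look the IOC up in the torstatus.blutmagie.de Tor node lists.

    Each feed is scanned line by line; the query export appears to be a
    multi-column CSV while the IP lists are one address per line, so a
    line is split on commas and whitespace and the IOC must equal one
    field exactly. A hit is reported FOUND with the feed URL as reference;
    a feed that cannot be fetched (the Cache raises NameError) is ERROR;
    otherwise NOT_FOUND.

    Fix: the original tested ``self.ioc in content`` as a substring, so an
    IP like "10.0.0.1" matched "110.0.0.12" anywhere in the file.
    """
    mod.display(self.module_name, "", "INFO", "Searching...")
    url = "https://torstatus.blutmagie.de/"
    paths = [
        "ip_list_all.php/Tor_ip_list_ALL.csv",
        "query_export.php/Tor_query_EXPORT.csv",
        "ip_list_exit.php/Tor_ip_list_EXIT.csv"
    ]
    for path in paths:
        try:
            content = Cache(self.module_name, url, path,
                            self.search_method).content
        except NameError as e:
            mod.display(self.module_name, self.ioc, "ERROR", e)
            return None
        for line in content.split("\n"):
            fields = line.replace(",", " ").split()
            if self.ioc in fields:
                mod.display(self.module_name, self.ioc, "FOUND",
                            "%s%s" % (url, path))
                return None
    mod.display(self.module_name, self.ioc, "NOT_FOUND",
                "Nothing found in TorIps feeds")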
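def search(self):
    """Look the IOC up in the OpenPhish feed of phishing URLs.

    For each feed line the host part (text between ``//`` and the next
    ``/``) is extracted. Matching depends on ``self.type``:
    "URL" -> the IOC is a substring of the line; "IPv4" -> the host
    validates as an IPv4 address and equals the IOC; "domain" -> the host
    validates as a domain and equals the IOC. Other types never match.
    A hit is reported FOUND with the feed URL as reference; a feed that
    cannot be fetched (the Cache raises NameError) is ERROR; otherwise
    NOT_FOUND.

    Fix: the host extraction cannot raise on a string, so the bare
    ``try/except: pass`` around it was dead code and was removed.
    """
    mod.display(self.module_name, "", "INFO", "Searching...")
    url = "https://openphish.com/"
    paths = [
        "feed.txt"
    ]
    for path in paths:
        try:
            content = Cache(self.module_name, url, path,
                            self.search_method).content
        except NameError as e:
            mod.display(self.module_name, self.ioc, "ERROR", e)
            return None
        for line in content.split("\n"):
            # Host part of the listed URL; a port, if any, is kept, so an
            # IP/domain IOC will not match "host:port" entries.
            host = line.split("//")[-1].split("/")[0]
            if self.type == "URL":
                hit = self.ioc in line
            elif self.type == "IPv4":
                hit = validators.ipv4(host) and self.ioc == host
            elif self.type == "domain":
                hit = validators.domain(host) and host == self.ioc
            else:
                hit = False
            if hit:
                mod.display(self.module_name, self.ioc, "FOUND",
                            "%s%s" % (url, path))
                return None
    mod.display(self.module_name, self.ioc, "NOT_FOUND",
                "Nothing found in openphish feeds")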
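def search(self):
    """Look the IOC up in the ZeuS Tracker bad-domain, IP and
    compromised-URL blocklists.

    Compromised-list entries carry no scheme, so a "URL" IOC has its
    scheme stripped once up front (kept on ``self.ioc`` so the reported
    value is the one compared) and is matched exactly against those
    lines. For the other types a compromised-list line is reduced to its
    host (path and port dropped); domain and IPv4 IOCs are then compared
    exactly against the (validated) host or list entry. A hit is reported
    FOUND with the feed URL as reference; a feed that cannot be fetched
    (the Cache raises NameError) is ERROR; otherwise NOT_FOUND.

    Fixes: the scheme strip ran on every feed iteration (and raised into
    a bare ``except`` from the second one on); ``str.split`` cannot raise,
    so the second bare ``try/except`` was dead and is gone.
    NOTE(review): the original was collapsed onto one line; this follows
    the reading under which all three feeds are actually consulted.
    """
    mod.display(self.module_name, "", "INFO", "Searching...")
    url = "https://zeustracker.abuse.ch/"
    paths = [
        "blocklist.php?download=baddomains",
        "blocklist.php?download=ipblocklist",
        "blocklist.php?download=compromised"
    ]
    if self.type == "URL" and "://" in self.ioc:
        self.ioc = self.ioc.split("://", 1)[1]
    for path in paths:
        try:
            content = Cache(self.module_name, url, path,
                            self.search_method).content
        except NameError as e:
            mod.display(self.module_name, self.ioc, "ERROR", e)
            return None
        compromised = path.split("=")[1] == "compromised"
        for line in content.split("\n"):
            if compromised:
                if self.type == "URL":
                    if self.ioc == line:
                        mod.display(self.module_name, self.ioc, "FOUND",
                                    "%s%s" % (url, path))
                        return None
                else:
                    # Keep only the host of "host[:port]/path" entries.
                    line = line.split("/")[0].split(":")[0]
            entry = line.strip()
            if self.type == "domain" and validators.domain(entry):
                if entry == self.ioc:
                    mod.display(self.module_name, self.ioc, "FOUND",
                                "%s%s" % (url, path))
                    return None
            elif self.type == "IPv4" and validators.ipv4(entry):
                if entry == self.ioc:
                    mod.display(self.module_name, self.ioc, "FOUND",
                                "%s%s" % (url, path))
                    return None
    mod.display(self.module_name, self.ioc, "NOT_FOUND",
                "Nothing found in zeustracker feeds")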
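def search(self):
    """Look the IOC up in the malwaredomains.com "immortal domains" list.

    Each line is compared exactly, after stripping surrounding whitespace,
    against the IOC. A hit is reported FOUND with the feed URL as
    reference; a feed that cannot be fetched (the Cache raises NameError)
    is ERROR; otherwise NOT_FOUND.

    Fix: the comparison now strips the line, so CRLF line endings or
    trailing spaces in the feed no longer defeat an exact match.
    """
    mod.display(self.module_name, "", "INFO", "Searching...")
    url = "https://mirror1.malwaredomains.com/files/"
    paths = ["immortal_domains.txt"]
    for path in paths:
        try:
            content = Cache(self.module_name, url, path,
                            self.search_method).content
        except NameError as e:
            mod.display(self.module_name, self.ioc, "ERROR", e)
            return None
        for line in content.split("\n"):
            if line.strip() == self.ioc:
                mod.display(self.module_name, self.ioc, "FOUND",
                            "%s%s" % (url, path))
                return None
    mod.display(self.module_name, self.ioc, "NOT_FOUND",
                "Nothing found in malwaredomains feeds")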
def search(self):
    """Look the IOC up in the VXvault URL list.

    The IOC is reported FOUND, with the feed URL as reference, if it
    occurs as a substring of any feed line (the list holds malware URLs,
    so an IP or domain IOC matches URLs hosted there). A feed that cannot
    be fetched (the Cache raises NameError) is reported as ERROR and
    aborts the search; otherwise NOT_FOUND is reported.

    NOTE(review): the feed is fetched over plain HTTP, so its content
    could be altered in transit; check whether an https endpoint exists.
    """
    mod.display(self.module_name, "", "INFO", "Searching...")
    base_url = "http://vxvault.net/"
    feeds = ["URL_List.php"]
    for feed in feeds:
        try:
            feed_content = Cache(self.module_name, base_url, feed,
                                 self.search_method).content
        except NameError as err:
            mod.display(self.module_name, self.ioc, "ERROR", err)
            return None
        matched = any(self.ioc in entry
                      for entry in feed_content.split("\n"))
        if matched:
            mod.display(self.module_name, self.ioc, "FOUND",
                        "%s%s" % (base_url, feed))
            return None
    mod.display(self.module_name, self.ioc, "NOT_FOUND",
                "Nothing found in vxvault feeds")
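def search(self):
    """Look the IOC up in the Malware Domain List hosts file.

    Only lines containing the sink address "127.0.0.1" are considered;
    the IOC must equal the line's second whitespace-separated field (the
    hostname). A hit is reported FOUND with the feed URL as reference; a
    feed that cannot be fetched (the Cache raises NameError) is ERROR;
    otherwise NOT_FOUND.

    Fix: fields are split on any run of whitespace. With
    ``line.split(" ")[1]`` a hosts-style line that separates address and
    hostname with two spaces or a tab yielded "" (or nothing to index)
    and could never match - or raised IndexError.
    """
    mod.display(self.module_name, "", "INFO", "Searching...")
    url = "https://www.malwaredomainlist.com/hostslist/"
    paths = ["hosts.txt"]
    for path in paths:
        try:
            content = Cache(self.module_name, url, path,
                            self.search_method).content
        except NameError as e:
            mod.display(self.module_name, self.ioc, "ERROR", e)
            return None
        for line in content.split("\n"):
            if "127.0.0.1" not in line:
                continue
            fields = line.split()
            if len(fields) > 1 and fields[1] == self.ioc:
                mod.display(self.module_name, self.ioc, "FOUND",
                            "%s%s" % (url, path))
                return None
    mod.display(self.module_name, self.ioc, "NOT_FOUND",
                "Nothing found in malwaredomainlist feeds")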
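def search(self):
    """Look the IOC up in the cybercrime-tracker.net full listing.

    A "URL" IOC has its scheme (everything up to and including "//")
    dropped first, kept on ``self.ioc`` so the reported value is the one
    compared. The IOC is reported FOUND, with the feed URL as reference,
    when it occurs as a substring of a feed line; a feed that cannot be
    fetched (the Cache raises NameError) is ERROR; otherwise NOT_FOUND.

    Fix: a URL IOC without "//" used to raise IndexError on the split.
    """
    mod.display(self.module_name, "", "INFO", "Searching...")
    url = "https://cybercrime-tracker.net/"
    paths = ["all.php"]
    if self.type == "URL" and "//" in self.ioc:
        self.ioc = self.ioc.split("//", 1)[1]
    for path in paths:
        try:
            content = Cache(self.module_name, url, path,
                            self.search_method).content
        except NameError as e:
            mod.display(self.module_name, self.ioc, "ERROR", e)
            return None
        for line in content.split("\n"):
            if self.ioc in line:
                mod.display(self.module_name, self.ioc, "FOUND",
                            "%s%s" % (url, path))
                return None
    mod.display(self.module_name, self.ioc, "NOT_FOUND",
                "Nothing found in Cybercrimetracker")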
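def search(self):
    """Look the IOC up in the abuse.ch SSL Blacklist CSV.

    Comment lines (``#``) are skipped; the IOC is matched
    case-insensitively as a substring of the remaining lines, which is
    appropriate for the SHA1 fingerprints this list carries. A hit is
    reported FOUND as "<third column> | <feed URL>"; a feed that cannot be
    fetched (the Cache raises NameError) is ERROR; otherwise NOT_FOUND.

    Fixes: a hit on a comment line or a short row used to raise
    IndexError on ``infos[2]``; hex fingerprints are now compared without
    regard to case.
    """
    mod.display(self.module_name, "", "INFO", "Searching...")
    url = "https://sslbl.abuse.ch/blacklist/"
    paths = ["sslblacklist.csv"]
    needle = self.ioc.lower()
    for path in paths:
        try:
            content = Cache(self.module_name, url, path,
                            self.search_method).content
        except NameError as e:
            mod.display(self.module_name, self.ioc, "ERROR", e)
            return None
        for line in content.split("\n"):
            if not line or line.startswith("#"):
                continue
            if needle in line.lower():
                infos = line.split(',')
                # Third column is the listing reason; fall back to the
                # raw line if the row is shorter than expected.
                reason = infos[2] if len(infos) > 2 else line
                mod.display(self.module_name, self.ioc, "FOUND",
                            "%s | %s%s" % (reason, url, path))
                return None
    mod.display(self.module_name, self.ioc, "NOT_FOUND",
                "Nothing found in sslblacklist feeds")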
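def search(self):
    """Look the IOC up in the MalwareTeks hosts file.

    Only lines containing the sink address "127.0.0.1" are considered;
    the text after it is split on whitespace and the IOC must equal one
    of those fields (so a line listing several hostnames, or carrying an
    inline comment, still matches). A hit is reported FOUND with the feed
    URL as reference; a feed that cannot be fetched (the Cache raises
    NameError) is ERROR; otherwise NOT_FOUND.

    Fix: lines without the sink address are skipped explicitly instead of
    raising IndexError into a bare ``except`` that hid every error.
    NOTE(review): the feed is fetched over plain HTTP, so its content
    could be altered in transit; check whether an https endpoint exists.
    """
    mod.display(self.module_name, "", "INFO", "Searching...")
    url = "http://hosts-file.malwareteks.com/"
    paths = ["hosts.txt"]
    for path in paths:
        try:
            content = Cache(self.module_name, url, path,
                            self.search_method).content
        except NameError as e:
            mod.display(self.module_name, self.ioc, "ERROR", e)
            return None
        for line in content.split("\n"):
            if "127.0.0.1" not in line:
                continue
            hosts = line.split("127.0.0.1", 1)[1].split()
            if self.ioc in hosts:
                mod.display(self.module_name, self.ioc, "FOUND",
                            "%s%s" % (url, path))
                return None
    mod.display(self.module_name, self.ioc, "NOT_FOUND",
                "Nothing found in MalwareTeks feeds")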
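def search(self):
    """Look the IOC up in the Lehigh malwaredomains ``domains.txt`` feed.

    Entries look like ``\\t\\t<domain>\\t<category>\\t...``; ``#`` lines are
    comments. The IOC must equal the domain field exactly. A hit is
    reported FOUND as "[<category>] <feed URL>"; a feed that cannot be
    fetched (the Cache raises NameError) is ERROR; otherwise NOT_FOUND.

    Fix: lines that do not fit the expected tab layout used to raise
    IndexError and abort the whole module mid-feed; they are now skipped,
    and a missing category is rendered as an empty label.
    """
    mod.display(self.module_name, "", "INFO", "Searching...")
    # NOTE(review): fetched over plain HTTP; the feed could be altered in
    # transit. Check whether an https endpoint exists.
    url = "http://malwaredomains.lehigh.edu/files/"
    paths = ["domains.txt"]
    for path in paths:
        try:
            content = Cache(self.module_name, url, path,
                            self.search_method).content
        except NameError as e:
            mod.display(self.module_name, self.ioc, "ERROR", e)
            return None
        for line in content.split("\n"):
            if not line or line[0] == '#':
                continue
            parts = line.split("\t\t")
            if len(parts) < 2:
                continue
            fields = parts[1].split("\t")
            if fields[0] != self.ioc:
                continue
            category = fields[1] if len(fields) > 1 else ""
            mod.display(
                self.module_name, self.ioc, "FOUND",
                "[%s] %s%s" % (category, url, path))
            return None
    mod.display(self.module_name, self.ioc, "NOT_FOUND",
                "Nothing found in lehigh feed")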
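def cache_search(self):
    """Look the IOC up in the cached MalwareConfig ``C2_All.csv`` feed.

    Cache failures are deliberately silent here (no ERROR line, just
    return), unlike the other modules. A substring pre-check on the raw
    feed avoids parsing when the IOC cannot be present; rows are then
    parsed with ``csv`` and the IOC is reported FOUND, with the row's
    second-to-last column as reference, when it equals a field exactly.
    NOT_FOUND is reported otherwise; an unparsable feed is ERROR.

    Fixes: the cache guard now catches ``Exception`` rather than
    everything (KeyboardInterrupt included); ``csv.reader`` is lazy, so
    the parse guard wraps the iteration instead of the constructor; and a
    substring hit with no exact field match used to end silently.
    """
    url = "https://malwareconfig.com/static/"
    paths = ["C2_All.csv"]
    try:
        content = Cache(self.module_name, url, paths[0],
                        self.search_method).content
    except Exception:
        return None
    if content.find(self.ioc) == -1:
        mod.display(self.module_name, self.ioc, "NOT_FOUND",
                    "Nothing found in MalwareConfig")
        return None
    try:
        for row in csv.reader(content.split('\n'), delimiter=','):
            if self.ioc in row:
                mod.display(self.module_name, self.ioc, "FOUND", row[-2])
                return None
    except csv.Error:
        mod.display(self.module_name, self.ioc, "ERROR",
                    "Could not parse CSV feed")
        return None
    mod.display(self.module_name, self.ioc, "NOT_FOUND",
                "Nothing found in MalwareConfig")
    return None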
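def search(self):
    """Look the IOC up in the abuse.ch Ransomware Tracker CSV feed.

    Comment lines (``#``) are skipped; the IOC is matched as a substring
    of the remaining lines. A hit is reported FOUND as
    "<third column, surrounding quotes removed> | <feed URL>"; a feed that
    cannot be fetched (the Cache raises NameError) is ERROR; otherwise
    NOT_FOUND.

    Fix: a hit on a row with fewer than three columns used to raise
    IndexError into a bare ``except`` that hid every other error; such
    rows are now skipped explicitly.
    """
    mod.display(self.module_name, "", "INFO", "Searching...")
    url = "https://ransomwaretracker.abuse.ch/feeds/"
    paths = ["csv"]
    try:
        content = Cache(self.module_name, url, paths[0],
                        self.search_method).content
    except NameError as e:
        mod.display(self.module_name, self.ioc, "ERROR", e)
        return None
    for line in content.split("\n"):
        if not line or line.startswith("#") or self.ioc not in line:
            continue
        fields = line.split(",")
        if len(fields) < 3:
            continue
        # Third column is quoted in the feed; drop the two quote marks.
        label = fields[2].replace('"', '', 2)
        mod.display(
            self.module_name, self.ioc, "FOUND",
            "%s | %s%s" % (label, url, paths[0]))
        return None
    mod.display(self.module_name, self.ioc, "NOT_FOUND",
                "Nothing found in RansomwareTracker feeds")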
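def search(self):
    """Look the IOC (a sample hash) up through the MalShare details API.

    Requires ``malshare_api_key`` in ``self.config``; without it an ERROR
    is reported. The JSON answer's "SOURCES" list decides the outcome: a
    non-empty list is FOUND with the MalShare sample page as reference,
    an empty or absent list is NOT_FOUND. A NameError from the Cache is
    reported as NOT_FOUND, a ValueError (JSON decoding) as a connection
    error, and anything else as a cache error - as before.

    Fix: the FOUND reference was built with ``"...&hash=" % self.ioc`` on a
    string without a ``%s`` placeholder, which raises TypeError, so every
    hit was reported as a cache error instead of FOUND.
    """
    mod.display(self.module_name, "", "INFO", "Searching...")
    url = "https://malshare.com/"
    if "malshare_api_key" not in self.config:
        mod.display(
            self.module_name, self.ioc, "ERROR",
            "You must have a malshare api key to use this module ")
        return None
    # NOTE(review): the API key travels as a query parameter, so it ends up
    # in whatever the Cache layer keys, stores or logs on; that is how the
    # MalShare API is shaped, but keep cache directories and logs private.
    path = "api.php?api_key=%s&action=details&hash=%s" % (
        self.config["malshare_api_key"], self.ioc)
    try:
        content = json.loads(
            Cache(self.module_name, url, path, self.search_method).content)
        # An unknown hash appears to come back without a "SOURCES" list
        # (TODO confirm against the API); treat that like an empty list.
        sources = content.get("SOURCES") or []
        if not sources:
            mod.display(self.module_name, self.ioc, "NOT_FOUND",
                        "Nothing Found in Malshare feeds")
        else:
            mod.display(
                self.module_name, self.ioc, "FOUND",
                "https://malshare.com/sample.php?action=detail&hash=%s"
                % self.ioc)
        return None
    except NameError:
        mod.display(self.module_name, self.ioc, "NOT_FOUND",
                    "Nothing Found in Malshare feeds")
    except ValueError as e:
        mod.display(self.module_name, self.ioc, "ERROR",
                    "Malshare connection status : %s" % e)
    except Exception:
        mod.display(
            self.module_name, self.ioc, "ERROR",
            "Malshare's cache encountered an error while updating")
    return None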