Malicious files feed
The Malicious files feed contains files that ESET detection has classified as malicious. For each file the feed provides the following attributes (the samples below additionally carry an ssdeep fuzzy hash, the file name, a MIME type, first-seen and valid-to timestamps, and per-country sighting counts):
•Hash—MD5, SHA1 and SHA256 of the file.
•Detection—The name of the ESET detection, for example VBA/TrojanDownloader.Agent.GKT. In the JSON sample this value is carried in the threat field.
•Size_In_Bytes—The size of the file in bytes, for example 1433600 (the size field in the samples).
•File_Format—The file format as reported by the common UNIX file utility, for example PE32 executable (GUI) Intel 80386, for MS Windows. The samples instead carry a MIME type in file_type (JSON) and mime_type (STIX). For more information, refer to this link.
JSON
Below is a snippet of a Malicious files feed in JSON format.
{
  "count": 3,
  "countries": [
    { "count": 2, "country": "United States", "region": "NORAM" },
    { "count": 1, "country": "Ecuador", "region": "LATAM" }
  ],
  "file_name": "31113.html",
  "file_type": "text/plain",
  "first_seen": "2019-03-13 12:46:46 UTC",
  "md5": "29e476f594ed5e226b2c0c60c243fc9a",
  "sha1": "47b49ae4de0bf559a3be264df6b747584b0188d5",
  "sha256": "ce61716a17f8950e1d46a6230d0bc80e02d9a87796a683aa6c8532fbcb235ce5",
  "size": 1731,
  "ssdeep": "24:hAYkvfTol1MXPsRzqAXJ3UNSdV9O0W+bDxgb3ORWUjcHjvc6tjDxnILMFIiC1IdP:GYkvfToZkgRO07Ke5jcHooITIdk2",
  "threat": "JS/Exploit.Shellcode.A.gen trojan",
  "valid_to": "2020-10-23 06:38:34 UTC"
}
STIX 2.0
Below is a snippet of a Malicious files feed in STIX 2.0 format.
{
  "type": "observed-data",
  "id": "observed-data--25cd0fbd-98ed-4199-8469-9c8f08704028",
  "created": "2020-10-21T06:38:34.000Z",
  "modified": "2020-10-21T06:38:34.000Z",
  "first_observed": "2019-03-13T12:46:46Z",
  "last_observed": "2020-10-21T06:38:34Z",
  "number_observed": 3,
  "objects": {
    "0": {
      "type": "file",
      "hashes": {
        "MD5": "29e476f594ed5e226b2c0c60c243fc9a",
        "SHA-1": "47b49ae4de0bf559a3be264df6b747584b0188d5",
        "SHA-256": "ce61716a17f8950e1d46a6230d0bc80e02d9a87796a683aa6c8532fbcb235ce5",
        "ssdeep": "24:hAYkvfTol1MXPsRzqAXJ3UNSdV9O0W+bDxgb3ORWUjcHjvc6tjDxnILMFIiC1IdP:GYkvfToZkgRO07Ke5jcHooITIdk2"
      },
      "size": 1731,
      "name": "31113.html",
      "mime_type": "text/plain"
    }
  }
}
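The two snippets above describe the same file, but with different field names, hash-key spellings and timestamp formats, and only the JSON record carries the detection name and the valid_to expiry. The following Python script is an added example, not part of the ESET documentation or its API: it normalises both formats into one hash index, rejects malformed hashes, merges the JSON record with its STIX twin, refuses matches whose valid_to has passed, and emits the STIX 2 pattern that an Indicator object for the file would use. The SAMPLE_JSON and SAMPLE_STIX records are constructed copies of the snippets above (country data dropped), and all function names are this example's own.

```python
"""Normalise ESET Malicious files feed records (JSON and STIX 2.0 observed-data)
into one hash index and match hashes or file bytes against it, honouring valid_to."""
import hashlib
from datetime import datetime, timezone

# Hash algorithms the feed carries, with the hex length each must have.
HASH_LEN = {"md5": 32, "sha1": 40, "sha256": 64}
# STIX 2.0 spells the hash keys differently from the JSON feed.
STIX_KEYS = {"MD5": "md5", "SHA-1": "sha1", "SHA-256": "sha256"}

# Constructed copies of the two sample records shown above (not a live feed pull).
SAMPLE_JSON = {
    "count": 3, "file_name": "31113.html", "file_type": "text/plain",
    "first_seen": "2019-03-13 12:46:46 UTC",
    "md5": "29e476f594ed5e226b2c0c60c243fc9a",
    "sha1": "47b49ae4de0bf559a3be264df6b747584b0188d5",
    "sha256": "ce61716a17f8950e1d46a6230d0bc80e02d9a87796a683aa6c8532fbcb235ce5",
    "size": 1731, "threat": "JS/Exploit.Shellcode.A.gen trojan",
    "valid_to": "2020-10-23 06:38:34 UTC",
}
SAMPLE_STIX = {
    "type": "observed-data",
    "id": "observed-data--25cd0fbd-98ed-4199-8469-9c8f08704028",
    "first_observed": "2019-03-13T12:46:46Z", "last_observed": "2020-10-21T06:38:34Z",
    "number_observed": 3,
    "objects": {"0": {"type": "file", "hashes": {
        "MD5": "29e476f594ed5e226b2c0c60c243fc9a",
        "SHA-1": "47b49ae4de0bf559a3be264df6b747584b0188d5",
        "SHA-256": "ce61716a17f8950e1d46a6230d0bc80e02d9a87796a683aa6c8532fbcb235ce5",
    }, "size": 1731, "name": "31113.html", "mime_type": "text/plain"}},
}


def parse_ts(value):
    """Parse the JSON ("... UTC") and STIX (ISO 8601 Z) timestamp spellings to aware UTC."""
    for fmt in ("%Y-%m-%d %H:%M:%S UTC", "%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%dT%H:%M:%S.%fZ"):
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError("unrecognised timestamp: %r" % value)


def clean_hash(algo, value):
    """Normalise to lowercase hex and reject anything of the wrong length or alphabet."""
    value = str(value).strip().lower()
    if len(value) != HASH_LEN[algo] or any(c not in "0123456789abcdef" for c in value):
        raise ValueError("bad %s hash: %r" % (algo, value))
    return value


def entry_from_json(rec):
    """One JSON feed record -> normalised entry (threat and valid_to come from here)."""
    return {"hashes": {a: clean_hash(a, rec[a]) for a in HASH_LEN if a in rec},
            "threat": rec.get("threat"), "size": rec.get("size"),
            "valid_to": parse_ts(rec["valid_to"]) if rec.get("valid_to") else None}


def entry_from_stix(obj):
    """One STIX 2.0 observed-data object -> normalised entry. observed-data carries no
    detection name and no expiry; those belong to the Malware and Indicator objects."""
    files = [o for o in obj.get("objects", {}).values() if o.get("type") == "file"]
    if obj.get("type") != "observed-data" or len(files) != 1:
        raise ValueError("expected observed-data with exactly one file object")
    hashes = {STIX_KEYS[k]: clean_hash(STIX_KEYS[k], v)
              for k, v in files[0].get("hashes", {}).items() if k in STIX_KEYS}
    return {"hashes": hashes, "threat": None, "size": files[0].get("size"), "valid_to": None}


def build_index(entries):
    """Map (algo, hex) -> entry. Entries sharing a SHA-256 are merged, so a JSON record
    and its STIX twin become one entry that keeps the detection name and expiry."""
    by_sha256 = {}
    for e in entries:
        key = e["hashes"].get("sha256")
        if key is None:
            raise ValueError("entry without sha256")  # SHA-256 is the join key
        m = by_sha256.setdefault(key, {"hashes": {}, "threat": None, "size": None, "valid_to": None})
        m["hashes"].update(e["hashes"])
        for f in ("threat", "size", "valid_to"):
            m[f] = m[f] if m[f] is not None else e[f]
    return {(a, h): e for e in by_sha256.values() for a, h in e["hashes"].items()}


def lookup_hash(index, algo, value, now):
    """Return the matching entry, or None if unknown or past its valid_to."""
    e = index.get((algo, clean_hash(algo, value)))
    if e is None or (e["valid_to"] is not None and now > e["valid_to"]):
        return None
    return e


def lookup_bytes(index, data, now):
    """Hash file content with every feed algorithm and check each against the index."""
    for algo in HASH_LEN:
        hit = lookup_hash(index, algo, hashlib.new(algo, data).hexdigest(), now)
        if hit is not None:
            return hit
    return None


def stix_pattern(entry):
    """STIX 2 indicator pattern on the SHA-256, the form an Indicator object for the file uses."""
    return "[file:hashes.'SHA-256' = '%s']" % entry["hashes"]["sha256"]
```

Expiry is checked at lookup time rather than at index build time so that a long-lived index still stops matching once valid_to passes; SHA-256 is used as the join key because it is present in both formats and is the only one of the three hashes a practitioner should treat as collision-resistant.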
The following STIX objects are available for the Malicious files feed:
•Indicator—An Indicator of Compromise (IoC) to use for blocking or further investigation.
•Malware—Additional information about the given hashes, including the name of the detection. This information is intended for manual investigation.
•Observed data—Additional metadata about the file (hashes, size, name, MIME type, first and last observed times), as in the sample above.
•Relationship: