Malicious files feed
The Malicious files feed contains records describing executable files that ESET classifies as malicious. Each record shares the following attributes of a file:
•Hash (MD5, SHA1, and SHA256).
•Detection—The detection name assigned by ESET (for example, VBA/TrojanDownloader.Agent.GKT).
•Size_In_Bytes—The file size in bytes (for example, 1433600).
•File_Format—The file format as reported by the common UNIX utility file (for example, PE32 executable (GUI) Intel 80386, for MS Windows). For more information, refer to this link.
JSON
Below is a snippet of a Malicious files feed in JSON format. Note that the JSON field names differ from the attribute names above: the detection name is carried in threat, the size in size, and file_type holds a MIME type. Timestamps are given in UTC, and valid_to marks when the record should be considered expired.
{
  "count": 3,
  "countries": [
    { "count": 2, "country": "United States", "region": "NORAM" },
    { "count": 1, "country": "Ecuador", "region": "LATAM" }
  ],
  "file_name": "31113.html",
  "file_type": "text/plain",
  "first_seen": "2019-03-13 12:46:46 UTC",
  "md5": "29e476f594ed5e226b2c0c60c243fc9a",
  "sha1": "47b49ae4de0bf559a3be264df6b747584b0188d5",
  "sha256": "ce61716a17f8950e1d46a6230d0bc80e02d9a87796a683aa6c8532fbcb235ce5",
  "size": 1731,
  "ssdeep": "24:hAYkvfTol1MXPsRzqAXJ3UNSdV9O0W+bDxgb3ORWUjcHjvc6tjDxnILMFIiC1IdP:GYkvfToZkgRO07Ke5jcHooITIdk2",
  "threat": "JS/Exploit.Shellcode.A.gen trojan",
  "valid_to": "2020-10-23 06:38:34 UTC"
}
STIX 2.0
Below is a snippet of a Malicious files feed in STIX 2.0 format. The file observable carries the same hashes, size, name and MIME type as the JSON record; the detection name is not in the observed-data object itself.
{
  "type": "observed-data",
  "id": "observed-data--25cd0fbd-98ed-4199-8469-9c8f08704028",
  "created": "2020-10-21T06:38:34.000Z",
  "modified": "2020-10-21T06:38:34.000Z",
  "first_observed": "2019-03-13T12:46:46Z",
  "last_observed": "2020-10-21T06:38:34Z",
  "number_observed": 3,
  "objects": {
    "0": {
      "type": "file",
      "hashes": {
        "MD5": "29e476f594ed5e226b2c0c60c243fc9a",
        "SHA-1": "47b49ae4de0bf559a3be264df6b747584b0188d5",
        "SHA-256": "ce61716a17f8950e1d46a6230d0bc80e02d9a87796a683aa6c8532fbcb235ce5",
        "ssdeep": "24:hAYkvfTol1MXPsRzqAXJ3UNSdV9O0W+bDxgb3ORWUjcHjvc6tjDxnILMFIiC1IdP:GYkvfToZkgRO07Ke5jcHooITIdk2"
      },
      "size": 1731,
      "name": "31113.html",
      "mime_type": "text/plain"
    }
  }
}
The following types of STIX domain objects are available for the Malicious files feed:
•Indicator—An Indicator of Compromise (IoC) to use for blocking or further investigation.
•Malware—Additional information about the given hashes, including the detection name. This information is intended for manual investigation.
•Observed data—Additional information about the file (hashes, size, name, MIME type).
•Relationship
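The following is an added example, not ESET's code or part of the feed documentation, showing how a consumer can normalise a record from either the JSON snippet or the STIX 2.0 observed-data snippet above into one shape, validate the hashes before they reach a blocklist, honour valid_to, and emit a STIX 2 indicator pattern. It assumes only the field names visible in the two snippets; the sample records are constructed copies of them, trimmed to the fields the code uses, and the function names are the author's own.

```python
"""Normalise ESET Malicious files feed records (JSON and STIX 2.0 forms) into one shape.
Illustrative code, not ESET's; assumes only the field names visible in the feed snippets."""
import json
import re
from datetime import datetime, timezone

# Constructed sample: the JSON feed record from the page, trimmed to the fields used here.
JSON_RECORD = """{
  "count": 3, "file_name": "31113.html", "file_type": "text/plain",
  "first_seen": "2019-03-13 12:46:46 UTC",
  "md5": "29e476f594ed5e226b2c0c60c243fc9a",
  "sha1": "47b49ae4de0bf559a3be264df6b747584b0188d5",
  "sha256": "ce61716a17f8950e1d46a6230d0bc80e02d9a87796a683aa6c8532fbcb235ce5",
  "size": 1731, "threat": "JS/Exploit.Shellcode.A.gen trojan",
  "valid_to": "2020-10-23 06:38:34 UTC"
}"""

# Constructed sample: the STIX 2.0 observed-data record from the page, file object only.
STIX_RECORD = """{
  "type": "observed-data", "id": "observed-data--25cd0fbd-98ed-4199-8469-9c8f08704028",
  "first_observed": "2019-03-13T12:46:46Z", "last_observed": "2020-10-21T06:38:34Z",
  "number_observed": 3,
  "objects": {"0": {"type": "file", "size": 1731, "name": "31113.html",
    "mime_type": "text/plain", "hashes": {
      "MD5": "29e476f594ed5e226b2c0c60c243fc9a",
      "SHA-1": "47b49ae4de0bf559a3be264df6b747584b0188d5",
      "SHA-256": "ce61716a17f8950e1d46a6230d0bc80e02d9a87796a683aa6c8532fbcb235ce5"}}}
}"""

HASH_LEN = {"md5": 32, "sha1": 40, "sha256": 64}      # hex digits per algorithm
STIX_HASH_NAMES = {"MD5": "md5", "SHA-1": "sha1", "SHA-256": "sha256"}
HEX = re.compile(r"^[0-9a-f]+$")


def validate_hashes(hashes):
    """Reject malformed hashes: a wrong-length or non-hex value on a blocklist never matches."""
    clean = {}
    for algo, value in hashes.items():
        value = value.strip().lower()
        if algo not in HASH_LEN or len(value) != HASH_LEN[algo] or not HEX.match(value):
            raise ValueError(f"malformed {algo} hash: {value!r}")
        clean[algo] = value
    return clean


def parse_ts(value):
    """The JSON feed writes '2019-03-13 12:46:46 UTC'; STIX writes '2019-03-13T12:46:46Z'."""
    for fmt in ("%Y-%m-%d %H:%M:%S UTC", "%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%dT%H:%M:%S.%fZ"):
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            pass
    raise ValueError(f"unrecognised timestamp: {value!r}")


def from_json(text):
    rec = json.loads(text)
    return {
        "hashes": validate_hashes({a: rec[a] for a in HASH_LEN if a in rec}),
        "size": rec["size"], "name": rec.get("file_name"), "mime_type": rec.get("file_type"),
        "threat": rec.get("threat"),
        "first_seen": parse_ts(rec["first_seen"]),
        "valid_to": parse_ts(rec["valid_to"]) if "valid_to" in rec else None,
    }


def from_stix(text):
    obj = json.loads(text)
    if obj.get("type") != "observed-data":
        raise ValueError("expected a STIX 2.0 observed-data object")
    files = [o for o in obj["objects"].values() if o.get("type") == "file"]
    if len(files) != 1:
        raise ValueError("expected exactly one file observable")
    f = files[0]
    return {
        "hashes": validate_hashes({STIX_HASH_NAMES[k]: v for k, v in f["hashes"].items()
                                   if k in STIX_HASH_NAMES}),
        "size": f.get("size"), "name": f.get("name"), "mime_type": f.get("mime_type"),
        "threat": None,                         # detection name lives in the Malware SDO
        "first_seen": parse_ts(obj["first_observed"]),
        "valid_to": None,                       # observed-data carries no expiry
    }


def same_file(a, b):
    """Two records describe the same file if every hash algorithm they share agrees."""
    shared = set(a["hashes"]) & set(b["hashes"])
    return bool(shared) and all(a["hashes"][k] == b["hashes"][k] for k in shared)


def is_active(record, now):
    """Honour valid_to so expired entries age out of a blocklist instead of accumulating."""
    return record["valid_to"] is None or now <= record["valid_to"]


def stix_pattern(record):
    """STIX 2 indicator pattern for the strongest hash the record carries."""
    for algo, key in (("sha256", "SHA-256"), ("sha1", "SHA-1"), ("md5", "MD5")):
        if algo in record["hashes"]:
            return f"[file:hashes.'{key}' = '{record['hashes'][algo]}']"
    raise ValueError("record has no hashes")


if __name__ == "__main__":
    j, s = from_json(JSON_RECORD), from_stix(STIX_RECORD)
    print("same file:", same_file(j, s))
    print("active now:", is_active(j, datetime.now(timezone.utc)))
    print(stix_pattern(j))
```

The two parsers deliberately converge on one record shape so that downstream code (a blocklist loader, a SIEM lookup) never needs to know which feed format it was fed; the hash validation step matters because a single stray whitespace or uppercase digit in a feed value would otherwise produce an indicator that silently never matches.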