abuse.ch is providing community driven threat intelligence on cyber threats with a strong focus on malware and botnets. It is a collection of following projects:
MalwareBazaar
MalwareBazaar is a place where your can get malware samples which is shared by malware researchers for infosec community.
What it offers?
- Latest & Old malware samples.
Feodo Tracker
Feodo Tracker is place where you can get latest malicious botnet C2 servers IP associated with Emotet, Dridex, TrickBot, QakBot and BazarLoader.
What it offers?
Latest IP addresses of botnet C2 servers (Set of infected computers).
Latest IOCs (Indicators Of Compromise) of C2 servers. Use it with your SIEM for more accurate detection.
Latest Ruleset for Suricata & Snort to detect and/or block network connections toward C2 servers.
SSL Blacklist
SSL Blacklist (SSLBL) detects malicious SSL connections, by identifying and blacklisting SSL certificates used by C2 servers. It also identifies JA3 fingerprints that helps you to detect & block malware C2 communication on the TCP layer.
What it offers?
List of SHA1 fingerprints of malicious SSL certificates.
Get list of JA3 fingerprint to find malware in your network.
SSL Certificate & JA3 Ruleset for Suricata.
ThreatFox
ThreatFox shares indicators of compromise (IOCs) associated with malware with the infosec community.
What it offers?
A structured database for IOCs.
Search IOCs of different threat using different operations. For example:
malware:CobaltStrike
,threat_type:cc_skimming
, etc.
YARAify
YARAify allows anyone to scan suspicious files such as malware samples or process dumps against a large repository of YARA rules.
What it offers?
Scan suspicious file with ClaimAV antivirus.
Unpack PE executables or DLL files.
YARAhub, a structured database for yara rules.
Search yara rule using different operators. For example:
yara:MALWARE_Win_Zegost
,md5:bf130acead582841f356719dd6d29e98
, etc.
URLhaus
URLhaus shares malicious URLs that are being used for malware distribution. Its Malware Database gives you the latest data on domains registered as phishing or as spam with the goal of sharing malicious URLs that are being used for malware distribution.
What it offers?
Updated database for malicious URLs
It generates a ClamAV signature database which gets updated once per minute for real time detection.
Search malicious URL using different operators. For example:
filetype:doc
,tag:elf
etc.
All these 6 abuse.ch project provides API for automating the process. Maybe use these for your next project?