Exploring the Wide Range of Projects Provided by abuse.ch

abuse.ch provides community-driven threat intelligence on cyber threats, with a strong focus on malware and botnets. It is an umbrella for the following projects:

MalwareBazaar

MalwareBazaar is a place where you can get malware samples shared by malware researchers with the infosec community.

What it offers:

  • Recent and older malware samples, downloadable for analysis (samples are delivered as password-protected ZIP archives, so handle them in an isolated environment).

Feodo Tracker

Feodo Tracker is a place where you can get the latest IP addresses of botnet C2 servers associated with Emotet, Dridex, TrickBot, QakBot and BazarLoader.

What it offers:

  • Latest IP addresses of botnet C2 (command-and-control) servers, i.e. the hosts that the infected computers report to.

  • Latest IOCs (Indicators of Compromise) for those C2 servers, in formats you can load into your SIEM for more accurate detection.

  • Latest rulesets for Suricata and Snort to detect and/or block network connections towards C2 servers.
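As an added example of putting the C2 IP list to work (this is not abuse.ch's own code), the Python script below parses a small blocklist constructed in the column layout of Feodo Tracker's ipblocklist.csv, matches it against constructed firewall log lines, and emits equivalent Suricata rules. The IP addresses are RFC 5737 documentation ranges, and the log line format, the rule text and the SID range are assumptions made for the demo.

```python
"""Match outbound connections against a Feodo Tracker style C2 IP blocklist.

Added example, not abuse.ch code. The CSV columns mirror the layout of
Feodo Tracker's ipblocklist.csv (first_seen_utc,dst_ip,dst_port,c2_status,
last_online,malware), but the rows below are constructed for this demo and
the IPs are documentation addresses, not real C2 servers.
"""
import csv
import ipaddress
from dataclasses import dataclass

# Constructed blocklist in Feodo Tracker CSV layout (comment lines start with '#').
BLOCKLIST_CSV = """\
# Feodo Tracker style blocklist (constructed sample data)
# first_seen_utc,dst_ip,dst_port,c2_status,last_online,malware
"2024-01-05 10:12:00","192.0.2.10","443","online","2024-01-07","Dridex"
"2024-01-06 02:45:00","198.51.100.7","8080","offline","2024-01-06","QakBot"
"2024-01-06 09:00:00","203.0.113.55","443","online","2024-01-07","Emotet"
"""

# Constructed firewall log lines (assumed format): "<timestamp> <src_ip> <dst_ip> <dst_port>".
FIREWALL_LOG = """\
2024-01-07T08:01:12Z 10.0.0.5 192.0.2.10 443
2024-01-07T08:01:15Z 10.0.0.5 93.184.216.34 443
2024-01-07T08:02:30Z 10.0.0.9 198.51.100.7 8080
2024-01-07T08:03:02Z 10.0.0.9 203.0.113.55 80
"""


@dataclass(frozen=True)
class C2Entry:
    ip: str
    port: int
    status: str   # "online" or "offline" as reported by the feed
    malware: str


def parse_blocklist(text: str) -> dict:
    """Parse the CSV into a {(ip, port): C2Entry} map, skipping '#' comment lines."""
    rows = (line for line in text.splitlines() if line and not line.startswith("#"))
    entries = {}
    for first_seen, ip, port, status, last_online, malware in csv.reader(rows):
        ipaddress.ip_address(ip)  # fail fast on a malformed feed line
        entries[(ip, int(port))] = C2Entry(ip, int(port), status, malware)
    return entries


def find_c2_hits(log_text: str, blocklist: dict, include_offline: bool = True) -> list:
    """Return (timestamp, src_ip, C2Entry) for every log line whose dst ip:port is listed.

    Matching on ip AND port avoids flagging unrelated traffic to a shared host;
    set include_offline=False to alert only on C2s the feed still reports as up.
    """
    hits = []
    for line in log_text.splitlines():
        ts, src, dst, dport = line.split()
        entry = blocklist.get((dst, int(dport)))
        if entry is None:
            continue
        if not include_offline and entry.status != "online":
            continue
        hits.append((ts, src, entry))
    return hits


def suricata_rules(blocklist: dict, sid_base: int = 9000000) -> list:
    """Render one 'alert tcp' rule per C2 entry (SID range is an assumption)."""
    rules = []
    ordered = sorted(blocklist.values(), key=lambda e: (e.ip, e.port))
    for i, entry in enumerate(ordered):
        rules.append(
            f'alert tcp $HOME_NET any -> {entry.ip} {entry.port} '
            f'(msg:"Feodo Tracker C2 ({entry.malware})"; flow:to_server; '
            f'classtype:trojan-activity; sid:{sid_base + i}; rev:1;)'
        )
    return rules


if __name__ == "__main__":
    bl = parse_blocklist(BLOCKLIST_CSV)
    for ts, src, entry in find_c2_hits(FIREWALL_LOG, bl):
        print(f"{ts} {src} -> {entry.ip}:{entry.port} [{entry.malware}, {entry.status}]")
    print("\n".join(suricata_rules(bl)))
```

The last log line (203.0.113.55 on port 80) deliberately does not match because the feed lists that C2 on 443; if you would rather match on IP alone, key the dictionary on `ip` only and accept the extra false positives.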

SSL Blacklist

SSL Blacklist (SSLBL) detects malicious SSL/TLS connections by identifying and blacklisting the certificates used by C2 servers. It also publishes JA3 fingerprints, which let you detect and block malware C2 communication from the TLS handshake alone, without decrypting the traffic.

What it offers:

  • A list of SHA1 fingerprints of malicious SSL certificates.

  • A list of JA3 fingerprints to find malware in your network.

  • SSL certificate and JA3 rulesets for Suricata.
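To make clear what a JA3 fingerprint in the SSLBL list actually is, here is an added example (not abuse.ch's or the JA3 project's code) that computes JA3 from a raw TLS ClientHello: it takes the client version, cipher suites, extension types, supported groups and EC point formats, drops GREASE values, joins them as `version,ciphers,extensions,curves,formats`, and MD5-hashes that string. The resulting hex digest is the value you would look up in SSLBL's JA3 list. The ClientHello is built by a small constructed helper so the script runs offline; the random bytes and the SNI value are placeholders.

```python
"""Compute a JA3 fingerprint from a TLS ClientHello record.

Added example, not abuse.ch code. JA3 = MD5 of
"SSLVersion,Ciphers,Extensions,EllipticCurves,EllipticCurvePointFormats"
with GREASE values removed from every list. The ClientHello used here is
constructed by build_client_hello() so the example runs offline.
"""
import hashlib
import struct

# GREASE values (RFC 8701): 0x0a0a, 0x1a1a, ..., 0xfafa. JA3 ignores them.
GREASE = {0x0A0A + 0x1010 * i for i in range(16)}

SUPPORTED_GROUPS_EXT = 0x000A
EC_POINT_FORMATS_EXT = 0x000B


def build_client_hello(version: int, ciphers: list, extensions: list) -> bytes:
    """Serialise a minimal ClientHello (constructed test input, not captured traffic)."""
    ext_blob = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in extensions)
    body = (
        struct.pack("!H", version)
        + b"\x11" * 32                                   # client random (placeholder)
        + b"\x00"                                        # empty session id
        + struct.pack("!H", 2 * len(ciphers))
        + b"".join(struct.pack("!H", c) for c in ciphers)
        + b"\x01\x00"                                    # one compression method: null
        + struct.pack("!H", len(ext_blob)) + ext_blob
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # type=client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def groups_ext(groups: list) -> tuple:
    data = b"".join(struct.pack("!H", g) for g in groups)
    return (SUPPORTED_GROUPS_EXT, struct.pack("!H", len(data)) + data)


def point_formats_ext(formats: list) -> tuple:
    return (EC_POINT_FORMATS_EXT, bytes([len(formats)]) + bytes(formats))


def ja3(record: bytes) -> tuple:
    """Return (ja3_string, ja3_md5) for a TLS record holding a ClientHello."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS handshake record carrying a ClientHello")
    body = record[9:]                       # skip 5-byte record + 4-byte handshake header
    pos = 0
    version = struct.unpack_from("!H", body, pos)[0]
    pos += 2 + 32                           # client_version, then 32-byte random
    pos += 1 + body[pos]                    # session id
    cs_len = struct.unpack_from("!H", body, pos)[0]
    pos += 2
    ciphers = [c for (c,) in struct.iter_unpack("!H", body[pos:pos + cs_len]) if c not in GREASE]
    pos += cs_len
    pos += 1 + body[pos]                    # compression methods
    ext_types, curves, formats = [], [], []
    if pos < len(body):
        end = pos + 2 + struct.unpack_from("!H", body, pos)[0]
        pos += 2
        while pos < end:
            ext_type, ext_len = struct.unpack_from("!HH", body, pos)
            pos += 4
            data = body[pos:pos + ext_len]
            pos += ext_len
            if ext_type in GREASE:
                continue
            ext_types.append(ext_type)
            if ext_type == SUPPORTED_GROUPS_EXT:
                n = struct.unpack_from("!H", data, 0)[0]
                curves = [g for (g,) in struct.iter_unpack("!H", data[2:2 + n]) if g not in GREASE]
            elif ext_type == EC_POINT_FORMATS_EXT:
                formats = list(data[1:1 + data[0]])
    lists = (ciphers, ext_types, curves, formats)
    text = ",".join([str(version)] + ["-".join(map(str, x)) for x in lists])
    return text, hashlib.md5(text.encode()).hexdigest()


# Constructed ClientHello: TLS 1.2 version field, a GREASE cipher and a GREASE
# extension/group mixed in, SNI "example.com" (placeholder), extended_master_secret.
SNI_EXT = (0x0000, b"\x00\x0e\x00\x00\x0bexample.com")
SAMPLE_HELLO = build_client_hello(
    0x0303,
    [0x0A0A, 0x1301, 0x1302, 0xC02B],
    [(0x2A2A, b""), SNI_EXT, groups_ext([0x1A1A, 0x001D, 0x0017, 0x0018]),
     point_formats_ext([0]), (0x0017, b"")],
)

if __name__ == "__main__":
    text, digest = ja3(SAMPLE_HELLO)
    print(text)     # 771,4865-4866-49195,0-10-11-23,29-23-24,0
    print(digest)   # the value to look up in SSLBL's JA3 list
```

Because GREASE values are stripped, a client that randomises them across connections still yields one stable fingerprint, which is what makes a JA3 blocklist usable; the flip side is that JA3 identifies a TLS library configuration, not a specific binary, so a hit from SSLBL should be correlated with the destination (for example, against the Feodo Tracker C2 list) before blocking.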

ThreatFox

ThreatFox shares indicators of compromise (IOCs) associated with malware with the infosec community.

What it offers:

  • A structured database for IOCs.

  • Search IOCs with query operators, for example malware:CobaltStrike or threat_type:cc_skimming.

YARAify

YARAify allows anyone to scan suspicious files such as malware samples or process dumps against a large repository of YARA rules.

What it offers:

  • Scan suspicious files with ClamAV antivirus.

  • Unpack PE executables or DLL files.

  • YARAhub, a structured database for YARA rules.

  • Search YARA rules using different operators, for example yara:MALWARE_Win_Zegost or md5:bf130acead582841f356719dd6d29e98.

URLhaus

URLhaus collects and shares malicious URLs that are being used for malware distribution. Each entry records the URL, its host, whether it is currently online, tags (such as the payload's file type) and the payloads observed at it, so you can pivot from a URL to the malware it delivers.

What it offers:

  • An updated database of malicious URLs.

  • A ClamAV signature database, updated once per minute, for near-real-time detection.

  • Search malicious URLs using different operators, for example filetype:doc or tag:elf.

All six abuse.ch projects provide an API for automating these lookups. Maybe use them for your next project?