What’s all this fuss about

This is the result of a never ending project that goes under the name of MalSilo.

Feeds here shared are provided on an ‘as is’ basis, enable automated blocking based on these indicators is not suggested if you don’t know what you are doing - you have been warned.

The system was publicly launched in 2019.02.03 and later updated to it’s 2.0 version on the 2020.01.27.

Which type of IOCs are we talking about?

Commodity infections, for which you get:

• Tags: file format, packer, etc.

• MITRE ATT&CK: maps samples behavior (@ run-time) to the MITRE framework

• Threat : name of the malware family or a generic equivalent (lokibot, keylogger, etc.)

• Common hashes: md5, sha1, sha256, sha512, ssdeep

• Drop sites: from where the malicious payload was retrieved

• Network traffic: network behavior of the malicious payload observed @ run-time

How many exports format do you provide?

Currently 7:

• master-dump: this is the master feed from where all the other exports below are generated
• url-list: csv format, covering all URLs observed during malware network activities - some metadata
• ip-list: same as the previous but for ipv4 addresses (covering tcp/udp + port) - some metadata
• domain-list: same as the previous but for domains - some metadata
• malsilo-dns: Suricata export -> DNS protocol
• malsilo-ip: Suricata export -> TCP/UDP protocol
• malsilo-url: Suricata export -> HTTP protocol

How fresh is the data?

At every run (twice per day) the latest 30 days are considered

Tracker status

Feeds

• master-feed | json
• ip-list | csv
• url-list | csv
• domain-list | csv
• malsilo-dns | Suricata
• malsilo-ip | Suricata
• malsilo-url | Suricata
• malsilo.rules.tar.gz | Suricata
• malsilo.rules.md5 | Suricata