What’s all this fuss about
This is the result of a never-ending project that goes under the name of MalSilo.
Feeds shared here are provided on an ‘as is’ basis; enabling automated blocking based on these indicators is not suggested if you don’t know what you are doing - you have been warned.
The system was publicly launched on 2019.02.03 and later updated to its 2.0 version on 2020.01.27.
Which type of IOCs are we talking about?
Commodity infections, for which you get:
Tags: file format, packer, etc.
MITRE ATT&CK: maps sample behavior (observed @ run-time) to the MITRE framework
Threat: name of the malware family or a generic equivalent (
Common hashes: md5, sha1, sha256, sha512, ssdeep
Drop sites: from where the malicious payload was retrieved
Network traffic: network behavior of the malicious payload observed @ run-time
How many export formats do you provide?
master-dump: this is the master feed from where all the other exports below are generated
url-list: csv format, covering all URLs observed during malware network activities - some metadata
ip-list: same as the previous but for ipv4 addresses (covering tcp/udp + port) - some metadata
domain-list: same as the previous but for domains - some metadata
malsilo-dns: Suricata export -> DNS protocol
malsilo-ip: Suricata export -> TCP/UDP protocol
malsilo-url: Suricata export -> HTTP protocol
How fresh is the data?
At every run (twice per day) the latest 30 days are considered
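Added example (not MalSilo's own code) of how a defender might consume the ip-list export described above: it applies the same 30-day horizon the feed uses, then matches connection-log entries on the full ip/proto/port triple rather than the bare address, which is the check you want before anything like blocking is even considered. The CSV column layout, the sample feed rows and the log lines are all constructed for this example; the real ip-list schema is not given on this page.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed sample in an ASSUMED column layout; the real ip-list
# column order is not documented on this page.
IP_LIST_CSV = """first_seen,ip,proto,port,threat
2020-07-01,203.0.113.10,tcp,8080,generic.loader
2020-06-25,198.51.100.7,udp,53,generic.dns
2020-05-01,192.0.2.99,tcp,443,generic.stealer
"""

# Constructed connection-log lines: "<ts> <src> -> <dst> <proto> <port>".
CONN_LOG = [
    "2020-07-02T10:00:01Z 10.0.0.5 -> 203.0.113.10 tcp 8080",
    "2020-07-02T10:00:02Z 10.0.0.5 -> 203.0.113.10 tcp 80",
    "2020-07-02T10:00:03Z 10.0.0.8 -> 192.0.2.99 tcp 443",
    "2020-07-02T10:00:04Z 10.0.0.9 -> 198.51.100.7 udp 53",
]

def load_ip_list(text, now, window_days=30):
    """Return {(ip, proto, port): threat} for rows first seen within the
    window, mirroring the feed's own 30-day horizon; older rows are dropped."""
    cutoff = now - timedelta(days=window_days)
    indicators = {}
    for row in csv.DictReader(io.StringIO(text)):
        seen = datetime.strptime(row["first_seen"], "%Y-%m-%d")
        if seen < cutoff:
            continue
        key = (row["ip"], row["proto"].lower(), int(row["port"]))
        indicators[key] = row["threat"]
    return indicators

def match_connections(log_lines, indicators):
    """Flag log lines whose (dst ip, proto, port) triple is in the feed.
    Matching the whole triple, not just the IP, avoids alerting on shared
    hosting or CDN addresses contacted on unrelated ports."""
    hits = []
    for line in log_lines:
        ts, _src, _arrow, dst, proto, port = line.split()
        key = (dst, proto.lower(), int(port))
        if key in indicators:
            hits.append((ts, dst, proto.lower(), int(port), indicators[key]))
    return hits

def demo(now=datetime(2020, 7, 2)):
    """Run the sample log against the sample feed as of a fixed date."""
    return match_connections(CONN_LOG, load_ip_list(IP_LIST_CSV, now))
```

Of the four sample connections only two match: the port-80 connection fails the triple check, and the 192.0.2.99 row is older than the 30-day window.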
2019.12.20 - 2020.01.26: Core systems upgrade (HW / OS / Services [exports, and more])
2020.01.27: MalSilo 2.0, system back to normal operation + updated master-dump, ip-list and url-list formats + new domain-list export
2020.05.06: MalSilo 2.1, Suricata exports (ip, dns and url support)
2020.07.02: Suricata exports (ip, dns and url) bundled into a tar.gz pack