Malicious Activity

DISCLAIMER: The following page contains links to third-party websites which Inteller neither controls nor inspects. Visit and use these sites at your own risk.
Cyber Crime Tracker [http://cybercrime-tracker.net]
Officially active since 2012, Cyber Crime Tracker monitors and tracks various malware families that are used to perpetrate cyber crimes, such as banking trojans and ransomware. It lists mainly malware C&Cs and file hashes of Zeus and Zeus-derived malware families. A blocklist is available (see the "Blocklist Files" section on this index for a direct link).

IBM X-Force Exchange [https://exchange.xforce.ibmcloud.com/]
While the number of options and the volume of information can be confusing at first, X-Force Exchange is a great tool for researching malicious activity based on an IP address, URL, vulnerability, binary MD5, or application name. The site provides a wealth of information on each result, along with a helpful risk indicator for a quick summary.

infosec.cert-pa.it [https://infosec.cert-pa.it/analyze/submission.html]
A site listing files analyzed by the Italian CERT-PA team. The listing includes the type of file, its name and MD5 hash. Several blocklist files are also available. See "Blocklist Files" on this index for direct links.

malc0de [http://malc0de.com/database/]
A malware listing which mainly includes infection points. For each incident, the infection point URL, IP, network information and binary file MD5 are provided. It is possible to search the database, as well as open VirusTotal reports for each listed malware sample. Blocklists are also available. See "Blocklist Files" on this index for the direct links.

malwaredomainlist.com [http://malwaredomainlist.com]
A long-running malware IOC listing, MDL provides a list of various malware resources, including infection points, drops and C&Cs. Unfortunately, it is no longer updated regularly.

Pastebin Dump [https://psbdmp.ws/dumps]
Pastebin Dump is a site which monitors Pastebin and identifies pastes containing data leaks. The site allows users to search whether their E-mail address has been spotted in any of the found leaks. More interestingly, the site provides a list of the leaks it has found, with links to the specific pastes included. The site also has a REST API that allows for easy extraction of dump data.

Ransomware Tracker [https://ransomwaretracker.abuse.ch/tracker/]
A tracker by abuse.ch of ransomware C&Cs, payment and distribution sites. The tracker lists ransomware families such as TeslaCrypt, Locky and GlobeImposter, and is updated on a regular basis. A blocklist is also available (see the "Blocklist Files" section in this index for a direct link).

RiskIQ PassiveTotal Community Edition [https://community.riskiq.com/]
Security firm RiskIQ offers a free community edition of its PassiveTotal platform, which collects comprehensive information on every site, IP address and domain. It is possible to query the platform by IP address, host, domain or SSL certificate SHA-1 to retrieve information on the queried item. Furthermore, it is possible to provide an E-mail address as the query and receive a list of sites that were registered using that address (WHOIS). Threat intelligence information, if associated with the results of the query, is also provided. The platform enables exploration of web resources related to the query. PassiveTotal Community Edition is free and requires registration. A premium tier and API are also available.

Shodan Malware Hunter [https://www.shodan.io/search?query=category%3Amalware]
Shodan, the popular internet scanner and device search engine, includes a feature called "Malware Hunter", which detects certain malware families installed on scanned devices. When an infected device is detected, it is categorized under the "malware" category. A search on Shodan for this category reveals all the infected machines that were discovered. Using Shodan requires an account. An API is available.

SSL Blacklist [https://sslbl.abuse.ch/blacklist/]
SSL Blacklist by abuse.ch offers various types of blacklists that enable blocking bad SSL traffic related to malware or botnet activities (e.g. botnet C&C traffic). The page contains links to several blocklist files related to bad SSL. See "Blocklist Files" on this index for direct links to the blocklist files. Additional files are available on the site but are not listed here, as their use may be problematic.

Threat Crowd [http://threatcrowd.org]
Threat Crowd is a site powered by AlienVault which provides the ability to search by IP address, domain, E-mail or organization. A search returns the available related information, such as WHOIS query results, as well as any indication of threats associated with the queried item, taken from AlienVault OTX. All information is provided in a visual graph view which facilitates further research of the results.

ThreatMiner [https://www.threatminer.org/]
ThreatMiner is a database of malware IOCs, including file samples, domains, hosts and E-mail addresses. While the site only seems to display the last 10 entries, it is possible to query its database using an IP address, domain, E-mail address, and more, in order to see if they are part of a current or past malware campaign.

URLhaus [https://urlhaus.abuse.ch/browse/]
A site operated by abuse.ch enabling its users to submit malware URLs. Each submitted URL includes information about the malware and its payload. An API is available, mainly for submitting new URLs, but the site also provides machine-readable lists to download. For a direct link to the blocklist file, check the "Blocklist Files" section in this index.

VX Vault [http://vxvault.net/ViriList.php]
VX Vault is a free malware tracker, listing mainly infection points and the MD5 of the binaries they serve. It also offers an MD5 search option. A blocklist file is available with the 100 most recent infection point URLs published on the site (see "Blocklist Files" on this index for a direct link).

www.projecthoneypot.org [https://www.projecthoneypot.org/]
Project Honeypot tracks IP addresses associated with bad activity, specifically harvesters, spam servers, bad web hosts, and more. The site operates a DNSBL for mail servers to prevent spam. On the site, it is possible to see the top 25 malicious IP addresses. Registered users can see up to 50 of each category.

ZeusTracker [https://zeustracker.abuse.ch/monitor.php?filter=all]
One of the most popular malware trackers, ZeusTracker lists multiple malware resources (C&Cs, config files, drops, etc.) of the Zeus/Zbot malware family and other families that it has spawned. The site offers real-time tracking of known resources, plus a blocklist for easy consumption (see "Blocklist Files" on this index for direct links).

Blocklist Files

Following are direct links to blocklist files in TXT, CSV or JSON format. These blocklists enable easy integration with security and network appliances, such as firewalls and DNS servers. However, the items within these lists are often presented without any context.
abuse.ch ZeuS compromised URL blocklist [https://zeustracker.abuse.ch/blocklist.php?download=compromised]
TXT format.

abuse.ch ZeuS IP blocklist [https://zeustracker.abuse.ch/blocklist.php?download=ipblocklist]
TXT format.

AlienVault Generic Reputation Blocklist [http://reputation.alienvault.com/reputation.generic]
A blocklist containing IP addresses of malicious hosts, by AlienVault. CSV format.

Blocklist by cybercrime-tracker.net [http://cybercrime-tracker.net/all.php]
TXT format.

blocklist.greensnow.co [https://blocklist.greensnow.co/greensnow.txt]
A blocklist provided by intelligence firm GreenSnow. The list includes IP addresses associated with attacks of any kind except for spam and is updated regularly. TXT format.

Blockrules by EmergingThreats [http://rules.emergingthreats.net/blockrules/]
A list of block files in TXT format, including compromised IPs, botnet C&Cs and more.

Booter Blacklist [http://booterblacklist.com/data/booterlist_latest.txt]
A blocklist file containing IP addresses associated with DDoS stressers and booters. TXT format.

CERT-PA Domains Blocklist [https://infosec.cert-pa.it/analyze/listdomains.txt]
A blocklist maintained by CERT-PA of domains associated with malicious activities. The file contains the results from the last 7 days. TXT format.

CERT-PA IP Blocklist [https://infosec.cert-pa.it/analyze/listip.txt]
A blocklist maintained by CERT-PA of IP addresses associated with malicious activities. The file contains the results from the last 30 days. TXT format.

CERT-PA URLs Blocklist [https://infosec.cert-pa.it/analyze/listurls.txt]
A blocklist maintained by CERT-PA of URLs associated with delivering malware (infection points). The file contains the results from the last 30 days. TXT format.

cinsscore.com [http://cinsscore.com/list/ci-badguys.txt]
A blocklist of suspicious IP addresses by IP reputation firm CINS. The list includes IP addresses that were deemed to have low reputation, or that have been suspected of being malicious by other means. TXT format.

CIRCL MISP [https://www.circl.lu/doc/misp/feed-osint/]
A list of JSON-based threat intelligence files, provided by the Computer Incident Response Center Luxembourg (CIRCL) as part of its Malware Information Sharing Platform (MISP). The files include items of a variety of types, including different kinds of structured IOC data, as well as links to relevant blog posts. May require some research for proper implementation.

Conficker Blocklist [http://www.cert.at/static/downloads/data/conficker/all_domains.txt]
A blocklist provided by CERT.at which includes hosts associated with the Conficker malware. TXT format.

DataPlane.org - sipinvitation Blocklist [https://dataplane.org/sipinvitation.txt]
A blocklist by DataPlane.org which consists of IP addresses that have been seen initiating a SIP INVITE operation to a remote host. These hosts may be cataloging SIP clients or conducting various forms of telephony abuse. TXT format.

DataPlane.org - sipquery Blocklist [https://dataplane.org/sipquery.txt]
A blocklist by DataPlane.org which consists of IP addresses that have been seen initiating a SIP OPTIONS query to a remote host. These hosts may be cataloging SIP servers or conducting various forms of telephony abuse. TXT format.

DataPlane.org - sipregistration Blocklist [https://dataplane.org/sipregistration.txt]
A blocklist by DataPlane.org which consists of IP addresses that have been seen initiating a SIP REGISTER operation to a remote host. These hosts may be cataloging SIP clients or conducting various forms of telephony abuse. TXT format.

DataPlane.org - sshpwauth Blocklist [https://dataplane.org/sshpwauth.txt]
A blocklist provided by DataPlane.org which includes IP addresses that have been seen attempting to remotely log in to a host using SSH password authentication. This report lists hosts that are highly suspicious and are likely conducting malicious SSH password authentication attacks. TXT format.

DataPlane.org - VNC RFB Blocklist [https://dataplane.org/vncrfb.txt]
A blocklist by DataPlane.org which consists of IP addresses that have been seen initiating a VNC remote frame buffer (RFB) session to a remote host. These hosts may be cataloging VNC servers or conducting various forms of remote access abuse. TXT format.

DGA-Based C&Cs Actively Resolving (Domains) [http://osint.bambenekconsulting.com/feeds/c2-dommasterlist-high.txt]
A blocklist of domains associated with DGA-based (Domain Generation Algorithm) C&Cs which are actively resolving, provided by Bambenek Consulting. TXT format.

DGA-Based C&Cs Actively Resolving (IPs) [http://osint.bambenekconsulting.com/feeds/c2-ipmasterlist-high.txt]
A blocklist of IP addresses associated with DGA-based (Domain Generation Algorithm) C&Cs which are actively resolving, provided by Bambenek Consulting. TXT format.

DiamondFox IOCs [https://raw.githubusercontent.com/pan-unit42/iocs/master/diamondfox/diamondfox_panels.txt]
IOCs of the DiamondFox modular malware. Updated daily by Unit 42. TXT format.

DNS-BH [http://mirror1.malwaredomains.com/files/domains.txt]
A blocklist file that is constantly updated with malicious domains, provided as part of the efforts of DNS-BH - Malware Domain Blocklist by RiskAnalytics. The blocklist includes phishing and malware related domains from various sources on the web.

dns-bh.sagadc.org [http://dns-bh.sagadc.org/dynamic_dns.txt]
A blocklist of dynamic DNS providers. TXT format.

Dyre SSL IP Blocklist [https://sslbl.abuse.ch/blacklist/dyre_sslipblacklist.csv]
A blocklist file provided by abuse.ch which includes IP addresses associated with bad SSL traffic related to the Dyre malware.

Feodo IP Blocklist [https://feodotracker.abuse.ch/blocklist/?download=ipblocklist]
Blocklist file of Feodo Tracker by abuse.ch. TXT format.

hpHosts Malware Distribution Blocklist [https://hosts-file.net/emd.txt]
A blocklist file which lists hosts associated with sites distributing malware. Provided by hpHosts. TXT format.

inThreat feed [https://feeds.inthreat.com/osint/misp/]
A list of JSON files containing threat intelligence.

labs.snort.org [http://labs.snort.org/feeds/ip-filter.blf]
A list of suspicious IPs by Talos Intelligence.

lists.blocklist.de [https://lists.blocklist.de/lists/all.txt]
Blocklist file by blocklist.de which includes all the IP addresses that have attacked one of their customers/servers in the last 48 hours. TXT format. Other lists with specific categories are available at http://www.blocklist.de/en/export.html

malc0de Host Blocklist [http://malc0de.com/bl/ZONES]
A blocklist provided by the site malc0de which includes the last 30 days of malicious hosts as observed by the site. The blocklist provided in the link is a BIND zone file that is intended to be included in a running DNS server for a local network. A Windows format of the same list is also available at http://malc0de.com/bl/BOOT

malc0de IP Blocklist [http://malc0de.com/bl/IP_Blacklist.txt]
A blocklist provided by the site malc0de, which includes the last 30 days of malicious IP addresses collected by the site. TXT format.

POP3 gropers [https://home.nuug.no/~peter/pop3gropers.txt]
A blocklist file containing IP addresses associated with POP3 gropers. TXT format.

Ransomware Tracker Blocklist [https://ransomwaretracker.abuse.ch/feeds/csv/]
Blocklist file of Ransomware Tracker by abuse.ch. CSV format.

raw.githubusercontent.com [https://raw.githubusercontent.com/ktsaou/blocklist-ipsets/master/firehol_level1.netset]
A blocklist containing IP addresses associated with various types of attacks. The list is provided by FireHOL and is a composition of other IP lists from various sources.

Spamhaus DROP List [https://www.spamhaus.org/drop/drop.txt]
The Spamhaus DROP (Don't Route Or Peer) list is an advisory "drop all traffic" list, consisting of netblocks that are "hijacked" or leased by professional spam or cyber-crime operations (used for dissemination of malware, trojan downloaders and botnet controllers). The DROP lists are a tiny subset of the Spamhaus blocklist, designed for use by firewalls and routing equipment to filter out the malicious traffic from these netblocks.

SSH Blacklist [http://www.nothink.org/blacklist/blacklist_ssh_day.txt]
A blocklist file which includes IP addresses associated with malicious SSH activity, provided by nothink.org. TXT format.

SSL Fingerprint Blocklist [https://sslbl.abuse.ch/blacklist/sslblacklist.csv]
A blocklist file provided by abuse.ch which includes SSL certificate SHA1 fingerprints associated with bad SSL traffic related to malware or botnet activities (e.g. botnet C&C traffic).

SSL IP Blocklist [https://sslbl.abuse.ch/blacklist/sslipblacklist.csv]
A blocklist file provided by abuse.ch which includes IP addresses associated with bad SSL traffic related to malware or botnet activities (e.g. botnet C&C traffic).

Threat Crowd Domain Blocklist [https://www.threatcrowd.org/feeds/domains.txt]
A blocklist file provided by Threat Crowd which includes malicious domains observed by the site. TXT format.

Threat Crowd Hashes Blocklist [https://www.threatcrowd.org/feeds/hashes.txt]
A blocklist file provided by Threat Crowd which includes hashes of malicious files that were observed by the site. TXT format.

Threat Crowd IP Blocklist [https://www.threatcrowd.org/feeds/ips.txt]
A blocklist file provided by Threat Crowd which includes malicious IP addresses observed by the site. TXT format.

TOR Exit Nodes [https://www.dan.me.uk/torlist/?exit]
TXT format.

URLhaus Blocklist [https://urlhaus.abuse.ch/downloads/text/]
Blocklist file of URLhaus, a project operated by abuse.ch which enables users to report malware URLs. Other list types with additional content, such as STIX, CSV, etc., are available on the site as well.

VX Vault Blocklist [http://vxvault.net/URL_List.php]
A blocklist file by VX Vault which includes the last 100 URLs published on the site. TXT format.

www.botvrij.eu [http://www.botvrij.eu/data/feed-osint/]
A list of JSON files containing threat intelligence in the MISP format.

About Inteller

Inteller empowers web intelligence teams by providing them with proprietary technology that automates collection, processing and dissemination of intelligence based on multiple and diverse web-based sources, customized for every team's needs.
We help our customers scale their intelligence collection and analysis operations, provide better deliverables to their stakeholders, all the while optimizing their resources for efficient collection and analysis.
The Inteller platform’s unique modular design enables it to monitor a wide array of sources, including dark web, open source, social media and more, while providing a high level of customization.
