HomeGuest Posts
TI Lookup: Real-World Use Cases
from a Malware Researcher
HomeGuest Posts
TI Lookup: Real-World Use Cases
from a Malware Researcher

Editor’s note: The current article is authored by Anna Pham (also known as RussianPanda), a threat intelligence researcher. You can find her latest research and insights on X, LinkedIn, and her blog.

ANY.RUN introduced Threat Intelligence Lookup in February 2024, followed by the YARA Search in April 2024. This article will explore both services and their use cases. 

How Threat Intelligence Lookup Works

Threat Intelligence Lookup allows users to search through the database of sandbox tasks by examining specific details such as:

  • Processes
  • Modules
  • Files
  • Network and registry activity

All of these are logged by the ANY.RUN sandbox.

The service helps users find critical information like IOCs (Indicators of compromise), events, sandbox reports, and other data corresponding to the search query. 

Figure 1: Main page of Threat Intelligence Lookup service  

The main page of the Threat Intelligence service provides a summary of the most common MITRE techniques used, malware threat statistics, and popular Suricata rules derived from submitted samples, offering valuable insight into current cyber threat trends. 

Figure 2: Threat Intelligence Lookup panel overview 

After navigating to the Lookup section you’ll be able to submit your search query using over 40 different search parameters.

Explore all search parameters available in TI Lookup in the following article. ANY.RUN also offers a comprehensive query guide for the TI Lookup once you’re on the platform. 

Let’s now look into a few use cases with some of TI Lookup’s key search parameters.

Test TI Lookup to see how it can benefit your threat investigations 

Request free trial

Searching for Stealers Reaching out to Telegram  

We can create a query to identify stealers reaching out to Telegram IPs, potentially exfiltrating sensitive data, using the “destinationIpAsn” and “threatName” parameters, as shown below, for the past three months or 180 days. You can also search within 60, 30, 14, 7, 3, or 1-day intervals and bookmark the search query for later use.

Here is the query:

Figure 3: Lookup for stealers reaching out to Telegram and the result overview 

The search results show the associated IPs, Events, Files, Tasks, Synchronization (events and mutexes created), and Network threats.  

Figure 4: Overview of the Files tab 

From the Files tab, users can extract indicators and save them in JSON format.

Figure 5: Static discovering of the PE file 

Note: You can export data from any category, such as IPs, Events, Tasks, etc., in JSON. Additionally, users can view binary characteristics with static analysis or download the binary itself. 

Figure 6: Network threats tab 

We can confirm the exfiltration activity via Telegram within the Network threats tab.

Start your first investigation in TI Lookup 

Request free trial

Looking for LummaC2 samples and C2s 

To identify LummaC2 samples and C2 domains, we can use Lumma’s domains that are known to end with “.shop/api” via the following query:

The dollar sign ($) in a search represents the end of a string. When used in a search pattern, it ensures that the search string must match the end of the text being evaluated. So, using $ in the pattern “.shop/api$” ensures that the URL ends exactly with .shop/api and no other characters follow. 

Figure 7: Search results for .shop/api$ 

From the search results, we identified 26 URLs and domains related to LummaC2, which can be exported and operationalized for further monitoring, blocking, or threat hunting within the security infrastructure. 

Figure 8: URLs and Domains findings 

Searching for URLs Used to Retrieve DLL Dependencies and Pivoting on the ASN 

We know that some stealers, such as Vidar Stealer, RecordBreaker (Raccoon Stealer v2), and StealC, use additional DLL dependencies like “softokn3.dll” and “mozglue.dll” to facilitate data exfiltration from browsers, so we can create a query to look for URLs delivering the DLLs: 

Figure 9: The output from running the query that searches for URLs retrieving the DLL dependencies 

From the results below, we can see the processes that initiated the connections to the URLs to retrieve the DLLs, along with the associated URLs, IP addresses, and the countries of origin for those IPs.

Additionally, we identified another pivot point with the ASN “1337team Limited”:

Figure 10: Results from pivoting on 1337team Limited ASN 

Pivoting on the ASN mentioned above revealed more events and IPs, some of which are associated with StealC, Redline, and Amadey activities.  

Searching for Interesting Samples Using MITRE  

Users can search for relevant samples using MITRE techniques or IDs. ANY.RUN provides predefined IDs and their definitions, eliminating the need to search for them elsewhere. 

Figure 11: Predefined MITRE IDs and their definitions 

We can look for phishing samples containing malicious QR codes via the following query, where T1566 is Phishing: 

Figure 12: Results from the search for phishing emails containing the QR code 

Now, we can spice up the query and look for phishing links containing the Cloudflare challenge that is commonly used by Tycoon 2FA and other phishing kits: 

Figure 13: Results from the search for phishing links containing the Cloudflare challenge  

The query can also be adjusted to show the phishing samples with URL submissions only instead of the file attachments using the threatLevel “malicious” to avoid false positives:

Figure 14: Searching for samples containing URLs instead of file attachment submissions 

Searching for samples using CommandLine 

We can search for Latrodectus downloader samples, which is known to drop the copy of itself under the “%AppData%\Custom_update\” path. We can leverage that knowledge to create a query that looks for command lines containing that path:

Figure 15: Results from the query to look for a specific file path within the command line to search for Latrodectus samples 

From the Synchronization tab, we notice the mutex “runnung” being used, so we can also leverage that to look for Latrodectus samples. 

Figure 16: Leveraging the mutex finding to find Latrodectus samples 

We can also leverage CommandLine to look for malicious PowerShell commands, for example, while looking for a RobotDropper, aka LegionLoader samples.

So, for the query, we are going to grab a snippet of the base64-encoded command, which partially decodes to “$w=new-object”:

We have 13 samples that match our query, all of which are true positives.  

Figure 17: Results from the query to look for RobotDropper using CommandLine search parameter 
Figure 18: Events tab overview from the search query 

Investigate cyber threats using TI Lookup 

Request free trial

Searching for Gh0stRAT Samples and C2s from a Specific Country  

We can also create a query that searches for Gh0stRAT samples and C2s using “destinationIPgeo” as one of the search parameters; this query looks for Gh0stRAT samples that connect to servers located in China:

Figure 19: Results from the query to look for Gh0stRAT samples that connect to servers based in China 

YARA Search 

In addition to the Threat Intelligence Lookup service, ANY.RUN offers YARA Search, enabling users to scan its database of collected and analyzed threat data using YARA rules, whether imported from the local machine or created on the fly. 

We can create a YARA rule to look for LummaC2 Stealer samples, and in under 10 seconds, we get the results, which is impressively fast. Users can also run multiple YARA scans in separate tabs.  

Figure 20: Results from YARA scan 

You can view the binary’s PE characteristics from the results, download it, and export the results in JSON format. 

Figure 21: Exported JSON results 

Conclusion 

ANY.RUN’s Threat Intelligence Lookup and YARA Search services allow for precise threat hunting and the extraction of valuable insights into current cyber threat trends. What’s impressive is how fast these scans are—they significantly speed up the analysis process, allowing for quick detection of threats and malware. 

ANY.RUN is making it easier for organizations to take a proactive and informed stance on cybersecurity, which is essential in our constantly evolving threat landscape.

Test ANY.RUN’s Threat Intelligence Lookup and YARA Search in a free trial →

Anna Pham
Senior Threat Intelligence researcher | + posts

Senior Threat Intelligence researcher by day and malware enthusiast by night.
Follow Anna on:
LinkedIn.

X.

Read her blog at russianpanda.com.

anna-pham
Anna Pham
Senior Threat Intelligence researcher
Senior Threat Intelligence researcher by day and malware enthusiast by night.
Follow Anna on:
LinkedIn.
X.
Read her blog at russianpanda.com.

What do you think about this post?

5 answers

  • Awful
  • Average
  • Great

No votes so far! Be the first to rate this post.

0 comments