TI Lookup: Real-World Use Cases
from a Malware Researcher

Editor’s note: The current article is authored by Anna Pham (also known as RussianPanda), a threat intelligence researcher. You can find her latest research and insights on X, LinkedIn, and her blog.

ANY.RUN introduced Threat Intelligence Lookup in February 2024, followed by the YARA Search in April 2024. This article will explore both services and their use cases. 

How Threat Intelligence Lookup Works

Threat Intelligence Lookup allows users to search through the database of sandbox tasks by examining specific details such as:

• Processes
• Modules
• Files
• Network and registry activity

All of these are logged by the ANY.RUN sandbox.

The service helps users find critical information like IOCs (Indicators of compromise), events, sandbox reports, and other data corresponding to the search query. 

The main page of the Threat Intelligence service provides a summary of the most common MITRE techniques used, malware threat statistics, and popular Suricata rules derived from submitted samples, offering valuable insight into current cyber threat trends. 

After navigating to the Lookup section you’ll be able to submit your search query using over 40 different search parameters.

Explore all search parameters available in TI Lookup in the following article. ANY.RUN also offers a comprehensive query guide for the TI Lookup once you’re on the platform. 

Let’s now look into a few use cases with some of TI Lookup’s key search parameters.

Searching for Stealers Reaching out to Telegram  

We can create a query to identify stealers reaching out to Telegram IPs, potentially exfiltrating sensitive data, using the “destinationIpAsn” and “threatName” parameters, as shown below, for the past three months or 180 days. You can also search within 60, 30, 14, 7, 3, or 1-day intervals and bookmark the search query for later use.

Here is the query:

The search results show the associated IPs, Events, Files, Tasks, Synchronization (events and mutexes created), and Network threats.  

From the Files tab, users can extract indicators and save them in JSON format.

Note: You can export data from any category, such as IPs, Events, Tasks, etc., in JSON. Additionally, users can view binary characteristics with static analysis or download the binary itself. 

We can confirm the exfiltration activity via Telegram within the Network threats tab.

Looking for LummaC2 samples and C2s 

To identify LummaC2 samples and C2 domains, we can use Lumma’s domains that are known to end with “.shop/api” via the following query:

The dollar sign ($) in a search represents the end of a string. When used in a search pattern, it ensures that the search string must match the end of the text being evaluated. So, using $ in the pattern “.shop/api$” ensures that the URL ends exactly with .shop/api and no other characters follow. 

From the search results, we identified 26 URLs and domains related to LummaC2, which can be exported and operationalized for further monitoring, blocking, or threat hunting within the security infrastructure. 

Searching for URLs Used to Retrieve DLL Dependencies and Pivoting on the ASN 

We know that some stealers, such as Vidar Stealer, RecordBreaker (Raccoon Stealer v2), and StealC, use additional DLL dependencies like “softokn3.dll” and “mozglue.dll” to facilitate data exfiltration from browsers, so we can create a query to look for URLs delivering the DLLs: 

From the results below, we can see the processes that initiated the connections to the URLs to retrieve the DLLs, along with the associated URLs, IP addresses, and the countries of origin for those IPs.

Additionally, we identified another pivot point with the ASN “1337team Limited”:

Pivoting on the ASN mentioned above revealed more events and IPs, some of which are associated with StealC, Redline, and Amadey activities.  

Searching for Interesting Samples Using MITRE  

Users can search for relevant samples using MITRE techniques or IDs. ANY.RUN provides predefined IDs and their definitions, eliminating the need to search for them elsewhere. 

We can look for phishing samples containing malicious QR codes via the following query, where T1566 is Phishing: 

Now, we can spice up the query and look for phishing links containing the Cloudflare challenge that is commonly used by Tycoon 2FA and other phishing kits: 

The query can also be adjusted to show the phishing samples with URL submissions only instead of the file attachments using the threatLevel “malicious” to avoid false positives:

Searching for samples using CommandLine 

We can search for Latrodectus downloader samples, which is known to drop the copy of itself under the “%AppData%\Custom_update\” path. We can leverage that knowledge to create a query that looks for command lines containing that path:

From the Synchronization tab, we notice the mutex “runnung” being used, so we can also leverage that to look for Latrodectus samples. 

We can also leverage CommandLine to look for malicious PowerShell commands, for example, while looking for a RobotDropper, aka LegionLoader samples.

So, for the query, we are going to grab a snippet of the base64-encoded command, which partially decodes to “$w=new-object”:

We have 13 samples that match our query, all of which are true positives.  

Searching for Gh0stRAT Samples and C2s from a Specific Country  

We can also create a query that searches for Gh0stRAT samples and C2s using “destinationIPgeo” as one of the search parameters; this query looks for Gh0stRAT samples that connect to servers located in China:

YARA Search 

In addition to the Threat Intelligence Lookup service, ANY.RUN offers YARA Search, enabling users to scan its database of collected and analyzed threat data using YARA rules, whether imported from the local machine or created on the fly. 

We can create a YARA rule to look for LummaC2 Stealer samples, and in under 10 seconds, we get the results, which is impressively fast. Users can also run multiple YARA scans in separate tabs.  

You can view the binary’s PE characteristics from the results, download it, and export the results in JSON format. 

Conclusion 

ANY.RUN’s Threat Intelligence Lookup and YARA Search services allow for precise threat hunting and the extraction of valuable insights into current cyber threat trends. What’s impressive is how fast these scans are—they significantly speed up the analysis process, allowing for quick detection of threats and malware. 

ANY.RUN is making it easier for organizations to take a proactive and informed stance on cybersecurity, which is essential in our constantly evolving threat landscape.

Test ANY.RUN’s Threat Intelligence Lookup and YARA Search in a free trial →