{"id":7020,"date":"2024-02-13T08:22:34","date_gmt":"2024-02-13T08:22:34","guid":{"rendered":"\/cybersecurity-blog\/?p=7020"},"modified":"2024-09-20T12:15:16","modified_gmt":"2024-09-20T12:15:16","slug":"ti-lookup-use-case","status":"publish","type":"post","link":"https:\/\/any.run\/cybersecurity-blog\/ti-lookup-use-case\/","title":{"rendered":"ANY.RUN TI Lookup: a Phishing Case Study"},"content":{"rendered":"\n<p>At ANY.RUN, we\u2019ve recently <a href=\"https:\/\/any.run\/cybersecurity-blog\/introducing-any-run-threat-intelligence-lookup\/\" target=\"_blank\" rel=\"noreferrer noopener\">released<\/a> our new Threat Intelligence Lookup service.&nbsp;&nbsp;<\/p>\n\n\n\n<p>This tool opens up incredible opportunities for leveraging our extensive threat intelligence database more effectively. In this article, we aim to demonstrate how <strong>our advanced search capabilities can help you respond to security incidents more quickly and accurately<\/strong>.&nbsp;<\/p>\n\n\n\n<p><strong>In this article, we\u2019re going to walk you through a realistic example of a phishing attack<\/strong>. But before we dive into the specifics, let\u2019s quickly recap: what is ANY.RUN Threat Intelligence Lookup and who is this service for?&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">What is ANY.RUN Threat Intelligence Lookup?&nbsp;<\/h2>\n\n\n\n<p>ANY.RUN Threat Intelligence Lookup is a contextual search service available online and through an API. 
It works by indexing and analyzing data from millions of public interactive analysis sessions, also called simply \u201ctasks,\u201d which our community of over 300,000 researchers and 300 enterprises runs in the ANY.RUN sandbox.&nbsp;<\/p>\n\n\n\n<p>The main goal of this tool is to help your security team connect an isolated indicator to a specific threat.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"566\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/02\/pic1-1024x566.png\" alt=\"\" class=\"wp-image-7021\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/02\/pic1-1024x566.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/02\/pic1-300x166.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/02\/pic1-768x424.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/02\/pic1-1536x849.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/02\/pic1-370x204.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/02\/pic1-270x149.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/02\/pic1-740x409.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/02\/pic1.png 1600w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\">Search results show that IP \u201c185.216.70.238\u201d&nbsp; is linked to RisePro malware&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<p>For example, if you spot an unfamiliar IP in your network logs, figuring out its nature might take a while. However, it&#8217;s likely that this IP has already been recorded in a sandbox task. By querying for this IP in the Threat Intelligence Lookup, you can quickly find linked analysis sessions. <\/p>\n\n\n\n<p>In many cases, this is enough to identify the malware family by name. 
You&#8217;ll also get related details such as ports, URLs, and file hashes in the search results.&nbsp;<\/p>\n\n\n\n<p>Of course, besides IPs you can use many other parameters to query our Threat Intelligence database. 
<strong>There are over 30 parameters in total to help you build queries as wide or as specific as you need.<\/strong> Here are some of them:&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>IOCs:<\/strong> file hashes, URLs&nbsp;<\/li>\n\n\n\n<li><strong>Events:<\/strong> command line, registry path.&nbsp;<\/li>\n\n\n\n<li><strong>Threat details: <\/strong>Suricata messages or Suricata id&nbsp;<\/li>\n\n\n\n<li>And many others&nbsp;&nbsp;<\/li>\n<\/ul>\n\n\n\n<p>For a full list of supported parameters, read our <a href=\"https:\/\/any.run\/cybersecurity-blog\/introducing-any-run-threat-intelligence-lookup\/\" target=\"_blank\" rel=\"noreferrer noopener\">TI Lookup introduction post<\/a>.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Phishing attack: setting the stage for our case study&nbsp;<\/h2>\n\n\n\n<p>Let&#8217;s get back to the case study and outline the scenario our security team is facing.&nbsp;<\/p>\n\n\n\n<p>(Note: This case study is based on our real-world experience, but it does not reflect a specific attack on our clients or anyone else.)&nbsp;<\/p>\n\n\n\n<p>The security team received an alert from an employee about a possible phishing attempt. The employee downloaded an Office attachment from an email, and despite observing odd behavior, followed instructions to enable Macros. 
In hindsight, it triggered an alarm, which led to the report.&nbsp;<\/p>\n\n\n\n<p>Now, it&#8217;s up to the security analysts to examine the employee&#8217;s workstation, which may have been compromised.&nbsp;<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Step 1: Explaining a Suspicious Command Line&nbsp;&nbsp;<\/h3>\n\n\n\n<p>As usual in situations like this, let&#8217;s begin by examining the logs from the intrusion detection and response (IDR) system.&nbsp;<\/p>\n\n\n\n<p>Going through these logs, we come across a highlighted PowerShell process with the term <strong>$codigo<\/strong> in the command line.&nbsp;&nbsp;<\/p>\n\n\n\n<p>The term <strong>$codigo<\/strong> seems unfamiliar, but what exactly could it be? An analyst lacking access to Threat Intelligence Lookup might turn to a generic internet search to answer this question, which could be time-consuming, unfruitful, or both.&nbsp;&nbsp;<\/p>\n\n\n\n<p>Fortunately, we have a better tool at our disposal: <strong>Threat Intelligence Lookup.<\/strong><\/p>\n\n\n\n<figure class=\"wp-block-video aligncenter\"><video controls src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/02\/Video-1-small.mp4\"><\/video><figcaption class=\"wp-element-caption\">ImagePath:&quot;powershell&quot; AND CommandLine:&quot;$codigo&quot;<\/figcaption><\/figure>\n\n\n\n<p>By searching with the query <strong>ImagePath:&quot;powershell&quot; AND CommandLine:&quot;$codigo&quot;<\/strong>, as the video above shows, we uncover numerous command lines from tasks containing the <strong>$codigo<\/strong> keyword. By exploring the <strong>Events tab<\/strong>, we get a more detailed view of these command lines and notice that some tasks are tagged with &#8220;<strong>stegocampaign<\/strong>.&#8221;&nbsp;<\/p>\n\n\n\n<p>This indicates the workstation might have been compromised by a cyberattack. 
However, we need more detailed information to identify the specific malware family involved.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Step 2: Identifying the Malware Family&nbsp;<\/h3>\n\n\n\n<p>We&#8217;re making progress but need to refine our search. 
Another hint from the IDR logs is that the suspected infected machine connected to port 2404, which isn&#8217;t typically used in our network infrastructure.&nbsp;<\/p>\n\n\n\n<p>To incorporate this new information, we&#8217;ll adjust our query as follows: <strong>ImagePath:&quot;powershell&quot; AND CommandLine:&quot;$codigo&quot; AND DestinationPort:&quot;2404&quot;<\/strong>.&nbsp;<\/p>\n\n\n\n<figure class=\"wp-block-video aligncenter\"><video controls src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/02\/video-2-small.mp4\"><\/video><figcaption class=\"wp-element-caption\">ImagePath:&quot;powershell&quot; AND CommandLine:&quot;$codigo&quot; AND DestinationPort:&quot;2404&quot;<\/figcaption><\/figure>\n\n\n\n<p>As the video above shows, this updated search gives us fewer tasks, but most of them are clearly linked to the Remcos malware family. Remcos is a well-known Remote Access Trojan that frequently uses PowerShell, which matches the symptoms we found earlier.&nbsp;<\/p>\n\n\n\n<p>Threat Intelligence Lookup also displays malicious IP addresses that were discovered in the tasks. 
We can use these IPs to investigate further and better understand the malware&#8217;s behavior.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Step 3: Using IP address to investigate Remcos&nbsp;<\/h3>\n\n\n\n<p>To confirm that we\u2019re dealing with Remcos, we&#8217;ll write a query that merges a network rule name with the IP address linked to port 2404. Also, we&#8217;ll refine our search to show only tasks from the last 7 days. 
It will look like this: <strong>RuleName:&quot;remcos&quot; AND DestinationIp:&quot;107.172.31.178&quot;<\/strong>&nbsp;<\/p>\n\n\n\n<figure class=\"wp-block-video aligncenter\"><video controls src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/02\/Video-3-small.mp4\"><\/video><figcaption class=\"wp-element-caption\">RuleName:&quot;remcos&quot; AND DestinationIp:&quot;107.172.31.178&quot;<\/figcaption><\/figure>\n\n\n\n<p>The query returns one task linked to the specified IP tagged with Remcos. At this point, we can conclusively identify Remcos as the malware on the infected workstation.&nbsp;<\/p>\n\n\n\n<figure class=\"wp-block-video aligncenter\"><video controls src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/02\/Video-4-small.mp4\"><\/video><figcaption class=\"wp-element-caption\">Let&#8217;s open the task in the ANY.RUN sandbox<\/figcaption><\/figure>\n\n\n\n<p>But let\u2019s not stop here. By opening this sandbox task we can dissect all malicious TTPs associated with Remcos, utilizing ANY.RUN\u2019s MITRE ATT&amp;CK Matrix. 
We can also examine the details of malicious processes initiated by the malware.\u00a0<\/p>\n\n\n\n<p>We can then collect IOCs provided by the sandbox, with options to download a report in HTML or JSON format to configure firewalls, SIEM and SOAR systems against this Remcos variant.&nbsp;<\/p>\n\n\n\n<p>This illustrates just one of the many ways ANY.RUN&#8217;s Threat Intelligence Lookup can be a critical asset for cybersecurity analysts.\u00a0<\/p>\n\n\n\n<figure class=\"wp-block-embed is-type-video is-provider-youtube wp-block-embed-youtube wp-embed-aspect-16-9 wp-has-aspect-ratio\"><div class=\"wp-block-embed__wrapper\">\n<iframe loading=\"lazy\" title=\"Introducing Threat Intelligence Lookup: Phishing Use Case\" width=\"770\" height=\"433\" src=\"https:\/\/www.youtube.com\/embed\/KgoPJnI2f2M?feature=oembed\" frameborder=\"0\" allow=\"accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture; web-share\" referrerpolicy=\"strict-origin-when-cross-origin\" allowfullscreen><\/iframe>\n<\/div><\/figure>\n\n\n\n<p>If you want the ultimate benefit, consider using ANY.RUN sandbox and Threat Intelligence Lookup together.<\/p>\n\n\n\n<p>We\u2019re also offering a trial with 20 search queries for existing ANY.RUN clients who have purchased the Searcher plan or above. Reach out to our sales team to gain access to the trial, find out more about the platform, or discuss pricing options.&nbsp;&nbsp;<\/p>\n\n\n\n<p><a href=\"https:\/\/intelligence.any.run\/plans\/?utm_source=blog&amp;utm_medium=article&amp;utm_campaign=lookupusecase&amp;utm_content=linktolookup&amp;utm_term=130224\" target=\"_blank\" rel=\"noreferrer noopener\">Contact sales \u2192&nbsp;<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>At ANY.RUN, we\u2019ve recently released our new Threat Intelligence Lookup service.&nbsp;&nbsp; This tool opens up incredible opportunities for leveraging our extensive threat intelligence database more effectively. 
In this article, we aim to demonstrate how our advanced search capabilities can help you respond to security incidents more quickly and accurately.&nbsp; In this article, we\u2019re going to [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":7027,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[57,10,40],"class_list":["post-7020","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-training","tag-anyrun","tag-cybersecurity","tag-malware-behavior"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v20.10 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>ANY.RUN TI Lookup: a Phishing Case Study - ANY.RUN&#039;s Cybersecurity Blog<\/title>\n<meta name=\"description\" content=\"Explore a realistic scenario of investigating a phishing attack using ANY.RUN&#039;s Threat Intelligence Lookup.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/any.run\/cybersecurity-blog\/ti-lookup-use-case\/\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"y.shvetsov\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"5 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/ti-lookup-use-case\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/ti-lookup-use-case\/\"},\"author\":{\"name\":\"y.shvetsov\",\"@id\":\"https:\/\/any.run\/\"},\"headline\":\"ANY.RUN TI Lookup: a Phishing Case Study\",\"datePublished\":\"2024-02-13T08:22:34+00:00\",\"dateModified\":\"2024-09-20T12:15:16+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/ti-lookup-use-case\/\"},\"wordCount\":1108,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\/\/any.run\/\"},\"keywords\":[\"ANYRUN\",\"cybersecurity\",\"malware behavior\"],\"articleSection\":[\"Analyst Training\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\/\/any.run\/cybersecurity-blog\/ti-lookup-use-case\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/ti-lookup-use-case\/\",\"url\":\"https:\/\/any.run\/cybersecurity-blog\/ti-lookup-use-case\/\",\"name\":\"ANY.RUN TI Lookup: a Phishing Case Study - ANY.RUN&#039;s Cybersecurity Blog\",\"isPartOf\":{\"@id\":\"https:\/\/any.run\/\"},\"datePublished\":\"2024-02-13T08:22:34+00:00\",\"dateModified\":\"2024-09-20T12:15:16+00:00\",\"description\":\"Explore a realistic scenario of investigating a phishing attack using ANY.RUN's Threat Intelligence 
Lookup.\",\"breadcrumb\":{\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/ti-lookup-use-case\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/any.run\/cybersecurity-blog\/ti-lookup-use-case\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/ti-lookup-use-case\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/any.run\/cybersecurity-blog\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Analyst Training\",\"item\":\"https:\/\/any.run\/cybersecurity-blog\/category\/training\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"ANY.RUN TI Lookup: a Phishing Case Study\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/any.run\/\",\"url\":\"https:\/\/any.run\/\",\"name\":\"ANY.RUN&#039;s Cybersecurity Blog\",\"description\":\"Cybersecurity Blog covers topics for experienced professionals as well as for those new to it.\",\"publisher\":{\"@id\":\"https:\/\/any.run\/\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/any.run\/?s={search_term_string}\"},\"query-input\":\"required 
name=search_term_string\"}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/any.run\/\",\"name\":\"ANY.RUN\",\"url\":\"https:\/\/any.run\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/any.run\/\",\"url\":\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg\",\"contentUrl\":\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg\",\"width\":1,\"height\":1,\"caption\":\"ANY.RUN\"},\"image\":{\"@id\":\"https:\/\/any.run\/\"},\"sameAs\":[\"https:\/\/www.facebook.com\/www.any.run\/\",\"https:\/\/twitter.com\/anyrun_app\",\"https:\/\/www.linkedin.com\/company\/30692044\",\"https:\/\/www.youtube.com\/channel\/UCOgCPho7lzmH7m6fPNlukrQ\"]},{\"@type\":\"Person\",\"@id\":\"https:\/\/any.run\/\",\"name\":\"y.shvetsov\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/any.run\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/d0d0a5df59078efed19ba1b45c4fb721?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/d0d0a5df59078efed19ba1b45c4fb721?s=96&d=mm&r=g\",\"caption\":\"y.shvetsov\"},\"url\":\"https:\/\/any.run\/cybersecurity-blog\/author\/y-shvetsov\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"ANY.RUN TI Lookup: a Phishing Case Study - ANY.RUN&#039;s Cybersecurity Blog","description":"Explore a realistic scenario of investigating a phishing attack using ANY.RUN's Threat Intelligence Lookup.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/any.run\/cybersecurity-blog\/ti-lookup-use-case\/","twitter_misc":{"Written by":"y.shvetsov","Est. 
reading time":"5 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/any.run\/cybersecurity-blog\/ti-lookup-use-case\/#article","isPartOf":{"@id":"https:\/\/any.run\/cybersecurity-blog\/ti-lookup-use-case\/"},"author":{"name":"y.shvetsov","@id":"https:\/\/any.run\/"},"headline":"ANY.RUN TI Lookup: a Phishing Case Study","datePublished":"2024-02-13T08:22:34+00:00","dateModified":"2024-09-20T12:15:16+00:00","mainEntityOfPage":{"@id":"https:\/\/any.run\/cybersecurity-blog\/ti-lookup-use-case\/"},"wordCount":1108,"commentCount":0,"publisher":{"@id":"https:\/\/any.run\/"},"keywords":["ANYRUN","cybersecurity","malware behavior"],"articleSection":["Analyst Training"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/any.run\/cybersecurity-blog\/ti-lookup-use-case\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/any.run\/cybersecurity-blog\/ti-lookup-use-case\/","url":"https:\/\/any.run\/cybersecurity-blog\/ti-lookup-use-case\/","name":"ANY.RUN TI Lookup: a Phishing Case Study - ANY.RUN&#039;s Cybersecurity Blog","isPartOf":{"@id":"https:\/\/any.run\/"},"datePublished":"2024-02-13T08:22:34+00:00","dateModified":"2024-09-20T12:15:16+00:00","description":"Explore a realistic scenario of investigating a phishing attack using ANY.RUN's Threat Intelligence Lookup.","breadcrumb":{"@id":"https:\/\/any.run\/cybersecurity-blog\/ti-lookup-use-case\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/any.run\/cybersecurity-blog\/ti-lookup-use-case\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/any.run\/cybersecurity-blog\/ti-lookup-use-case\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/any.run\/cybersecurity-blog\/"},{"@type":"ListItem","position":2,"name":"Analyst 
Training","item":"https:\/\/any.run\/cybersecurity-blog\/category\/training\/"},{"@type":"ListItem","position":3,"name":"ANY.RUN TI Lookup: a Phishing Case Study"}]},{"@type":"WebSite","@id":"https:\/\/any.run\/","url":"https:\/\/any.run\/","name":"ANY.RUN&#039;s Cybersecurity Blog","description":"Cybersecurity Blog covers topics for experienced professionals as well as for those new to it.","publisher":{"@id":"https:\/\/any.run\/"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/any.run\/?s={search_term_string}"},"query-input":"required name=search_term_string"}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/any.run\/","name":"ANY.RUN","url":"https:\/\/any.run\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/any.run\/","url":"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg","contentUrl":"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg","width":1,"height":1,"caption":"ANY.RUN"},"image":{"@id":"https:\/\/any.run\/"},"sameAs":["https:\/\/www.facebook.com\/www.any.run\/","https:\/\/twitter.com\/anyrun_app","https:\/\/www.linkedin.com\/company\/30692044","https:\/\/www.youtube.com\/channel\/UCOgCPho7lzmH7m6fPNlukrQ"]},{"@type":"Person","@id":"https:\/\/any.run\/","name":"y.shvetsov","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/any.run\/","url":"https:\/\/secure.gravatar.com\/avatar\/d0d0a5df59078efed19ba1b45c4fb721?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/d0d0a5df59078efed19ba1b45c4fb721?s=96&d=mm&r=g","caption":"y.shvetsov"},"url":"https:\/\/any.run\/cybersecurity-blog\/author\/y-shvetsov\/"}]}},"_links":{"self":[{"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/posts\/7020"}],"collection":[{"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/types
\/post"}],"author":[{"embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/comments?post=7020"}],"version-history":[{"count":6,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/posts\/7020\/revisions"}],"predecessor-version":[{"id":8865,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/posts\/7020\/revisions\/8865"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/media\/7027"}],"wp:attachment":[{"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/media?parent=7020"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/categories?post=7020"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/tags?post=7020"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}