{"id":737,"date":"2020-09-16T08:22:00","date_gmt":"2020-09-16T08:22:00","guid":{"rendered":"http:\/\/blog.susp.io\/?p=737"},"modified":"2022-12-21T06:56:35","modified_gmt":"2022-12-21T06:56:35","slug":"indicators-tags","status":"publish","type":"post","link":"https:\/\/any.run\/cybersecurity-blog\/indicators-tags\/","title":{"rendered":"Indicators and Tags Used in ANY.RUN"},"content":{"rendered":"\n<p>If you have been using our malware hunting service for a while, you have probably seen tags and indicators that appear during the analysis. Usually, these interface elements are quite self-explanatory; however, some of them might not be immediately obvious.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2020\/09\/Tag-Screenshot-1-1024x469.png\" alt=\"Interface ANY.RUN\" class=\"wp-image-991\"\/><\/figure>\n\n\n\n<p>Every tag and indicator that appears on the screen carries important information, which is why it is crucial to understand each one. Let\u2019s go over the most commonly used tags and indicators that researchers come across during analysis.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Tags in ANY.RUN<\/h2>\n\n\n\n<p>We use tags to highlight malware types and software features. Tags can also be used to search public submissions for similar samples and analyses. Let\u2019s divide tags into several groups to add a little structure and make them easier to memorize.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Malware and Malware Family Tags<\/h3>\n\n\n\n<p>These are the most obvious tags, and you should already be familiar with them at this point. 
They show which family a malware sample belongs to, or name the malware itself.<\/p>\n\n\n\n<p>Here are some examples of malware family tags:<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>trojan<\/li><li>stealer<\/li><li>keylogger<\/li><li>loader<\/li><li>ransomware<\/li><li>installer<\/li><li>and others<\/li><\/ul>\n\n\n\n<p>And here are some examples of malware name tags that you will see when working with ANY.RUN:<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>azorult<\/li><li>bladabindi<\/li><li>dharma<\/li><li>dreambot<\/li><li>emotet<\/li><li>gandcrab<\/li><li>and more<\/li><\/ul>\n\n\n\n<p>We are not going to list every tag here, because there are over 400 of them. However, keep in mind that when an analysis or a sample is marked with a tag from this group, this is a clear and certain indication that you are dealing with a malicious program.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Macros Tags<\/h3>\n\n\n\n<p>While tags from the previous group are a definite indication that a program is malicious, some tag groups show that you should approach a sample with suspicion. One such group is macros tags:<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>macros<\/li><li>macros-on-close<\/li><li>macros-on-open<\/li><\/ul>\n\n\n\n<p>A macro is a user-defined rule or sequence of actions. Macros are typically used to automate routine actions in Microsoft Office files. When launching a macro, the user starts a predefined chain of actions within the program, such as interactions with the menus, mouse clicks, and virtual keyboard presses.<\/p>\n\n\n\n<p>A macro by itself is completely legitimate and may be harmless. In fact, it is probably no overstatement to say that all advanced users of programs like Microsoft Office use macros daily. However, for a security researcher, a macro is a clear red flag. 
It is no secret that hackers have been using macros to secretly install malware on targeted machines for years.<\/p>\n\n\n\n<p>Note that the <em>macros-on-close<\/em> tag indicates that the macro executes when the user closes the document, while <em>macros-on-open<\/em> indicates that it executes when the user opens the file.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">The OLE Tag<\/h3>\n\n\n\n<p>A tag similar to the macros tags is the <em>ole-embedded<\/em> tag.<\/p>\n\n\n\n<p>Object Linking &amp; Embedding, or OLE, is a proprietary technology developed by Microsoft. OLE enables users to embed or link documents or objects inside a file. The technology works similarly to macros and can also be used with malicious intent.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Potentially Unwanted Programs (PUP) Tags<\/h3>\n\n\n\n<p>Potentially unwanted programs are those that the user installs willingly, disregarding the fact that the program is of no use to them. An example of a PUP is adware or other spam-related software that comes bundled with a program which the user actually wants.<\/p>\n\n\n\n<p>Software like this can be used to gain remote control over a system or simply to show ads. These tags are therefore also important for malware analysis.<\/p>\n\n\n\n<p>This group includes the following tags:<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>lavasoft<\/li><li>pup<\/li><li>teamviewer<\/li><li>unwanted<\/li><li>pua<\/li><\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Maldoc Tags<\/h3>\n\n\n\n<p>Maldoc is short for malicious document. Hackers have been using infected documents to spread malware for a long time. However, cybercriminals are constantly changing and improving their lures.<\/p>\n\n\n\n<p>In ANY.RUN, we have created around 50 maldoc tags and classified them by similarity. 
Different malicious documents are known to spread specific malware samples; however, since threat actors constantly modify their attack vectors, maldocs rarely stay the same for long.<\/p>\n\n\n\n<p>When you encounter a maldoc tag, you can be one hundred percent certain that you are dealing with a malicious document. Some of the most commonly encountered maldoc tags are:<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>maldoc-21<\/li><li>maldoc-47<\/li><li>emotet-doc<\/li><li>ta505<\/li><\/ul>\n\n\n\n<p>The <em>emotet-doc<\/em> tag indicates a file that spreads the Emotet Trojan, while the <em>ta505<\/em> tag points at maldocs used by the TA505 cybergang, who spread Dridex, FlawedAmmyy, and Trickbot malware.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Phishing Tags<\/h3>\n\n\n\n<p>These tags indicate documents and websites that mislead users by their appearance in order to steal personal information. Some common examples of tags from this group are:<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>phish-pdf<\/li><li>phish-microsoft<\/li><li>phish-onedrive<\/li><li>phish-outlook<\/li><\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">CVE Tags<\/h3>\n\n\n\n<p>CVE, or Common Vulnerabilities and Exposures, is the public database of known vulnerabilities and the record format it uses. Each CVE entry contains an identifier, a description, and a set of links to references and useful resources. In ANY.RUN, CVE tags are added to malware that exploits the corresponding vulnerabilities. Some examples of common tags in this category are:<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>CVE-2017-11882<\/li><li>CVE-2018-4878<\/li><\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">The Obfuscated Tag<\/h3>\n\n\n\n<p>Code obfuscation is the practice of deliberately writing code that is hard for humans to read, in order to hide the true intent of the program or its logic. 
As such, the <em>obfuscated<\/em> tag points at programs that employ this practice.<\/p>\n\n\n\n<p>By itself, code obfuscation is not illegal, and sometimes it is even used for security purposes. However, since it is also commonly used by threat actors, any sample marked with this tag is suspicious at the very least.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">The Exploit Tag<\/h3>\n\n\n\n<p>An exploit is code that takes advantage of a known vulnerability or a weak spot in cyber defenses. Exploits are usually created with malicious intent; however, they can also be written by cybersecurity professionals for penetration testing.<\/p>\n\n\n\n<p>Exploits can be used to infiltrate a network, gain elevated access, or drop malware onto infected machines.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">The Generated-doc Tag<\/h3>\n\n\n\n<p>This tag indicates documents that were generated by a program. A common trait of such documents is that the timestamps for file creation, editing, and adding information are identical, which would be completely impossible if the file had been created by a human. After all, we can only perform these actions one after another. A lot of malware samples create files and directories, which means that security researchers should pay additional attention to automatically generated files.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">The Opendir Tag<\/h3>\n\n\n\n<p>Many websites today contain directories that are open by mistake or by design. Unfortunately, open directories often become compromised by criminals. Threat actors use them to spread malicious content or to store stolen data.<\/p>\n\n\n\n<p>Tasks that are marked with this tag may contain a malicious document. 
Additionally, it can be a good idea to search open directories for signs of malware or to analyze their content to determine what kind of data a certain malware sample may be stealing.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Indicators in ANY.RUN<\/h2>\n\n\n\n<p>Along with tags, <a href=\"https:\/\/any.run\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=in-house&amp;utm_content=indicators\" target=\"_blank\" rel=\"noreferrer noopener\" aria-label=\"ANY.RUN (opens in a new tab)\">ANY.RUN<\/a> also uses a set of visual indicators. These are icons that provide important information during analysis. Indicators can show events, execution stages, and processes. Here is the full list of indicators that the service uses:<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/tagindicator.png\" alt=\"ANY.RUN Indicators\" class=\"wp-image-752\"\/><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\">Conclusion<\/h2>\n\n\n\n<p>Memorizing the tags and indicators listed in this article will help to streamline your workflow and make malware analysis with <a href=\"https:\/\/any.run\/\">ANY.RUN<\/a> even faster. Since ANY.RUN has to use hundreds of tags to cover every known malware family and strain, there is a lot to keep in mind.<\/p>\n\n\n\n<p>So if you still feel uncertain about a particular tag or icon, don\u2019t hesitate to contact our support team or message us through our social media pages, and we will be happy to explain everything in detail.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>If you have been using our malware hunting service for a while, you have probably seen tags and indicators that appear during the analysis. Usually, these interface elements are quite self-explanatory; however, some of them might not be immediately obvious. 
Every tag and indicator that appears on the screen carries important information, that\u2019s why it [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":3135,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[6],"tags":[42,43],"class_list":["post-737","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-instructions","tag-indicators","tag-tags"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v20.10 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>Indicators &amp; Tags in analysis - ANY.RUN Blog<\/title>\n<meta name=\"description\" content=\"Every tag and indicator that appears on the screen carries important information. Let\u2019s go over the most commonly used while malware analysis.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/any.run\/cybersecurity-blog\/indicators-tags\/\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"ANY.RUN\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"6 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/indicators-tags\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/indicators-tags\/\"},\"author\":{\"name\":\"ANY.RUN\",\"@id\":\"https:\/\/any.run\/\"},\"headline\":\"Indicators and Tags Used in ANY.RUN\",\"datePublished\":\"2020-09-16T08:22:00+00:00\",\"dateModified\":\"2022-12-21T06:56:35+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/indicators-tags\/\"},\"wordCount\":1249,\"commentCount\":3,\"publisher\":{\"@id\":\"https:\/\/any.run\/\"},\"keywords\":[\"Indicators\",\"Tags\"],\"articleSection\":[\"Instructions on ANY.RUN\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\/\/any.run\/cybersecurity-blog\/indicators-tags\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/indicators-tags\/\",\"url\":\"https:\/\/any.run\/cybersecurity-blog\/indicators-tags\/\",\"name\":\"Indicators & Tags in analysis - ANY.RUN Blog\",\"isPartOf\":{\"@id\":\"https:\/\/any.run\/\"},\"datePublished\":\"2020-09-16T08:22:00+00:00\",\"dateModified\":\"2022-12-21T06:56:35+00:00\",\"description\":\"Every tag and indicator that appears on the screen carries important information. 
Let\u2019s go over the most commonly used while malware analysis.\",\"breadcrumb\":{\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/indicators-tags\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/any.run\/cybersecurity-blog\/indicators-tags\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/indicators-tags\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/any.run\/cybersecurity-blog\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Guest Posts\",\"item\":\"https:\/\/any.run\/cybersecurity-blog\/category\/guest-posts\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"Indicators and Tags Used in ANY.RUN\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/any.run\/\",\"url\":\"https:\/\/any.run\/\",\"name\":\"ANY.RUN&#039;s Cybersecurity Blog\",\"description\":\"Cybersecurity Blog covers topics for experienced professionals as well as for those new to it.\",\"publisher\":{\"@id\":\"https:\/\/any.run\/\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/any.run\/?s={search_term_string}\"},\"query-input\":\"required 
name=search_term_string\"}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/any.run\/\",\"name\":\"ANY.RUN\",\"url\":\"https:\/\/any.run\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/any.run\/\",\"url\":\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg\",\"contentUrl\":\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg\",\"width\":1,\"height\":1,\"caption\":\"ANY.RUN\"},\"image\":{\"@id\":\"https:\/\/any.run\/\"},\"sameAs\":[\"https:\/\/www.facebook.com\/www.any.run\/\",\"https:\/\/twitter.com\/anyrun_app\",\"https:\/\/www.linkedin.com\/company\/30692044\",\"https:\/\/www.youtube.com\/channel\/UCOgCPho7lzmH7m6fPNlukrQ\"]},{\"@type\":\"Person\",\"@id\":\"https:\/\/any.run\/\",\"name\":\"ANY.RUN\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/any.run\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/c4ce3a6c672056b4a8cd6b0110782215?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/c4ce3a6c672056b4a8cd6b0110782215?s=96&d=mm&r=g\",\"caption\":\"ANY.RUN\"},\"url\":\"https:\/\/any.run\/cybersecurity-blog\/author\/a-bespalova\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Indicators & Tags in analysis - ANY.RUN Blog","description":"Every tag and indicator that appears on the screen carries important information. Let\u2019s go over the most commonly used while malware analysis.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/any.run\/cybersecurity-blog\/indicators-tags\/","twitter_misc":{"Written by":"ANY.RUN","Est. 
reading time":"6 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/any.run\/cybersecurity-blog\/indicators-tags\/#article","isPartOf":{"@id":"https:\/\/any.run\/cybersecurity-blog\/indicators-tags\/"},"author":{"name":"ANY.RUN","@id":"https:\/\/any.run\/"},"headline":"Indicators and Tags Used in ANY.RUN","datePublished":"2020-09-16T08:22:00+00:00","dateModified":"2022-12-21T06:56:35+00:00","mainEntityOfPage":{"@id":"https:\/\/any.run\/cybersecurity-blog\/indicators-tags\/"},"wordCount":1249,"commentCount":3,"publisher":{"@id":"https:\/\/any.run\/"},"keywords":["Indicators","Tags"],"articleSection":["Instructions on ANY.RUN"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/any.run\/cybersecurity-blog\/indicators-tags\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/any.run\/cybersecurity-blog\/indicators-tags\/","url":"https:\/\/any.run\/cybersecurity-blog\/indicators-tags\/","name":"Indicators & Tags in analysis - ANY.RUN Blog","isPartOf":{"@id":"https:\/\/any.run\/"},"datePublished":"2020-09-16T08:22:00+00:00","dateModified":"2022-12-21T06:56:35+00:00","description":"Every tag and indicator that appears on the screen carries important information. 
Let\u2019s go over the most commonly used while malware analysis.","breadcrumb":{"@id":"https:\/\/any.run\/cybersecurity-blog\/indicators-tags\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/any.run\/cybersecurity-blog\/indicators-tags\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/any.run\/cybersecurity-blog\/indicators-tags\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/any.run\/cybersecurity-blog\/"},{"@type":"ListItem","position":2,"name":"Guest Posts","item":"https:\/\/any.run\/cybersecurity-blog\/category\/guest-posts\/"},{"@type":"ListItem","position":3,"name":"Indicators and Tags Used in ANY.RUN"}]},{"@type":"WebSite","@id":"https:\/\/any.run\/","url":"https:\/\/any.run\/","name":"ANY.RUN&#039;s Cybersecurity Blog","description":"Cybersecurity Blog covers topics for experienced professionals as well as for those new to it.","publisher":{"@id":"https:\/\/any.run\/"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/any.run\/?s={search_term_string}"},"query-input":"required 
name=search_term_string"}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/any.run\/","name":"ANY.RUN","url":"https:\/\/any.run\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/any.run\/","url":"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg","contentUrl":"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg","width":1,"height":1,"caption":"ANY.RUN"},"image":{"@id":"https:\/\/any.run\/"},"sameAs":["https:\/\/www.facebook.com\/www.any.run\/","https:\/\/twitter.com\/anyrun_app","https:\/\/www.linkedin.com\/company\/30692044","https:\/\/www.youtube.com\/channel\/UCOgCPho7lzmH7m6fPNlukrQ"]},{"@type":"Person","@id":"https:\/\/any.run\/","name":"ANY.RUN","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/any.run\/","url":"https:\/\/secure.gravatar.com\/avatar\/c4ce3a6c672056b4a8cd6b0110782215?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/c4ce3a6c672056b4a8cd6b0110782215?s=96&d=mm&r=g","caption":"ANY.RUN"},"url":"https:\/\/any.run\/cybersecurity-blog\/author\/a-bespalova\/"}]}},"_links":{"self":[{"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/posts\/737"}],"collection":[{"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/comments?post=737"}],"version-history":[{"count":1,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/posts\/737\/revisions"}],"predecessor-version":[{"id":3816,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/posts\/737\/revisions\/3816"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/media\/3135"}],"wp:a
ttachment":[{"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/media?parent=737"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/categories?post=737"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/tags?post=737"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}