{"id":8417,"date":"2024-07-29T12:11:06","date_gmt":"2024-07-29T12:11:06","guid":{"rendered":"\/cybersecurity-blog\/?p=8417"},"modified":"2024-10-04T13:17:30","modified_gmt":"2024-10-04T13:17:30","slug":"malconf-in-ti-lookup","status":"publish","type":"post","link":"https:\/\/any.run\/cybersecurity-blog\/malconf-in-ti-lookup\/","title":{"rendered":"Collect and Use IOCs from Malware Configs <br> in TI Lookup\u00a0"},"content":{"rendered":"\n<p><a href=\"https:\/\/any.run\/cybersecurity-blog\/how-we-process-iocs\/\" target=\"_blank\" rel=\"noreferrer noopener\">Indicators of compromise<\/a> (IOCs) are essential for proactive cybersecurity. They help you identify and respond to threats effectively. However, getting high-quality IOCs can be difficult: the best source for this data is the malware\u2019s own code, and analyzing it often requires hours of intensive work.&nbsp;<\/p>\n\n\n\n<p><a href=\"https:\/\/any.run\/\" target=\"_blank\" rel=\"noreferrer noopener\">ANY.RUN<\/a> sandbox users know that config-extracted indicators can be easily found in <a href=\"https:\/\/any.run\/cybersecurity-blog\/malware-configuration\/\" target=\"_blank\" rel=\"noreferrer noopener\"><em>MalConf<\/em> reports<\/a>.&nbsp;<\/p>\n\n\n\n<p>Now, these are also available through <a href=\"https:\/\/any.run\/cybersecurity-blog\/introducing-any-run-threat-intelligence-lookup\/\" target=\"_blank\" rel=\"noreferrer noopener\">Threat Intelligence Lookup<\/a>.&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Quick Brief on TI Lookup&nbsp;<\/h2>\n\n\n\n<p>Threat Intelligence Lookup from ANY.RUN is a service with continuously updated threat data pulled from millions of sandbox analysis sessions. 
&nbsp;<\/p>\n\n\n\n<p>It is continuously fed with the latest phishing and malware samples uploaded to ANY.RUN\u2019s <em><a href=\"https:\/\/app.any.run\/submissions\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=malconf_in_lookup&amp;utm_term=290724&amp;utm_content=linktoservice\/\" target=\"_blank\" rel=\"noreferrer noopener\">Public submissions<\/a> <\/em>database by our international community of 400,000 security professionals.&nbsp;<\/p>\n\n\n\n<p>Whether you are investigating an incident or hunting for emerging threats, TI Lookup allows you to:&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Search through the latest malware and phishing threat data<\/li>\n<li>Refine your searches using over 40 parameters, their combinations, and wildcards<\/li>\n<li>Get results quickly, each linked to a corresponding sandbox session<\/li>\n<li>Use <a href=\"https:\/\/any.run\/cybersecurity-blog\/yara-search\/\" target=\"_blank\" rel=\"noreferrer noopener\">YARA Search<\/a> with a built-in rule editor<\/li>\n<li>Integrate with your security systems via the API<\/li>\n<\/ul>\n\n\n\n<p>With TI Lookup, you can improve your cybersecurity efforts with precise and actionable IOCs. This not only helps in identifying current threats but also aids in predicting and preventing future attacks.&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Access IOCs Extracted from Malware Configurations in TI Lookup&nbsp;<\/h2>\n\n\n\n<p>TI Lookup now includes indicators of compromise that our analyst team has manually extracted from the configurations of reverse-engineered malware samples.&nbsp;<\/p>\n\n\n\n<p>Currently, you can access config-extracted IOCs for 79 malware families. 
Each such indicator is labeled with the &#8220;<strong>malconf<\/strong>&#8221; tag, making it easy to identify.&nbsp;<\/p>\n\n\n\n<p>Let\u2019s explore a few use cases to show you how the new feature works.&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Malconf Use Cases in TI Lookup&nbsp;<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Case 1: Finding C2 Domains of Remcos<\/h3>\n\n\n\n<p>With TI Lookup, you can find \u201cmalconf\u201d indicators for a certain malware family. 
Use this combined search query to find C2 domains for <a href=\"https:\/\/any.run\/malware-trends\/remcos\" target=\"_blank\" rel=\"noreferrer noopener\">Remcos<\/a>:&nbsp;<\/p>\n\n\n\n<div class=\"wpdt-c row wpDataTableContainerSimpleTable wpDataTables wpDataTablesWrapper\n\"\n    >\n        <table id=\"wpdtSimpleTable-125\"\n           style=\"border-collapse:collapse;\n                   border-spacing:0px;\"\n           class=\"wpdtSimpleTable wpDataTable\"\n           data-column=\"1\"\n           data-rows=\"1\"\n           data-wpID=\"125\"\n           data-responsive=\"0\"\n           data-has-header=\"0\">\n\n                    <tbody>        <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"A1\"\n                    data-col-index=\"0\"\n                    data-row-index=\"0\"\n                    style=\" width:100%;                    padding:10px;\n                    \"\n                    >\n                                        <a class=\"wpdt-link-content\" style=\"color: #009cff; text-decoration: underline\" href=\"https:\/\/intelligence.any.run\/analysis\/lookup#%7B%2522query%2522:%2522threatName:%255C%2522remcos%255C%2522%2520AND%2520domainName:%255C%2522%255C%2522%2522,%2522dateRange%2522:180%7D\"  rel=\"\" target=\"_blank\" data-cell-id=\"00\" data-link-url=\"https:\/\/intelligence.any.run\/analysis\/lookup#%7B%2522query%2522:%2522threatName:%255C%2522remcos%255C%2522%2520AND%2520domainName:%255C%2522%255C%2522%2522,%2522dateRange%2522:180%7D\" data-link-text=\"threatName:&quot;remcos&quot; AND domainName:&quot;&quot;\" data-link-target=\"true\" data-link-nofollow=\"0\" data-link-noreferrer=\"0\" data-link-sponsored=\"0\" data-link-btn-status=\"0\" data-link-btn-class=\"\" data-link-content=\"wpdt-link-content\">threatName:&quot;remcos&quot; AND domainName:&quot;&quot;<\/a>                    <\/td>\n                           
             <\/tr>\n                    <\/table>\n<\/div><style id='wpdt-custom-style-125'>\ntable#wpdtSimpleTable-125{ table-layout: fixed !important; }\ntable#wpdtSimpleTable-125 td, table.wpdtSimpleTable125 th { white-space: normal !important; }\n<\/style>\n\n\n\n\n<p>The service lists over 250 domains found in sandbox sessions featuring Remcos. &nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"576\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/07\/1-1024x576.png\" alt=\"\" class=\"wp-image-8429\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/07\/1-1024x576.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/07\/1-300x169.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/07\/1-768x432.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/07\/1-370x208.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/07\/1-270x152.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/07\/1-740x416.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/07\/1.png 1395w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\">&#8220;malconf&#8221; domains<\/figcaption><\/figure><\/div>\n\n\n<p>At the top, we can see domains labeled with the \u201cmalconf\u201d tag.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Case 2:  Discovering More AsyncRAT Indicators <\/h3>\n\n\n\n<p>We can also start with IOCs from a <em>Config<\/em> report provided by the sandbox.&nbsp;<\/p>\n\n\n\n<p>Let\u2019s say we want to investigate an IP address found in the configuration of an <a href=\"https:\/\/app.any.run\/tasks\/47826c4c-9998-42ae-b849-9f415c477bbe\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=malconf_in_lookup&amp;utm_term=290724&amp;utm_content=linktoservice\/\" 
target=\"_blank\" rel=\"noreferrer noopener\">AsyncRAT sample<\/a>.&nbsp;&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"506\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/07\/2-1024x506.png\" alt=\"\" class=\"wp-image-8430\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/07\/2-1024x506.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/07\/2-300x148.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/07\/2-768x379.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/07\/2-1536x759.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/07\/2-370x183.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/07\/2-270x133.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/07\/2-740x366.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/07\/2.png 1605w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\">AsyncRAT&#8217;s extracted config in ANY.RUN sandbox<\/figcaption><\/figure><\/div>\n\n\n<p>We can submit the following search query to TI Lookup:<\/p>\n\n\n\n<div class=\"wpdt-c row wpDataTableContainerSimpleTable wpDataTables wpDataTablesWrapper\n\"\n    >\n        <table id=\"wpdtSimpleTable-126\"\n           style=\"border-collapse:collapse;\n                   border-spacing:0px;\"\n           class=\"wpdtSimpleTable wpDataTable\"\n           data-column=\"1\"\n           data-rows=\"1\"\n           data-wpID=\"126\"\n           data-responsive=\"0\"\n           data-has-header=\"0\">\n\n                    <tbody>        <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"A1\"\n                    
data-col-index=\"0\"\n                    data-row-index=\"0\"\n                    style=\" width:100%;                    padding:10px;\n                    \"\n                    >\n                                        <a class=\"wpdt-link-content\" style=\"color: #009cff; text-decoration: underline\" href=\"https:\/\/intelligence.any.run\/analysis\/lookup#%7B%2522query%2522:%2522destinationIP:%255C%252237.120.233.226%255C%2522%2522,%2522dateRange%2522:180%7D\"  rel=\"\" target=\"_blank\" data-cell-id=\"00\" data-link-url=\"https:\/\/intelligence.any.run\/analysis\/lookup#%7B%2522query%2522:%2522destinationIP:%255C%252237.120.233.226%255C%2522%2522,%2522dateRange%2522:180%7D\" data-link-text=\"destinationIP:&quot;37.120.233.226&quot;\" data-link-target=\"true\" data-link-nofollow=\"0\" data-link-noreferrer=\"0\" data-link-sponsored=\"0\" data-link-btn-status=\"0\" data-link-btn-class=\"\" data-link-content=\"wpdt-link-content\">destinationIP:&quot;37.120.233.226&quot;<\/a>                    <\/td>\n                                        <\/tr>\n                    <\/table>\n<\/div><style id='wpdt-custom-style-126'>\ntable#wpdtSimpleTable-126{ table-layout: fixed !important; }\ntable#wpdtSimpleTable-126 td, table.wpdtSimpleTable126 th { white-space: normal !important; }\n<\/style>\n\n\n\n\n<p>The service returns events, files, destination ports, and sandbox sessions related to the indicator.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"574\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/07\/3-1024x574.png\" alt=\"\" class=\"wp-image-8431\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/07\/3-1024x574.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/07\/3-300x168.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/07\/3-768x430.png 768w, 
https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/07\/3-370x207.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/07\/3-270x151.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/07\/3-740x415.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/07\/3.png 1387w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\">TI Lookup search yields 55 analysis sessions with the malicious IP<\/figcaption><\/figure><\/div>\n\n\n<p>This lets us collect file hashes and other IOCs tied to the same infrastructure, and shows which other malware families the same attackers deploy.&nbsp;<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Case 3: Investigating a Vidar URL&nbsp;<\/h3>\n\n\n\n<p>URLs are another type of indicator found in a sandbox <em>Config<\/em> report that we can use to search for more threat information in TI Lookup.&nbsp;<\/p>\n\n\n\n<p>Let\u2019s pull a URL from a <a href=\"https:\/\/app.any.run\/tasks\/acbfdc3d-28fe-42da-8af4-9d1eb73f536e\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=malconf_in_lookup&amp;utm_term=290724&amp;utm_content=linktoservice\/\" target=\"_blank\" rel=\"noreferrer noopener\">Vidar analysis session<\/a>.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"978\" height=\"649\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/07\/4.png\" alt=\"\" class=\"wp-image-8432\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/07\/4.png 978w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/07\/4-300x199.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/07\/4-768x510.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/07\/4-370x246.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/07\/4-270x179.png 270w, 
https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/07\/4-740x491.png 740w\" sizes=\"(max-width: 978px) 100vw, 978px\" \/><figcaption class=\"wp-element-caption\">A URL found in Vidar&#8217;s extracted config in ANY.RUN sandbox<\/figcaption><\/figure><\/div>\n\n\n<p>With it, we can create the following query:<\/p>\n\n\n\n<div class=\"wpdt-c row wpDataTableContainerSimpleTable wpDataTables wpDataTablesWrapper\n\"\n    >\n        <table id=\"wpdtSimpleTable-127\"\n           style=\"border-collapse:collapse;\n                   border-spacing:0px;\"\n           class=\"wpdtSimpleTable wpDataTable\"\n           data-column=\"1\"\n           data-rows=\"1\"\n           data-wpID=\"127\"\n           data-responsive=\"0\"\n           data-has-header=\"0\">\n\n                    <tbody>        <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"A1\"\n                    data-col-index=\"0\"\n                    data-row-index=\"0\"\n                    style=\" width:100%;                    padding:10px;\n                    \"\n                    >\n                                        <a class=\"wpdt-link-content\" style=\"color: #009cff; text-decoration: underline\" href=\"https:\/\/intelligence.any.run\/analysis\/lookup#%7B%2522query%2522:%2522url:%255C%2522https:\/\/t.me\/armad2a%255C%2522%2522,%2522dateRange%2522:180%7D\"  rel=\"\" target=\"_blank\" data-cell-id=\"00\" data-link-url=\"https:\/\/intelligence.any.run\/analysis\/lookup#%7B%2522query%2522:%2522url:%255C%2522https:\/\/t.me\/armad2a%255C%2522%2522,%2522dateRange%2522:180%7D\" data-link-text=\"url:&quot;https:\/\/t.me\/armad2a&quot;\" data-link-target=\"true\" data-link-nofollow=\"0\" data-link-noreferrer=\"0\" data-link-sponsored=\"0\" data-link-btn-status=\"0\" data-link-btn-class=\"\" data-link-content=\"wpdt-link-content\">url:&quot;https:\/\/t.me\/armad2a&quot;<\/a>       
<\/td>\n                                        <\/tr>\n                    <\/table>\n<\/div><style id='wpdt-custom-style-127'>\ntable#wpdtSimpleTable-127{ table-layout: fixed !important; }\ntable#wpdtSimpleTable-127 td, table.wpdtSimpleTable127 th { white-space: normal !important; }\n<\/style>\n\n\n\n\n<p>TI Lookup returns further samples that carry this indicator and shows that Vidar is often deployed through PrivateLoader.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"578\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/07\/5-1024x578.png\" alt=\"\" class=\"wp-image-8433\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/07\/5-1024x578.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/07\/5-300x169.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/07\/5-768x434.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/07\/5-370x209.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/07\/5-270x152.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/07\/5-740x418.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/07\/5.png 1387w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\">Search results for Vidar&#8217;s URL query<\/figcaption><\/figure><\/div>\n\n\n<h2 class=\"wp-block-heading\">About ANY.RUN&nbsp;&nbsp;<\/h2>\n\n\n\n<p>ANY.RUN helps more than 400,000 cybersecurity professionals worldwide. 
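<\/p>\n\n\n\n<p>The three query shapes used in the cases above (a family-wide domain sweep, an IP pivot and a URL pivot) can be generated from a Config report\u2019s IOC list instead of being typed by hand. The Python below is an added example and not ANY.RUN\u2019s code: it maps each indicator to the search field used on this page, builds the <code>field:&quot;value&quot;<\/code> terms, joins them with AND, and reproduces the link format of this page\u2019s own query links so that the result opens directly in TI Lookup. The field names, the empty-value form <code>domainName:&quot;&quot;<\/code> and the link encoding are taken from this page; that the encoding is stable, and that values containing quotes or backslashes have no documented escaping (so they are rejected rather than guessed at), are assumptions. The sample IOC list is constructed from values shown on this page plus a placeholder domain.<\/p>

```python
"""Build TI Lookup queries and deep links from config-extracted network IOCs.

Added example, not ANY.RUN's code. Field names, the empty-value form
domainName:"" and the link encoding are copied from the queries on this page;
that the encoding is stable is an assumption.
"""
import ipaddress
import json
import re
from typing import List
from urllib.parse import quote, urlsplit

LOOKUP_BASE = "https://intelligence.any.run/analysis/lookup#"

# The four search fields this page uses; TI Lookup has many more.
FIELD_THREAT = "threatName"
FIELD_DOMAIN = "domainName"
FIELD_IP = "destinationIP"
FIELD_URL = "url"

# Hostname: one or more labels without leading/trailing hyphen, alphabetic TLD.
_DOMAIN_RE = re.compile(r"^(?:(?!-)[a-z0-9-]{1,63}(?<!-)\.)+[a-z]{2,63}$", re.IGNORECASE)


def classify_ioc(value: str) -> str:
    """Return the TI Lookup field that searches this kind of network indicator."""
    v = value.strip()
    parts = urlsplit(v)
    if parts.scheme in ("http", "https") and parts.netloc:
        return FIELD_URL
    try:
        ipaddress.ip_address(v)  # accepts IPv4 and IPv6
        return FIELD_IP
    except ValueError:
        pass
    if _DOMAIN_RE.match(v):
        return FIELD_DOMAIN
    raise ValueError(f"not a URL, IP address or domain: {value!r}")


def term(field: str, value: str = "") -> str:
    """One field:"value" term. An empty value (domainName:"") matches any value, as in Case 1.

    The page shows no escaping rule for quotes or backslashes inside a value
    (assumption), so such values are rejected instead of guessed at.
    """
    if '"' in value or "\\" in value:
        raise ValueError(f"unsupported characters in query value: {value!r}")
    return f'{field}:"{value}"'


def build_query(*terms: str) -> str:
    """Join terms with AND, the operator used by the combined query in Case 1."""
    return " AND ".join(terms)


def lookup_link(query: str, date_range: int = 180) -> str:
    """Deep link in the exact format of this page's own query links.

    The fragment is the JSON {"query": ..., "dateRange": ...} percent-encoded
    once, with %22, %5C and %20 encoded a second time (%2522, %255C, %2520)
    while %7B/%7D and the characters ':' ',' '/' stay as they are.
    """
    payload = json.dumps({"query": query, "dateRange": date_range}, separators=(",", ":"))
    encoded = quote(payload, safe=":,/")
    for once, twice in (("%22", "%2522"), ("%5C", "%255C"), ("%20", "%2520")):
        encoded = encoded.replace(once, twice)
    return LOOKUP_BASE + encoded


def queries_for_config(family: str, iocs: List[str]) -> List[str]:
    """Family-wide domain query (Case 1) followed by one pivot per network IOC (Cases 2 and 3)."""
    queries = [build_query(term(FIELD_THREAT, family), term(FIELD_DOMAIN))]
    for ioc in iocs:
        q = term(classify_ioc(ioc), ioc.strip())
        if q not in queries:  # configs often repeat the same C2; search it once
            queries.append(q)
    return queries


if __name__ == "__main__":
    # Constructed input: the AsyncRAT C2 IP shown on this page, a placeholder
    # domain and a duplicate, as if read from one extracted config.
    sample = ["37.120.233.226", "c2.example.com", "37.120.233.226"]
    for q in queries_for_config("asyncrat", sample):
        print(q)
        print("  ", lookup_link(q))
    # The Vidar URL pivot from Case 3.
    print(lookup_link(term(FIELD_URL, "https://t.me/armad2a")))
```

<p>Run it as a script to print the queries and links for the sample config, or import it and call <code>queries_for_config<\/code> on the IOC list of any MalConf report.<\/p>\n\n\n\n<p>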
Our <a href=\"https:\/\/any.run\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=malconf_in_lookup&amp;utm_term=290724&amp;utm_content=linktolanding\/\" target=\"_blank\" rel=\"noreferrer noopener\">interactive sandbox<\/a> simplifies malware analysis of threats that target both Windows and <a href=\"https:\/\/any.run\/cybersecurity-blog\/linux-malware-analysis-cases\/\" target=\"_blank\" rel=\"noreferrer noopener\">Linux<\/a> systems. Our threat intelligence products, <a href=\"https:\/\/any.run\/cybersecurity-blog\/introducing-any-run-threat-intelligence-lookup\/\" target=\"_blank\" rel=\"noreferrer noopener\">TI Lookup<\/a>, <a href=\"https:\/\/any.run\/cybersecurity-blog\/yara-search\/\" target=\"_blank\" rel=\"noreferrer noopener\">Yara Search<\/a> and <a href=\"https:\/\/any.run\/cybersecurity-blog\/ti-feeds-integration\/\" target=\"_blank\" rel=\"noreferrer noopener\">Feeds<\/a>, help you find <a href=\"https:\/\/any.run\/cybersecurity-blog\/indicators-of-compromise\/\" target=\"_blank\" rel=\"noreferrer noopener\">IOCs<\/a> or files to learn more about the threats and respond to incidents faster.<\/p>\n\n\n\n<p><a href=\"https:\/\/intelligence.any.run\/plans\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=malconf_in_lookup&amp;utm_term=290724&amp;utm_content=linktotiplans\/\" target=\"_blank\" rel=\"noreferrer noopener\">Try Threat Intelligence Lookup for free \u2192<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Indicators of compromise (IOCs) are essential for proactive cybersecurity. They help you identify and respond to threats effectively. 
However, getting high-quality IOCs can be difficult, as the best source for this data is the malware\u2019s code, analyzing which often requires hours of intensive work.&nbsp; ANY.RUN sandbox users know that config-extracted indicators can be easily found [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":8427,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[9],"tags":[57,10,40],"class_list":["post-8417","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-service-updates","tag-anyrun","tag-cybersecurity","tag-malware-behavior"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v20.10 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>Collect and Use IOCs from Malware Configs  in TI Lookup\u00a0 - ANY.RUN&#039;s Cybersecurity Blog<\/title>\n<meta name=\"description\" content=\"See how you can use Threat Intelligence Lookup to collect and utilize indicators of compromise extracted from malware configurations.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/any.run\/cybersecurity-blog\/malconf-in-ti-lookup\/\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"ANY.RUN\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"4 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/malconf-in-ti-lookup\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/malconf-in-ti-lookup\/\"},\"author\":{\"name\":\"ANY.RUN\",\"@id\":\"https:\/\/any.run\/\"},\"headline\":\"Collect and Use IOCs from Malware Configs in TI Lookup\u00a0\",\"datePublished\":\"2024-07-29T12:11:06+00:00\",\"dateModified\":\"2024-10-04T13:17:30+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/malconf-in-ti-lookup\/\"},\"wordCount\":645,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\/\/any.run\/\"},\"keywords\":[\"ANYRUN\",\"cybersecurity\",\"malware behavior\"],\"articleSection\":[\"Service Updates\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\/\/any.run\/cybersecurity-blog\/malconf-in-ti-lookup\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/malconf-in-ti-lookup\/\",\"url\":\"https:\/\/any.run\/cybersecurity-blog\/malconf-in-ti-lookup\/\",\"name\":\"Collect and Use IOCs from Malware Configs in TI Lookup\u00a0 - ANY.RUN&#039;s Cybersecurity Blog\",\"isPartOf\":{\"@id\":\"https:\/\/any.run\/\"},\"datePublished\":\"2024-07-29T12:11:06+00:00\",\"dateModified\":\"2024-10-04T13:17:30+00:00\",\"description\":\"See how you can use Threat Intelligence Lookup to collect and utilize indicators of compromise extracted from malware 
configurations.\",\"breadcrumb\":{\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/malconf-in-ti-lookup\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/any.run\/cybersecurity-blog\/malconf-in-ti-lookup\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/malconf-in-ti-lookup\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/any.run\/cybersecurity-blog\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Service Updates\",\"item\":\"https:\/\/any.run\/cybersecurity-blog\/category\/service-updates\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"Collect and Use IOCs from Malware Configs in TI Lookup\u00a0\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/any.run\/\",\"url\":\"https:\/\/any.run\/\",\"name\":\"ANY.RUN&#039;s Cybersecurity Blog\",\"description\":\"Cybersecurity Blog covers topics for experienced professionals as well as for those new to it.\",\"publisher\":{\"@id\":\"https:\/\/any.run\/\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/any.run\/?s={search_term_string}\"},\"query-input\":\"required 
name=search_term_string\"}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/any.run\/\",\"name\":\"ANY.RUN\",\"url\":\"https:\/\/any.run\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/any.run\/\",\"url\":\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg\",\"contentUrl\":\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg\",\"width\":1,\"height\":1,\"caption\":\"ANY.RUN\"},\"image\":{\"@id\":\"https:\/\/any.run\/\"},\"sameAs\":[\"https:\/\/www.facebook.com\/www.any.run\/\",\"https:\/\/twitter.com\/anyrun_app\",\"https:\/\/www.linkedin.com\/company\/30692044\",\"https:\/\/www.youtube.com\/channel\/UCOgCPho7lzmH7m6fPNlukrQ\"]},{\"@type\":\"Person\",\"@id\":\"https:\/\/any.run\/\",\"name\":\"ANY.RUN\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/any.run\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/c4ce3a6c672056b4a8cd6b0110782215?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/c4ce3a6c672056b4a8cd6b0110782215?s=96&d=mm&r=g\",\"caption\":\"ANY.RUN\"},\"url\":\"https:\/\/any.run\/cybersecurity-blog\/author\/a-bespalova\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Collect and Use IOCs from Malware Configs  in TI Lookup\u00a0 - ANY.RUN&#039;s Cybersecurity Blog","description":"See how you can use Threat Intelligence Lookup to collect and utilize indicators of compromise extracted from malware configurations.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/any.run\/cybersecurity-blog\/malconf-in-ti-lookup\/","twitter_misc":{"Written by":"ANY.RUN","Est. 
reading time":"4 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/any.run\/cybersecurity-blog\/malconf-in-ti-lookup\/#article","isPartOf":{"@id":"https:\/\/any.run\/cybersecurity-blog\/malconf-in-ti-lookup\/"},"author":{"name":"ANY.RUN","@id":"https:\/\/any.run\/"},"headline":"Collect and Use IOCs from Malware Configs in TI Lookup\u00a0","datePublished":"2024-07-29T12:11:06+00:00","dateModified":"2024-10-04T13:17:30+00:00","mainEntityOfPage":{"@id":"https:\/\/any.run\/cybersecurity-blog\/malconf-in-ti-lookup\/"},"wordCount":645,"commentCount":0,"publisher":{"@id":"https:\/\/any.run\/"},"keywords":["ANYRUN","cybersecurity","malware behavior"],"articleSection":["Service Updates"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/any.run\/cybersecurity-blog\/malconf-in-ti-lookup\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/any.run\/cybersecurity-blog\/malconf-in-ti-lookup\/","url":"https:\/\/any.run\/cybersecurity-blog\/malconf-in-ti-lookup\/","name":"Collect and Use IOCs from Malware Configs in TI Lookup\u00a0 - ANY.RUN&#039;s Cybersecurity Blog","isPartOf":{"@id":"https:\/\/any.run\/"},"datePublished":"2024-07-29T12:11:06+00:00","dateModified":"2024-10-04T13:17:30+00:00","description":"See how you can use Threat Intelligence Lookup to collect and utilize indicators of compromise extracted from malware configurations.","breadcrumb":{"@id":"https:\/\/any.run\/cybersecurity-blog\/malconf-in-ti-lookup\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/any.run\/cybersecurity-blog\/malconf-in-ti-lookup\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/any.run\/cybersecurity-blog\/malconf-in-ti-lookup\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/any.run\/cybersecurity-blog\/"},{"@type":"ListItem","position":2,"name":"Service 
Updates","item":"https:\/\/any.run\/cybersecurity-blog\/category\/service-updates\/"},{"@type":"ListItem","position":3,"name":"Collect and Use IOCs from Malware Configs in TI Lookup\u00a0"}]},{"@type":"WebSite","@id":"https:\/\/any.run\/","url":"https:\/\/any.run\/","name":"ANY.RUN&#039;s Cybersecurity Blog","description":"Cybersecurity Blog covers topics for experienced professionals as well as for those new to it.","publisher":{"@id":"https:\/\/any.run\/"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/any.run\/?s={search_term_string}"},"query-input":"required name=search_term_string"}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/any.run\/","name":"ANY.RUN","url":"https:\/\/any.run\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/any.run\/","url":"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg","contentUrl":"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg","width":1,"height":1,"caption":"ANY.RUN"},"image":{"@id":"https:\/\/any.run\/"},"sameAs":["https:\/\/www.facebook.com\/www.any.run\/","https:\/\/twitter.com\/anyrun_app","https:\/\/www.linkedin.com\/company\/30692044","https:\/\/www.youtube.com\/channel\/UCOgCPho7lzmH7m6fPNlukrQ"]},{"@type":"Person","@id":"https:\/\/any.run\/","name":"ANY.RUN","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/any.run\/","url":"https:\/\/secure.gravatar.com\/avatar\/c4ce3a6c672056b4a8cd6b0110782215?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/c4ce3a6c672056b4a8cd6b0110782215?s=96&d=mm&r=g","caption":"ANY.RUN"},"url":"https:\/\/any.run\/cybersecurity-blog\/author\/a-bespalova\/"}]}},"_links":{"self":[{"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/posts\/8417"}],"collection":[{"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/any.run\/cybersecurity-blog\/w
p-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/comments?post=8417"}],"version-history":[{"count":11,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/posts\/8417\/revisions"}],"predecessor-version":[{"id":9102,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/posts\/8417\/revisions\/9102"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/media\/8427"}],"wp:attachment":[{"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/media?parent=8417"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/categories?post=8417"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/tags?post=8417"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}