{"id":9046,"date":"2024-10-02T11:31:42","date_gmt":"2024-10-02T11:31:42","guid":{"rendered":"\/cybersecurity-blog\/?p=9046"},"modified":"2026-02-26T12:57:12","modified_gmt":"2026-02-26T12:57:12","slug":"threat-intelligence-use-cases","status":"publish","type":"post","link":"https:\/\/any.run\/cybersecurity-blog\/threat-intelligence-use-cases\/","title":{"rendered":"TI Lookup: Real-World Use Cases <br>from a Malware Researcher"},"content":{"rendered":"\n<p><em>Editor\u2019s note: This article is authored by Anna Pham (also known as RussianPanda), a threat intelligence researcher. You can find her latest research and insights on <a href=\"https:\/\/x.com\/RussianPanda9xx\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">X<\/a>, <a href=\"https:\/\/www.linkedin.com\/in\/anna-p-868921105\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">LinkedIn<\/a>, and her <a href=\"https:\/\/russianpanda.com\/\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">blog<\/a>.<\/em><\/p>\n\n\n\n<p>ANY.RUN introduced <a href=\"https:\/\/any.run\/threat-intelligence-lookup\/\" target=\"_blank\" rel=\"noreferrer noopener\">Threat Intelligence Lookup<\/a> in February 2024, followed by the <a href=\"https:\/\/any.run\/cybersecurity-blog\/yara-search\/\" target=\"_blank\" rel=\"noreferrer noopener\">YARA Search<\/a> in April 2024. 
This article will explore both services and their use cases.&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">How Threat Intelligence Lookup Works<\/h2>\n\n\n\n<p><a href=\"https:\/\/intelligence.any.run\/analysis\/lookup\" target=\"_blank\" rel=\"noreferrer noopener\">Threat Intelligence Lookup<\/a> allows users to search through the database of sandbox tasks by examining specific details such as: <\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Processes<\/li>\n\n\n\n<li>Modules<\/li>\n\n\n\n<li>Files<\/li>\n\n\n\n<li>Network and registry activity<\/li>\n<\/ul>\n\n\n\n<p>All of these are logged by the <a href=\"https:\/\/any.run\/\" target=\"_blank\" rel=\"noreferrer noopener\">ANY.RUN sandbox<\/a>. <\/p>\n\n\n\n<p>The service helps users find critical information like IOCs (Indicators of compromise), events, sandbox reports, and other data corresponding to the search query.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"495\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/10\/image1-1024x495.png\" alt=\"\" class=\"wp-image-9047\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/10\/image1-1024x495.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/10\/image1-300x145.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/10\/image1-768x371.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/10\/image1-1536x742.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/10\/image1-2048x990.png 2048w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/10\/image1-370x179.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/10\/image1-270x130.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/10\/image1-740x358.png 740w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption 
class=\"wp-element-caption\"><em>Figure <em>1<\/em>: Main page of Threat Intelligence Lookup service&nbsp;&nbsp;<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>The main page of the <a href=\"https:\/\/intelligence.any.run\/\" target=\"_blank\" rel=\"noreferrer noopener\">Threat Intelligence<\/a> service provides a summary of the most common <a href=\"https:\/\/any.run\/cybersecurity-blog\/mitre-attack\/\" target=\"_blank\" rel=\"noreferrer noopener\">MITRE<\/a> techniques used, malware threat statistics, and popular <a href=\"https:\/\/any.run\/cybersecurity-blog\/detection-with-suricata-ids\/\" target=\"_blank\" rel=\"noreferrer noopener\">Suricata rules<\/a> derived from submitted samples, offering valuable insight into current cyber threat trends.\u00a0<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"600\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/10\/image2-1024x600.png\" alt=\"\" class=\"wp-image-9048\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/10\/image2-1024x600.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/10\/image2-300x176.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/10\/image2-768x450.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/10\/image2-1536x901.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/10\/image2-370x217.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/10\/image2-270x158.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/10\/image2-740x434.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/10\/image2.png 1772w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Figure <em>2<\/em>: Threat Intelligence Lookup panel 
overview&nbsp;<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>After navigating to the <a href=\"https:\/\/intelligence.any.run\/\" target=\"_blank\" rel=\"noreferrer noopener\">Lookup section<\/a>, you&#8217;ll be able to submit your search query using over 40 different search parameters. <\/p>\n\n\n\n<p>Explore all search parameters available in TI Lookup in <a href=\"https:\/\/any.run\/cybersecurity-blog\/ti-lookup-search-parameters\/\" target=\"_blank\" rel=\"noreferrer noopener\">the following article<\/a>. ANY.RUN also offers a comprehensive query guide for TI Lookup once you&#8217;re on the platform.\u00a0<\/p>\n\n\n\n<p>Let\u2019s now look into a few use cases with some of TI Lookup&#8217;s key search parameters.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Searching for Stealers Reaching out to Telegram&nbsp;&nbsp;<\/h2>\n\n\n\n<p>We can create a query to identify <a href=\"https:\/\/any.run\/malware-trends\/stealer\" target=\"_blank\" rel=\"noreferrer noopener\">stealers<\/a> reaching out to <a href=\"https:\/\/any.run\/cybersecurity-blog\/intercept-stolen-data-in-telegram\/\" target=\"_blank\" rel=\"noreferrer noopener\">Telegram<\/a> IPs, potentially exfiltrating sensitive data, using the \u201c<em>destinationIpAsn<\/em>\u201d and \u201c<em>threatName<\/em>\u201d parameters, as shown below, for the past three months or 180 days. You can also search within 60, 30, 14, 7, 3, or 1-day intervals and bookmark the search query for later use.<\/p>\n\n\n\n<p>Here is the query:<\/p>\n\n\n\n<div class=\"wpdt-c row wpDataTableContainerSimpleTable wpDataTables wpDataTablesWrapper\n\"\n    >\n        <table id=\"wpdtSimpleTable-180\"\n           style=\"border-collapse:collapse;\n                   border-spacing:0px;\"\n           class=\"wpdtSimpleTable wpDataTable\"\n           data-column=\"1\"\n           data-rows=\"1\"\n           data-wpID=\"180\"\n           data-responsive=\"0\"\n           data-has-header=\"0\">\n\n                    <tbody>        <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"A1\"\n                    data-col-index=\"0\"\n                    data-row-index=\"0\"\n                    style=\" width:100%;                    padding:10px;\n                    \"\n                    >\n                                        <a class=\"wpdt-link-content\" style=\"color: #009cff; text-decoration: underline\" 
href=\"https:\/\/intelligence.any.run\/analysis\/lookup\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=ti_use_cases_from_researcher&amp;utm_term=021024&amp;utm_content=linktolookup#%7B%2522query%2522:%2522destinationIpAsn:%255C%2522Telegram%25C2%25A0Messenger%25C2%25A0Inc%255C%2522%25C2%25A0AND%25C2%25A0threatName:%255C%2522stealer%255C%2522%25C2%25A0AND%25C2%25A0threatName:%255C%2522exfiltration%255C%2522%2522,%2522dateRange%2522:180%7D\"  rel=\"\" target=\"_blank\" data-cell-id=\"00\" data-link-url=\"https:\/\/intelligence.any.run\/analysis\/lookup\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=ti_use_cases_from_researcher&amp;utm_term=021024&amp;utm_content=linktolookup#%7B%2522query%2522:%2522destinationIpAsn:%255C%2522Telegram%25C2%25A0Messenger%25C2%25A0Inc%255C%2522%25C2%25A0AND%25C2%25A0threatName:%255C%2522stealer%255C%2522%25C2%25A0AND%25C2%25A0threatName:%255C%2522exfiltration%255C%2522%2522,%2522dateRange%2522:180%7D\" data-link-text=\"destinationIpAsn:&quot;Telegram Messenger Inc&quot; AND threatName:&quot;stealer&quot; AND threatName:&quot;exfiltration&quot;\" data-link-target=\"true\" data-link-nofollow=\"0\" data-link-noreferrer=\"0\" data-link-sponsored=\"0\" data-link-btn-status=\"0\" data-link-btn-class=\"\" data-link-content=\"wpdt-link-content\">destinationIpAsn:&quot;Telegram Messenger Inc&quot; AND threatName:&quot;stealer&quot; AND threatName:&quot;exfiltration&quot;<\/a>                    <\/td>\n                                        <\/tr>\n                    <\/table>\n<\/div><style id='wpdt-custom-style-180'>\ntable#wpdtSimpleTable-180{ table-layout: fixed !important; }\ntable#wpdtSimpleTable-180 td, table.wpdtSimpleTable180 th { white-space: normal !important; }\n<\/style>\n\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"851\" 
src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/10\/image3-1024x851.png\" alt=\"\" class=\"wp-image-9049\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/10\/image3-1024x851.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/10\/image3-300x249.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/10\/image3-768x638.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/10\/image3-370x307.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/10\/image3-270x224.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/10\/image3-740x615.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/10\/image3.png 1513w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Figure <em>3<\/em>: Lookup for stealers reaching out to Telegram and the result overview&nbsp;<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>The search results show the associated IPs, Events, Files, Tasks, Synchronization (events and <a href=\"https:\/\/any.run\/cybersecurity-blog\/mutex-search-in-ti-lookup\/\" target=\"_blank\" rel=\"noreferrer noopener\">mutexes<\/a> created), and <a href=\"https:\/\/any.run\/cybersecurity-blog\/suricata-search\/\" target=\"_blank\" rel=\"noreferrer noopener\">Network threats<\/a>.\u00a0\u00a0<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"850\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/10\/image4-1024x850.jpeg\" alt=\"\" class=\"wp-image-9050\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/10\/image4-1024x850.jpeg 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/10\/image4-300x249.jpeg 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/10\/image4-768x638.jpeg 768w, 
https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/10\/image4-370x307.jpeg 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/10\/image4-270x224.jpeg 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/10\/image4-740x614.jpeg 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/10\/image4.jpeg 1515w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Figure <em>4<\/em>: Overview of the Files tab&nbsp;<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>From the Files tab, users can extract indicators and save them in JSON format. <\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"723\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/10\/image5-1024x723.png\" alt=\"\" class=\"wp-image-9051\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/10\/image5-1024x723.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/10\/image5-300x212.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/10\/image5-768x542.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/10\/image5-1536x1084.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/10\/image5-370x261.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/10\/image5-270x191.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/10\/image5-740x522.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/10\/image5.png 1796w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Figure <em>5<\/em>: Static discovery of the PE file&nbsp;<\/em><\/figcaption><\/figure><\/div>\n\n\n<p><strong>Note:<\/strong> You can export data from any category, such as IPs, Events, Tasks, etc., in JSON. 
Additionally, users can view binary characteristics with static analysis or download the binary itself.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"875\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/10\/image6-1024x875.jpeg\" alt=\"\" class=\"wp-image-9052\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/10\/image6-1024x875.jpeg 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/10\/image6-300x256.jpeg 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/10\/image6-768x656.jpeg 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/10\/image6-370x316.jpeg 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/10\/image6-270x231.jpeg 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/10\/image6-740x632.jpeg 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/10\/image6.jpeg 1387w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Figure <em>6<\/em>: Network threats tab&nbsp;<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>We can confirm the exfiltration activity via Telegram within the Network threats tab.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Looking for LummaC2 samples and C2s&nbsp;<\/h2>\n\n\n\n<p>To identify <a href=\"https:\/\/any.run\/malware-trends\/lumma\" target=\"_blank\" rel=\"noreferrer noopener\">LummaC2<\/a> samples and C2 domains, we can use Lumma&#8217;s domains that are known to end with \u201c.shop\/api\u201d via the following query:<\/p>\n\n\n\n<div class=\"wpdt-c row wpDataTableContainerSimpleTable wpDataTables wpDataTablesWrapper\n\"\n    >\n        <table id=\"wpdtSimpleTable-181\"\n           style=\"border-collapse:collapse;\n                   border-spacing:0px;\"\n           class=\"wpdtSimpleTable wpDataTable\"\n           data-column=\"1\"\n           data-rows=\"1\"\n           data-wpID=\"181\"\n           data-responsive=\"0\"\n           data-has-header=\"0\">\n\n                    <tbody>        <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"A1\"\n                    data-col-index=\"0\"\n                    data-row-index=\"0\"\n                    style=\" width:100%;                    padding:10px;\n                    \"\n                    >\n                            
            <a class=\"wpdt-link-content\" style=\"color: #009cff; text-decoration: underline\" href=\"https:\/\/intelligence.any.run\/analysis\/lookup\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=ti_use_cases_from_researcher&amp;utm_term=021024&amp;utm_content=linktolookup#%7B%2522query%2522:%2522url:%255C%2522.shop\/api$%255C%2522%2522,%2522dateRange%2522:180%7D\"  rel=\"\" target=\"_blank\" data-cell-id=\"00\" data-link-url=\"https:\/\/intelligence.any.run\/analysis\/lookup\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=ti_use_cases_from_researcher&amp;utm_term=021024&amp;utm_content=linktolookup#%7B%2522query%2522:%2522url:%255C%2522.shop\/api$%255C%2522%2522,%2522dateRange%2522:180%7D\" data-link-text=\"url:&quot;.shop\/api$&quot;\" data-link-target=\"true\" data-link-nofollow=\"0\" data-link-noreferrer=\"0\" data-link-sponsored=\"0\" data-link-btn-status=\"0\" data-link-btn-class=\"\" data-link-content=\"wpdt-link-content\">url:&quot;.shop\/api$&quot;<\/a>                    <\/td>\n                                        <\/tr>\n                    <\/table>\n<\/div><style id='wpdt-custom-style-181'>\ntable#wpdtSimpleTable-181{ table-layout: fixed !important; }\ntable#wpdtSimpleTable-181 td, table.wpdtSimpleTable181 th { white-space: normal !important; }\n<\/style>\n\n\n\n\n<p>The dollar sign ($) in a search represents the end of a string. When used in a search pattern, it ensures that the search string must match the end of the text being evaluated. 
So, using $ in the pattern \u201c.shop\/api$\u201d ensures that the URL ends exactly with <em>.shop\/api<\/em> and no other characters follow.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"871\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/10\/image7-1024x871.png\" alt=\"\" class=\"wp-image-9053\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/10\/image7-1024x871.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/10\/image7-300x255.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/10\/image7-768x653.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/10\/image7-370x315.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/10\/image7-270x230.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/10\/image7-740x629.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/10\/image7.png 1399w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Figure <em>7<\/em>: Search results for .shop\/api$&nbsp;<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>From the search results, we identified 26 URLs and domains related to LummaC2, which can be exported and operationalized for further monitoring, blocking, or threat hunting within the security infrastructure.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"753\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/10\/image8-1024x753.jpeg\" alt=\"\" class=\"wp-image-9054\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/10\/image8-1024x753.jpeg 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/10\/image8-300x221.jpeg 300w, 
https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/10\/image8-768x565.jpeg 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/10\/image8-370x272.jpeg 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/10\/image8-270x198.jpeg 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/10\/image8-740x544.jpeg 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/10\/image8-80x60.jpeg 80w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/10\/image8.jpeg 1397w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Figure <em>8<\/em>: URLs and Domains findings&nbsp;<\/em><\/figcaption><\/figure><\/div>\n\n\n<h2 class=\"wp-block-heading\">Searching for URLs Used to Retrieve DLL Dependencies and Pivoting on the ASN&nbsp;<\/h2>\n\n\n\n<p>We know that some stealers, such as <a href=\"https:\/\/any.run\/malware-trends\/vidar\" target=\"_blank\" rel=\"noreferrer noopener\">Vidar<\/a> Stealer, RecordBreaker (<a href=\"https:\/\/any.run\/cybersecurity-blog\/raccoon-stealer-v2-malware-analysis\/\" target=\"_blank\" rel=\"noreferrer noopener\">Raccoon Stealer<\/a> v2), and <a href=\"https:\/\/any.run\/malware-trends\/stealer\" target=\"_blank\" rel=\"noreferrer noopener\">StealC<\/a>, use additional DLL dependencies like \u201csoftokn3.dll\u201d and \u201cmozglue.dll\u201d to facilitate data exfiltration from browsers, so we can create a query to look for URLs delivering the DLLs:\u00a0<\/p>\n\n\n\n<div class=\"wpdt-c row wpDataTableContainerSimpleTable wpDataTables wpDataTablesWrapper\n\"\n    >\n        <table id=\"wpdtSimpleTable-182\"\n           style=\"border-collapse:collapse;\n                   border-spacing:0px;\"\n           class=\"wpdtSimpleTable wpDataTable\"\n           data-column=\"1\"\n           data-rows=\"1\"\n           data-wpID=\"182\"\n           data-responsive=\"0\"\n           data-has-header=\"0\">\n\n         
           <tbody>        <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"A1\"\n                    data-col-index=\"0\"\n                    data-row-index=\"0\"\n                    style=\" width:100%;                    padding:10px;\n                    \"\n                    >\n                                        <a class=\"wpdt-link-content\" style=\"color: #009cff; text-decoration: underline\" href=\"https:\/\/intelligence.any.run\/analysis\/lookup\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=ti_use_cases_from_researcher&amp;utm_term=021024&amp;utm_content=linktolookup#%7B%2522query%2522:%2522url:%255C%2522softokn3.dll$%255C%2522%25C2%25A0and%25C2%25A0url:%255C%2522mozglue.dll$%255C%2522%2522,%2522dateRange%2522:180%7D\"  rel=\"\" target=\"_blank\" data-cell-id=\"00\" data-link-url=\"https:\/\/intelligence.any.run\/analysis\/lookup\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=ti_use_cases_from_researcher&amp;utm_term=021024&amp;utm_content=linktolookup#%7B%2522query%2522:%2522url:%255C%2522softokn3.dll$%255C%2522%25C2%25A0and%25C2%25A0url:%255C%2522mozglue.dll$%255C%2522%2522,%2522dateRange%2522:180%7D\" data-link-text=\"url:&quot;softokn3.dll$&quot; and url:&quot;mozglue.dll$&quot;\" data-link-target=\"true\" data-link-nofollow=\"0\" data-link-noreferrer=\"0\" data-link-sponsored=\"0\" data-link-btn-status=\"0\" data-link-btn-class=\"\" data-link-content=\"wpdt-link-content\">url:&quot;softokn3.dll$&quot; and url:&quot;mozglue.dll$&quot;<\/a>                    <\/td>\n                                        <\/tr>\n                    <\/table>\n<\/div><style id='wpdt-custom-style-182'>\ntable#wpdtSimpleTable-182{ table-layout: fixed !important; }\ntable#wpdtSimpleTable-182 td, table.wpdtSimpleTable182 th { white-space: normal !important; }\n<\/style>\n\n\n\n<div class=\"wp-block-image\">\n<figure 
class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"487\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/10\/image9-1-1024x487.png\" alt=\"\" class=\"wp-image-9055\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/10\/image9-1-1024x487.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/10\/image9-1-300x143.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/10\/image9-1-768x366.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/10\/image9-1-1536x731.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/10\/image9-1-2048x975.png 2048w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/10\/image9-1-370x176.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/10\/image9-1-270x129.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/10\/image9-1-740x352.png 740w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Figure <em>9<\/em>: The output from running the query that searches for URLs retrieving the DLL dependencies&nbsp;<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>From these results, we can see the processes that initiated the connections to the URLs to retrieve the DLLs, along with the associated URLs, IP addresses, and the countries of origin for those IPs. 
<\/p>\n\n\n\n<p>Additionally, we identified another pivot point with the ASN \u201c1337team Limited\u201d:<\/p>\n\n\n\n<div class=\"wpdt-c row wpDataTableContainerSimpleTable wpDataTables wpDataTablesWrapper\n\"\n    >\n        <table id=\"wpdtSimpleTable-183\"\n           style=\"border-collapse:collapse;\n                   border-spacing:0px;\"\n           class=\"wpdtSimpleTable wpDataTable\"\n           data-column=\"1\"\n           data-rows=\"1\"\n           data-wpID=\"183\"\n           data-responsive=\"0\"\n           data-has-header=\"0\">\n\n                    <tbody>        <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"A1\"\n                    data-col-index=\"0\"\n                    data-row-index=\"0\"\n                    style=\" width:100%;                    padding:10px;\n                    \"\n                    >\n                                        <a class=\"wpdt-link-content\" style=\"color: #009cff; text-decoration: underline\" href=\"https:\/\/intelligence.any.run\/analysis\/lookup\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=ti_use_cases_from_researcher&amp;utm_term=021024&amp;utm_content=linktolookup#%7B%2522query%2522:%2522destinationIpAsn:%255C%25221337team%2520Limited%255C%2522%2522,%2522dateRange%2522:180%7D\"  rel=\"\" target=\"_blank\" data-cell-id=\"00\" data-link-url=\"https:\/\/intelligence.any.run\/analysis\/lookup\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=ti_use_cases_from_researcher&amp;utm_term=021024&amp;utm_content=linktolookup#%7B%2522query%2522:%2522destinationIpAsn:%255C%25221337team%2520Limited%255C%2522%2522,%2522dateRange%2522:180%7D\" data-link-text=\"destinationIpAsn:&quot;1337team Limited&quot;\" data-link-target=\"true\" data-link-nofollow=\"0\" data-link-noreferrer=\"0\" data-link-sponsored=\"0\" data-link-btn-status=\"0\" 
data-link-btn-class=\"\" data-link-content=\"wpdt-link-content\">destinationIpAsn:&quot;1337team Limited&quot;<\/a>                    <\/td>\n                                        <\/tr>\n                    <\/table>\n<\/div><style id='wpdt-custom-style-183'>\ntable#wpdtSimpleTable-183{ table-layout: fixed !important; }\ntable#wpdtSimpleTable-183 td, table.wpdtSimpleTable183 th { white-space: normal !important; }\n<\/style>\n\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"438\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/10\/image10-1024x438.jpeg\" alt=\"\" class=\"wp-image-9056\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/10\/image10-1024x438.jpeg 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/10\/image10-300x128.jpeg 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/10\/image10-768x328.jpeg 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/10\/image10-370x158.jpeg 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/10\/image10-270x115.jpeg 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/10\/image10-740x316.jpeg 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/10\/image10.jpeg 1526w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Figure <em>10<\/em>: Results from pivoting on 1337team Limited ASN&nbsp;<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>Pivoting on the ASN mentioned above revealed more events and IPs, some of which are associated with StealC, <a href=\"https:\/\/any.run\/malware-trends\/redline\" target=\"_blank\" rel=\"noreferrer noopener\">Redline<\/a>, and <a href=\"https:\/\/any.run\/malware-trends\/amadey\" target=\"_blank\" rel=\"noreferrer noopener\">Amadey<\/a> activities.\u00a0\u00a0<\/p>\n\n\n\n<h2 
class=\"wp-block-heading\">Searching for Interesting Samples Using MITRE&nbsp;&nbsp;<\/h2>\n\n\n\n<p>Users can search for relevant samples using MITRE techniques or IDs. ANY.RUN provides predefined IDs and their definitions, eliminating the need to search for them elsewhere.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"813\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/10\/image11-1-1024x813.png\" alt=\"\" class=\"wp-image-9057\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/10\/image11-1-1024x813.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/10\/image11-1-300x238.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/10\/image11-1-768x610.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/10\/image11-1-370x294.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/10\/image11-1-270x214.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/10\/image11-1-740x587.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/10\/image11-1.png 1106w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Figure <em>11<\/em>: Predefined MITRE IDs and their definitions&nbsp;<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>We can look for phishing samples containing <a href=\"https:\/\/any.run\/cybersecurity-blog\/qr-extractor\/\" target=\"_blank\" rel=\"noreferrer noopener\">malicious QR codes<\/a> via the following query, where T1566 is Phishing:\u00a0<\/p>\n\n\n\n<div class=\"wpdt-c row wpDataTableContainerSimpleTable wpDataTables wpDataTablesWrapper\n\"\n    >\n        <table id=\"wpdtSimpleTable-184\"\n           style=\"border-collapse:collapse;\n                   border-spacing:0px;\"\n           class=\"wpdtSimpleTable wpDataTable\"\n           
data-column=\"1\"\n           data-rows=\"1\"\n           data-wpID=\"184\"\n           data-responsive=\"0\"\n           data-has-header=\"0\">\n\n                    <tbody>        <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"A1\"\n                    data-col-index=\"0\"\n                    data-row-index=\"0\"\n                    style=\" width:100%;                    padding:10px;\n                    \"\n                    >\n                                        <a class=\"wpdt-link-content\" style=\"color: #009cff; text-decoration: underline\" href=\"https:\/\/intelligence.any.run\/analysis\/lookup#{%22query%22:%22MITRE:%5C%22T1566%5C%22%C2%A0and%C2%A0ruleName:%5C%22qr%C2%A0code%C2%A0contains%C2%A0url%C2%A0with%C2%A0email%5C%22%22,%22dateRange%22:180}\"  rel=\"\" target=\"_blank\" data-cell-id=\"00\" data-link-url=\"https:\/\/intelligence.any.run\/analysis\/lookup#{%22query%22:%22MITRE:%5C%22T1566%5C%22%C2%A0and%C2%A0ruleName:%5C%22qr%C2%A0code%C2%A0contains%C2%A0url%C2%A0with%C2%A0email%5C%22%22,%22dateRange%22:180}\" data-link-text=\"MITRE:&quot;T1566&quot; and ruleName:&quot;qr code contains url with email&quot;\" data-link-target=\"true\" data-link-nofollow=\"0\" data-link-noreferrer=\"0\" data-link-sponsored=\"0\" data-link-btn-status=\"0\" data-link-btn-class=\"\" data-link-content=\"wpdt-link-content\">MITRE:&quot;T1566&quot; and ruleName:&quot;qr code contains url with email&quot;<\/a>                    <\/td>\n                                        <\/tr>\n                    <\/table>\n<\/div><style id='wpdt-custom-style-184'>\ntable#wpdtSimpleTable-184{ table-layout: fixed !important; }\ntable#wpdtSimpleTable-184 td, table.wpdtSimpleTable184 th { white-space: normal !important; }\n<\/style>\n\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" 
width=\"1024\" height=\"480\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/10\/image12-1024x480.jpeg\" alt=\"\" class=\"wp-image-9058\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/10\/image12-1024x480.jpeg 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/10\/image12-300x141.jpeg 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/10\/image12-768x360.jpeg 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/10\/image12-370x173.jpeg 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/10\/image12-270x127.jpeg 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/10\/image12-740x347.jpeg 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/10\/image12.jpeg 1429w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Figure <em>12<\/em>: Results from the search for phishing emails containing the QR code&nbsp;<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>Now, we can spice up the query and look for phishing links containing the Cloudflare challenge that is commonly used by <a href=\"https:\/\/any.run\/cybersecurity-blog\/phishing-campaigns-august-24\/\" target=\"_blank\" rel=\"noreferrer noopener\">Tycoon 2FA<\/a> and other phishing kits:\u00a0<\/p>\n\n\n\n<div class=\"wpdt-c row wpDataTableContainerSimpleTable wpDataTables wpDataTablesWrapper\n\"\n    >\n        <table id=\"wpdtSimpleTable-185\"\n           style=\"border-collapse:collapse;\n                   border-spacing:0px;\"\n           class=\"wpdtSimpleTable wpDataTable\"\n           data-column=\"1\"\n           data-rows=\"1\"\n           data-wpID=\"185\"\n           data-responsive=\"0\"\n           data-has-header=\"0\">\n\n                    <tbody>        <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            
data-cell-id=\"A1\"\n                    data-col-index=\"0\"\n                    data-row-index=\"0\"\n                    style=\" width:100%;                    padding:10px;\n                    \"\n                    >\n                                        <a class=\"wpdt-link-content\" style=\"color: #009cff; text-decoration: underline\" href=\"https:\/\/intelligence.any.run\/analysis\/lookup\/style=&quot;color: #009cff; text-decoration: underline&quot;#%7B%2522query%2522:%2522domainName:%255C%2522challenges.cloudflare.com%255C%2522%25C2%25A0AND%25C2%25A0MITRE:%255C%2522T1566%255C%2522%2522,%2522dateRange%2522:180%7D\"  rel=\"\" target=\"_blank\" data-cell-id=\"00\" data-link-url=\"https:\/\/intelligence.any.run\/analysis\/lookup\/style=&quot;color: #009cff; text-decoration: underline&quot;#%7B%2522query%2522:%2522domainName:%255C%2522challenges.cloudflare.com%255C%2522%25C2%25A0AND%25C2%25A0MITRE:%255C%2522T1566%255C%2522%2522,%2522dateRange%2522:180%7D\" data-link-text=\"domainName:&quot;challenges.cloudflare.com&quot; AND MITRE:&quot;T1566&quot;\" data-link-target=\"true\" data-link-nofollow=\"0\" data-link-noreferrer=\"0\" data-link-sponsored=\"0\" data-link-btn-status=\"0\" data-link-btn-class=\"\" data-link-content=\"wpdt-link-content\">domainName:&quot;challenges.cloudflare.com&quot; AND MITRE:&quot;T1566&quot;<\/a>                    <\/td>\n                                        <\/tr>\n                    <\/table>\n<\/div><style id='wpdt-custom-style-185'>\ntable#wpdtSimpleTable-185{ table-layout: fixed !important; }\ntable#wpdtSimpleTable-185 td, table.wpdtSimpleTable185 th { white-space: normal !important; }\n<\/style>\n\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"405\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/10\/image13-1024x405.jpeg\" alt=\"\" class=\"wp-image-9059\" 
srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/10\/image13-1024x405.jpeg 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/10\/image13-300x119.jpeg 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/10\/image13-768x304.jpeg 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/10\/image13-370x146.jpeg 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/10\/image13-270x107.jpeg 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/10\/image13-740x293.jpeg 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/10\/image13.jpeg 1431w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Figure <em>13<\/em>: Results from the search for phishing links containing the Cloudflare challenge&nbsp;&nbsp;<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>The query can also be adjusted to show the phishing samples with URL submissions only instead of the file attachments using the threatLevel \u201cmalicious\u201d to avoid false positives:<\/p>\n\n\n\n<div class=\"wpdt-c row wpDataTableContainerSimpleTable wpDataTables wpDataTablesWrapper\n\"\n    >\n        <table id=\"wpdtSimpleTable-186\"\n           style=\"border-collapse:collapse;\n                   border-spacing:0px;\"\n           class=\"wpdtSimpleTable wpDataTable\"\n           data-column=\"1\"\n           data-rows=\"1\"\n           data-wpID=\"186\"\n           data-responsive=\"0\"\n           data-has-header=\"0\">\n\n                    <tbody>        <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"A1\"\n                    data-col-index=\"0\"\n                    data-row-index=\"0\"\n                    style=\" width:100%;                    padding:10px;\n                    \"\n                    >\n               
                         <a class=\"wpdt-link-content\" style=\"color: #009cff; text-decoration: underline\" href=\"https:\/\/intelligence.any.run\/analysis\/lookup\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=ti_use_cases_from_researcher&amp;utm_term=021024&amp;utm_content=linktolookup#%7B%2522query%2522:%2522MITRE:%255C%2522T1566%255C%2522%25C2%25A0and%25C2%25A0taskType:%255C%2522url%255C%2522%25C2%25A0and%25C2%25A0threatLevel:%255C%2522malicious%255C%2522%2522,%2522dateRange%2522:180%7D\"  rel=\"\" target=\"_blank\" data-cell-id=\"00\" data-link-url=\"https:\/\/intelligence.any.run\/analysis\/lookup\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=ti_use_cases_from_researcher&amp;utm_term=021024&amp;utm_content=linktolookup#%7B%2522query%2522:%2522MITRE:%255C%2522T1566%255C%2522%25C2%25A0and%25C2%25A0taskType:%255C%2522url%255C%2522%25C2%25A0and%25C2%25A0threatLevel:%255C%2522malicious%255C%2522%2522,%2522dateRange%2522:180%7D\" data-link-text=\"MITRE:&quot;T1566&quot; and taskType:&quot;url&quot; and threatLevel:&quot;malicious&quot;\" data-link-target=\"true\" data-link-nofollow=\"0\" data-link-noreferrer=\"0\" data-link-sponsored=\"0\" data-link-btn-status=\"0\" data-link-btn-class=\"\" data-link-content=\"wpdt-link-content\">MITRE:&quot;T1566&quot; and taskType:&quot;url&quot; and threatLevel:&quot;malicious&quot;<\/a>                    <\/td>\n                                        <\/tr>\n                    <\/table>\n<\/div><style id='wpdt-custom-style-186'>\ntable#wpdtSimpleTable-186{ table-layout: fixed !important; }\ntable#wpdtSimpleTable-186 td, table.wpdtSimpleTable186 th { white-space: normal !important; }\n<\/style>\n\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"488\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/10\/image14-1024x488.png\" alt=\"\" class=\"wp-image-9060\" 
srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/10\/image14-1024x488.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/10\/image14-300x143.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/10\/image14-768x366.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/10\/image14-1536x731.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/10\/image14-2048x975.png 2048w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/10\/image14-370x176.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/10\/image14-270x129.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/10\/image14-740x352.png 740w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Figure <em>14<\/em>: Searching for samples containing URLs instead of file attachment submissions&nbsp;<\/em><\/figcaption><\/figure><\/div>\n\n\n<h2 class=\"wp-block-heading\">Searching for samples using CommandLine&nbsp;<\/h2>\n\n\n\n<p>We can search for samples of the <a href=\"https:\/\/any.run\/cybersecurity-blog\/brute-ratel-c4-analysis\/\" target=\"_blank\" rel=\"noreferrer noopener\">Latrodectus<\/a> downloader, which is known to drop a copy of itself under the \u201c%AppData%\\Custom_update\\\u201d path. 
We can leverage that knowledge to create a query that looks for command lines containing that path:<\/p>\n\n\n\n<div class=\"wpdt-c row wpDataTableContainerSimpleTable wpDataTables wpDataTablesWrapper\n\"\n    >\n        <table id=\"wpdtSimpleTable-187\"\n           style=\"border-collapse:collapse;\n                   border-spacing:0px;\"\n           class=\"wpdtSimpleTable wpDataTable\"\n           data-column=\"1\"\n           data-rows=\"1\"\n           data-wpID=\"187\"\n           data-responsive=\"0\"\n           data-has-header=\"0\">\n\n                    <tbody>        <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"A1\"\n                    data-col-index=\"0\"\n                    data-row-index=\"0\"\n                    style=\" width:100%;                    padding:10px;\n                    \"\n                    >\n                                        <a class=\"wpdt-link-content\" style=\"color: #009cff; text-decoration: underline\" href=\"https:\/\/intelligence.any.run\/analysis\/lookup#{%22query%22:%22commandLine:%5C%22C:%5C%5C%5C%5CUsers%5C%5C%5C%5Cadmin%5C%5C%5C%5CAppData%5C%5C%5C%5CRoaming%5C%5C%5C%5CCustom_update%5C%22%22,%22dateRange%22:180}\"  rel=\"\" target=\"_blank\" data-cell-id=\"00\" data-link-url=\"https:\/\/intelligence.any.run\/analysis\/lookup#{%22query%22:%22commandLine:%5C%22C:%5C%5C%5C%5CUsers%5C%5C%5C%5Cadmin%5C%5C%5C%5CAppData%5C%5C%5C%5CRoaming%5C%5C%5C%5CCustom_update%5C%22%22,%22dateRange%22:180}\" data-link-text=\"commandLine:&quot;C:\\\\Users\\\\admin\\\\AppData\\\\Roaming\\\\Custom_update&quot;\u00a0\" data-link-target=\"true\" data-link-nofollow=\"0\" data-link-noreferrer=\"0\" data-link-sponsored=\"0\" data-link-btn-status=\"0\" data-link-btn-class=\"\" data-link-content=\"wpdt-link-content\">commandLine:&quot;C:\\\\Users\\\\admin\\\\AppData\\\\Roaming\\\\Custom_update&quot;\u00a0<\/a>            
        <\/td>\n                                        <\/tr>\n                    <\/table>\n<\/div><style id='wpdt-custom-style-187'>\ntable#wpdtSimpleTable-187{ table-layout: fixed !important; }\ntable#wpdtSimpleTable-187 td, table.wpdtSimpleTable187 th { white-space: normal !important; }\n<\/style>\n\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"498\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/10\/image15-1024x498.png\" alt=\"\" class=\"wp-image-9061\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/10\/image15-1024x498.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/10\/image15-300x146.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/10\/image15-768x373.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/10\/image15-1536x747.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/10\/image15-2048x996.png 2048w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/10\/image15-370x180.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/10\/image15-270x131.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/10\/image15-740x360.png 740w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Figure <em>15<\/em>: Results from the query to look for a specific file path within the command line to search for Latrodectus samples&nbsp;<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>From the Synchronization tab, we notice the mutex \u201crunnung\u201d being used, so we can also leverage that to look for Latrodectus samples.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"482\" 
src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/10\/image16-1024x482.jpeg\" alt=\"\" class=\"wp-image-9062\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/10\/image16-1024x482.jpeg 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/10\/image16-300x141.jpeg 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/10\/image16-768x361.jpeg 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/10\/image16-370x174.jpeg 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/10\/image16-270x127.jpeg 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/10\/image16-740x348.jpeg 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/10\/image16.jpeg 1428w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Figure <em>16<\/em>: Leveraging the mutex finding to find Latrodectus samples&nbsp;<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>We can also leverage CommandLine to look for malicious <a href=\"https:\/\/any.run\/cybersecurity-blog\/powershell-script-tracer\/\" target=\"_blank\" rel=\"noreferrer noopener\">PowerShell commands<\/a>, for example, when looking for <a href=\"https:\/\/x.com\/anyrun_app\/status\/1828798277828890788\" target=\"_blank\" rel=\"noreferrer noopener\">RobotDropper<\/a> (aka LegionLoader) samples. 
<\/p>\n\n\n\n<p>So, for the query, we are going to grab a snippet of the base64-encoded command, which partially decodes to \u201c$w=new-object\u201d:<\/p>\n\n\n\n<div class=\"wpdt-c row wpDataTableContainerSimpleTable wpDataTables wpDataTablesWrapper\n\"\n    >\n        <table id=\"wpdtSimpleTable-188\"\n           style=\"border-collapse:collapse;\n                   border-spacing:0px;\"\n           class=\"wpdtSimpleTable wpDataTable\"\n           data-column=\"1\"\n           data-rows=\"1\"\n           data-wpID=\"188\"\n           data-responsive=\"0\"\n           data-has-header=\"0\">\n\n                    <tbody>        <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"A1\"\n                    data-col-index=\"0\"\n                    data-row-index=\"0\"\n                    style=\" width:100%;                    padding:10px;\n                    \"\n                    >\n                                        <a class=\"wpdt-link-content\" style=\"color: #009cff; text-decoration: underline\" href=\"https:\/\/intelligence.any.run\/analysis\/lookup\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=ti_use_cases_from_researcher&amp;utm_term=021024&amp;utm_content=linktolookup#%7B%2522query%2522:%2522commandLine:%255C%2522powershell%25C2%25A0-windowstyle%25C2%25A0hidden%25C2%25A0-e%25C2%25A0JAB3AD0AbgBlAHcALQBvAGIAagBlAGMAdA%255C%2522%2522,%2522dateRange%2522:180%7D\"  rel=\"\" target=\"_blank\" data-cell-id=\"00\" data-link-url=\"https:\/\/intelligence.any.run\/analysis\/lookup\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=ti_use_cases_from_researcher&amp;utm_term=021024&amp;utm_content=linktolookup#%7B%2522query%2522:%2522commandLine:%255C%2522powershell%25C2%25A0-windowstyle%25C2%25A0hidden%25C2%25A0-e%25C2%25A0JAB3AD0AbgBlAHcALQBvAGIAagBlAGMAdA%255C%2522%2522,%2522dateRange%2522:180%7D\" 
data-link-text=\"commandLine:&quot;powershell -windowstyle hidden -e JAB3AD0AbgBlAHcALQBvAGIAagBlAGMAdA&quot;\" data-link-target=\"true\" data-link-nofollow=\"0\" data-link-noreferrer=\"0\" data-link-sponsored=\"0\" data-link-btn-status=\"0\" data-link-btn-class=\"\" data-link-content=\"wpdt-link-content\">commandLine:&quot;powershell -windowstyle hidden -e JAB3AD0AbgBlAHcALQBvAGIAagBlAGMAdA&quot;<\/a>                    <\/td>\n                                        <\/tr>\n                    <\/table>\n<\/div><style id='wpdt-custom-style-188'>\ntable#wpdtSimpleTable-188{ table-layout: fixed !important; }\ntable#wpdtSimpleTable-188 td, table.wpdtSimpleTable188 th { white-space: normal !important; }\n<\/style>\n\n\n\n\n<p>We have 13 samples that match our query, all of which are true positives.&nbsp;&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"591\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/10\/image17-1024x591.jpeg\" alt=\"\" class=\"wp-image-9063\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/10\/image17-1024x591.jpeg 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/10\/image17-300x173.jpeg 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/10\/image17-768x443.jpeg 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/10\/image17-1536x887.jpeg 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/10\/image17-370x214.jpeg 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/10\/image17-270x156.jpeg 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/10\/image17-740x427.jpeg 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/10\/image17.jpeg 1807w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Figure <em>17<\/em>: Results from 
the query to look for RobotDropper using CommandLine search parameter&nbsp;<\/em><\/figcaption><\/figure><\/div>\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"592\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/10\/image18-1024x592.jpeg\" alt=\"\" class=\"wp-image-9064\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/10\/image18-1024x592.jpeg 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/10\/image18-300x174.jpeg 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/10\/image18-768x444.jpeg 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/10\/image18-1536x888.jpeg 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/10\/image18-370x214.jpeg 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/10\/image18-270x156.jpeg 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/10\/image18-740x428.jpeg 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/10\/image18.jpeg 1812w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Figure <em>18<\/em>: Events tab overview from the search query&nbsp;<\/em><\/figcaption><\/figure><\/div>\n\n\n\n<h2 class=\"wp-block-heading\">Searching for Gh0stRAT Samples and C2s from a Specific Country\u00a0\u00a0<\/h2>\n\n\n\n<p>We can also create a query that searches for <a href=\"https:\/\/any.run\/cybersecurity-blog\/gh0stbins-chinese-rat-malware-analysis\/\" target=\"_blank\" rel=\"noreferrer noopener\">Gh0stRAT<\/a> samples and C2s using \u201cdestinationIPgeo\u201d as one of the search parameters; this query looks for Gh0stRAT samples that connect to servers located in China:<\/p>\n\n\n\n<div class=\"wpdt-c row wpDataTableContainerSimpleTable wpDataTables wpDataTablesWrapper\n\"\n    >\n        <table id=\"wpdtSimpleTable-189\"\n           style=\"border-collapse:collapse;\n                   border-spacing:0px;\"\n           class=\"wpdtSimpleTable wpDataTable\"\n           data-column=\"1\"\n           data-rows=\"1\"\n           data-wpID=\"189\"\n           data-responsive=\"0\"\n           data-has-header=\"0\">\n\n                    <tbody>        <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"A1\"\n                    data-col-index=\"0\"\n                    
data-row-index=\"0\"\n                    style=\" width:100%;                    padding:10px;\n                    \"\n                    >\n                                        <a class=\"wpdt-link-content\" style=\"color: #009cff; text-decoration: underline\" style=\"color: #009cff; text-decoration: underline\" href=\"https:\/\/intelligence.any.run\/analysis\/lookup\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=ti_use_cases_from_researcher&amp;utm_term=021024&amp;utm_content=linktolookup#%7B%2522query%2522:%2522destinationIPgeo:%255C%2522cn%255C%2522%25C2%25A0and%25C2%25A0threatLevel:%255C%2522malicious%255C%2522%25C2%25A0and%25C2%25A0threatName:%255C%2522gh0st%255C%2522%2522,%2522dateRange%2522:180%7D\"  rel=\"\" target=\"_blank\" data-cell-id=\"00\" data-link-url=\"https:\/\/intelligence.any.run\/analysis\/lookup\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=ti_use_cases_from_researcher&amp;utm_term=021024&amp;utm_content=linktolookup#%7B%2522query%2522:%2522destinationIPgeo:%255C%2522cn%255C%2522%25C2%25A0and%25C2%25A0threatLevel:%255C%2522malicious%255C%2522%25C2%25A0and%25C2%25A0threatName:%255C%2522gh0st%255C%2522%2522,%2522dateRange%2522:180%7D\" data-link-text=\"destinationIPgeo:&quot;cn&quot;\u00a0and\u00a0threatLevel:&quot;malicious&quot;\u00a0and\u00a0threatName:&quot;gh0st&quot;\" data-link-target=\"true\" data-link-nofollow=\"0\" data-link-noreferrer=\"0\" data-link-sponsored=\"0\" data-link-btn-status=\"0\" data-link-btn-class=\"\" data-link-content=\"wpdt-link-content\">destinationIPgeo:&quot;cn&quot;\u00a0and\u00a0threatLevel:&quot;malicious&quot;\u00a0and\u00a0threatName:&quot;gh0st&quot;<\/a>                    <\/td>\n                                        <\/tr>\n                    <\/table>\n<\/div><style id='wpdt-custom-style-189'>\ntable#wpdtSimpleTable-189{ table-layout: fixed !important; }\ntable#wpdtSimpleTable-189 td, table.wpdtSimpleTable189 th { white-space: normal !important; 
}\n<\/style>\n\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"599\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/10\/image19-1024x599.png\" alt=\"\" class=\"wp-image-9065\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/10\/image19-1024x599.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/10\/image19-300x175.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/10\/image19-768x449.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/10\/image19-1536x898.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/10\/image19-370x216.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/10\/image19-270x158.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/10\/image19-740x433.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/10\/image19.png 1814w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Figure <em>19<\/em>: Results from the query to look for Gh0stRAT samples that connect to servers based in China&nbsp;<\/em><\/figcaption><\/figure><\/div>\n\n\n<h2 class=\"wp-block-heading\">YARA Search\u00a0<\/h2>\n\n\n\n<p>In addition to the Threat Intelligence Lookup service, ANY.RUN offers <a href=\"https:\/\/any.run\/cybersecurity-blog\/yara-search-guide\/\" target=\"_blank\" rel=\"noreferrer noopener\">YARA Search<\/a>, enabling users to scan its database of collected and analyzed threat data using YARA rules, whether imported from the local machine or created on the fly.\u00a0<\/p>\n\n\n\n<p>We can create a <a href=\"https:\/\/github.com\/RussianPanda95\/Yara-Rules\/blob\/main\/LummaC2\/LummaC2.yar\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">YARA rule<\/a> to look for LummaC2 Stealer samples, and in under 10 seconds, 
we get the results, which is impressively fast. Users can also run multiple YARA scans in separate tabs.\u00a0\u00a0<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"598\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/10\/image20-1024x598.png\" alt=\"\" class=\"wp-image-9066\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/10\/image20-1024x598.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/10\/image20-300x175.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/10\/image20-768x449.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/10\/image20-1536x897.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/10\/image20-370x216.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/10\/image20-270x158.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/10\/image20-740x432.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/10\/image20.png 1815w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Figure <em>20<\/em>: Results from YARA scan&nbsp;<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>You can view the binary&#8217;s PE characteristics from the results, download it, and export the results in JSON format.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"844\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/10\/image21-1024x844.png\" alt=\"\" class=\"wp-image-9067\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/10\/image21-1024x844.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/10\/image21-300x247.png 300w, 
https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/10\/image21-768x633.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/10\/image21-370x305.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/10\/image21-270x223.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/10\/image21-740x610.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/10\/image21.png 1061w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Figure <em>21<\/em>: Exported JSON results&nbsp;<\/em><\/figcaption><\/figure><\/div>\n\n\n<h2 class=\"wp-block-heading\">Conclusion&nbsp;<\/h2>\n\n\n\n<p>ANY.RUN&#8217;s <a href=\"https:\/\/any.run\/threat-intelligence-lookup\/\" target=\"_blank\" rel=\"noreferrer noopener\">Threat Intelligence Lookup<\/a> and <a href=\"https:\/\/any.run\/cybersecurity-blog\/yara-search-guide\/\" target=\"_blank\" rel=\"noreferrer noopener\">YARA Search<\/a> services allow for precise threat hunting and the extraction of valuable insights into current cyber threat trends. 
What&#8217;s impressive is how fast these scans are\u2014they significantly speed up the analysis process, allowing for quick detection of threats and malware.\u00a0<\/p>\n\n\n\n<p>ANY.RUN is making it easier for organizations to take a proactive and informed stance on cybersecurity, which is essential in our constantly evolving threat landscape.<\/p>\n\n\n\n<p><a href=\"https:\/\/intelligence.any.run\/plans\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=ti_use_cases_from_researcher&amp;utm_term=021024&amp;utm_content=linktotiplans\/\" target=\"_blank\" rel=\"noreferrer noopener\">Test ANY.RUN&#8217;s Threat Intelligence Lookup and YARA Search in a free trial \u2192<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Editor\u2019s note: The current article is authored by Anna Pham (also known as RussianPanda), a threat intelligence researcher. You can find her latest research and insights on X, LinkedIn, and her blog. ANY.RUN introduced Threat Intelligence Lookup in February 2024, followed by the YARA Search in April 2024. 
This article will explore both services and [&hellip;]<\/p>\n","protected":false},"author":6,"featured_media":9071,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[8],"tags":[57,10,15,34],"class_list":["post-9046","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-malware-analysis","tag-anyrun","tag-cybersecurity","tag-malware","tag-malware-analysis"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v20.10 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>TI Lookup: Real-World Use Cases from a Malware Researcher<\/title>\n<meta name=\"description\" content=\"See real-world use cases for ANY.RUN&#039;s Threat Intelligence Lookup presented by the professional threat intelligence researcher Anna Pham\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/any.run\/cybersecurity-blog\/threat-intelligence-use-cases\/\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Anna Pham\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"10 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/threat-intelligence-use-cases\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/threat-intelligence-use-cases\/\"},\"author\":{\"name\":\"Anna Pham\",\"@id\":\"https:\/\/any.run\/\"},\"headline\":\"TI Lookup: Real-World Use Cases from a Malware Researcher\",\"datePublished\":\"2024-10-02T11:31:42+00:00\",\"dateModified\":\"2026-02-26T12:57:12+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/threat-intelligence-use-cases\/\"},\"wordCount\":1369,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\/\/any.run\/\"},\"keywords\":[\"ANYRUN\",\"cybersecurity\",\"malware\",\"malware analysis\"],\"articleSection\":[\"Malware Analysis\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\/\/any.run\/cybersecurity-blog\/threat-intelligence-use-cases\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/threat-intelligence-use-cases\/\",\"url\":\"https:\/\/any.run\/cybersecurity-blog\/threat-intelligence-use-cases\/\",\"name\":\"TI Lookup: Real-World Use Cases from a Malware Researcher\",\"isPartOf\":{\"@id\":\"https:\/\/any.run\/\"},\"datePublished\":\"2024-10-02T11:31:42+00:00\",\"dateModified\":\"2026-02-26T12:57:12+00:00\",\"description\":\"See real-world use cases for ANY.RUN's Threat Intelligence Lookup presented by the professional threat intelligence researcher Anna 
Pham\",\"breadcrumb\":{\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/threat-intelligence-use-cases\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/any.run\/cybersecurity-blog\/threat-intelligence-use-cases\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/threat-intelligence-use-cases\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/any.run\/cybersecurity-blog\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Malware Analysis\",\"item\":\"https:\/\/any.run\/cybersecurity-blog\/category\/malware-analysis\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"TI Lookup: Real-World Use Cases from a Malware Researcher\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/any.run\/\",\"url\":\"https:\/\/any.run\/\",\"name\":\"ANY.RUN&#039;s Cybersecurity Blog\",\"description\":\"Cybersecurity Blog covers topics for experienced professionals as well as for those new to it.\",\"publisher\":{\"@id\":\"https:\/\/any.run\/\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/any.run\/?s={search_term_string}\"},\"query-input\":\"required 
name=search_term_string\"}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/any.run\/\",\"name\":\"ANY.RUN\",\"url\":\"https:\/\/any.run\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/any.run\/\",\"url\":\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg\",\"contentUrl\":\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg\",\"width\":1,\"height\":1,\"caption\":\"ANY.RUN\"},\"image\":{\"@id\":\"https:\/\/any.run\/\"},\"sameAs\":[\"https:\/\/www.facebook.com\/www.any.run\/\",\"https:\/\/twitter.com\/anyrun_app\",\"https:\/\/www.linkedin.com\/company\/30692044\",\"https:\/\/www.youtube.com\/channel\/UCOgCPho7lzmH7m6fPNlukrQ\"]},{\"@type\":\"Person\",\"@id\":\"https:\/\/any.run\/\",\"name\":\"Anna Pham\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/any.run\/\",\"url\":\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/wyIBFRtO.jpg\",\"contentUrl\":\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/wyIBFRtO.jpg\",\"caption\":\"Anna Pham\"},\"description\":\"Senior Threat Intelligence researcher by day and malware enthusiast by night. Follow Anna on: LinkedIn. X. Read her blog at russianpanda.com.\",\"url\":\"#molongui-disabled-link\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"TI Lookup: Real-World Use Cases from a Malware Researcher","description":"See real-world use cases for ANY.RUN's Threat Intelligence Lookup presented by the professional threat intelligence researcher Anna Pham","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/any.run\/cybersecurity-blog\/threat-intelligence-use-cases\/","twitter_misc":{"Written by":"Anna Pham","Est. 
reading time":"10 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/any.run\/cybersecurity-blog\/threat-intelligence-use-cases\/#article","isPartOf":{"@id":"https:\/\/any.run\/cybersecurity-blog\/threat-intelligence-use-cases\/"},"author":{"name":"Anna Pham","@id":"https:\/\/any.run\/"},"headline":"TI Lookup: Real-World Use Cases from a Malware Researcher","datePublished":"2024-10-02T11:31:42+00:00","dateModified":"2026-02-26T12:57:12+00:00","mainEntityOfPage":{"@id":"https:\/\/any.run\/cybersecurity-blog\/threat-intelligence-use-cases\/"},"wordCount":1369,"commentCount":0,"publisher":{"@id":"https:\/\/any.run\/"},"keywords":["ANYRUN","cybersecurity","malware","malware analysis"],"articleSection":["Malware Analysis"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/any.run\/cybersecurity-blog\/threat-intelligence-use-cases\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/any.run\/cybersecurity-blog\/threat-intelligence-use-cases\/","url":"https:\/\/any.run\/cybersecurity-blog\/threat-intelligence-use-cases\/","name":"TI Lookup: Real-World Use Cases from a Malware Researcher","isPartOf":{"@id":"https:\/\/any.run\/"},"datePublished":"2024-10-02T11:31:42+00:00","dateModified":"2026-02-26T12:57:12+00:00","description":"See real-world use cases for ANY.RUN's Threat Intelligence Lookup presented by the professional threat intelligence researcher Anna 
Pham","breadcrumb":{"@id":"https:\/\/any.run\/cybersecurity-blog\/threat-intelligence-use-cases\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/any.run\/cybersecurity-blog\/threat-intelligence-use-cases\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/any.run\/cybersecurity-blog\/threat-intelligence-use-cases\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/any.run\/cybersecurity-blog\/"},{"@type":"ListItem","position":2,"name":"Malware Analysis","item":"https:\/\/any.run\/cybersecurity-blog\/category\/malware-analysis\/"},{"@type":"ListItem","position":3,"name":"TI Lookup: Real-World Use Cases from a Malware Researcher"}]},{"@type":"WebSite","@id":"https:\/\/any.run\/","url":"https:\/\/any.run\/","name":"ANY.RUN&#039;s Cybersecurity Blog","description":"Cybersecurity Blog covers topics for experienced professionals as well as for those new to it.","publisher":{"@id":"https:\/\/any.run\/"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/any.run\/?s={search_term_string}"},"query-input":"required name=search_term_string"}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/any.run\/","name":"ANY.RUN","url":"https:\/\/any.run\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/any.run\/","url":"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg","contentUrl":"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg","width":1,"height":1,"caption":"ANY.RUN"},"image":{"@id":"https:\/\/any.run\/"},"sameAs":["https:\/\/www.facebook.com\/www.any.run\/","https:\/\/twitter.com\/anyrun_app","https:\/\/www.linkedin.com\/company\/30692044","https:\/\/www.youtube.com\/channel\/UCOgCPho7lzmH7m6fPNlukrQ"]},{"@type":"Person","@id":"https:\/\/any.run\/","name":"Anna 
Pham","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/any.run\/","url":"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/wyIBFRtO.jpg","contentUrl":"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/wyIBFRtO.jpg","caption":"Anna Pham"},"description":"Senior Threat Intelligence researcher by day and malware enthusiast by night. Follow Anna on: LinkedIn. X. Read her blog at russianpanda.com.","url":"#molongui-disabled-link"}]}},"_links":{"self":[{"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/posts\/9046"}],"collection":[{"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/users\/6"}],"replies":[{"embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/comments?post=9046"}],"version-history":[{"count":12,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/posts\/9046\/revisions"}],"predecessor-version":[{"id":18852,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/posts\/9046\/revisions\/18852"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/media\/9071"}],"wp:attachment":[{"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/media?parent=9046"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/categories?post=9046"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/tags?post=9046"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}