### ThreatFox API IOC Response Example Source: https://threatfox.abuse.ch/api This is an example of a JSON response received from the ThreatFox API when querying for an IOC by its ID. It includes details about the IOC, associated malware, and first/last seen timestamps. ```json { "id": "41", "ioc": "gaga.com", "threat_type": "botnet_cc", "threat_type_desc": "Indicator that identifies a botnet command&control server (C&C)", "ioc_type": "domain", "ioc_type_desc": "Domain that is used for botnet Command&control (C&C)", "malware": "win.dridex", "malware_printable": "Dridex", "malware_alias": null, "malware_malpedia": "https:\/\/malpedia.caad.fkie.fraunhofer.de\/details\/win.dridex", "confidence_level": 50, "first_seen": "2020-12-08 13:36:27 UTC", "last_seen": null, "reference": "https:\/\/twitter.com\/JAMESWT_MHT\/status\/1336229725082177536", "reporter": "abuse_ch", "comment": "These domains are too bad!", "tags": [ "exe", "test" ], "credits": [ { "credits_from": "ThreatFox", "credits_amount": 5 } ], "malware_samples": [ { "time_stamp": "2021-03-23 08:18:06 UTC", "md5_hash": "5b7e82e051ade4b14d163eea2a17bf8b", "sha256_hash": "b325c92fa540edeb89b95dbfd4400c1cb33599c66859a87aead820e568a2ebe7", "malware_bazaar": "https:\/\/bazaar.abuse.ch\/sample\/b325c92fa540edeb89b95dbfd4400c1cb33599c66859a87aead820e568a2ebe7\/" }, { "time_stamp": "2021-03-23 08:18:08 UTC", "md5_hash": "694bf1540ff9d86851adbe15e9568d13", "sha256_hash": "05a7bd44b039d1c1b0eb7ed12d2266ca341ba63d66084e151cfef5649c52ef08", "malware_bazaar": "https:\/\/bazaar.abuse.ch\/sample\/05a7bd44b039d1c1b0eb7ed12d2266ca341ba63d66084e151cfef5649c52ef08\/" }, { "time_stamp": "2021-03-23 08:18:09 UTC", "md5_hash": "9024c9672b189faa5880a47031397350", "sha256_hash": "b4f33452f07d0b284df64219b015c331b87faad62c11bfcc246513d06c101f6e", "malware_bazaar": "https:\/\/bazaar.abuse.ch\/sample\/b4f33452f07d0b284df64219b015c331b87faad62c11bfcc246513d06c101f6e\/" }, { "time_stamp": "2021-03-23 08:18:11 UTC", "md5_hash": "938bf3f035fbf95144ec5493ef1920af", "sha256_hash": "7c1648815aa70e879d1f6f542ae8c41ba912305fe8adc70f5970026adc2e46a6", "malware_bazaar": "https:\/\/bazaar.abuse.ch\/sample\/7c1648815aa70e879d1f6f542ae8c41ba912305fe8adc70f5970026adc2e46a6\/" }, { "time_stamp": "2021-03-23 08:18:12 UTC", "md5_hash": "aadaa91ca106e59aa1e4e59f8f956c23", "sha256_hash": "cca1a1f85ee5c99d124bd9df98342eae40343b8757838bb7f1e1385fe8b836d8", "malware_bazaar": "https:\/\/bazaar.abuse.ch\/sample\/cca1a1f85ee5c99d124bd9df98342eae40343b8757838bb7f1e1385fe8b836d8\/" }, { "time_stamp": "2021-03-23 08:18:14 UTC", "md5_hash": "ad721c851b6eca529ed7054fb3d51723", "sha256_hash": "40ae56610e25e1b7dbe5e0c69bd432fbcb4ebe014cd3e0ca66b5dcf98ed34602", "malware_bazaar": "https:\/\/bazaar.abuse.ch\/sample\/40ae56610e25e1b7dbe5e0c69bd432fbcb4ebe014cd3e0ca66b5dcf98ed34602\/" } ] } ``` -------------------------------- ### Obtain Auth-Key and Query API Source: https://threatfox.abuse.ch/api Example curl command to authenticate with the ThreatFox API using an Auth-Key and send a POST request for a specific query. ```bash curl -H "Auth-Key: YOUR-AUTH-KEY" -X POST https://threatfox-api.abuse.ch/api/v1/ -d '{ "query": "get_iocs", "days": 1 }' ``` -------------------------------- ### ThreatFox API Tag List Response Example Source: https://threatfox.abuse.ch/api This is an example of a successful response from the ThreatFox API when querying for a tag list. It includes query status and a data object containing tag details. ```json { "query_status": "ok", "data": { "exe": { "first_seen": "2020-12-06 09:16:18", "last_seen": "2020-12-08 13:36:27", "color": "#D984D4" }, "js": { "first_seen": "2020-12-06 15:04:03", "last_seen": "2020-12-06 15:04:03", "color": "#1BA0CD" }, "Magecart": { "first_seen": "2020-12-06 15:04:03", "last_seen": "2020-12-06 15:04:03", "color": "#C41619" } } ) ``` -------------------------------- ### Get Malware List (malware_list) Source: https://threatfox.abuse.ch/api Obtain a list of supported malware families from ThreatFox. The list is sourced from Malpedia. ```APIDOC ## POST /api/v1/ ### Description Obtain a list of supported malware families from ThreatFox. The list is sourced from Malpedia. ### Method POST ### Endpoint /api/v1/ ### Parameters #### Query Parameters - **query** (string) - Required - Selector, must be `malware_list` ### Request Example ```bash curl -H "Auth-Key: YOUR-AUTH-KEY" -X POST https://threatfox-api.abuse.ch/api/v1/ -d '{ "query": "malware_list" }' ``` ### Response #### Success Response (200) - **query_status** (string) - The status of the query ('ok'). - **data** (object) - An object containing malware families as keys. - **[malware_key]** (object) - Details for each malware family. - **malware_printable** (string) - The human-readable malware name. - **malware_alias** (string or null) - Aliases for the malware. #### Response Example ```json { "query_status": "ok", "data": { "win.sparksrv": { "malware_printable": "Sparksrv", "malware_alias": null }, "win.sslmm": { "malware_printable": "SslMM", "malware_alias": null }, "win.hermes_ransom": { "malware_printable": "Hermes Ransomware", "malware_alias": null }, "apk.doublelocker": { "malware_printable": "DoubleLocker", "malware_alias": null }, [...] } ``` ``` -------------------------------- ### Query Recent IOCs Source: https://threatfox.abuse.ch/api Example curl command to query the ThreatFox API for IOCs within a specified number of days. The 'days' parameter filters IOCs based on their 'first_seen' timestamp. ```bash curl -H "Auth-Key: YOUR-AUTH-KEY" -X POST https://threatfox-api.abuse.ch/api/v1/ -d '{ "query": "get_iocs", "days": 7 }' ``` -------------------------------- ### Submit IOC to ThreatFox Source: https://threatfox.abuse.ch/api Python script to submit IOC data to the ThreatFox API. Ensure you have the 'requests' library installed and replace placeholders with actual values. ```python import json import requests url = "https://threatfox-api.abuse.ch/api/v1/" # Example data for submitting an IOC data = { 'query': 'submit_ioc', 'threat_type': 'malware_download', 'ioc_type': 'domain', 'malware': 'Emotet', 'confidence_level': 5, 'reference': 'VirusTotal', 'is_compromised': 1, 'comment': 'This is a test IOC submission.', 'anonymous': 0, 'tags': [ 'test', 'emotet' ], 'iocs': [ 'example.com' ] } headers = { 'Content-Type': 'application/json' } try: response = requests.post(url, headers=headers, data=json.dumps(data)) response.raise_for_status() # Raise an exception for bad status codes result = response.json() print(json.dumps(result, indent=4)) except requests.exceptions.RequestException as e: print(f"An error occurred: {e}") except json.JSONDecodeError: print("Failed to decode JSON response.") ``` -------------------------------- ### Get Tag List using curl Source: https://threatfox.abuse.ch/api Use this curl command to query the ThreatFox API for a list of known tags. Ensure you replace 'YOUR-AUTH-KEY' with your actual authentication key. ```bash curl -H "Auth-Key: YOUR-AUTH-KEY" -X POST https://threatfox-api.abuse.ch/api/v1/ -d '{ "query": "tag_list" }' ``` -------------------------------- ### Get IOC / Threat Types (types) Source: https://threatfox.abuse.ch/api Retrieve a list of supported IOC (Indicator of Compromise) and threat types from ThreatFox. ```APIDOC ## POST /api/v1/ ### Description Retrieve a list of supported IOC (Indicator of Compromise) and threat types from ThreatFox. ### Method POST ### Endpoint /api/v1/ ### Parameters #### Query Parameters - **query** (string) - Required - Selector, must be `types` ### Request Example ```bash curl -H "Auth-Key: YOUR-AUTH-KEY" -X POST https://threatfox-api.abuse.ch/api/v1/ -d '{ "query": "types" }' ``` ### Response #### Success Response (200) - **query_status** (string) - The status of the query ('ok'). - **data** (object) - An object containing IOC types as keys. - **[ioc_type_key]** (object) - Details for each IOC type. - **ioc_type** (string) - The type of IOC (e.g., 'url', 'domain', 'ip:port'). - **fk_threat_type** (string) - The associated threat type (e.g., 'payload_delivery'). - **description** (string) - A description of the IOC type. #### Response Example ```json { "query_status": "ok", "data": { "1": { "ioc_type": "url", "fk_threat_type": "payload_delivery", "description": "URL that delivers a malware payload" }, "2": { "ioc_type": "domain", "fk_threat_type": "payload_delivery", "description": "Domain name that delivers a malware payload" }, "3": { "ioc_type": "ip:port", "fk_threat_type": "payload_delivery", "description": "ip:port combination that delivery a malware payload" }, [...] } } ``` ``` -------------------------------- ### Get IOC Types using Curl Source: https://threatfox.abuse.ch/api Use this curl command to query the ThreatFox API for a list of supported IOC (Indicator of Compromise) threat types. Replace 'YOUR-AUTH-KEY' with your actual API key. ```curl curl -H "Auth-Key: YOUR-AUTH-KEY" -X POST https://threatfox-api.abuse.ch/api/v1/ -d '{ "query": "types" }' ``` -------------------------------- ### Get Malware List using Curl Source: https://threatfox.abuse.ch/api This curl command retrieves a list of supported malware families from the ThreatFox API. Replace 'YOUR-AUTH-KEY' with your actual API key. ```curl curl -H "Auth-Key: YOUR-AUTH-KEY" -X POST https://threatfox-api.abuse.ch/api/v1/ -d '{ "query": "malware_list" }' ``` -------------------------------- ### Get Tag List Source: https://threatfox.abuse.ch/api Retrieve a list of all tags known to the ThreatFox platform. This is a POST request that requires a 'query' parameter set to 'tag_list'. ```APIDOC ## Get tag list ### Description Obtain a list of tags known to ThreatFox. ### Method POST ### Endpoint https://threatfox-api.abuse.ch/api/v1/ ### Parameters #### Request Body - **query** (string) - Required - Selector, must be `tag_list` ### Request Example ```json { "query": "tag_list" } ``` ### Response #### Success Response (200) - **query_status** (string) - Indicates the status of the query. - **data** (object) - Contains the tag information. - **[tag_name]** (object) - Information about a specific tag. - **first_seen** (string) - The date and time the tag was first seen. - **last_seen** (string) - The date and time the tag was last seen. - **color** (string) - A color code associated with the tag. ### Response Example ```json { "query_status": "ok", "data": { "exe": { "first_seen": "2020-12-06 09:16:18", "last_seen": "2020-12-08 13:36:27", "color": "#D984D4" }, "js": { "first_seen": "2020-12-06 15:04:03", "last_seen": "2020-12-06 15:04:03", "color": "#1BA0CD" }, "Magecart": { "first_seen": "2020-12-06 15:04:03", "last_seen": "2020-12-06 15:04:03", "color": "#C41619" } } } ``` ``` -------------------------------- ### Query Malware Information Source: https://threatfox.abuse.ch/api Allows users to search for specific malware families and retrieve related information. Ensure you use the correct malware family name, which can be obtained from the 'Get malware list' endpoint or Malpedia. ```APIDOC ## POST /api/v1/ ### Description Retrieves information about a specified malware family. ### Method POST ### Endpoint https://threatfox-api.abuse.ch/api/v1/ ### Parameters #### Request Body - **query** (string) - Required - Must be `malwareinfo`. - **malware** (string) - Required - The name of the malware family to search for. - **limit** (integer) - Optional - The maximum number of results to return. ### Request Example ```json { "query": "malwareinfo", "malware": "Cobalt Strike", "limit": 10 } ``` ### Response #### Success Response (200) - **query_status** (string) - Indicates the status of the query. - **data** (array) - An array of objects, where each object contains details about an IOC related to the malware. - **id** (string) - Unique identifier for the IOC. - **ioc** (string) - The indicator of compromise (e.g., IP address, URL). - **threat_type** (string) - The type of threat. - **threat_type_desc** (string) - Description of the threat type. - **ioc_type** (string) - The type of IOC. - **ioc_type_desc** (string) - Description of the IOC type. - **malware** (string) - The malware family name. - **malware_printable** (string) - A human-readable name for the malware. - **malware_alias** (string) - Aliases for the malware. - **malware_malpedia** (string) - URL to the malware's page on Malpedia. - **confidence_level** (integer) - Confidence level of the IOC. - **first_seen** (string) - Timestamp when the IOC was first seen. - **last_seen** (string) - Timestamp when the IOC was last seen (can be null). - **reference** (string) - A reference URL related to the IOC (can be null). - **reporter** (string) - The entity that reported the IOC. - **tags** (array) - An array of tags associated with the IOC (can be null). #### Response Example ```json { "query_status": "ok", "data": [ { "id": "21", "ioc": "43.255.30.192:8848", "threat_type": "botnet_cc", "threat_type_desc": "Indicator that identifies a botnet command&control server (C&C)", "ioc_type": "ip:port", "ioc_type_desc": "ip:port combination that is used for botnet Command&control (C&C)", "malware": "win.cobalt_strike", "malware_printable": "Cobalt Strike", "malware_alias": "Agentemis,BEACON,CobaltStrike", "malware_malpedia": "https:\/\/malpedia.caad.fkie.fraunhofer.de\/details\/win.cobalt_strike", "confidence_level": 50, "first_seen": "2020-12-06 09:47:30 UTC", "last_seen": null, "reference": null, "reporter": "abuse_ch", "tags": null } ] } ``` ``` -------------------------------- ### Submit IOCs using Python Source: https://threatfox.abuse.ch/api This Python script demonstrates how to submit Indicators of Compromise (IOCs) to the ThreatFox API. Ensure you have a valid Auth-Key and specify the correct threat and IOC types. ```python #!/usr/bin/python3 import requests import urllib3 import json # Prepare HTTPSConnectionPool headers = { "Auth-Key": "YOUR-AUTH-APKEY-HERE", } pool = urllib3.HTTPSConnectionPool('threatfox-api.abuse.ch', port=443, maxsize=50, headers=headers, cert_reqs='CERT_NONE', assert_hostname=True) # threat_type - Query https://threatfox.abuse.ch/api/#types to get the appropriate # threat_type / ioc_type combination # ioc_type - Query https://threatfox.abuse.ch/api/#types to get the appropriate # threat_type / ioc_type combination # malwareinfo - Query https://threatfox.abuse.ch/api/#malware-list to get the appropriate # - malware family or search through Malpedia web UI: https://malpedia.caad.fkie.fraunhofer.de/ # confidence_level - Optional; Must be between 0-100. Default: 50 # is_compromised - Optional: "True" or "False". Indicates whether the asset is compromised (i.e. compromised website, IP address, etc) or dedicated infrastructure setup and operated by the threat actor. Default: "False" # reference - Optional; Must be a URL if provided # Comment - Optional; Your comment on the IOC(s) you want to submit ``` -------------------------------- ### Query IOCs by Tag Source: https://threatfox.abuse.ch/api Use this cURL command to search for IOCs associated with a specific tag. Ensure you replace 'YOUR-AUTH-KEY' with your actual authentication key. ```bash curl -H "Auth-Key: YOUR-AUTH-KEY" -X POST https://threatfox-api.abuse.ch/api/v1/ -d '{ "query": "taginfo", "tag": "Magecart", "limit": 10 }' ``` -------------------------------- ### Sample API Response for Recent IOCs Source: https://threatfox.abuse.ch/api A sample JSON response structure from the ThreatFox API when querying for recent IOCs. It includes details like IOC ID, type, threat information, and timestamps. ```json { "query_status": "ok", "data": [ { "id": "41", "ioc": "gaga.com", "threat_type": "botnet_cc", "threat_type_desc": "Indicator that identifies a botnet command&control server (C&C)", "ioc_type": "domain", "ioc_type_desc": "Domain that is used for botnet Command&control (C&C)", "malware": "win.dridex", "malware_printable": "Dridex", "malware_alias": null, "malware_malpedia": "https:\/\/malpedia.caad.fkie.fraunhofer.de\/details\/win.dridex", "confidence_level": 50, "first_seen": "2020-12-08 13:36:27 UTC", "last_seen": null, "reporter": "abuse_ch", "reference": "https:\/\/twitter.com\/JAMESWT_MHT\/status\/1336229725082177536", "tags": [ "exe", "test" ] }, { "id": "40", "ioc": "susu.com", "threat_type": "botnet_cc", "threat_type_desc": "Indicator that identifies a botnet command&control server (C&C)", "ioc_type": "domain", "ioc_type_desc": "Domain that is used for botnet Command&control (C&C)", "malware": "win.dridex", "malware_printable": "Dridex", "malware_alias": null, "malware_malpedia": "https:\/\/malpedia.caad.fkie.fraunhofer.de\/details\/win.dridex", "confidence_level": 50, "first_seen": "2020-12-08 13:36:27 UTC", "last_seen": null, "reporter": "abuse_ch", "reference": null, "tags": [ "exe", "test" ] }, [...] } ``` -------------------------------- ### Search IOC with Curl Source: https://threatfox.abuse.ch/api Use this curl command to send an HTTP POST request to the Threatfox API to search for a specific IOC. Ensure you replace 'YOUR-AUTH-KEY' with your actual authentication key. ```bash curl -H "Auth-Key: YOUR-AUTH-KEY" -X POST https://threatfox-api.abuse.ch/api/v1/ -d '{ "query": "search_ioc", "search_term": "139.180.203.104", "exact_match": true }' ``` -------------------------------- ### Search IOCs by File Hash using curl Source: https://threatfox.abuse.ch/api Use this curl command to send an HTTP POST request to the Threatfox API to search for IOCs associated with a given file hash. Ensure you replace 'YOUR-AUTH-KEY' with your actual authentication key. ```bash curl -H "Auth-Key: YOUR-AUTH-KEY" -X POST https://threatfox-api.abuse.ch/api/v1/ -d '{ "query": "search_hash", "hash": "2151c4b970eff0071948dbbc19066aa4" }' ``` -------------------------------- ### ThreatFox API Tag Query Response Source: https://threatfox.abuse.ch/api This is a sample JSON response when querying for IOCs by tag. It includes details about the IOCs found, such as their ID, type, and associated malware. ```json { "query_status": "ok", "data": [ { "id": "29", "ioc": "jquery.su", "threat_type": "cc_skimming", "threat_type_desc": "Indicator that identifies credit card skimming infrastructure (NOT phishing)", "ioc_type": "domain", "ioc_type_desc": "Domain used for credit card skimming (usually related to Magecart attacks)", "malware": "js.magecart", "malware_printable": "magecart", "malware_alias": null, "malware_malpedia": "https:\/\/malpedia.caad.fkie.fraunhofer.de\/details\/js.magecart", "confidence_level": 50, "first_seen": "2020-12-06 15:04:03 UTC", "last_seen": null, "reference": "https:\/\/twitter.com\/AffableKraut\/status\/1335501765031174145", "reporter": "abuse_ch", "tags": [ "Magecart" ] }, { "id": "28", "ioc": "jquerysapi.com", "threat_type": "cc_skimming", "threat_type_desc": "Indicator that identifies credit card skimming infrastructure (NOT phishing)", "ioc_type": "domain", "ioc_type_desc": "Domain used for credit card skimming (usually related to Magecart attacks)", "malware": "js.magecart", "malware_printable": "magecart", "malware_alias": null, "malware_malpedia": "https:\/\/malpedia.caad.fkie.fraunhofer.de\/details\/js.magecart", "confidence_level": 50, "first_seen": "2020-12-06 15:04:03 UTC", "last_seen": null, "reference": "https:\/\/twitter.com\/AffableKraut\/status\/1335501765031174145", "reporter": "abuse_ch", "tags": [ "Magecart" ] } ] } ``` -------------------------------- ### ThreatFox API IOC Search Response Source: https://threatfox.abuse.ch/api This is a sample JSON response from the ThreatFox API after a successful IOC search query. It includes details about the IOC, associated malware, and related samples. ```json { "query_status": "ok", "data": [ { "id": "12", "ioc": "139.180.203.104:443", "threat_type": "botnet_cc", "threat_type_desc": "Indicator that identifies a botnet command&control server (C&C)", "ioc_type": "ip:port", "ioc_type_desc": "ip:port combination that is used for botnet Command&control (C&C)", "malware": "win.cobalt_strike", "malware_printable": "Cobalt Strike", "malware_alias": "Agentemis,BEACON,CobaltStrike", "malware_malpedia": "https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike", "confidence_level": 75, "first_seen": "2020-12-06 09:10:23 UTC", "last_seen": null, "reference": null, "reporter": "abuse_ch", "tags": null, "malware_samples": [ { "time_stamp": "2021-03-23 08:18:06 UTC", "md5_hash": "5b7e82e051ade4b14d163eea2a17bf8b", "sha256_hash": "b325c92fa540edeb89b95dbfd4400c1cb33599c66859a87aead820e568a2ebe7", "malware_bazaar": "https://bazaar.abuse.ch/sample/b325c92fa540edeb89b95dbfd4400c1cb33599c66859a87aead820e568a2ebe7/" }, { "time_stamp": "2021-03-23 08:18:08 UTC", "md5_hash": "694bf1540ff9d86851adbe15e9568d13", "sha256_hash": "05a7bd44b039d1c1b0eb7ed12d2266ca341ba63d66084e151cfef5649c52ef08", "malware_bazaar": "https://bazaar.abuse.ch/sample/05a7bd44b039d1c1b0eb7ed12d2266ca341ba63d66084e151cfef5649c52ef08/" }, { "time_stamp": "2021-03-23 08:18:09 UTC", "md5_hash": "9024c9672b189faa5880a47031397350", "sha256_hash": "b4f33452f07d0b284df64219b015c331b87faad62c11bfcc246513d06c101f6e", "malware_bazaar": "https://bazaar.abuse.ch/sample/b4f33452f07d0b284df64219b015c331b87faad62c11bfcc246513d06c101f6e/" }, { "time_stamp": "2021-03-23 08:18:11 UTC", "md5_hash": "938bf3f035fbf95144ec5493ef1920af", "sha256_hash": "7c1648815aa70e879d1f6f542ae8c41ba912305fe8adc70f5970026adc2e46a6", "malware_bazaar": "https://bazaar.abuse.ch/sample/7c1648815aa70e879d1f6f542ae8c41ba912305fe8adc70f5970026adc2e46a6/" }, { "time_stamp": "2021-03-23 08:18:12 UTC", "md5_hash": "aadaa91ca106e59aa1e4e59f8f956c23", "sha256_hash": "cca1a1f85ee5c99d124bd9df98342eae40343b8757838bb7f1e1385fe8b836d8", "malware_bazaar": "https://bazaar.abuse.ch/sample/cca1a1f85ee5c99d124bd9df98342eae40343b8757838bb7f1e1385fe8b836d8/" }, { "time_stamp": "2021-03-23 08:18:14 UTC", "md5_hash": "ad721c851b6eca529ed7054fb3d51723", "sha256_hash": "40ae56610e25e1b7dbe5e0c69bd432fbcb4ebe014cd3e0ca66b5dcf98ed34602", "malware_bazaar": "https://bazaar.abuse.ch/sample/40ae56610e25e1b7dbe5e0c69bd432fbcb4ebe014cd3e0ca66b5dcf98ed34602/" } ] } ] } ``` -------------------------------- ### Query IOC by ID using cURL Source: https://threatfox.abuse.ch/api Use this cURL command to send an HTTP POST request to the ThreatFox API to retrieve a specific IOC by its ID. Ensure you replace 'YOUR-AUTH-KEY' with your actual authentication key. ```bash curl -H "Auth-Key: YOUR-AUTH-KEY" -X POST https://threatfox-api.abuse.ch/api/v1/ -d '{ "query": "ioc", "id": 41 }' ``` -------------------------------- ### Threatfox API Response for Hash Search Source: https://threatfox.abuse.ch/api This is a sample JSON response from the Threatfox API when querying for IOCs associated with a file hash. It contains details about the query status and a list of matching IOCs. ```json { "query_status": "ok", "data": [ { "id": "4726", "ioc": "http:\/\/harold.jetos.com:3606\/is-ready", "threat_type": "botnet_cc", "threat_type_desc": "Indicator that identifies a botnet command&control server (C&C)", "ioc_type": "url", "ioc_type_desc": "URL that is used for botnet Command&control (C&C)", "malware": "win.houdini", "malware_printable": "Houdini", "malware_alias": "Hworm,Jenxcus,Kognito,Njw0rm,WSHRAT,dinihou,dunihi", "malware_malpedia": "https:\/\/malpedia.caad.fkie.fraunhofer.de\/details\/win.houdini", "confidence_level": 100, "first_seen": "2021-03-23 14:50:33 UTC", "last_seen": null, "reference": null, "reporter": "abuse_ch", "tags": [ "WSHRAT" ] }, { "id": "4727", "ioc": "http:\/\/harold.jetos.com:3606\/moz-sdk", "threat_type": "botnet_cc", "threat_type_desc": "Indicator that identifies a botnet command&control server (C&C)", "ioc_type": "url", "ioc_type_desc": "URL that is used for botnet Command&control (C&C)", "malware": "win.houdini", "malware_printable": "Houdini", "malware_alias": "Hworm,Jenxcus,Kognito,Njw0rm,WSHRAT,dinihou,dunihi", "malware_malpedia": "https:\/\/malpedia.caad.fkie.fraunhofer.de\/details\/win.houdini", "confidence_level": 100, "first_seen": "2021-03-23 14:50:35 UTC", "last_seen": null, "reference": null, "reporter": "abuse_ch", "tags": [ "WSHRAT" ] }, { "id": "4728", "ioc": "http:\/\/harold.jetos.com:3606\/show-toast", "threat_type": "botnet_cc", "threat_type_desc": "Indicator that identifies a botnet command&control server (C&C)", "ioc_type": "url", "ioc_type_desc": "URL that is used for botnet Command&control (C&C)", "malware": "win.houdini", "malware_printable": "Houdini", "malware_alias": "Hworm,Jenxcus,Kognito,Njw0rm,WSHRAT,dinihou,dunihi", "malware_malpedia": "https:\/\/malpedia.caad.fkie.fraunhofer.de\/details\/win.houdini", "confidence_level": 100, "first_seen": "2021-03-23 14:50:35 UTC", "last_seen": null, "reference": null, "reporter": "abuse_ch", "tags": [ "WSHRAT" ] }, { "id": "4729", "ioc": "http:\/\/harold.jetos.com:3606\/ie", "threat_type": "botnet_cc", "threat_type_desc": "Indicator that identifies a botnet command&control server (C&C)", "ioc_type": "url", "ioc_type_desc": "URL that is used for botnet Command&control (C&C)", "malware": "win.houdini", "malware_printable": "Houdini", "malware_alias": "Hworm,Jenxcus,Kognito,Njw0rm,WSHRAT,dinihou,dunihi", "malware_malpedia": "https:\/\/malpedia.caad.fkie.fraunhofer.de\/details\/win.houdini", "confidence_level": 100, "first_seen": "2021-03-23 14:50:36 UTC", "last_seen": null, "reference": null, "reporter": "abuse_ch", "tags": [ "WSHRAT" ] } ] } ``` -------------------------------- ### Search an IOC Source: https://threatfox.abuse.ch/api Allows users to search for an IOC on ThreatFox by sending an HTTP POST request to the API. Supports wildcard and exact match searches. ```APIDOC ## POST /api/v1/ ### Description Searches for a specific Indicator of Compromise (IOC) within the ThreatFox database. This endpoint supports both wildcard and exact match searches for IOCs. ### Method POST ### Endpoint https://threatfox-api.abuse.ch/api/v1/ ### Parameters #### Request Body - **query** (string) - Required - Selector, must be `search_ioc`. - **search_term** (string) - Required - The IOC you want to search for. - **exact_match** (boolean) - Optional - If set to `true`, performs an exact match search. Defaults to `false` (wildcard search). ### Request Example ```json { "query": "search_ioc", "search_term": "94.103.84.81", "exact_match": true } ``` ### Response #### Success Response (200) - **query_status** (string) - Indicates the status of the query, e.g., "ok". - **data** (array) - An array of objects, where each object represents a found IOC and its associated details. - **id** (string) - The unique identifier for the IOC entry. - **ioc** (string) - The Indicator of Compromise. - **threat_type** (string) - The type of threat associated with the IOC. - **threat_type_desc** (string) - A description of the threat type. - **ioc_type** (string) - The type of IOC (e.g., 'ip:port'). - **ioc_type_desc** (string) - A description of the IOC type. - **malware** (string) - The name of the associated malware. - **malware_printable** (string) - A human-readable name of the malware. - **malware_alias** (string) - Aliases for the malware. - **malware_malpedia** (string) - A URL to the malware details on Malpedia. - **confidence_level** (integer) - The confidence level of the IOC. - **first_seen** (string) - The timestamp when the IOC was first seen. - **last_seen** (string|null) - The timestamp when the IOC was last seen. - **reference** (string|null) - Any reference associated with the IOC. - **reporter** (string) - The entity that reported the IOC. - **tags** (string|null) - Tags associated with the IOC. - **malware_samples** (array) - An array of malware sample details. - **time_stamp** (string) - The timestamp of the sample. - **md5_hash** (string) - The MD5 hash of the sample. - **sha256_hash** (string) - The SHA256 hash of the sample. - **malware_bazaar** (string) - A URL to the sample on MalwareBazaar. #### Response Example ```json { "query_status": "ok", "data": [ { "id": "12", "ioc": "139.180.203.104:443", "threat_type": "botnet_cc", "threat_type_desc": "Indicator that identifies a botnet command&control server (C&C)", "ioc_type": "ip:port", "ioc_type_desc": "ip:port combination that is used for botnet Command&control (C&C)", "malware": "win.cobalt_strike", "malware_printable": "Cobalt Strike", "malware_alias": "Agentemis,BEACON,CobaltStrike", "malware_malpedia": "https:\/\/malpedia.caad.fkie.fraunhofer.de\/details\/win.cobalt_strike", "confidence_level": 75, "first_seen": "2020-12-06 09:10:23 UTC", "last_seen": null, "reference": null, "reporter": "abuse_ch", "tags": null, "malware_samples": [ { "time_stamp": "2021-03-23 08:18:06 UTC", "md5_hash": "5b7e82e051ade4b14d163eea2a17bf8b", "sha256_hash": "b325c92fa540edeb89b95dbfd4400c1cb33599c66859a87aead820e568a2ebe7", "malware_bazaar": "https:\/\/bazaar.abuse.ch\/sample\/b325c92fa540edeb89b95dbfd4400c1cb33599c66859a87aead820e568a2ebe7\/" } ] } ] } ``` ```