Indicators of Compromises (IOC) of our various investigations
YARA Raku Python Makefile

Latest commit 47106fe May 25, 2020

Files

Type Name Latest commit message Commit time
amavaldo Added IoCs for Amavaldo Jul 31, 2019
animalfarm Animal Farm (Dino) yara rules Aug 17, 2015
attor Added IoCs for Attor Oct 10, 2019
buhtrap Added IoCs for buhtrap Jul 11, 2019
casbaneiro Added IoCs for Casbaneiro Oct 2, 2019
danabot Add samples.{md5,sha1,sha256} for all existing samples listed Feb 11, 2019
deprimon Remove two file names from DePriMon causing FP Nov 22, 2019
dnsbirthday Add samples.{md5,sha1,sha256} for all existing samples listed Feb 11, 2019
dukes Remove "PolyglotDuke" string in Dukes' C&C domain list Oct 28, 2019
gamarue Add samples.{md5,sha1,sha256} for all existing samples listed Feb 11, 2019
glupteba Add samples.{md5,sha1,sha256} for all existing samples listed Feb 11, 2019
grandoreiro Added IoCs for Grandoreiro Apr 27, 2020
greyenergy Add some missing hashes in samples.* files Jul 26, 2019
groundbait Renamed duplicated strings and updated conditions (fix for yara 3.10+) Aug 28, 2019
guildma Added IoCs for guildma Mar 2, 2020
industroyer Add some missing hashes in samples.* files Jul 26, 2019
invisimole Add some missing hashes in samples.* files Jul 26, 2019
kasidet Add samples.{md5,sha1,sha256} for all existing samples listed Feb 11, 2019
keydnap Add samples.{md5,sha1,sha256} for all existing samples listed Feb 11, 2019
machete Add IoCs for Machete Aug 5, 2019
mikroceen mikroceen: Keep only SHA-1 in README and remove extra newlines May 20, 2020
mispadu Fix formatting in mispadu README for GitHub Asciidoc renderer Nov 20, 2019
moose Add samples.{md5,sha1,sha256} for all existing samples listed Feb 11, 2019
mumblehard Add the other U-A pattern to Mumblehard's IoC Apr 6, 2016
nukesped_lazarus Add some missing hashes in samples.* files Jul 26, 2019
oceanlotus Add some missing hashes in samples.* files Jul 26, 2019
okrum_ke3chang Added IoCs for okrum_ke3chang Jul 18, 2019
potao Add samples.{md5,sha1,sha256} for all existing samples listed Feb 11, 2019
powerpool Add samples.{md5,sha1,sha256} for all existing samples listed Feb 11, 2019
rakos Add samples.{md5,sha1,sha256} for all existing samples listed Feb 11, 2019
ramsay Added IoCs for Ramsay. May 12, 2020
rtm Add some missing hashes in samples.* files Jul 26, 2019
sednit Add some missing hashes in samples.* files Jul 26, 2019
sshdoor Add samples.{md5,sha1,sha256} for all existing samples listed Feb 11, 2019
stantinko Update Stantinko IoCs to include cryptomining activities Nov 26, 2019
telebots Add samples.{md5,sha1,sha256} for all existing samples listed Feb 11, 2019
turla Added IoCs for Turla ComRAT v4 May 25, 2020
windigo Add samples.{md5,sha1,sha256} for all existing samples listed Feb 11, 2019
winnti_group Updated IoCs for the No "Game over" for the Winnti Group blogpost May 22, 2020
LICENSE Update main copyright notice to 2018 Jan 9, 2018
Makefile readme, license and Makefile Mar 17, 2014
README.adoc Add description of samples.* files in README Feb 11, 2019
andromeda Added IoCs for Gamarue / Andromeda Dec 4, 2017

README.adoc

Malware Indicators of Compromise

Copyright © ESET 2014-2018

Here are indicators of compromise (IOCs) of our various investigations. We are doing this to help the broader security community fight malware wherever it might be.

  • .yar files are Yara rules

  • .rules files are Snort rules

  • samples.md5, samples.sha1 and samples.sha256 files are newline-separated lists of hexadecimal digests of malware samples

If you would like to contribute improved versions, please send us a pull request.

If you’ve found false positives, give us the details in an issue report and we’ll try to improve our IOCs.

These are licensed under the permissive BSD two-clause license. You are allowed to modify these and keep the changes to yourself even though it would be rude to do so.