Hello! I’m Steve, a security engineer with years of experience working across Security Operations Centers.
Whether as part of my day job or in side projects, tools such as malware repositories, IOC (Indicator of Compromise) feeds, and dynamic analysis platforms let me investigate potential malicious activity efficiently and recognize suspicious patterns more clearly. These resources let us gather intelligence on websites, IP addresses, and suspicious files without risking damage to our own machines.
Instead of downloading unknown files or interacting directly with suspicious artifacts, these services do the risky work for you and return quick, useful output to drive your investigation.
Here are a couple of real-world scenarios where these tools can be applied:
Example Scenario 1: Investigating a Suspicious Website
You receive a security alert mentioning an outbound connection to a domain you’ve never seen before.
Instead of visiting the website yourself, submit the URL to an online scanner such as URLScan or VirusTotal. The service fetches the page on your behalf, and within seconds you get a snapshot of what it loads, any linked malicious activity, and potential red flags.
This allows you to document your findings and decide your next investigation steps quickly.
For instance, in the image below you can see that 10 antivirus vendors have flagged the URL entered as associated with malware.
Example Scenario 2: Handling Suspicious Files
You discover an unknown file on an endpoint. Instead of running it and risking infection, you search its hash (its digital fingerprint) on platforms like VirusTotal, or detonate the sample in a dynamic analysis sandbox such as AnyRun.
This reveals how the file behaves without exposing your network, letting you create detection rules, block related threats, and document your findings.
Below, you can see an example of the famous WannaCry ransomware being run through AnyRun. The analysis shows spawned processes and observed network connections.
I’m sure you can see how valuable these approaches are. In this blog, I’ll demonstrate tools that have helped me several times and will be valuable to add to your toolkit:
- MalwareBazaar — Malware repository for live samples and hashes
- URLHaus — IOC (Indicator of Compromise) feed of URLs used to distribute malware
- URLScan — Web-based URL analysis and behavior visualization
- Browserling — Online browser sandbox for safely opening suspicious URLs
- VirusTotal — Multi-engine antivirus scanning and behavior analysis
- Hybrid Analysis — Dynamic malware analysis in a controlled environment
- AnyRun — Interactive real-time malware sandboxing
Progress Tracker
Malware and IOC Feeds
MalwareBazaar (Malware Repository)
URLHaus (Malicious URL Feed)
URL Analysis
File Analysis (Dynamic Sandboxing)
Quiz: Test Your Knowledge
Malware and IOC Feeds
When analyzing potential threats, one of the most valuable resources available is access to live malware samples and up-to-date indicators of compromise (IOCs).
Malware repositories and IOC feeds offer searchable databases of real-world malicious artifacts, from downloadable malware files to known-bad IPs and domains. They give analysts a way to study threats and the infrastructure behind them without exposing their own environments.
They’re key for investigating attacks, developing detection rules, and sharpening your ability to recognize malicious activity in the wild.
In this section, I’ll walk you through several platforms that supply malware samples, phishing domain lists, and threat intelligence feeds—essential tools for anyone looking to safely investigate artifacts and better defend against attacker activity.
MalwareBazaar — Hunting Malware Safely
MalwareBazaar is a public repository maintained by abuse.ch that hosts real-world malware samples submitted by researchers, threat intel teams, and security professionals worldwide.
Instead of downloading and interacting with unknown files directly, analysts can retrieve file hashes, YARA rules, or full samples for sandbox testing, and handle the samples themselves only inside controlled, isolated environments.
Why Use MalwareBazaar?
- Real-world samples: Actual malware discovered in the wild.
- Hash (malware fingerprint) retrieval: Investigate malware via SHA256 hashes without downloading the file itself.
- YARA rules: Community-submitted detection signatures to help identify known threats.
- Wide malware coverage: From malicious Microsoft Office documents to PowerShell scripts and ransomware.
- Integration-friendly: Can be queried by other tools via API—ideal for SOC workflows and automation.
How to Use MalwareBazaar
1. Visit MalwareBazaar.
2. Browse the Database and optionally filter by:
- Signature (e.g., CobaltStrike, Formbook, Mirai), using a query such as signature:Mirai
- File type (e.g., .exe, .dll, .docm, .apk), using a query such as file_type:exe
- Tags (e.g., dll, asyncrat, ransomware), using a query such as tag:DLL
3. Select a Sample by clicking the SHA256 hash to review metadata:
- Unique file hash (SHA256)
- First seen date
- File size and type
- Vendor threat intelligence results and links
- Available Yara rules
For instance, selecting the sample with the SHA256 hash 1bad2b6e8ab16c5a692b2d05f68f7924a73a5818ddf3a9678ca8caab3568a78e opens its detail page, which shows the metadata listed above.
4. Safely Interact with the Sample:
Copy the SHA256 hash and use it in tools like VirusTotal, Hybrid Analysis, or AnyRun.
Or use the Threat Intelligence section to jump straight to vendors that have already analyzed it (e.g., AnyRun).
You can download the file, but only in a safe, isolated lab environment (Virtual Machine or sandbox).

Analyst Tip:
Never run a sample from MalwareBazaar on your everyday machine.
Treat every file as malicious by default.
The safest workflow: grab the SHA256 hash, then inspect it using trusted sandbox tools before ever touching the actual file.
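The hash-first workflow from the tip above, as an added example in Python (this is not code from the original post or from abuse.ch). It hashes a file on disk without executing it, checks that the digest is well formed before it goes anywhere, builds the MalwareBazaar get_info API request, and reduces the reply to the fields you would record in a ticket. The endpoint, the Auth-Key header and the reply field names are assumptions based on the public MalwareBazaar API documentation at the time of writing; MB_AUTH_KEY is a placeholder, and the reply used below is constructed so that everything except lookup() runs offline.

```python
# Added example, not code from the original post or from abuse.ch.
# Assumptions (not from the page): MB_API, the Auth-Key header and the reply
# field names follow the public MalwareBazaar API docs at the time of writing;
# MB_AUTH_KEY is a placeholder you replace with your own abuse.ch key.
import hashlib
import json
import re
import urllib.parse
import urllib.request
from typing import Optional

MB_API = "https://mb-api.abuse.ch/api/v1/"          # assumed endpoint
MB_AUTH_KEY = "REPLACE_WITH_YOUR_ABUSECH_AUTH_KEY"  # placeholder, not a real key
SHA256_RE = re.compile(r"^[0-9a-f]{64}$")


def sha256_of_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sha256_of_file(path: str) -> str:
    """Hash a file in 1 MiB chunks. Reading bytes never executes the sample,
    so this is safe to run against a suspicious file on an analysis box."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def is_sha256(value: str) -> bool:
    """Reject anything that is not 64 hex characters before it reaches the API
    (a hash copied from a ticket often carries whitespace or is truncated)."""
    return bool(SHA256_RE.match(value.strip().lower()))


def build_get_info_request(sha256: str) -> urllib.request.Request:
    if not is_sha256(sha256):
        raise ValueError("not a SHA256 hex digest: %r" % sha256)
    body = urllib.parse.urlencode(
        {"query": "get_info", "hash": sha256.strip().lower()}).encode()
    return urllib.request.Request(
        MB_API, data=body, method="POST", headers={"Auth-Key": MB_AUTH_KEY})


def summarise(reply: dict) -> Optional[dict]:
    """Reduce a get_info reply to the fields an analyst records.
    Returns None when the hash is unknown (query_status is not "ok")."""
    if reply.get("query_status") != "ok" or not reply.get("data"):
        return None
    entry = reply["data"][0]
    vendor_intel = entry.get("vendor_intel") or {}
    return {
        "sha256": entry.get("sha256_hash"),
        "file_type": entry.get("file_type"),
        "signature": entry.get("signature"),
        "first_seen": entry.get("first_seen"),
        "tags": list(entry.get("tags") or []),
        "yara_rules": [r.get("rule_name") for r in entry.get("yara_rules") or []],
        "vendors": sorted(vendor_intel.keys()),
    }


def lookup(sha256: str) -> Optional[dict]:
    """Live query; needs network access and a valid Auth-Key."""
    with urllib.request.urlopen(build_get_info_request(sha256), timeout=30) as resp:
        return summarise(json.load(resp))


# Constructed reply in the shape of a get_info response. The values are made up
# for this example and do not describe any real sample.
CONSTRUCTED_REPLY = {
    "query_status": "ok",
    "data": [{
        "sha256_hash": "a" * 64,
        "file_type": "exe",
        "signature": "Mirai",
        "first_seen": "2024-05-01 10:15:02",
        "tags": ["exe", "Mirai"],
        "yara_rules": [{"rule_name": "Mirai_Generic", "author": "example"}],
        "vendor_intel": {"ANY.RUN": [{"verdict": "MALICIOUS"}], "Triage": {}},
    }],
}
NOT_FOUND_REPLY = {"query_status": "hash_not_found"}

if __name__ == "__main__":
    print(summarise(CONSTRUCTED_REPLY))
    print(summarise(NOT_FOUND_REPLY))
```

A hash_not_found reply is a normal outcome, not an error: it only means MalwareBazaar has not seen that exact file, so an unknown hash should send you to a sandbox rather than close the ticket.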
Now on to our next intelligence feed: abuse.ch URLHaus.
URLHaus — Tracking Malicious URLs
URLHaus is a project by abuse.ch that provides a constantly updated feed of URLs observed distributing malware: payload hosts, droppers, and malicious documents. It is one of the most useful free resources for quick IOC lookups and URL-based threat hunting.
Unlike MalwareBazaar, which focuses on malware samples, URLHaus focuses on malicious infrastructure: the domains, IPs, and URLs known to serve malware. It is a malware-distribution feed rather than a credential-phishing feed, so a login-harvesting page that serves no payload will often not appear in it.
Why Use URLHaus?
- Real-time IOC feed: Constantly updated with live URLs used in attacks.
- Malware delivery coverage: Identify payload hosts, redirectors, and compromised domains serving malware.
- Quick triage: Check a suspicious URL or domain instantly.
- Exportable feeds: Download indicators in CSV/JSON format.
- Community-driven: Submissions come from researchers and automated systems.
How to Use URLHaus
1. Visit urlhaus.abuse.ch
From the homepage, click “Browse URLhaus Database” to see the most recently submitted malicious URLs.
2. View or Search for a Suspicious URL or Domain
Use the search bar to check for known malicious infrastructure.
Example: You receive an alert about an outbound connection to malicious_domain_example.com.
- Paste the domain or URL into the search bar.
- If it’s known, URLHaus will return matching results:
Click on the database entry to view full details
3. Review the Details & Pivot for Deeper Insight
Once you’ve opened a result, you can view key metadata including:
- Date added (when the URL was first reported)
- URL status (online/offline)
- Associated threat type (e.g., malware download)
- Reporter (the user or system that submitted the entry)
This information is incredibly useful for documenting your findings, improving security alerts, or triggering further investigation using other tools. You can also pivot directly from these entries to related infrastructure or malware.
For example, in this entry: https://urlhaus.abuse.ch/url/3531031/,
you’ll notice a Payload Delivery section. This links to the actual malware associated with the URL—allowing you to trace it back to a platform like VirusTotal for full behavior analysis:
This pivot from infrastructure to malware sample lets you build a wider picture of attacker campaigns, enrich threat intel, or validate alerts with higher confidence.
4. Export IOCs or Automate Retrieval
You can also integrate the feed into:
- SIEMs or blocklists, to proactively block known malicious hosts
- Threat hunting scripts, for IOC enrichment and detection engineering
- Custom dashboards or tooling, for visualizing trends or correlating alerts
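The export-and-automate step above, as an added example in Python (not code from the original post or from abuse.ch). It parses the URLhaus CSV export offline, matches hosts taken from alerts against it, and emits a blocklist of hosts that still have a URL online. The column order id,dateadded,url,url_status,last_online,threat,tags,urlhaus_link,reporter is an assumption based on the csv_recent/csv_online exports at the time of writing (check the header comment of the feed you download); the feed rows below are constructed for this example and are not real URLhaus entries.

```python
# Added example, not code from the original post or from abuse.ch.
# Assumptions (not from the page): FEED_COLUMNS matches the header of the
# URLhaus csv_recent/csv_online export at the time of writing; the rows in
# CONSTRUCTED_FEED are made up for this example and are not real entries.
import csv
from typing import Dict, Iterable, List
from urllib.parse import urlsplit

FEED_COLUMNS = ["id", "dateadded", "url", "url_status", "last_online",
                "threat", "tags", "urlhaus_link", "reporter"]

CONSTRUCTED_FEED = """\
# URLhaus-style export (constructed rows, not real data)
# id,dateadded,url,url_status,last_online,threat,tags,urlhaus_link,reporter
"3000001","2024-05-01 10:15:02","http://malicious_domain_example.com/update/setup.exe","online","2024-05-02 08:00:00","malware_download","exe,32","https://urlhaus.abuse.ch/url/3000001/","reporter_a"
"3000002","2024-05-01 11:20:44","http://198.51.100.23/bins/mirai.arm7","offline","2024-05-01 12:00:00","malware_download","elf,Mirai","https://urlhaus.abuse.ch/url/3000002/","reporter_b"
"3000003","2024-05-02 09:01:10","https://cdn.example.net:8443/docs/invoice.docm","online","2024-05-02 09:30:00","malware_download","docm","https://urlhaus.abuse.ch/url/3000003/","reporter_a"
"""


def host_of(url: str) -> str:
    """Normalise a URL to its bare host: lower-case, no port, no path.
    Alerts usually carry a domain or IP, not the full payload URL."""
    return (urlsplit(url).hostname or "").lower()


def parse_feed(text: str) -> List[dict]:
    """Read the CSV export, skipping '#' comment lines and splitting tags."""
    rows = []
    lines = (ln for ln in text.splitlines() if ln and not ln.startswith("#"))
    for fields in csv.reader(lines):
        if len(fields) != len(FEED_COLUMNS):
            continue  # malformed line: skip rather than mis-map columns
        row = dict(zip(FEED_COLUMNS, fields))
        row["tags"] = [t for t in row["tags"].split(",") if t]
        row["host"] = host_of(row["url"])
        rows.append(row)
    return rows


def index_by_host(rows: Iterable[dict]) -> Dict[str, List[dict]]:
    index: Dict[str, List[dict]] = {}
    for row in rows:
        index.setdefault(row["host"], []).append(row)
    return index


def match_alerts(rows: Iterable[dict],
                 alert_hosts: Iterable[str]) -> Dict[str, List[dict]]:
    """Return only the alert hosts present in the feed, with their entries,
    so the analyst can pivot via urlhaus_link to the payload."""
    index = index_by_host(rows)
    hits: Dict[str, List[dict]] = {}
    for host in alert_hosts:
        key = host.strip().lower()
        if key in index:
            hits[key] = index[key]
    return hits


def online_hosts(rows: Iterable[dict]) -> List[str]:
    """Blocklist candidates: hosts with at least one URL still online.
    Offline entries stay useful for retrospective hunting but would
    bloat a blocklist and block hosts that may since have been cleaned."""
    return sorted({r["host"] for r in rows if r["url_status"] == "online"})


if __name__ == "__main__":
    feed = parse_feed(CONSTRUCTED_FEED)
    alerts = ["MALICIOUS_DOMAIN_EXAMPLE.COM", "benign.example.org", "198.51.100.23"]
    for host, entries in match_alerts(feed, alerts).items():
        for e in entries:
            print(host, e["url_status"], e["tags"], e["urlhaus_link"])
    print("blocklist:", online_hosts(feed))
```

Note the difference between a match and a blocklist entry: an offline match (the 198.51.100.23 row above) is still evidence that the host was part of a campaign and worth a retrospective search of proxy logs, but only online entries belong on an active blocklist.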
Analyst Tip:
Use URLHaus when you have a suspicious URL or domain from logs, alerts, or emails.
It’s a fast way to confirm whether infrastructure is part of a known malware campaign without having to download or sandbox anything. Avoid visiting these URLs directly unless you’re in a secure analysis environment such as a virtual machine or disposable sandbox.
Now that we’ve completed Section One on Malware and IOC Feeds, we’ll move into URL Analysis—covering tools that help determine whether a URL is suspicious, malicious, or safe to investigate further.
Wrapping Up Part 1: What You’ve Learned
In this first part of The Analyst Toolkit, we focused on two foundational areas: malware repositories and IOC feeds.
You’ve learned:
- How to use MalwareBazaar to safely analyze real-world malware via hashes or samples
- How to leverage URLHaus to track malware-distribution URLs without ever visiting them
- Why these tools matter in real-world investigations - from SOC alerts to threat hunting
Together they cover the two most common pivots in a triage: a file hash and a URL or domain.
What’s Next: URL Analysis
In Part 2 we’ll explore tools that let you visually inspect suspicious websites and safely interact with live pages - without risking your host system.
Next we’ll cover:
- URLScan.io – See how a site behaves in real-time
- Browserling – Browse risky URLs in a disposable sandbox
Got questions or thoughts?
Join the community and share your knowledge; it would be great to hear from other members.
For a full list of all the investigation tools covered in this blog—and others you can explore or use in your own analysis—check out our curated resource:
Investigation & Threat Analysis Toolkit