Install: claude install-skill 26zl/cybersec-toolkit
# Extracting IOCs from Malware Samples
## When to Use
- A malware analysis (static or dynamic) is complete and actionable indicators need to be extracted for defense teams
- Building blocklists for firewalls, proxies, and DNS sinkholes from analyzed samples
- Creating YARA rules, Snort/Suricata signatures, or SIEM detection content from malware artifacts
- Contributing to threat intelligence sharing platforms (MISP, OTX, ThreatConnect)
- Tracking malware campaigns by correlating IOCs across multiple samples
**Do not use** for IOCs from unverified sources without validation; false positives in blocklists can disrupt legitimate business operations.
## Prerequisites
- Python 3.8+ with `iocextract`, `pefile`, `yara-python` libraries installed
- Completed malware analysis report (static analysis, dynamic analysis, or reverse engineering)
- Access to PCAP files, memory dumps, or sandbox reports from the analysis
- MISP instance or STIX/TAXII server for structured IOC sharing
- VirusTotal API key for IOC enrichment and validation
- CyberChef for decoding obfuscated indicators
## Workflow
### Step 1: Extract File-Based IOCs
Compute hashes and identify file metadata indicators:
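As an added example that is not part of the original skill, the same file-based indicators computed in Python rather than from the shell: the cryptographic hashes as `md5sum`/`sha1sum`/`sha256sum` would report them, and a reimplementation of the imphash algorithm (lowercased `dll.function` pairs in import order, comma-joined, MD5-hashed) run over a constructed import table so it executes without a real PE file or `pefile` installed. The sample bytes and import list are constructed for illustration; `pefile` additionally resolves ordinal imports from a few known DLLs to names, which this simplified version omits. The shell commands of the original skill follow.

```python
import hashlib
from typing import Dict, List, Tuple

# Constructed stand-in for a sample's bytes (not real malware, assumption for illustration).
SAMPLE_BYTES = b"MZ\x90\x00" + b"constructed sample body for hashing" * 8

# Constructed import table: (DLL name as written in the PE, imported function names).
# Mixed case and differing extension spellings are deliberate: imphash normalises them.
SAMPLE_IMPORTS: List[Tuple[str, List[str]]] = [
    ("KERNEL32.DLL", ["CreateFileW", "WriteFile", "VirtualAlloc"]),
    ("ws2_32.dll", ["connect", "send"]),
]


def file_hashes(data: bytes) -> Dict[str, str]:
    """MD5, SHA-1 and SHA-256 of the sample, hex-encoded like the coreutils tools print them."""
    return {name: hashlib.new(name, data).hexdigest() for name in ("md5", "sha1", "sha256")}


def imphash_string(imports: List[Tuple[str, List[str]]]) -> str:
    """Build the canonical string that imphash is computed over.

    Per import entry: DLL name lowercased with a trailing .dll/.ocx/.sys removed,
    function name lowercased, joined as 'dll.func'; entries comma-joined in import order.
    Order matters, so two samples with the same imports in a different order differ.
    (pefile also maps ordinal imports of oleaut32/ws2_32/wsock32 to names; omitted here.)
    """
    parts = []
    for dll, funcs in imports:
        lib = dll.lower()
        for ext in (".dll", ".ocx", ".sys"):
            if lib.endswith(ext):
                lib = lib[: -len(ext)]
                break
        for func in funcs:
            parts.append(f"{lib}.{func.lower()}")
    return ",".join(parts)


def imphash(imports: List[Tuple[str, List[str]]]) -> str:
    """Import hash: MD5 of the canonical import string (same output shape as pefile.get_imphash)."""
    return hashlib.md5(imphash_string(imports).encode("ascii")).hexdigest()


def file_iocs(data: bytes, imports: List[Tuple[str, List[str]]]) -> Dict[str, str]:
    """Collect the file-based indicators for a sample into one record ready for sharing."""
    record = file_hashes(data)
    record["imphash"] = imphash(imports)
    record["size"] = str(len(data))
    return record


if __name__ == "__main__":
    for key, value in file_iocs(SAMPLE_BYTES, SAMPLE_IMPORTS).items():
        print(f"{key:>7}: {value}")
```

Because imphash depends only on the import table, samples that are repacked or have their strings changed but keep the same import layout share an imphash, which is what makes it useful for clustering; conversely, a build that reorders imports produces a different value, so treat it as a similarity indicator rather than an identity one.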
```bash
# Generate all standard hashes
md5sum malware_sample.exe
sha1sum malware_sample.exe
sha256sum malware_sample.exe
# Generate ssdeep fuzzy hash for similarity matching
ssdeep malware_sample.exe
# Generate imphash (import hash) for PE files
python3 -c "
import pefile
pe = pefile.PE('malware_samp