Hashes or it Didn't Happen

If you’ve been in the trenches of security research, you may be familiar with the phrase, “hashes or it didn’t happen”. It’s a testament to the importance of having malware when conducting an investigation and it’s something PassiveTotal has historically lacked inside the platform. Our focus has always been to provide the most comprehensive infrastructure solution while working with companies dedicated to processing malware to fill our gaps. Starting today, we are happy to announce that Proofpoint Emerging Threats data will be available to all users within PassiveTotal.

Emerging Threats is a household name in the security community and has been processing malicious samples in their sandboxes for years. Partnering with them lets us connect those millions of samples with command and control data directly to the infrastructure being queried inside of PassiveTotal. In short, you will notice the “Potential Malware” tab showing up a lot more in your search results with a lot more malware leads.

Fortunately for us and our community, Emerging Threats also kept the resolution data with timestamps when they ran the samples, so in a way, they created a very specific historic DNS database. We’ve taken this data and wrapped it up inside a module to create a new source of passive DNS appropriately labeled “emerging_threats”. Similar to our other sources of passive DNS, this will show up when running queries and should provide even more research leads.

How do I get this data?

Easy, just run queries like you normally would. When we pushed the Emerging Threats module out to the production servers, we also modified the allowed sources for each account to include Emerging Threats. This source will now be on by default for all new and existing accounts, but can easily be toggled off from within the API associations settings in your account.

In order to access the malware data, you will need to run a query that gets a hit in the Emerging Threats database. If data is found, we will populate the “Potential Malware” tab with the source of data and the hash. In order to view the details of the file and respective sandbox run, you will need access to Proofpoint’s threat intelligence portal, but at the very least, knowing that some malware exists is a good lead.

Hashes for All

Running sandboxes at scale and processing a near-infinite number of samples was not something we wanted to focus on because we saw a rich selection of open source, commercial and private repositories that the community was accessing. Emerging Threats is certainly one of the leaders in our industry and we couldn’t be happier to be working with them. If you have any questions or comments related to this new set of data, please reach out to feedback@passivetotal.org.