OPTIONAL: LOW: Sandbox URL Report

DESCRIPTION LAST UPDATED:  2023-12-07

DEFAULT SEVERITY LEVEL: LOW

OPTIONAL REPORT

This is an optional report, you need to explicitly request it.

This report includes the sets of URLs that we collect while running binaries through the different sandbox systems that we have.

As we run binaries through our sandbox systems, we are able to collect different sets of URLs from the execution of malicious binaries. There is no specific timestamp for each data set, but all results are generated from the last 24 hours of binaries run in the sandbox system. Please note the fact that a malicious binary queries your URL may not be an indication of a specific malicious action.

Severity levels are described here.

Filename: sandbox_url

Fields

  • timestamp
    Timestamp the URL was observed in UTC+0
  • severity
    Severity level
  • ip
    IP of the URL location
  • asn
    ASN of the URL location
  • geo
    Country of the URL location
  • md5
    MD5 of the binary that did the access
  • url
    URL that the binary accessed
  • user_agent
    User Agent that the binary utilized to access the URL
  • hostname
    The content of the HTTP "Host" header
  • method
    Which HTTP method was utilized to access the URL
  • naics
    North American Industry Classification System Code
  • sector
    Sector to which the queried IP belongs to
  • region
    State / Province/ Administrative region to which the queried IP belongs to
  • city
    City to which the queried IP belongs to
  • port
    Destination port being queried
  • sha1
    SHA1 of the binary that made the request
  • sha256
    SHA256 of the binary that made the request

Sample

"timestamp","severity","ip","asn","geo","md5","url","user_agent","hostname","method","naics","sector","region","city","port","sha1","sha256"
"2010-02-10 00:00:00",low,192.168.0.1,64512,ZZ,19d370b167fbf66422acc9b113dfdb98,http://192.168.0.1/msdownload/update/v3/static/trustedr/en/authrootstl.cab,Microsoft-CryptoAPI/6.1,node01.example.com,GET,0,"Communications, Service Provider, and Hosting Service",Region,City,80,6175e0065c2da4b6a75a0eed170a49c246dae934,c463a5ee102fe366f92ecf672ef520d627028f62fcedcbfce0fa4cf48f7aa10f
"2010-02-10 00:00:01",low,192.168.0.2,64512,ZZ,09e8302aa2d3abcdc5ad7cdffef57157,http://192.168.0.2/DigiCertGlobalRootG2.crt,Microsoft-CryptoAPI/6.1,node02.example.com,GET,0,"Communications, Service Provider, and Hosting Service",Region,City,80,aefa6626d4e70a6b8bf4dd7d6989ccfc2cf774dc,0a315b51e92408a43028a07643a84bbde2cb733d55186daa67753f68b00bf8dd
"2010-02-10 00:00:02",low,192.168.0.3,64512,ZZ,4f345889ca940fcc8da607f4147bb89d,http://192.168.0.3/pkiops/crl/Microsoft%20Time-Stamp%20PCA%202010(1).crl,Microsoft-CryptoAPI/6.1,node03.example.com,GET,0,"Communications, Service Provider, and Hosting Service",Region,City,80,0f8faf1e215f081b2294ca5cf6b0d9dfe52c1247,b933e88949655491e951cba37a452dc8ea8780359563ab333d5e789bc124aab1

Our 132 Report Types