fcti-malware-hashes
Fetch malware hashes from FCTI
fcti-malware-hashes [proxy=PROXY] [duration=NUM{mon|w|d|h|m|s}] [from=yyyyMMddHHmmss] [to=yyyyMMddHHmmss]
- proxy=PROXY
- URL of the proxy server
- duration=NUM{mon|w|d|h|m|s}
- Scan only recent data. You should use s(second), m(minute), h(hour), d(day), mon(month) time unit. For example,
10smeans data from 10 seconds earlier. - from=yyyyMMddHHmmss
- Start time of range. yyyyMMddHHmmss format. If you omit time part, it will be padded by zero.
- to=yyyyMMddHHmmss
- End time of range. yyyyMMddHHmmss format. If you omit time part, it will be padded by zero.
Output Fields
| Field | Type | Name | Description |
|---|---|---|---|
| _time | Date | Time | |
| md5 | String | MD5 | |
| sha1 | String | SHA1 | |
| sha256 | String | SHA256 | |
| file_name | String | File name | |
| version | String | File version | e.g. 1.0.0.0 |
| file_size | Long | File size | |
| file_type | String | File type | e.g. PE |
| importance | String | Severity | e.g. H (High), M (Medium), L (Low) |
| confirm_yn | String | Confirm request | e.g. Y, N |
| confirm_status | String | Confirm status | |
| static_report | String | Static report | Static file analysis report |
| dynamic_report | String | Dynamic report | Dynamic file analysis report |
| packer | String | Packer | |
| description | String | Description | |
| detect_engines | Integer | Detect engines | Number of antivirus engines that have diagnosed the file as malware |
| total_engines | Integer | Total engines | Number of the antivirus engines |
| av_result | List | AV result | |
| sign_name | String | Signer | |
| sign_publisher | String | Issuer | e.g. Symantec Class 3 Extended Validation Code Signing CA - G2 |
| sign_time | Date | Sign time | |
| is_signed | Bool | Is signed | |
| is_valid_sign | Bool | Is valid sign | |
| country | String | Country | |
| pdb_path | String | PDB path | |
| copyright | String | Copyright | |
| organization | String | Organization | |
| writer | String | Author | |
| stix_id | String | STIX ID | |
| shared_scope | String | Shared scope | e.g. ALL, FSI, BANK, INVEST, INSURANCE, NONBANK, CUSTOM |
| dns | List | DNS flows | Elements with dnsHash, request, answers properties |
| irc | List | IRC flows | Elements with type, command, params properties |
| icmp | List | ICMP flows | Elements with type, src, dst properties |
| smtp | List | SMTP flows | Elements with src, raw properties |
| tcp | List | TCP flows | Elements with src, sport, dst, dport properties |
| udp | List | UDP flows | Elements with src, sport, dst, dport properties |