Overview
With Abuse.ch Transforms, investigators can identify malicious URLs and domains, explore their connections and the underlying malware.
Abuse.ch is a research project at the Institute for Cybersecurity and Engineering (ICE), hosted at the Bern University of Applied Sciences (BFH) in Switzerland. The project's main goal is to identify and track cyber threats, with a strong focus on malware and botnets. They publish actionable open source threat intelligence, and they develop and operate platforms that enable IT security researchers and experts to share relevant threat intel data with the community.
URLHaus is a project operated by Abuse.ch to share intelligence on malicious URLs that are being used for malware distribution. The community-driven project collects, tracks, and shares malware URLs, helping network administrators and security analysts to protect their network and customers from cyber threats.
You can read more about Abuse.ch URLHaus Transforms for Maltego on our website here.
Be sure to read our blog post, Identify and Understand Malware with Maltego and URLHaus by Abuse.ch, for a walk-through of the URLHaus data and how to use our new Maltego Transforms to speed up your malware investigations.
To Payload Signature [URLHaus]
Description
This Transform extracts the signature from the properties of the input Payload Entity
Display Name | To Payload Signature [URLHaus] |
Owner | |
Author | |
Data Source | URLHaus |
Transform Name | abusech.payloadToSignature |
Input Entities | maltego.abusech.Payload |
Output Entities | maltego.abusech.Signature |
Short Description | This Transform extracts the signature from the properties of the input Payload Entity |
To Payload URLs Observed [URLHaus]
Display Name | To Payload URLs Observed [URLHaus] |
Owner | |
Author | |
Data Source | URLHaus |
Output Entities | maltego.URL |
Variants
Transform Name | Input Entities | Short Description |
abusech.abusechTagToPayloadUrlsObserved | maltego.abusech.Tag | This Transform returns the URLs that were distributing the payloads having the same tag as the input |
abusech.ipv4AddressToPayloadUrlsObserved | maltego.IPv4Address | This Transform returns the payload URLs that were observed in the input host |
abusech.domainToPayloadUrlsObserved | maltego.Domain | This Transform returns the payload URLs that were observed in the input host |
abusech.abusechSignatureToPayloadUrlsObserved | maltego.abusech.Signature | This Transform returns the URLs that were distributing the payloads having the same signature as the input |
abusech.dnsNameToPayloadUrlsObserved | maltego.DNSName | This Transform returns the payload URLs that were observed in the input host |
To Payload [URLHaus]
Description
This Transform returns the payload which matches the input hash
Display Name | To Payload [URLHaus] |
Owner | |
Author | |
Data Source | URLHaus |
Transform Name | abusech.hashToPayload |
Input Entities | maltego.Hash |
Output Entities | maltego.abusech.Payload |
Short Description | This Transform returns the payload which matches the input hash |
To MD5 Hash [URLHaus]
Description
This Transform extracts the MD5 hash from the properties of the input Payload Entity
Display Name | To MD5 Hash [URLHaus] |
Owner | |
Author | |
Data Source | URLHaus |
Transform Name | abusech.payloadToMd5Hash |
Input Entities | maltego.abusech.Payload |
Output Entities | maltego.Hash |
Short Description | This Transform extracts the MD5 hash from the properties of the input Payload Entity |
To Payload URL Tags [URLHaus]
Description
This Transform returns the tags associated with the input URL
Display Name | To Payload URL Tags [URLHaus] |
Owner | |
Author | |
Data Source | URLHaus |
Transform Name | abusech.urlToPayloadUrlTags |
Input Entities | maltego.URL |
Output Entities | maltego.abusech.Tag |
Short Description | This Transform returns the tags associated with the input URL |
To Payload URLs [URLHaus]
Display Name | To Payload URLs [URLHaus] |
Owner | |
Author | |
Data Source | URLHaus |
Output Entities | maltego.URL |
Variants
Transform Name | Input Entities | Short Description |
abusech.payloadToPayloadUrls | maltego.abusech.Payload | This Transform returns the URLs that were distributing the input payload |
abusech.hashToPayloadUrls | maltego.Hash | This Transform returns the URLs that were distributing the payloads identified by the input hash |
Lookup in URLHaus [URLHaus]
Description
This Transform returns the same input Entity back with details found in the URLHaus database
Display Name | Lookup in URLHaus [URLHaus] |
Owner | |
Author | |
Data Source | URLHaus |
Short Description | This Transform returns the same input Entity back with details found in the URLHaus database |
Variants
Transform Name | Input Entities | Output Entities |
abusech.domainToHostLookup | maltego.Domain | maltego.Domain |
abusech.urlToUrlLookup | maltego.URL | maltego.URL |
abusech.ipv4AddressToHostLookup | maltego.IPv4Address | maltego.IPv4Address |
abusech.dnsNameToHostLookup | maltego.DNSName | maltego.DNSName |
To Payload Host [URLHaus]
Description
This Transform returns the host of the input URL
Display Name | To Payload Host [URLHaus] |
Owner | |
Author | |
Data Source | URLHaus |
Transform Name | abusech.urlToPayloadHost |
Input Entities | maltego.URL |
Output Entities | maltego.Domain, maltego.IPv4Address, maltego.IPv6Address |
Short Description | This Transform returns the host of the input URL |
To SHA256 Hash [URLHaus]
Description
This Transform extracts the MD5 hash from the properties of the input Payload Entity
Display Name | To SHA256 Hash [URLHaus] |
Owner | |
Author | |
Data Source | URLHaus |
Transform Name | abusech.payloadToSha256Hash |
Input Entities | maltego.abusech.Payload |
Output Entities | maltego.Hash |
Short Description | This Transform extracts the MD5 hash from the properties of the input Payload Entity |
To Blacklists Status [URLHaus]
Display Name | To Blacklists Status [URLHaus] |
Owner | |
Author | |
Data Source | URLHaus |
Output Entities | maltego.abusech.Blacklist |
Variants
Transform Name | Input Entities | Short Description |
abusech.ipv4AddressToBlacklistsStatus | maltego.IPv4Address | This Transform returns the status of the input host in various blacklists |
abusech.urlToBlackListsStatus | maltego.URL | This Transform returns the status of the input URL in various blacklists |
abusech.domainToBlacklistsStatus | maltego.Domain | This Transform returns the status of the input host in various blacklists |
abusech.dnsNameToBlacklistsStatus | maltego.DNSName | This Transform returns the status of the input host in various blacklists |
To Payloads [URLHaus]
Description
This Transform returns the payloads identified on the input URL
Display Name | To Payloads [URLHaus] |
Owner | |
Author | |
Data Source | URLHaus |
Transform Name | abusech.urlToPayloads |
Input Entities | maltego.URL |
Output Entities | maltego.abusech.Payload |
Short Description | This Transform returns the payloads identified on the input URL |
To Payload URL Reporter [URLHaus]
Description
This Transform returns the Twitter handle of the account that submitted the URL
Display Name | To Payload URL Reporter [URLHaus] |
Owner | |
Author | |
Data Source | URLHaus |
Transform Name | abusech.urlToPayloadUrlReporter |
Input Entities | maltego.URL |
Output Entities | maltego.affiliation.Twitter |
Short Description | This Transform returns the Twitter handle of the account that submitted the URL |