Threat Intelligence Tools

    • Read the description! Continue to the next task. 

    No Answer

    • I've read on Threat Intel and the classifications 

    No Answer

    • What is TryHackMe's Cisco Umbrella Rank? 

    Looking on the provided screenshot :


    Answer : 345612

    • How many domains did UrlScan.io identify?

    Answer : 13

    • What is the main domain registrar listed?

    Answer : NAMECHEAP INC

    • What is the main IP address identified?

    Answer : 2606:4700:10::ac43:1b0a

    • The IOC 212.192.246.30:5555 is linked to which malware on ThreatFox?

    Going to ThreatFox website to look for all data IP:PORT :


    then exported the data :


    Unzipping the downloaded zip file, we get a JSON file in which we can look for our IP:PORT (212.192.246.30:5555)


    Answer : Katana

    • Which malware is associated with the JA3 Fingerprint 51c64c77e60f3980eea90869b68c58a8 on SSL Blacklist?

    We can search for this on SSL Blacklist by copy-pasting the fingerprint into the search bar :


    Answer : Dridex

    • From the statistics page on URLHaus, what malware-hosting network has the ASN number AS14061?

    Navigating to URLHaus in the statistics tab :



    We found the AS14061 as DIGITALOCEAN-ASN

    Answer : DIGITALOCEAN-ASN

    • Which country is the botnet IP address 178.134.47.166 associated with according to FeodoTracker?

    Visiting the FeodoTracker website in the browse tab :


    We can search for our requested IP address to find our answer :


    Answer : Georgia

    • What organisation is the attacker trying to pose as in the email?

    Opening the first email, we can see a phishing email about LinkedIn :


    Answer : LinkedIn

    • What is the sender's email address?

    From the above screenshot, we can see the sender's email address.

    Answer : [email protected]

    • What is the recipient's email address?

    From the above screenshot, we can see the recipient's email address.

    Answer : [email protected]

    • What is the Originating IP address? Defang the IP address.

    We can find the originating IP address of the sender in the source of the email :


    Answer : 204[.]93[.]183[.]11

    • How many hops did the email go through to get to the recipient?

    From the source in the above screenshot, we can count the number of hops by counting the "Received:" headers.

    Answer : 4
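    The two header checks above (originating IP and hop count) can be scripted instead of counted by hand. This is an added example, not part of the original writeup: it uses Python's standard `email` module on a constructed message with documentation-range addresses, not the room's Email1.eml, and the function names are my own.

```python
import email
import re
from email import policy

# Constructed sample message (RFC 5737 documentation addresses), not the room's email.
# Each MTA prepends its own Received header, so the topmost is the last hop.
SAMPLE_EML = """Received: from mx3.example.net (mx3.example.net [198.51.100.7])
\tby inbox.example.org with ESMTP; Thu, 1 Jan 2023 10:00:05 +0000
Received: from mx2.example.net (mx2.example.net [198.51.100.6])
\tby mx3.example.net with ESMTP; Thu, 1 Jan 2023 10:00:04 +0000
Received: from relay.example.net (relay.example.net [198.51.100.5])
\tby mx2.example.net with ESMTP; Thu, 1 Jan 2023 10:00:03 +0000
Received: from unknown (HELO mail.sender.example) (203.0.113.45)
\tby relay.example.net with SMTP; Thu, 1 Jan 2023 10:00:01 +0000
From: "Sender" <sender@sender.example>
To: victim@example.org
Subject: constructed test message

body
"""

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
FROM_BY_RE = re.compile(r"from\s+(\S+).*?\bby\s+(\S+)", re.DOTALL)


def received_headers(raw):
    """Return every Received header value, topmost (most recent hop) first."""
    msg = email.message_from_string(raw, policy=policy.default)
    return [str(v) for v in msg.get_all("Received", [])]


def count_hops(raw):
    """One Received header is added per hop, so the count is the hop count."""
    return len(received_headers(raw))


def originating_ip(raw):
    """First IPv4 literal in the earliest (bottom-most) Received header."""
    hops = received_headers(raw)
    if not hops:
        return None
    match = IPV4_RE.search(hops[-1])
    return match.group(0) if match else None


def hop_chain(raw):
    """(from, by) host pairs in chronological order, earliest hop first."""
    chain = []
    for value in reversed(received_headers(raw)):
        match = FROM_BY_RE.search(value)
        if match:
            chain.append((match.group(1), match.group(2)))
    return chain


def defang_ip(ip):
    """Defang an IP the way the room expects, e.g. 203[.]0[.]113[.]45."""
    return ip.replace(".", "[.]")


if __name__ == "__main__":
    print("hops:", count_hops(SAMPLE_EML))
    print("originating IP:", defang_ip(originating_ip(SAMPLE_EML)))
    for src, dst in hop_chain(SAMPLE_EML):
        print(f"  {src} -> {dst}")
```

    Note that the bottom-most Received header is the only one the sender's own relay could not have forged from outside, so that is the one to trust least and verify against a reputation service such as Talos.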

    • What is the listed domain of the IP address from the previous task?

    We can search for the sender IP address in the Talos Reputation Center to find the domain :


    Answer : scnet.net

    • What is the customer name of the IP address?

    The customer name can be found in the Whois tab :



    Answer : Complete Web Reviews

    • How many instances of services.exe should be running on a Windows system? 

    Opening the email :


    Answer : [email protected]

    • From Talos Intelligence, the attached file can also be identified by the Detection Alias that starts with an H...

    To find the alias starting with an "H", we can search for the SHA256 of the file attached in the email in the Talos File Reputation :

    First, retrieve the SHA256 from the properties of the file attached to the email :


    Then search this digest in the Talos reputation center :



    Answer : HIDDENEXT/Worm.Gen

    • What is the name of the attachment on Email3.eml? 

    In the email, we can see the attached file name :


    Answer : Sales_Receipt 5606.xls

    • What malware family is associated with the attachment on Email3.eml?

    In the same way as for scenario 1, we can get the SHA256 from the file :


    Then search for this one in the Talos File Reputation :


    Answer : dridex

    • Read the above and completed the room 

    No Answer.