Malicious Emails
The malicious_emails data set contains indicators extracted from malicious email headers. When a malicious email (one or more AV detections) is uploaded to VirusTotal or another source, we download the email and parse its header to extract data such as routing information, sender and recipient addresses, subject lines, and so on. Indicators are geolocated, and sector information is added for context.
| Field | Description |
| --- | --- |
| area_code | area code geolocated from the indicator |
| city | city name geolocated from the indicator |
| country | two-character country code geolocated from the indicator |
| detection | number of positive antivirus detections |
| domain_cat | general site categorization of the indicator |
| email_type | type of email file: either MSG or EML |
| etl_date | date the data was extracted, transformed or loaded (ETL) |
| first_seen | when the email was first observed |
| indicator | indicator extracted from the email header |
| indicator_context | additional context on the indicator, describing its role in the email header |
| indicator_type | type of indicator extracted from the email header |
| last_seen | when the email was last observed |
| location | latitude and longitude coordinates |
| postal_code | postal code geolocated from the indicator |
| raw_data_file | email file, named with the prefix email_ followed by the SHA-256 hash of the email |
| reference | link to VirusTotal |
| region | region name geolocated from the indicator |
| url_cat | specific site categorization of the indicator |
All Malicious Email data sets pivot on "reference", the common link to VirusTotal metadata.
Malicious Email Detections
The malicious_email_detections data set is a companion to Malicious Emails and contains per-vendor AV detections. We also normalize the detection name to make analytics easier: for example, a detection name of Exploit.ComObj.CVE-2012-0158.hzuf is reduced to just cve-2012-0158.
| Field | Description |
| --- | --- |
| detection_name | antivirus detection name |
| detection_shortname | normalized antivirus detection name |
| etl_date | date the data was extracted, transformed or loaded (ETL) |
| first_seen | when the email was first observed |
| last_seen | when the email was last observed |
| raw_data_file | email file, named with the prefix email_ followed by the SHA-256 hash of the email |
| reference | link to VirusTotal |
| vendor | antivirus vendor |
All Malicious Email data sets pivot on "reference", the common link to VirusTotal metadata.
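The normalization described above and the pivot on "reference" are shown here as an added example; this is not code from the data set's own ETL pipeline. The CVE-extraction regex, the lowercase fallback for names without a CVE id, and the sample rows are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# CVE identifier embedded in a vendor detection name, e.g. "CVE-2012-0158" or "CVE_2012_0158".
CVE_RE = re.compile(r"cve[-_]?(\d{4})[-_](\d{4,})", re.IGNORECASE)


def detection_shortname(detection_name: str) -> str:
    """Normalize a vendor detection name as the page describes:
    Exploit.ComObj.CVE-2012-0158.hzuf -> cve-2012-0158.
    For names with no CVE id the page gives no rule; this example
    (an assumption) simply returns the name lowercased."""
    m = CVE_RE.search(detection_name)
    if m:
        return f"cve-{m.group(1)}-{m.group(2)}"
    return detection_name.lower()


# Constructed sample rows shaped like malicious_email_detections and
# malicious_email_context; the reference values are placeholders, not real links.
SAMPLE_DETECTIONS = [
    {"reference": "vt://REF-1", "vendor": "VendorA", "detection_name": "Exploit.ComObj.CVE-2012-0158.hzuf"},
    {"reference": "vt://REF-1", "vendor": "VendorB", "detection_name": "Trojan.CVE_2012_0158.Gen"},
    {"reference": "vt://REF-1", "vendor": "VendorC", "detection_name": "Heur.Generic"},
    {"reference": "vt://REF-2", "vendor": "VendorA", "detection_name": "Exploit.ComObj.CVE-2012-0158.abcd"},
]
SAMPLE_CONTEXT = [
    {"reference": "vt://REF-1", "subject_line": "Invoice attached", "targets": "Example Corp"},
    {"reference": "vt://REF-2", "subject_line": "Shipping notice", "targets": "Example Corp"},
]


def vendors_per_shortname(detections):
    """Pivot on reference and count distinct vendors that agree on each shortname."""
    agree = defaultdict(lambda: defaultdict(set))
    for row in detections:
        agree[row["reference"]][detection_shortname(row["detection_name"])].add(row["vendor"])
    return {ref: {name: len(v) for name, v in names.items()} for ref, names in agree.items()}


def join_context(context, detections):
    """Attach the sorted, de-duplicated shortnames to each context row via reference."""
    by_ref = defaultdict(set)
    for row in detections:
        by_ref[row["reference"]].add(detection_shortname(row["detection_name"]))
    return [dict(row, shortnames=sorted(by_ref[row["reference"]])) for row in context]


if __name__ == "__main__":
    print(vendors_per_shortname(SAMPLE_DETECTIONS))
    for row in join_context(SAMPLE_CONTEXT, SAMPLE_DETECTIONS):
        print(row["reference"], row["targets"], row["shortnames"])
```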
Malicious Email Context
| Field | Description |
| --- | --- |
| detections | complete list of antivirus detection names |
| etl_date | date the data was extracted, transformed or loaded (ETL) |
| first_seen | when the email was first observed |
| last_seen | when the email was last observed |
| raw_data_file | email file, named with the prefix email_ followed by the SHA-256 hash of the email |
| recipients | email account(s) receiving the malicious email |
| reference | link to VirusTotal |
| sender | email account sending the email |
| subject_line | observed subject line |
| targets | organization receiving the malicious email |
All Malicious Email data sets pivot on "reference", the common link to VirusTotal metadata.