How to use ThreatMiner

To help users get the most out of ThreatMiner, this page lists all the search operators currently implemented.

If you encounter any problems with any of the following features, please send a direct message to @threatminer or email michael.yip.apps [{a}] gmail.com.

Each entry below gives the indicator type, the search operator to type in the search box (N/A where the indicator itself is the search term), the matching mode (exact match or full-text/substring search), what the results page shows, a sample URL, and any note.

Indicator type: Any search term
Search operator: aptnotes:
Matching: Exact match only.
Results:
  • APTNotes
Sample URL: https://www.threatminer.org/reports.php?q=sofacy
Note: equivalent search-box query: aptnotes:sofacy

Indicator type: Any search term, restricted to one year
Search operator: aptnotes: combined with year:
Matching: Exact match only.
Results:
  • APTNotes in a specific year
Sample URL: https://www.threatminer.org/reports.php?q=sofacy&y=2017
Note: equivalent search-box query: aptnotes:sofacy year:2017

Indicator type: Domain
Search operator: N/A
Matching: Exact match only.
Results:
  • WHOIS
  • APTNotes
  • Passive DNS
  • URI
  • Related Samples
Sample URL: https://www.threatminer.org/domain.php?q=google.com
Note: N/A

Indicator type: IP
Search operator: N/A
Matching: Exact match only.
Results:
  • WHOIS
  • APTNotes
  • Passive DNS
  • Passive SSL
  • URI
  • Related Samples
Sample URL: https://www.threatminer.org/host.php?q=216.58.213.110
Note: N/A

Indicator type: Sample hash (MD5, SHA1, SHA256)
Search operator: N/A
Matching: Exact match only.
Results:
  • File metadata
  • APTNotes
  • Domains
  • Hosts
  • AV detections
  • HTTP Traffic
  • Mutants
  • Registry keys
Sample URL: https://www.threatminer.org/sample.php?q=e6ff1bf0821f00384cdd25efb9b1cc09
Note: N/A

Indicator type: Import hash (imphash)
Search operator: imphash:
Matching: Exact match only.
Results:
  • APTNotes
  • Related samples
Sample URL: https://www.threatminer.org/imphash.php?q=1f4f257947c1b713ca7f9bc25f914039
Note: N/A

Indicator type: SSDeep hash
Search operator: ssdeep:
Matching: Exact match only.
Results:
  • APTNotes
  • Related samples
Sample URL: https://www.threatminer.org/ssdeep.php?q=1536:TJsNrChuG2K6IVOTjWko8a9P6W3OEHBQc4w4:TJs0oG2KSTj3o8a9PFeEHn4l
Note: N/A

Indicator type: Email address (SHA1 only: submit the SHA1 hash of the address, not the address itself)
Search operator: N/A
Matching: Exact match only.
Results:
  • Checks haveibeenpwned.com
  • APTNotes
  • Domains (and subdomains)
Sample URL: https://www.threatminer.org/email.php?q=1AA0F0C838FCB6F995AF394AB6A166CABEF04A4E
Note: N/A

Indicator type: SSL certificate hash (SHA1)
Search operator: ssl:
Matching: Exact match only.
Results:
  • APTNotes
  • Hosts
Sample URL: https://www.threatminer.org/ssl.php?q=7359755c6df9a0abc3060bce369564c8ec4542a3
Note: N/A

Indicator type: SSL organisation name
Search operator: ssl.o:
Matching: Exact match only.
Results:
  • APTNotes
  • SSL certificates
Sample URL: https://www.threatminer.org/ssls.php?q=solusvm%20slave&t=14
Note: N/A

Indicator type: SSL organisational unit
Search operator: ssl.ou:
Matching: Exact match only.
Results:
  • APTNotes
  • SSL certificates
Sample URL: https://www.threatminer.org/ssls.php?q=co44ks5z0zjma0u&t=15
Note: N/A

Indicator type: SSL common name
Search operator: ssl.cn:
Matching: Exact match only.
Results:
  • APTNotes
  • SSL certificates
Sample URL: https://www.threatminer.org/ssls.php?q=*.google.com&t=16
Note: N/A

Indicator type: SSL country name
Search operator: ssl.c:
Matching: Exact match only.
Results:
  • APTNotes
  • SSL certificates
Sample URL: https://www.threatminer.org/ssls.php?q=us&t=17
Note: N/A

Indicator type: SSL locality
Search operator: ssl.l:
Matching: Exact match only.
Results:
  • APTNotes
  • SSL certificates
Sample URL: https://www.threatminer.org/ssls.php?q=server.local.com&t=18
Note: N/A

Indicator type: SSL state or province name
Search operator: ssl.st:
Matching: Exact match only.
Results:
  • APTNotes
  • SSL certificates
Sample URL: https://www.threatminer.org/ssls.php?q=california&t=19
Note: N/A

Indicator type: Malware detection name (e.g. Trojan.Enfal)
Search operator: av:
Matching: Exact match only.
Results:
  • APTNotes
  • Related samples
Sample URL: https://www.threatminer.org/av.php?q=Trojan.Enfal
Note: N/A

Indicator type: Any filename string (e.g. .scr, resume.doc)
Search operator: filename:
Matching: Full text.
Results:
  • Related samples
Sample URL: https://www.threatminer.org/filename.php?q=.scr
Note: N/A

Indicator type: Any mutex string (e.g. UVhVXmJpX2Ax)
Search operator: mutex:
Matching: Full text.
Results:
  • APTNotes
  • Related samples
Sample URL: https://www.threatminer.org/mutex.php?q=UVhVXmJpX2Ax
Note: N/A

Indicator type: Any registry key string (e.g. \\run, to find samples that modify the Run key)
Search operator: reg:
Matching: Full text.
Results:
  • APTNotes
  • Related samples
Sample URL: https://www.threatminer.org/registry.php?q=\\run
Note: This search operator can take a while to return results.

Indicator type: Any URI string (e.g. main.php)
Search operator: uri:
Matching: Full text.
Results:
  • APTNotes
  • Related samples
Sample URL: https://www.threatminer.org/uri.php?q=main.php
Note: N/A

Indicator type: Any User-Agent string (e.g. Python-urllib)
Search operator: ua:
Matching: Full text.
Results:
  • APTNotes
  • Related samples
Sample URL: https://www.threatminer.org/ua.php?q=Python-urllib
Note: N/A
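The operator table maps directly onto the page URLs shown in each entry, which makes it easy to script lookups (for example from a hunting notebook or a ticketing hook) without typing into the search box. The following Python helper is an added example, not ThreatMiner's own code: it turns a search-box query such as aptnotes:sofacy year:2017 or a bare indicator (hash, IP address, domain) into the corresponding URL, using the endpoint and t= values from the table above. It assumes, as the page does not say, that query values may be percent-encoded (the sample URLs show some characters raw), that a bare 40-hex string is a sample SHA1 (use ssl: for certificate fingerprints and email_url() for e-mail addresses), and that e-mail addresses are stripped and lower-cased before the SHA1 that the email endpoint requires is computed. The example address in the demo is constructed, not taken from the page.

```python
"""Build ThreatMiner lookup URLs from the search operators in the table above.

Added example, not ThreatMiner's own code.  The operator-to-endpoint mapping
(including t=14..19 for the ssl.* operators) is copied from the table.
Assumptions not stated on the page: query values are percent-encoded, a bare
40-hex string is treated as a sample SHA1, and e-mail addresses are stripped
and lower-cased before hashing.
"""
import hashlib
import ipaddress
import re
from urllib.parse import quote

BASE = "https://www.threatminer.org/"

# operator -> (endpoint, extra query-string parameters), taken from the table
OPERATORS = {
    "aptnotes": ("reports.php", ""),     # year: suffix handled in search_url()
    "imphash": ("imphash.php", ""),
    "ssdeep": ("ssdeep.php", ""),
    "ssl": ("ssl.php", ""),              # certificate SHA1
    "ssl.o": ("ssls.php", "&t=14"),      # organisation name
    "ssl.ou": ("ssls.php", "&t=15"),     # organisational unit
    "ssl.cn": ("ssls.php", "&t=16"),     # common name
    "ssl.c": ("ssls.php", "&t=17"),      # country
    "ssl.l": ("ssls.php", "&t=18"),      # locality
    "ssl.st": ("ssls.php", "&t=19"),     # state or province
    "av": ("av.php", ""),
    "filename": ("filename.php", ""),
    "mutex": ("mutex.php", ""),
    "reg": ("registry.php", ""),
    "uri": ("uri.php", ""),
    "ua": ("ua.php", ""),
}

HEX = re.compile(r"^[0-9a-fA-F]+$")
DOMAIN = re.compile(r"^(?=.{1,253}$)(?:[a-zA-Z0-9-]{1,63}\.)+[a-zA-Z]{2,63}$")
OPERATOR_PREFIX = re.compile(r"^([a-z]+(?:\.[a-z]+)?):(.*)$", re.I | re.S)
YEAR_SUFFIX = re.compile(r"\s+year:(\d{4})$", re.I)


def _url(endpoint, value, extra=""):
    return f"{BASE}{endpoint}?q={quote(value, safe='')}{extra}"


def indicator_url(value):
    """URL for a bare indicator with no operator: sample hash, IP or domain."""
    value = value.strip()
    if HEX.match(value) and len(value) in (32, 40, 64):   # MD5 / SHA1 / SHA256
        return _url("sample.php", value.lower())
    try:
        ipaddress.ip_address(value)
    except ValueError:
        pass
    else:
        return _url("host.php", value)
    if DOMAIN.match(value):
        return _url("domain.php", value.lower())
    raise ValueError(f"not a hash, IP address or domain: {value!r}")


def email_url(address):
    """The email endpoint takes the SHA1 of the address, never the address
    itself (see table).  Normalising before hashing is an assumption."""
    digest = hashlib.sha1(address.strip().lower().encode("utf-8")).hexdigest()
    return _url("email.php", digest.upper())


def search_url(query):
    """Translate one search-box query into the URL it resolves to."""
    query = query.strip()
    m = OPERATOR_PREFIX.match(query)
    if not m:
        return indicator_url(query)
    op, value = m.group(1).lower(), m.group(2).strip()
    if op not in OPERATORS:
        raise ValueError(f"unknown search operator: {op}:")
    endpoint, extra = OPERATORS[op]
    if op == "aptnotes":                 # optional trailing "year:YYYY" -> &y=YYYY
        y = YEAR_SUFFIX.search(value)
        if y:
            extra = f"&y={y.group(1)}"
            value = value[: y.start()]
    if not value:
        raise ValueError(f"empty value for operator {op}:")
    return _url(endpoint, value, extra)


if __name__ == "__main__":
    for q in ("aptnotes:sofacy year:2017", "ssl.o:solusvm slave",
              "216.58.213.110", "e6ff1bf0821f00384cdd25efb9b1cc09"):
        print(f"{q:40} -> {search_url(q)}")
    print(email_url("someone@example.com"))  # constructed address, not from the page
```

Operators without a prefix in the table (domain, IP, sample hash) are resolved by shape: a 32/40/64-character hex string goes to sample.php, anything ipaddress accepts goes to host.php, and a syntactically valid hostname goes to domain.php. Because three different endpoints take a SHA1 (sample, ssl, email), the helper only guesses for the sample case; the other two must be requested explicitly, which is also how the table presents them.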