Threat Intelligence — Malware Analysis, IOC & CVE Lookup

Last updated:

Search 53 threat intelligence sources — malware analysis, IOC databases, CVE lookups, sanctions & watchlists (OFAC, Interpol, FBI, UN, EU), phishing detection, live threat maps, and threat actor profiles — all free with no registration required.


How Do You Use Threat Intelligence Platforms for Cybersecurity?

Max Intel's Threat Intelligence tool links to 25+ cybersecurity platforms for the indicator lookup and enrichment step of the threat information workflow described in NIST SP 800-150; what you learn about an indicator can then be mapped to adversary behavior using the MITRE ATT&CK framework. Enter a file hash, IP, domain, URL, or CVE to query malware sandboxes, IOC databases, and vulnerability registries.

Category         | Key Platforms                                        | Input Types                 | Primary Use
Malware Analysis | VirusTotal, Hybrid Analysis, Any.Run, Joe Sandbox    | File hash, URL, file upload | Multi-engine scanning, behavioral sandbox analysis
IOC Search       | AlienVault OTX, ThreatFox, GreyNoise, Pulsedive      | IP, domain, hash, URL       | Indicator correlation, threat feed aggregation
Vulnerability    | NIST NVD, CVE Details, Exploit-DB                    | CVE ID, software name       | CVE lookup, CVSS scoring, exploit availability
Network Intel    | Shodan, Censys, GreyNoise, Talos                     | IP, domain, ASN             | Exposed services and open ports, IP reputation

Malware Analysis

VirusTotal is the most widely used multi-scanner, checking files and URLs against 70+ antivirus engines; according to VirusTotal's 2024 transparency report, the platform processes over 2 million unique file submissions per day. Any.Run provides interactive sandbox analysis, where you drive the sample yourself in a disposable VM and watch its behavior; Hybrid Analysis, Joe Sandbox and Triage produce automated behavioral reports (process tree, network connections, dropped files). MalwareBazaar and MalShare maintain databases of known malware samples for research purposes. Search by hash before you upload anything: a sample submitted to a public sandbox is shared with that service's community and may become downloadable by other users, which matters if the file contains confidential data or is a targeted payload whose appearance on a public service tips off the attacker.

IOC Search & Correlation

Indicators of compromise (IOCs), described in NIST SP 800-53 as forensic artifacts from intrusions identified on systems at the host or network level, can be searched across multiple platforms simultaneously. AlienVault OTX provides community-contributed threat intelligence in the form of pulses. ThreatMiner correlates IOCs across data sources. ThreatFox tracks malware-associated indicators. Maltiverse aggregates threat data from multiple feeds. GreyNoise distinguishes targeted attacks from internet-wide scanning noise, so an IP that GreyNoise classifies as a mass scanner hitting the whole internet is usually a lower priority than one that appears only in your own logs.

Vulnerability Research

CVE lookup is essential for understanding software vulnerabilities. MITRE's CVE program, through its CVE Numbering Authorities, assigns the identifiers; the NIST National Vulnerability Database (NVD) enriches each record with CVSS severity scores, affected-product (CPE) data and references, and catalogs over 240,000 CVEs. CVE Details provides searchable vulnerability data with statistics. Exploit-DB maintains a database of publicly available exploits linked to CVEs. NVD enrichment can lag the CVE publication, so when a fresh entry shows no score yet, read the vendor advisory and check whether CISA has added the CVE to its Known Exploited Vulnerabilities catalog.

Threat Intelligence — Frequently Asked Questions

How do I check an IP’s reputation for free?

Enter the IP in the Threat Feed Aggregator to check it against feeds such as Feodo Tracker, blocklist.de, SANS ISC and AlienVault OTX at once, or look it up directly on AbuseIPDB, GreyNoise or Talos; the Internet Threat Dashboard adds a live view of currently active threats. All of this is free situational awareness for defenders and investigators. Treat a hit on a single feed as a lead rather than a verdict: shared hosting, CDN edges and VPN exit nodes are often listed because of another tenant's traffic.

How can I check if a file is malware?

Max Intel's Threat Intel tool links to VirusTotal (which scans files against 70+ antivirus engines), Hybrid Analysis, Any.Run, Joe Sandbox, and Triage for dynamic malware analysis. Compute the file's hash locally (sha256sum on Linux/macOS, Get-FileHash in PowerShell) and search these services by the MD5, SHA1, or SHA256 value first to see whether it has already been flagged; only upload the file itself if there is no existing report and you accept that the sample will be shared with the service's community. MalwareBazaar and MalShare provide access to known malware samples for research.

How do I look up a CVE vulnerability?

Max Intel links to the NIST National Vulnerability Database (NVD), CVE Details, MITRE's CVE program (cve.org), and Exploit-DB. Enter a CVE identifier in the form CVE-YYYY-NNNN, with four or more digits after the year (e.g., CVE-2024-1234), to find vulnerability descriptions, severity scores (CVSS), affected software, and available exploits. cve.org is the authoritative record of which identifiers exist and what they describe; NVD is the authoritative source for CVSS scores and affected-product (CPE) data.

What are indicators of compromise (IOCs)?

Indicators of compromise are pieces of forensic data that identify potentially malicious activity — including file hashes, IP addresses, domain names, URLs, email addresses, and registry keys. Max Intel links to IOC search platforms including AlienVault OTX, ThreatMiner, ThreatFox, Maltiverse, and GreyNoise for searching and correlating IOCs.

Can I analyze a suspicious URL for free?

Yes, Max Intel links to VirusTotal, URLScan.io, and PhishTank for URL analysis. VirusTotal checks URLs against 70+ security engines. URLScan.io provides visual page screenshots and network request analysis. PhishTank is a community-driven database of known phishing sites. Public URLScan.io scans are visible to anyone, so use a private or unlisted scan for a URL that carries a personalised token or that you do not want the attacker to see being analysed.

Is threat intelligence useful for non-security professionals?

Yes, basic threat intelligence tools are useful for anyone concerned about cybersecurity. VirusTotal can check suspicious files and URLs. CVE databases help you understand if software you use has known vulnerabilities. AbuseIPDB can check if an IP sending you emails or connecting to your network has been reported for abuse.

Threat Feed Aggregator

Enter any IP address, domain, or file hash to check it against 10+ live threat intelligence feeds simultaneously. Each feed is queried in real-time — get a composite blocklist score showing exactly which feeds flag the indicator and which don't.


Auto-detects type: IPv4 · Domain · MD5/SHA1/SHA256
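The auto-detect step above has to decide what kind of indicator it was given before it can choose which feeds to query, and analysts usually paste IOCs in defanged form (hxxp://, [.]). The following is an added example of that classification and refanging logic; it is not Max Intel's code, and the set of supported types and the refang rules are assumptions about how such a step works.

```python
# Added example (not Max Intel's code): classify a raw indicator the way an
# aggregator's auto-detect step must before it can choose which feeds to query.
# Supported types and the refang rules below are assumptions about such a step.
import ipaddress
import re

HASH_TYPES = {32: "md5", 40: "sha1", 64: "sha256"}  # hex-digit length -> algorithm
_HEX = re.compile(r"^[0-9a-fA-F]+$")
# RFC 1035-style labels, at least two labels, alphabetic TLD of 2-63 characters
_DOMAIN = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$", re.I
)


def refang(indicator: str) -> str:
    """Undo the common defanging conventions used when IOCs are shared in text."""
    s = indicator.strip()
    s = re.sub(r"^hxxp", "http", s, flags=re.I)  # covers hxxp:// and hxxps://
    for defanged, real in (("[.]", "."), ("(.)", "."), ("[dot]", "."),
                           ("[:]", ":"), ("[/]", "/"), ("[@]", "@")):
        s = s.replace(defanged, real)
    return s


def classify(indicator: str) -> tuple:
    """Return (type, normalized) with type in
    md5, sha1, sha256, ipv4, ipv6, url, domain, unknown."""
    s = refang(indicator)
    # Hashes first: hash values are lower-cased so the same sample always
    # produces the same lookup key regardless of how it was pasted.
    if len(s) in HASH_TYPES and _HEX.match(s):
        return HASH_TYPES[len(s)], s.lower()
    try:
        addr = ipaddress.ip_address(s)
        return ("ipv4" if addr.version == 4 else "ipv6"), str(addr)
    except ValueError:
        pass
    if re.match(r"^https?://", s, re.I):
        return "url", s
    host = s.rstrip(".").lower()  # drop a trailing root dot, e.g. "example.com."
    if _DOMAIN.match(host):
        return "domain", host
    return "unknown", s


if __name__ == "__main__":
    # Constructed inputs; the 32-character hash is the MD5 of the EICAR test file.
    for raw in ("8.8.8.8", "evil[.]example[.]com",
                "hxxps://evil[.]example[.]com/payload.exe",
                "44D88612FEA8A8F36DE82E1278ABB02F", "2001:db8::1", "not an ioc"):
        print(raw, "->", classify(raw))
```

The hash check runs before the address and domain checks so that a pasted hash is never mistaken for a hostname, and IPv6 is accepted even though the tool above only advertises IPv4, since ipaddress handles both for free.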

What are threat intelligence feeds?

Threat intelligence feeds are continuously updated lists of malicious indicators — IP addresses, domains, URLs, and file hashes — maintained by security organizations worldwide. By checking an indicator against multiple feeds simultaneously, you can quickly determine whether it has been associated with malware distribution, botnet command-and-control, brute-force attacks, phishing, or other malicious activity. No single feed is comprehensive, which is why aggregating results from 10+ sources gives much broader coverage. The inverse does not hold: an indicator that appears on no feed is unknown rather than clean, because feeds only list what has already been reported.

Key Terminology

IOC (Indicator of Compromise)
A piece of forensic data — an IP address, domain name, URL, or file hash — that identifies potentially malicious activity. IOCs are the building blocks of threat intelligence and are shared between organizations to improve collective defense.
C2 (Command and Control)
Infrastructure used by attackers to communicate with and control compromised systems. Feodo Tracker specifically monitors C2 servers for banking trojans like Emotet, Dridex, and QakBot.
Passive DNS
Historical DNS resolution data collected by observing real DNS queries. Shows what domains resolved to in the past and what other domains share the same IP — useful for mapping attacker infrastructure.

🚨 Threat Feed Aggregator — Frequently Asked Questions

What threat feeds does this tool check?

It checks Feodo Tracker for botnet C2 IPs, URLhaus for malware distribution URLs, SSLBL for malicious SSL certificates, blocklist.de for brute-force attack IPs, Tor Project for exit nodes, SANS ISC for attack reports, OTX AlienVault for threat pulses, InQuest Labs for reputation data, ThreatFox for IOC matches, and MalwareBazaar for malware sample hashes.

How is the composite threat score calculated?

Each feed that flags the indicator adds a weighted number of points to the composite score. Critical feeds such as a Feodo Tracker C2 listing or an active URLhaus malware URL carry more weight than informational ones such as Tor exit-node membership. The total is bucketed as CRITICAL, HIGH, MEDIUM, or LOW, so both the number of feeds that flag the indicator and the severity of each match contribute to the final category.
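As an added illustration of the weighting just described (not Max Intel's code, and with weights and thresholds that are assumptions rather than the tool's real values), the following computes a composite verdict from per-feed results. It also handles the case the FAQ does not mention: a feed that could not be reached is reported separately instead of being counted as "not flagged", so a partial outage cannot silently lower the score.

```python
# Added example (not Max Intel's code): composite scoring over per-feed results.
# The feed weights and category thresholds are assumptions chosen to illustrate
# the weighting described above, not the tool's actual values.
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Assumed weights: infrastructure actively used for C2 or malware delivery
# outweighs reputation or anonymising-network signals.
FEED_WEIGHTS = {
    "feodo_tracker": 40,   # botnet C2 IP
    "urlhaus": 35,         # malware distribution URL
    "sslbl": 30,           # malicious SSL certificate fingerprint
    "threatfox": 25,       # IOC match
    "malwarebazaar": 25,   # known malware sample hash
    "blocklist_de": 15,    # brute-force attack reports
    "sans_isc": 10,        # attack reports
    "otx": 10,             # community pulse mention
    "inquest": 10,         # reputation data
    "tor_exit": 5,         # Tor exit node: informational, not malicious per se
}

# (minimum score, label), evaluated highest first; below 1 point is CLEAN.
THRESHOLDS = [(70, "CRITICAL"), (40, "HIGH"), (15, "MEDIUM"), (1, "LOW")]


@dataclass
class Verdict:
    score: int
    category: str
    flagged_by: List[str] = field(default_factory=list)
    clean_on: List[str] = field(default_factory=list)
    unavailable: List[str] = field(default_factory=list)


def composite_score(results: Dict[str, Optional[bool]]) -> Verdict:
    """results maps feed name -> True (flagged), False (not listed), None (feed
    unreachable). Unknown feed names get a small default weight."""
    flagged = sorted(f for f, hit in results.items() if hit is True)
    clean = sorted(f for f, hit in results.items() if hit is False)
    unavailable = sorted(f for f, hit in results.items() if hit is None)
    score = min(100, sum(FEED_WEIGHTS.get(f, 5) for f in flagged))
    category = "CLEAN"
    for floor, label in THRESHOLDS:
        if score >= floor:
            category = label
            break
    return Verdict(score, category, flagged, clean, unavailable)


if __name__ == "__main__":
    # Constructed results for one IP: listed as a C2 by Feodo Tracker and
    # serving a malware URL on URLhaus; the SANS ISC query timed out.
    sample = {feed: False for feed in FEED_WEIGHTS}
    sample.update({"feodo_tracker": True, "urlhaus": True, "sans_isc": None})
    v = composite_score(sample)
    print(v.category, v.score, "flagged by", v.flagged_by, "unavailable", v.unavailable)
```

Because the score is capped at 100 and the categories are fixed bands, a single high-weight feed such as Feodo Tracker already lands in HIGH on its own, while the long tail of informational feeds can only push an indicator up a band when several of them agree.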

Internet Threat Dashboard

A real-time overview of the current internet threat landscape. Aggregates 7+ live feeds: ISC SANS threat level and top attackers, CISA Known Exploited Vulnerabilities, URLhaus malware URLs, Feodo botnet C2 servers, and SSLBL malicious certificates.


Fetches live data from 7+ threat intelligence sources

What is a threat intelligence dashboard?

A threat intelligence dashboard aggregates multiple live security feeds into a single view, giving analysts an at-a-glance understanding of the current threat landscape. Instead of checking individual feeds one by one, this dashboard pulls from SANS Internet Storm Center (global threat level and top attackers), CISA's Known Exploited Vulnerabilities catalog (confirmed active exploits), and the abuse.ch family of feeds (botnet C2, malware URLs, malicious certificates) in one load.

Key Terminology

ISC INFOCON
The Internet Storm Center's threat level indicator. Green means normal activity, yellow indicates noteworthy activity, orange signals significant threat, and red indicates a critical internet-wide emergency. It's the internet's equivalent of a weather alert system.
CISA KEV
The Known Exploited Vulnerabilities catalog — a list of CVEs that have been observed being actively exploited in the wild. U.S. federal civilian executive branch agencies are required by CISA's Binding Operational Directive 22-01 to remediate each entry by its listed due date, and private organizations should treat these as top patching priorities.
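To make the CVE lookup and KEV deadline concrete, here is an added example (not Max Intel's or CISA's code) that normalises a user-typed CVE identifier and checks it against a catalog in the shape of CISA's published KEV JSON. The one-entry catalog is hand-built for the example: the field names follow the real feed and the dates for CVE-2021-44228 (Log4Shell) are the ones CISA published, but the rest of the file is omitted and a real deployment would fetch the full JSON from cisa.gov.

```python
# Added example (not Max Intel's or CISA's code): normalise a user-typed CVE ID
# and check it against a catalog in the shape of CISA's KEV JSON feed. The
# catalog below is a hand-built one-entry excerpt; the dates for CVE-2021-44228
# are the ones CISA published, the remaining entries are omitted.
import json
import re
from datetime import date
from typing import Optional, Union

_CVE = re.compile(r"^CVE-(\d{4})-(\d{4,})$")


def normalize_cve(raw: str) -> Optional[str]:
    """Canonicalise forms such as 'cve-2021-44228' or 'CVE 2021 44228'.
    Returns None when the input is not a syntactically valid CVE ID."""
    s = re.sub(r"[\s_]+", "-", raw.strip().upper())
    return s if _CVE.match(s) else None


SAMPLE_KEV = json.loads("""
{
  "title": "CISA Catalog of Known Exploited Vulnerabilities",
  "vulnerabilities": [
    {
      "cveID": "CVE-2021-44228",
      "vendorProject": "Apache",
      "product": "Log4j2",
      "vulnerabilityName": "Apache Log4j2 Remote Code Execution Vulnerability",
      "dateAdded": "2021-12-10",
      "dueDate": "2021-12-24",
      "knownRansomwareCampaignUse": "Known"
    }
  ]
}
""")


def kev_status(raw_cve: str, catalog: dict, today: Union[date, str]) -> dict:
    """Look a CVE up in a KEV-shaped catalog and compute its remediation deadline.
    `today` is injected (date or ISO string) so results are reproducible."""
    if isinstance(today, str):
        today = date.fromisoformat(today)
    cve = normalize_cve(raw_cve)
    if cve is None:
        return {"cve": raw_cve, "valid": False, "in_kev": False}
    index = {v["cveID"]: v for v in catalog["vulnerabilities"]}
    entry = index.get(cve)
    if entry is None:
        return {"cve": cve, "valid": True, "in_kev": False}
    due = date.fromisoformat(entry["dueDate"])
    return {
        "cve": cve,
        "valid": True,
        "in_kev": True,
        "date_added": entry["dateAdded"],
        "due_date": entry["dueDate"],
        "days_to_due": (due - today).days,   # negative once the deadline has passed
        "overdue": today > due,
        "ransomware_use": entry.get("knownRansomwareCampaignUse", "Unknown"),
    }


if __name__ == "__main__":
    for q in ("cve-2021-44228", "CVE-2024-1234", "CVE-24-1"):
        print(q, "->", kev_status(q, SAMPLE_KEV, "2021-12-20"))
```

Validating the identifier before the lookup matters because the year-and-sequence format is the only thing that distinguishes a CVE from an arbitrary string, and passing unnormalised input straight to a search API is how "CVE-2021-44228 " with a trailing space quietly returns no results.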

📊 Internet Threat Dashboard — Frequently Asked Questions

How often is the threat dashboard data updated?

Data is fetched live each time you load the page. ISC SANS INFOCON and attack statistics update multiple times daily. CISA KEV additions happen as new exploited vulnerabilities are confirmed. Feodo botnet data refreshes every few hours.

What does the SANS ISC INFOCON level mean?

INFOCON is a four-level scale — green (normal), yellow (notable increase in threats), orange (significant new threat), and red (severe disruption expected). It reflects the current global internet threat posture as assessed by the SANS Internet Storm Center.