Published on April 7, 2026
Cybersecurity

How to manage Threat Intelligence Tools! A Walkthrough of the TryHackMe Threat Intelligence Tools Room

Yazid Rahmouni, March 2026

Introduction

This article is a walkthrough of the Threat Intelligence Tools room on TryHackMe. The room covers open-source intelligence (OSINT) tools that SOC analysts use to conduct security threat assessments and investigations: UrlScan.io, Abuse.ch (ThreatFox, SSL Blacklist, URLhaus, Feodo Tracker), PhishTool, and Cisco Talos Intelligence. Each tool serves a different purpose in the threat intelligence workflow, from scanning suspicious URLs to tracking malware and botnet infrastructure. By the end of this walkthrough, you will understand how to use these tools to analyze suspicious emails, look up indicators of compromise (IoCs), and gather intelligence on threats.

Task 2: Threat Intelligence

Threat intelligence is the process of analyzing data and information to find meaningful patterns that help protect against current or future cyber threats. The goal is to understand the relationship between your environment and the attacker. Threat intelligence is divided into four types:

- Strategic Intel: high-level information about threat trends and risk areas, used by executives and leadership for long-term planning.
- Technical Intel: evidence-based indicators of compromise (IoCs) such as malicious IP addresses, file hashes, and domain names. SOC analysts use these to create detection rules in SIEM and firewall systems.
- Tactical Intel: information about adversary tactics, techniques, and procedures (TTPs), describing how threat actors operate and what tools they use.
- Operational Intel: details about specific ongoing or upcoming attacks, which help security teams prepare and respond in real time.

Task 3: UrlScan.io

UrlScan.io is a free online service that scans and analyzes URLs. When you submit a URL, it loads the page in a sandboxed browser, records all HTTP requests, takes a screenshot, and produces a detailed report.

SOC analysts use this tool to safely investigate suspicious links found in phishing emails without visiting the URL themselves. The scan report shows the IP address the URL resolves to, the server location, any external resources loaded, and whether the page contains forms or suspicious content. In this task, TryHackMe provided a screenshot of a UrlScan.io scan performed on TryHackMe's own domain. I used the information shown in the Summary and Live Information sections of the scan result to answer the questions.

Task 4: Abuse.ch

Abuse.ch is a research project from the Institute for Cybersecurity and Engineering at the Bern University of Applied Sciences in Switzerland. It provides several platforms for tracking malware and botnet activity. I used four of these platforms in this task.

ThreatFox

ThreatFox is a database where security researchers share indicators of compromise (IoCs). I searched for the IoC 212.192.246.30:5555 and found that it is associated with the Mirai malware. The detailed view shows the malware alias Katana, which is a variant of Mirai. Mirai targets IoT devices such as routers and cameras that use default credentials; infected devices become part of a botnet used for DDoS attacks. Port 5555 is commonly associated with Android Debug Bridge (ADB), which Mirai variants exploit to gain access.

SSL Blacklist

SSL Blacklist tracks malicious SSL certificates and JA3 fingerprints. A JA3 fingerprint is a hash of the TLS handshake parameters that a client uses when connecting to a server. Each piece of malware produces a unique JA3 fingerprint based on its TLS configuration. I searched for the JA3 fingerprint 51c64c77e60f3980eea90869b68c58a8 and found it is associated with Dridex, a banking trojan that steals financial credentials. There are 296,214 malware samples linked to this fingerprint.
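To make the JA3 value above concrete, here is an added example (my own code, not part of the room or of the abuse.ch tooling) that builds the JA3 string from ClientHello fields and MD5-hashes it the way JA3 does. The handshake values in SAMPLE are constructed and do not reproduce the Dridex fingerprint from the room.

```python
"""Compute a JA3 fingerprint from ClientHello fields.  Added example (not
abuse.ch code); the handshake values below are constructed and do not
reproduce the Dridex fingerprint from the room."""
import hashlib


def is_grease(value: int) -> bool:
    """GREASE values (0x0A0A, 0x1A1A, ..., 0xFAFA, RFC 8701) are randomised
    per connection by browsers and are dropped before hashing, otherwise
    the same client would never yield a stable fingerprint."""
    return (value & 0x0F0F) == 0x0A0A and (value >> 8) == (value & 0xFF)


def ja3_string(version, ciphers, extensions, curves, point_formats) -> str:
    """JA3 string: SSLVersion,Ciphers,Extensions,EllipticCurves,PointFormats.
    Each list is joined with '-', values are decimal, GREASE is removed."""
    def field(values):
        return "-".join(str(v) for v in values if not is_grease(v))
    return ",".join([str(version), field(ciphers), field(extensions),
                     field(curves), field(point_formats)])


def ja3_hash(version, ciphers, extensions, curves, point_formats) -> str:
    """The 32-hex-digit MD5 that SSL Blacklist lists as the fingerprint."""
    s = ja3_string(version, ciphers, extensions, curves, point_formats)
    return hashlib.md5(s.encode("ascii"), usedforsecurity=False).hexdigest()


# Constructed ClientHello: legacy_version 0x0303 (771); one GREASE cipher,
# TLS_AES_128_GCM_SHA256, TLS_AES_256_GCM_SHA384,
# TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256; one GREASE extension plus
# server_name(0), extended_master_secret(23), renegotiation_info(65281),
# supported_groups(10), ec_point_formats(11); groups x25519(29) and
# secp256r1(23); uncompressed point format (0).
SAMPLE = dict(
    version=771,
    ciphers=[0x0A0A, 0x1301, 0x1302, 0xC02B],
    extensions=[0x1A1A, 0, 23, 65281, 10, 11],
    curves=[29, 23],
    point_formats=[0],
)

if __name__ == "__main__":
    print(ja3_string(**SAMPLE))
    print(ja3_hash(**SAMPLE))
```

The order of each list is part of the input, so two clients offering the same suites in a different order hash differently. Two caveats when pivoting on an SSL Blacklist hit: the version field is the ClientHello's legacy_version, so TLS 1.3 clients still report 771, and a JA3 value identifies a TLS client stack rather than a program, so malware built on a common library shares its fingerprint with legitimate software. Treat a match as a lead to confirm against the other IoCs rather than as proof on its own.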
URLhaus

URLhaus is a database of URLs used to distribute malware. Its statistics page shows which hosting networks are most frequently abused by attackers. I looked at the statistics page and found that ASN AS14061 belongs to DigitalOcean, a popular cloud hosting provider. Attackers abuse DigitalOcean because it is cheap and easy to set up servers quickly for malware distribution.

Feodo Tracker

Feodo Tracker tracks botnet Command and Control (C2) servers. A C2 server is the server an attacker uses to send commands to all infected machines in their botnet. I searched for the IP address 178.134.47.166 and found that it is a C2 server for TrickBot malware, located in Georgia (country code GE). The server was first seen on 2021-04-22 and its status is currently offline. The network is AS35805 SILKNET-AS.

Task 5: PhishTool and Email Analysis (Email1.eml)

In this task, I analyzed Email1.eml on the TryHackMe VM using Thunderbird. The email was a phishing email designed to look like a notification from LinkedIn; the attacker was trying to trick the recipient into clicking a malicious link. I opened the raw message source with Ctrl+U in Thunderbird to view the email headers. From the headers, I found the following information:

- Social media platform impersonated: LinkedIn (visible from the email body content and the List-Unsubscribe header containing linkedin.com)
- Sender email: darkabutla@sc500.whpservers.com
- Recipient email: cabbagecare@hotsmail.com
- Originating IP: 204.93.183.11 (defanged: 204[.]93[.]183[.]11)
- Number of hops: 4 (counted from the number of Received: headers)

The originating IP was found in the last Received: header, which records the first server hop. The email originated from sc500.whpservers.com (204.93.183.11) and passed through Microsoft's mail protection infrastructure before reaching the recipient.
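The header analysis in this task can be scripted so that the hop count, the originating IP and the URLs in the body are pulled out the same way every time and defanged for the report. The following is an added example (my own code, not from the room or from PhishTool). SAMPLE_EML is a constructed three-hop message, and every hostname, address and URL in it is a placeholder rather than a value from Email1.eml.

```python
"""Header triage for a suspicious .eml: hop count, originating IP, defanged
indicators.  Added example; SAMPLE_EML is a constructed message and every
hostname, address and URL in it is a placeholder."""
import re
from email import policy
from email.parser import BytesParser

# Constructed three-hop message.  Each relay prepends its own Received:
# header, so the first one in the file is the hop nearest the recipient and
# the last one is the server that first accepted the message.
SAMPLE_EML = b"""\
Received: from mx-inbound.example.net (mx-inbound.example.net [198.51.100.20])
 by mail.victim.example; Mon, 6 Apr 2026 10:00:03 +0000
Received: from relay.example.org (relay.example.org [203.0.113.7])
 by mx-inbound.example.net; Mon, 6 Apr 2026 10:00:02 +0000
Received: from srv01.hosting.example (srv01.hosting.example [192.0.2.55])
 by relay.example.org; Mon, 6 Apr 2026 10:00:01 +0000
From: "Careers Team" <noreply@srv01.hosting.example>
To: analyst@victim.example
Subject: You have 1 new connection request
List-Unsubscribe: <https://www.linkedin.com/e/unsubscribe/placeholder>
Content-Type: text/plain; charset="utf-8"

Someone wants to connect with you.
View the request: http://accept-invite.example.com/login?id=placeholder
"""

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
URL_RE = re.compile(r"https?://[^\s<>\"')]+")


def parse_eml(raw: bytes):
    return BytesParser(policy=policy.default).parsebytes(raw)


def received_hops(msg) -> list:
    """Received: headers in file order (most recent hop first)."""
    return [str(h) for h in msg.get_all("Received", [])]


def originating_ip(msg):
    """IP in the last (earliest) Received: header, i.e. the first server hop."""
    hops = received_hops(msg)
    if not hops:
        return None
    match = IPV4_RE.search(hops[-1])
    return match.group(0) if match else None


def defang(indicator: str) -> str:
    """Neutralise an IP or URL for a report: dots become [.], http -> hxxp."""
    out = indicator.replace("http://", "hxxp://").replace("https://", "hxxps://")
    return out.replace(".", "[.]")


def body_urls(msg) -> list:
    """URLs in the text (or HTML) body, in order of appearance."""
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body is not None else ""
    return URL_RE.findall(text)


def triage(raw: bytes) -> dict:
    """Collect the indicators an analyst would look up next."""
    msg = parse_eml(raw)
    ip = originating_ip(msg)
    return {
        "sender": str(msg["From"]),
        "recipient": str(msg["To"]),
        "hops": len(received_hops(msg)),
        "originating_ip": ip,
        "originating_ip_defanged": defang(ip) if ip else None,
        "urls_defanged": [defang(u) for u in body_urls(msg)],
        "list_unsubscribe": str(msg["List-Unsubscribe"]),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_EML).items():
        print(f"{key}: {value}")
```

One caveat to carry into the next tasks: only the Received: headers added by your own mail infrastructure are trustworthy, because a sender can insert fabricated Received: lines beneath them. The "originating" IP this script returns is therefore a lead to corroborate with reputation and WHOIS lookups, not an established fact on its own.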
Task 6: Cisco Talos Intelligence

Using the originating IP address 204.93.183.11 from Email1.eml, I performed a lookup on Cisco Talos Intelligence and a WHOIS query to find more information about the sender's infrastructure. The WHOIS data revealed two levels of ownership:

- Network Owner: DEFT.COM (the organization that owns the IP block 204.93.128.0/17)
- Customer: Complete Web Reviews (the entity renting the /24 subnet 204.93.183.0/24 from DEFT.COM)

This means the phishing email was sent from a server hosted on IP space owned by DEFT.COM, a data center company in Elk Grove Village, Illinois, and rented by Complete Web Reviews in Arlington Heights, Illinois.

Task 7: Scenario 1 — Email2.eml

In this scenario, I acted as a SOC analyst triaging a suspicious email (Email2.eml) forwarded by a coworker. I opened Email2.eml in Thunderbird on the VM and identified the recipient's email address from the To: field. The email contained a suspicious attachment named "Proforma Invoice P101092292891 TT slip pdf.rar.zip". The filename was designed to look like a PDF invoice, but it was actually a compressed archive containing malware. To verify whether the attachment was malicious, I computed its SHA-256 hash using the sha256sum command in the terminal. The hash was:

435bfc4c3a3c887fd39c058e8c11863d5dd1f05e0c7a86e232c93d0e979fdb28

I searched this hash on VirusTotal and found that 49 out of 65 antivirus vendors flagged the file as malicious. The popular threat label was trojan.noon/fareitvb, and the threat categories included trojan, downloader, and spreader.
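The sha256sum step can be done directly against the .eml so that the attachment is never saved or opened: the following added example (my own code, not from the room) walks the MIME parts, hashes each attachment for a VirusTotal lookup and flags deceptive names such as a "pdf.rar.zip" lure or a macro-capable Office workbook like the .xls in Scenario 2. The message and attachment bytes produced by build_sample_eml() are constructed placeholders, so the hashes it prints are not those of the room's samples.

```python
"""Attachment triage for a suspicious .eml: extract each MIME attachment,
SHA-256 it for a VirusTotal lookup and flag deceptive filenames, without
writing or opening the file.  Added example; build_sample_eml() constructs a
placeholder message, so its hashes are not those of the room's samples."""
import hashlib
import re
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

ARCHIVE_EXT = {"zip", "rar", "7z", "iso", "img"}
MACRO_DOC_EXT = {"xls", "xlsm", "xlsb", "doc", "docm", "ppt", "pptm"}
DECOY_EXT = {"pdf", "txt", "jpg", "png"} | ARCHIVE_EXT


def build_sample_eml() -> bytes:
    """Constructed message with two harmless placeholder attachments."""
    msg = EmailMessage()
    msg["From"] = "accounts@sender.example"
    msg["To"] = "finance@victim.example"
    msg["Subject"] = "Proforma invoice"
    msg.set_content("Please find the invoice attached.")
    # Archive whose name advertises "pdf" and "rar" ahead of the real .zip.
    msg.add_attachment(b"PK\x03\x04placeholder-archive-bytes",
                       maintype="application", subtype="zip",
                       filename="Invoice 0000 slip pdf.rar.zip")
    # Legacy Excel workbook, a macro-capable format.
    msg.add_attachment(b"\xd0\xcf\x11\xe0placeholder-ole-bytes",
                       maintype="application", subtype="vnd.ms-excel",
                       filename="Sales_Receipt 0000.xls")
    return msg.as_bytes()


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def filename_flags(name: str) -> list:
    """Heuristics on the name alone.  Tokens are split on spaces and dots so
    that 'slip pdf.rar.zip' exposes 'pdf' and 'rar' ahead of the real 'zip'."""
    flags = []
    tokens = [t for t in re.split(r"[ .]+", name.lower()) if t]
    ext = tokens[-1] if len(tokens) > 1 else ""
    if ext in ARCHIVE_EXT:
        flags.append("archive")
    if ext in MACRO_DOC_EXT:
        flags.append("macro-capable-office")
    if any(t in DECOY_EXT for t in tokens[:-1]):
        flags.append("double-extension-lure")
    return flags


def hash_attachments(raw: bytes) -> list:
    """One record per attachment: name, size, SHA-256 and filename flags."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    records = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "<unnamed>"
        data = part.get_payload(decode=True) or b""
        records.append({
            "filename": name,
            "size": len(data),
            "sha256": sha256_hex(data),
            "flags": filename_flags(name),
        })
    return records


if __name__ == "__main__":
    for rec in hash_attachments(build_sample_eml()):
        print(rec["sha256"], rec["size"], rec["filename"], rec["flags"])
```

The filename flags are only a hint for prioritisation; the hash lookup is what actually answers the question, and an attachment with a clean-looking name still gets hashed and checked.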
On the Details tab, the History section showed:

- First Submission: 2017-12-14 (the answer to the question is 2017)
- Last Submission: 2026-03-17

This means the malware has been in circulation since 2017 and is still being actively distributed almost 9 years later.

Task 8: Scenario 2 — Email3.eml

In this second scenario, I analyzed Email3.eml. The email contained an attachment called Sales_Receipt 5606.xls. This is an Excel spreadsheet, a common delivery method for malware through embedded VBA macros. I computed the SHA-256 hash of the attachment:

b8ef959a9176aef07fdca8705254a163b50b49a17217a4ff0107487f59d4a35d

I searched this hash on VirusTotal, and the results confirmed the file is malicious. The family labels shown were valyria, x97m, and dridex, and multiple antivirus vendors detected it as Downloader/XLS.Dridex.

Malware family: Dridex

Dridex is a banking trojan that spreads through malicious Office documents with embedded macros. When a victim opens the Excel file and enables macros, the malicious VBA code executes, downloads the Dridex payload from a remote server, and infects the system. Dridex is designed to steal banking credentials and financial information.

Conclusion

This room provided hands-on experience with several open-source threat intelligence tools that SOC analysts use daily. The key tools and their purposes are:

- UrlScan.io: safely scan and analyze suspicious URLs without visiting them directly.
- ThreatFox: look up indicators of compromise (IoCs) and find associated malware families.
- SSL Blacklist: identify malware based on TLS/SSL fingerprints (JA3 hashes).
- URLhaus: check whether a URL is known to distribute malware and identify abused hosting networks.
- Feodo Tracker: track botnet C2 server infrastructure and identify associated malware.
- PhishTool: analyze phishing emails by extracting headers, attachments, and IoCs.
- Cisco Talos Intelligence: look up IP and domain reputation and perform WHOIS queries.
- VirusTotal: check file hashes against 70+ antivirus engines to determine whether a file is malicious.

The overall workflow demonstrated in this room follows a standard SOC analyst triage process: receive a suspicious email, extract indicators (IPs, hashes, URLs, domains), look them up across multiple threat intelligence platforms, and use the results to determine the nature and severity of the threat. This process is essential for identifying phishing attacks, malware distribution, and botnet activity.