DECODA’s IOC extraction engine automatically detects indicators of compromise from analysis output using pattern matching with validation. Each indicator is assigned a confidence level and can be exported in machine-readable formats.

Network Indicators

| Category | Pattern | Confidence | Example |
|---|---|---|---|
| IPv4 | Standard dotted-decimal | High | 192.168.1.100 |
| IPv4 with Port | IP:port format | High | 10.0.0.1:4444 |
| IPv6 | Full and compressed formats | Medium | fe80::1, 2001:db8::1 |
| Domain | Common TLDs used in malware ops | Medium | evil-c2.xyz, payload.onion |
| URL | HTTP/HTTPS/FTP with paths | High | https://malware.site/payload.bin |
| Email | Standard email format | High | attacker@evil.com |

Domain detection covers 60+ TLDs including those commonly abused in malware campaigns: .xyz, .top, .tk, .pw, .onion, .bit, and country-code TLDs.

File Indicators

| Category | Pattern | Confidence | Example |
|---|---|---|---|
| MD5 | 32 hex characters | Low | d41d8cd98f00b204e9800998ecf8427e |
| SHA-1 | 40 hex characters | Low | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA-256 | 64 hex characters | Low | e3b0c44298fc1c149afbf4c8996fb924... |
| SHA-512 | 128 hex characters | Low | Full 128-char hex string |
| PDB Path | Windows .pdb debug paths | High | C:\Users\dev\malware\Release\loader.pdb |
| Windows Path | Drive letter paths | Medium | C:\Windows\System32\cmd.exe |
| Unix Path | System directory paths | Medium | /tmp/.hidden/payload |

PDB paths are particularly valuable for attribution, as they may reveal developer usernames, project names, and build environments.

Host Indicators

| Category | Pattern | Confidence | Example |
|---|---|---|---|
| Registry Key | HKEY_* / HKLM / HKCU paths | High | HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run |
| Mutex | Global\ and Local\ prefixed names | High | Global\{DEADBEEF-1234-5678} |
| User Agent | Mozilla/* HTTP user-agent strings | Medium | Mozilla/5.0 (Windows NT 10.0; ...) |

Cryptocurrency Indicators

| Category | Pattern | Confidence | Example |
|---|---|---|---|
| Bitcoin | P2PKH (1…), P2SH (3…), Bech32 (bc1…) | High | bc1qxy2kgdygjrsqtzq2n0yrf2493p83kkfjhx0wlh |
| Monero | Standard addresses starting with 4 | High | 4AdUndXHHZ6cfufTMvppY6JwXNouMBzSkbLYfpAV5Usx... |

Confidence Levels

Each detected IOC is assigned a confidence level:
  • High — Strong structural match with validation (URLs, registry keys, crypto addresses, mutexes)
  • Medium — Good pattern match but may have false positives (domains, IP addresses, file paths, user agents)
  • Low — Hex string length match only (hashes) — could be coincidental hex sequences
Hash confidence is low because a 32-character hex string could be an MD5 hash, a GUID, or just a hex-encoded value. DECODA uses context from surrounding analysis to improve hash classification.

Export Formats

IOCs can be exported in three machine-readable formats:

JSON

Structured data suitable for SIEM ingestion or custom tooling:
```json
{
  "indicators": [
    {
      "type": "ipv4",
      "value": "192.168.1.100",
      "confidence": "high",
      "context": "Found in decoded C2 configuration"
    }
  ]
}
```

CSV

Spreadsheet-compatible format for manual review or bulk import:
```csv
type,value,confidence,context
ipv4,192.168.1.100,high,Found in decoded C2 configuration
domain,evil-c2.xyz,medium,Referenced in HTTP beacon function
```

STIX 2.1

Standard threat intelligence format for sharing between organisations and tools. DECODA generates valid STIX bundles with proper object types (indicators, observables, relationships).

Filtering & Options

When asking the agent to extract IOCs, you can specify:
  • Category filter — “Extract only network IOCs” or “Just the file hashes”
  • Confidence threshold — “Only high-confidence indicators”
  • Defanged output — IOCs are modified to prevent accidental clicks (e.g., hxxps://evil[.]com)
Example prompts:
  • “Extract all network IOCs and export as STIX 2.1”
  • “Find high-confidence IOCs only, defanged, as CSV”
  • “Generate IOCs from this analysis and export as JSON”

False Positive Filtering

DECODA maintains a whitelist to filter out common false positives:
  • Known-safe domains (microsoft.com, google.com, etc.)
  • Private/reserved IP ranges (unless specifically suspicious in context)
  • File extensions that look like domains (.dll, .exe, .sys)
  • Common library paths that aren’t indicators
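The pipeline this page describes (structural match, validation, confidence threshold, defanging, whitelist) pulled together as an added Python example; this is not DECODA's own code, and the sample text, regexes, whitelist entries, `RANK` table and `extract` function are all constructed for illustration. It covers four of the page's categories and returns records in the page's JSON export shape.

```python
import re

# Constructed sample analysis output (not a real DECODA run). It mixes plausible indicators
# with the false positives the page lists: a safe domain, a .dll that looks like a domain,
# and an IPv4 lookalike with an octet above 255.
SAMPLE = """beacon: https://malware.site/payload.bin then fallback 10.0.0.1:4444
loads kernel32.dll, checks microsoft.com, C2 host evil-c2.xyz
self md5 d41d8cd98f00b204e9800998ecf8427e sent to 192.168.1.100, build 999.1.2.3"""

# (type, regex, confidence) in precedence order: each pattern's matches are blanked out
# before the next runs, so a URL's host is not also reported as a domain.
PATTERNS = [
    ("url",       re.compile(r"\b(?:https?|ftp)://[^\s\"'<>]+", re.I), "high"),
    ("ipv4_port", re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}:\d{1,5}\b"), "high"),
    ("ipv4",      re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"), "high"),
    ("md5",       re.compile(r"\b[0-9a-f]{32}\b", re.I), "low"),
    ("domain",    re.compile(r"\b[a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,}\b", re.I), "medium"),
]
RANK = {"low": 0, "medium": 1, "high": 2}
SAFE_DOMAINS = {"microsoft.com", "google.com"}  # whitelist, constructed for the example
EXT_LOOKALIKES = (".dll", ".exe", ".sys")        # extensions that look like TLDs

def is_valid(kind, value):
    # Validation after the structural match: impossible octets and whitelisted names are dropped.
    if kind in ("ipv4", "ipv4_port"):
        return all(int(octet) <= 255 for octet in value.split(":")[0].split("."))
    if kind == "domain":
        return value.lower() not in SAFE_DOMAINS and not value.lower().endswith(EXT_LOOKALIKES)
    return True

def defang(kind, value):
    # hxxps://evil[.]com style: bracket the dots and break the URL scheme; hashes are left alone.
    value = value if kind == "md5" else value.replace(".", "[.]")
    return re.sub(r"^http", "hxxp", value, flags=re.I) if kind == "url" else value

def extract(text, min_confidence="low", defanged=True):
    # Returns the page's JSON export shape (json.dumps(result, indent=2) serialises it);
    # context is the analysis line the indicator was found on.
    found = []
    for line in text.splitlines():
        remaining = line
        for kind, pattern, confidence in PATTERNS:
            for value in pattern.findall(remaining):
                if RANK[confidence] >= RANK[min_confidence] and is_valid(kind, value):
                    found.append({"type": kind, "value": defang(kind, value) if defanged else value,
                                  "confidence": confidence, "context": line.strip()})
            remaining = pattern.sub(" ", remaining)
    return {"indicators": found}
```

Running `extract(SAMPLE)` on the constructed text yields five indicators; `kernel32.dll`, `microsoft.com` and `999.1.2.3` are matched structurally but never reported.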