ioc extractor

100% client-side

Paste a threat report, advisory, or log and pull out every IP, domain, URL, hash, CVE and email. Defanged indicators (hxxp, [.], [@]) are understood, deduped with counts, and honestly flagged.

PRIVATE 100% in your browser — nothing is uploaded. The text you paste never leaves this page.

watchlist (one value per line — matches get a ★, stays in this browser)

what was detected

APT report: C2 at http://malicious.top/gate.php (185.220.101.45). Backup 45.66.77.88. Dropper SHA256 44d88612fea8a8f36de82e1278abb02f (see CVE-2024-1709). Beacon to internal host 10.0.0.5. Contact: [email protected]. Benign check-in to github.com.

summary

8 unique IOCs
8 total occurrences
6 types found
3 from defanged

indicators

type     value                              count  line  flags
IPv4     10.0.0.5                           1      1     private
IPv4     185.220.101.45                     1      1
MD5      44d88612fea8a8f36de82e1278abb02f   1      1
IPv4     45.66.77.88                        1      1     was defanged
CVE      CVE-2024-1709                      1      1
Domain   github.com                         1      1     benign
URL      http://malicious.top/gate.php      1      1     was defanged
Email    [email protected]                  1      1     was defanged

export

free: exports the currently shown IOCs — generated in your browser

What it detects

IOC type                              example
IPv4 / IPv6                           185.220.101.45, 2001:db8::1
Domain                                malicious.top, corp-security.com
URL                                   http://malicious.top/gate.php
Email                                 [email protected]
Hashes (MD5/SHA-1/SHA-256/SHA-512)    44d88612fea8a8f36de82e1278abb02f
CVE                                   CVE-2024-1709
MAC address                           00:1b:44:11:3a:b7
UUID                                  550e8400-e29b-41d4-a716-446655440000
Registry key (heuristic)              HKLM\Software\Run
File path (heuristic)                 C:\Windows\Temp\a.exe
Bitcoin address (heuristic)           1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa

Defang styles it understands

style                   defanged → refanged
Bracketed dot           malicious[.]top → malicious.top
Neutralized scheme      hxxp:// → http://
Bracketed at-sign       ops[@]corp → ops@corp
Escaped / spaced dot    45[.]66[.]77[.]88 → 45.66.77.88
“dot” / (dot)           evil(dot)com → evil.com

Honest false-positive handling. Nothing is dropped silently. Private / loopback / doc-range / reserved IPs are kept but labelled; domains on a curated allowlist are flagged benign; and ambiguous types (Bitcoin, registry keys, file paths) carry a heuristic badge. Anything only found after refanging is marked was defanged.
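The refang-then-extract-then-label pipeline described above, written out as an added example. This is not the Bokamba tool's own code: the function names (refang, findInLine, extractIocs, summarize, ipv4Flag), the small benign allowlist, the file-extension filter used to keep "a.exe" out of the domain list, and the sample report are all constructed here. It handles the defang styles in the table, classifies hashes by length, dedupes on type plus value with a count and first line, and labels private, loopback, documentation-range and reserved IPs, allowlisted domains, and anything that was only found after refanging, instead of dropping them.

```javascript
// Added example (not the Bokamba tool's code): refang, extract, dedupe, label.
const BENIGN_DOMAINS = new Set(['github.com', 'microsoft.com']);          // constructed allowlist
const FILE_EXTENSIONS = new Set(['php', 'exe', 'dll', 'txt', 'html', 'js']); // keep "a.exe" out of domains
const HASH_NAMES = { 32: 'MD5', 40: 'SHA-1', 64: 'SHA-256', 128: 'SHA-512' };

// Undo common defanging: hxxp:// -> http://, [.] (.) [dot] (dot) "dot" -> ., [@] (@) -> @
function refang(text) {
  return text
    .replace(/hxxp(s?):\/\//gi, 'http$1://')
    .replace(/\s*(?:\[\.\]|\(\.\)|[\[("“]dot[\])"”])\s*/gi, '.')
    .replace(/\[@\]|\(@\)/g, '@');
}

// Label (not drop) addresses that cannot be a real remote indicator
function ipv4Flag(ip) {
  const [a, b, c] = ip.split('.').map(Number);
  if (a === 127) return 'loopback';
  if (a === 10 || (a === 172 && b >= 16 && b <= 31) || (a === 192 && b === 168)) return 'private';
  if (a === 169 && b === 254) return 'link-local';
  if ((a === 192 && b === 0 && c === 2) || (a === 198 && b === 51 && c === 100) ||
      (a === 203 && b === 0 && c === 113)) return 'doc-range';
  if (a === 0 || a >= 224) return 'reserved';
  return null;
}

// Find {type, value} pairs in one line. URLs and emails are cut out first so
// their host parts are not counted a second time as bare domains.
function findInLine(line) {
  const found = [];
  const masked = line
    .replace(/\bhttps?:\/\/[^\s"'<>)]+/gi, (m) => { found.push({ type: 'URL', value: m }); return ' '; })
    .replace(/\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b/g, (m) => { found.push({ type: 'Email', value: m.toLowerCase() }); return ' '; });
  for (const m of masked.match(/\b(?:\d{1,3}\.){3}\d{1,3}\b/g) || []) {
    if (m.split('.').every((o) => Number(o) <= 255)) found.push({ type: 'IPv4', value: m });
  }
  for (const m of masked.match(/\b[a-f0-9]{32,128}\b/gi) || []) {
    if (HASH_NAMES[m.length]) found.push({ type: HASH_NAMES[m.length], value: m.toLowerCase() });
  }
  for (const m of masked.match(/\bCVE-\d{4}-\d{4,}\b/gi) || []) found.push({ type: 'CVE', value: m.toUpperCase() });
  for (const m of masked.match(/\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b/gi) || []) {
    if (!FILE_EXTENSIONS.has(m.split('.').pop().toLowerCase())) found.push({ type: 'Domain', value: m.toLowerCase() });
  }
  return found;
}

// Dedupe on type|value, count occurrences, keep the first line, attach flags.
// "was defanged" is applied only when the value never appeared in plain form.
function extractIocs(text) {
  const table = new Map();
  text.split(/\r?\n/).forEach((rawLine, i) => {
    const rawKeys = new Set(findInLine(rawLine).map((f) => `${f.type}|${f.value}`));
    for (const f of findInLine(refang(rawLine))) {
      const key = `${f.type}|${f.value}`;
      let row = table.get(key);
      if (!row) {
        row = { type: f.type, value: f.value, count: 0, line: i + 1, flags: [], seenRaw: false };
        const ipFlag = f.type === 'IPv4' ? ipv4Flag(f.value) : null;
        if (ipFlag) row.flags.push(ipFlag);
        if (f.type === 'Domain' && BENIGN_DOMAINS.has(f.value)) row.flags.push('benign');
        table.set(key, row);
      }
      row.count += 1;
      if (rawKeys.has(key)) row.seenRaw = true;
    }
  });
  return [...table.values()].map(({ seenRaw, ...row }) =>
    (seenRaw ? row : { ...row, flags: [...row.flags, 'was defanged'] }));
}

function summarize(rows) {
  return {
    unique: rows.length,
    total: rows.reduce((n, r) => n + r.count, 0),
    types: new Set(rows.map((r) => r.type)).size,
    fromDefanged: rows.filter((r) => r.flags.includes('was defanged')).length,
  };
}

// Constructed sample modelled on the demo report above (defanged where the demo says so)
const SAMPLE = [
  'APT report: C2 at hxxp://malicious[.]top/gate.php (185.220.101.45).',
  'Backup 45[.]66[.]77[.]88. Dropper SHA256 44d88612fea8a8f36de82e1278abb02f (see CVE-2024-1709).',
  'Beacon to internal host 10.0.0.5. Contact: ops[@]corp-security(dot)com.',
  'Benign check-in to github.com.',
].join('\n');

const demoRows = extractIocs(SAMPLE);
console.table(demoRows.map((r) => ({ ...r, flags: r.flags.join(', ') })));
console.log(summarize(demoRows)); // 8 unique, 8 total, 6 types, 3 from defanged
```

Note that the report calls the 32-character hash "SHA256" while the extractor labels it MD5: classifying by length rather than by the surrounding prose is what keeps the type column trustworthy. Run the raw line and the refanged line through the same finder and compare the two key sets; that is the cheapest way to make the "was defanged" flag mean exactly what the text above promises.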

FAQ

What is an IOC (indicator of compromise)?

An indicator of compromise is a piece of forensic data — an IP address, domain, URL, file hash, email address, or CVE — that suggests a system may have been breached or is being targeted. Threat reports and advisories are full of them, often mixed into prose. This tool scans arbitrary text and pulls every indicator it recognizes into a clean, deduped, copy-ready table.

How do I extract IPs, hashes, or domains from a threat report?

Paste the whole report (or drop in a log or advisory) into the box. The extractor immediately lists every IPv4/IPv6 address, domain, URL, email, MD5/SHA-1/SHA-256/SHA-512 hash, CVE, MAC address and UUID it finds, with an occurrence count and the first line each appeared on. Use the type filter chips to narrow to just IPs or just hashes, then copy that type with one click.

Does it upload my data anywhere?

No. Extraction runs 100% in your browser — the text you paste never leaves the page. Your watchlist is stored only in this browser’s local storage. Pro exports are also generated client-side; the only network call the tool ever makes is an optional license check when you activate a Pro key, and that sends just the key, never your data.

What is defanging, and does this handle it?

Defanging neutralizes an indicator so it can’t be clicked or resolved by accident — for example writing hxxp://malicious[.]top instead of the live URL, or ops[@]corp instead of a real email. The extractor refangs the text first, so defanged indicators are detected as real values, and it flags anything that was only found after refanging so you know it appeared neutralized in the source.

How does it avoid false positives?

Honestly and visibly, never silently. Private, loopback, documentation-range and reserved IPs are kept but labelled; domains on a curated allowlist are flagged “benign”; and inherently ambiguous types (Bitcoin addresses, registry keys, file paths) carry a “heuristic” badge so you know they are best-effort, not authoritative. Nothing is dropped without a visible reason.

Can it export STIX or MISP?

Yes — with Pro. Activate a Bokamba Pro license and you can download the extracted IOCs as CSV, JSON, a STIX 2.1 bundle of indicator objects, or a MISP freetext import. All four are generated in your browser from the same in-page results; nothing is sent to a server.

Need to redact instead of extract? → Scrub sensitive data with LogScrub — mask IPs, emails, hostnames and secrets before you share a log.