
MalwareBazaar

This Integration is part of the MalwareBazaar Pack.#

Supported versions

Supported Cortex XSOAR versions: 6.0.0 and later.

MalwareBazaar is a project from abuse.ch with the goal of sharing malware samples with the Infosec community, AV vendors, and threat intelligence providers. This integration was integrated and tested with version 1 of MalwareBazaar.

Configure MalwareBazaar on Cortex XSOAR#

  1. Navigate to Settings > Integrations > Servers & Services.

  2. Search for MalwareBazaar.

  3. Click Add instance to create and configure a new integration instance.

    | Parameter | Description | Required |
    | --- | --- | --- |
    | Server URL | This is the API endpoint for the MalwareBazaar API. | True |
    | User Name | API key is required only to add a comment to a malware sample. | False |
    | API Key |  | False |
    | Source Reliability | Reliability of the source providing the intelligence data. | True |
    | Use system proxy settings |  | False |
    | Trust any certificate (not secure) |  | False |
  4. Click Test to validate the URLs, token, and connection.

Commands#

You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

file#


Check if a particular malware sample is known to MalwareBazaar.

Base Command#

file

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| file | A list of SHA256, MD5, or SHA1 hashes of the malware samples you want to query. | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| MalwareBazaar.File.sha256_hash | String | SHA256 hash of the malware sample. |
| MalwareBazaar.File.sha3_384_hash | String | SHA3-384 hash of the malware sample. |
| MalwareBazaar.File.sha1_hash | String | SHA1 hash of the malware sample. |
| MalwareBazaar.File.md5_hash | String | MD5 hash of the malware sample. |
| MalwareBazaar.File.first_seen | Date | Timestamp of when the file was first seen by MalwareBazaar (UTC). |
| MalwareBazaar.File.last_seen | Date | Timestamp of when the file was last seen by MalwareBazaar (UTC). |
| MalwareBazaar.File.file_name | String | Malware sample's file name. |
| MalwareBazaar.File.file_size | Number | Malware sample's file size in bytes. |
| MalwareBazaar.File.file_type_mime | String | Malware sample's MIME file type. |
| MalwareBazaar.File.file_type | String | Malware sample's file type. |
| MalwareBazaar.File.reporter | String | Twitter handle of the reporter (or anonymous for anonymous submissions). |
| MalwareBazaar.File.origin_country | String | Two-letter country code of the country the sample was uploaded from. |
| MalwareBazaar.File.anonymous | Number | Whether the submission of the sample was anonymous: 1 (true) or 0 (false). |
| MalwareBazaar.File.signature | String | Malware family (if available). |
| MalwareBazaar.File.imphash | String | Import hash (imphash); only available for Portable Executables. |
| MalwareBazaar.File.tlsh | String | Trend Micro Locality Sensitive Hash (tlsh). |
| MalwareBazaar.File.telfhash | String | Trend Micro ELF Hash (telfhash). |
| MalwareBazaar.File.ssdeep | String | The SSDeep hash of the file. |
| MalwareBazaar.File.dhash_icon | Unknown | If the file is a Portable Executable, the dhash of the sample's icon. |
| MalwareBazaar.File.comment | String | Comment on the malware sample. |
| MalwareBazaar.File.tags | String | List of tags on the malware sample. |
| MalwareBazaar.File.code_sign.subject_cn | String | Subject common name (CN). |
| MalwareBazaar.File.code_sign.issuer_cn | String | Issuer common name (CN). |
| MalwareBazaar.File.code_sign.algorithm | String | Algorithm used. |
| MalwareBazaar.File.code_sign.valid_from | Date | Datetime from which the code signature was valid. |
| MalwareBazaar.File.code_sign.valid_to | Date | Datetime until which the code signature was valid (expiry date). |
| MalwareBazaar.File.code_sign.serial_number | String | Serial number of the code-signing certificate. |
| MalwareBazaar.File.code_sign.cscb_listed | String | Whether the certificate is listed in the Code Signing Certificate Blocklist (CSCB). |
| MalwareBazaar.File.code_sign.cscb_reason | String | Code Signing Certificate Blocklist (CSCB) listing reason. |
| MalwareBazaar.File.delivery_method | String | How the file was distributed. |
| MalwareBazaar.File.file_information | Unknown | Contextual information about the file sample. |
| MalwareBazaar.File.yara_rules.rule_name | String | Name of the YARA rule that matched the sample. |
| MalwareBazaar.File.yara_rules.author | String | Author of the YARA rule. |
| MalwareBazaar.File.yara_rules.description | String | Description of the YARA rule. |
| MalwareBazaar.File.yara_rules.reference | Unknown | Reference of the YARA rule. |
| MalwareBazaar.File.vendor_intel.ANY.RUN | Unknown | Dynamic malware analysis from ANY.RUN. |
| MalwareBazaar.File.vendor_intel.CAPE | Unknown | Dynamic malware analysis from CAPE sandbox. |
| MalwareBazaar.File.vendor_intel.CERT-PL_MWDB | Unknown | Threat intel from the CERT.PL malware database. |
| MalwareBazaar.File.vendor_intel.vxCube | Unknown | Dynamic malware analysis from Dr.Web vxCube. |
| MalwareBazaar.File.vendor_intel.DocGuard | Unknown | Office document reputation from DocGuard. |
| MalwareBazaar.File.vendor_intel.FileScan-IO | Unknown | Malware analysis service from FileScan.IO. |
| MalwareBazaar.File.vendor_intel.InQuest Labs | Unknown | File reputation service from InQuest Labs. |
| MalwareBazaar.File.vendor_intel.Intezer | Unknown | Code analysis from Intezer. |
| MalwareBazaar.File.vendor_intel.ReversingLabs | Unknown | File reputation and intelligence from ReversingLabs TitaniumCloud. |
| MalwareBazaar.File.vendor_intel.Spamhaus_HBL | Unknown | File reputation from Spamhaus Hash Blocklist (HBL). |
| MalwareBazaar.File.vendor_intel.Triage | Unknown | Dynamic malware analysis from Hatching Triage. |
| MalwareBazaar.File.vendor_intel.UnpacMe | Unknown | Malware unpacking service from UnpacMe. |
| MalwareBazaar.File.vendor_intel.VMRay | Unknown | Dynamic malware analysis from VMRay. |
| MalwareBazaar.File.vendor_intel.YOROI_YOMI | Unknown | Dynamic malware analysis from YOROI YOMI. |
| MalwareBazaar.File.comments.id | String | Unique ID that identifies this comment. |
| MalwareBazaar.File.comments.date_added | Date | Timestamp (UTC) of when this comment was made. |
| MalwareBazaar.File.comments.twitter_handle | String | Twitter handle of the comment's author. |
| MalwareBazaar.File.comments.display_name | String | Twitter display name of the comment's author. |
| MalwareBazaar.File.comments.comment | String | The comment itself. |
| DBotScore.Indicator | String | The indicator that was tested. |
| DBotScore.Score | Number | The actual score. |
| DBotScore.Type | String | Type of indicator. |
| DBotScore.Vendor | String | Vendor used to calculate the score. |
| DBotScore.Reliability | String | The reliability of the vendor. |
| File.MD5 | String | MD5 hash of the file submitted for analysis. |
| File.SHA1 | String | SHA1 hash of the file submitted for analysis. |
| File.SHA256 | String | SHA256 hash of the file submitted for analysis. |
| File.Size | String | Size of the file submitted for analysis. |
| File.Malicious.Vendor | String | For malicious files, the vendor that made the decision. |
| File.Malicious.Description | String | For malicious files, the reason the vendor made the decision. |
| File.Relationships.EntityA | String | The source of the relationship. |
| File.Relationships.EntityB | String | The destination of the relationship. |
| File.Relationships.Relationship | String | The name of the relationship. |
| File.Relationships.EntityAType | String | The type of the source of the relationship. |
| File.Relationships.EntityBType | String | The type of the destination of the relationship. |
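The context paths above are the product of a small mapping: validate the hash argument, ask MalwareBazaar about it, and turn the answer into a DBotScore, a File indicator and (when a family is known) an indicator-of relationship. The Python below is an added illustration of that mapping, not the integration's own code. The reply shape follows MalwareBazaar's public `get_info` query (`query_status` plus a `data` list), the digests in the constructed reply are placeholders, and the choice of score values (0 for a hash MalwareBazaar has never seen, 3 for a hosted sample) is an assumption about how such a command would behave.

```python
import re
from typing import Any, Dict, Optional

VENDOR = "MalwareBazaar"
DBOT_UNKNOWN, DBOT_BAD = 0, 3  # Cortex XSOAR DBotScore values: 0 = unknown, 3 = malicious

# The `file` command accepts MD5, SHA1 or SHA256 digests; anything else is
# rejected before it reaches the API.
HASH_PATTERNS = {
    "md5": re.compile(r"^[0-9a-f]{32}$", re.IGNORECASE),
    "sha1": re.compile(r"^[0-9a-f]{40}$", re.IGNORECASE),
    "sha256": re.compile(r"^[0-9a-f]{64}$", re.IGNORECASE),
}


def hash_type(value: str) -> Optional[str]:
    """Return 'md5', 'sha1' or 'sha256' for a well-formed hex digest, else None."""
    value = value.strip()
    for name, pattern in HASH_PATTERNS.items():
        if pattern.match(value):
            return name
    return None


def build_file_context(query_hash: str, api_reply: Dict[str, Any],
                       reliability: str) -> Dict[str, Any]:
    """Map one MalwareBazaar reply for query_hash onto the DBotScore, File and
    MalwareBazaar.File context paths (assumed layout, mirroring the table above)."""
    if hash_type(query_hash) is None:
        raise ValueError(f"not an MD5, SHA1 or SHA256 hex digest: {query_hash!r}")

    dbot = {"Indicator": query_hash, "Type": "file", "Vendor": VENDOR,
            "Reliability": reliability, "Score": DBOT_UNKNOWN}
    file_ctx: Dict[str, Any] = {}
    mb_file: Dict[str, Any] = {}

    # A sample MalwareBazaar has never seen comes back with a non-"ok" status
    # (for example "hash_not_found"). That is "unknown", not "benign", so the
    # score stays 0 and no File.Malicious entry is produced.
    if api_reply.get("query_status") == "ok" and api_reply.get("data"):
        sample = api_reply["data"][0]
        mb_file = dict(sample)
        dbot["Score"] = DBOT_BAD  # everything MalwareBazaar hosts is a confirmed sample
        file_ctx = {
            "MD5": sample.get("md5_hash"),
            "SHA1": sample.get("sha1_hash"),
            "SHA256": sample.get("sha256_hash"),
            "Size": sample.get("file_size"),
            "Type": sample.get("file_type"),
            "Malicious": {"Vendor": VENDOR, "Description": sample.get("comment")},
        }
        family = sample.get("signature")
        if family:  # the family name becomes an indicator-of relationship
            file_ctx["Relationships"] = [{
                "EntityA": sample.get("sha256_hash"), "EntityAType": "File",
                "EntityB": family, "EntityBType": "Malware",
                "Relationship": "indicator-of",
            }]
    return {"DBotScore": dbot, "File": file_ctx, "MalwareBazaar": {"File": mb_file}}


# Constructed reply in the shape of a MalwareBazaar get_info answer; the digests
# are placeholders, not real sample hashes.
SAMPLE_SHA256 = "00" * 32
FOUND_REPLY = {
    "query_status": "ok",
    "data": [{
        "sha256_hash": SAMPLE_SHA256, "sha1_hash": "11" * 20, "md5_hash": "22" * 16,
        "file_size": 472064, "file_type": "exe", "signature": "AgentTesla",
        "tags": ["AgentTesla", "exe"], "comment": None,
    }],
}
NOT_FOUND_REPLY = {"query_status": "hash_not_found"}

if __name__ == "__main__":
    for reply in (FOUND_REPLY, NOT_FOUND_REPLY):
        print(build_file_context(SAMPLE_SHA256, reply, "A - Completely reliable")["DBotScore"])
```

The point worth keeping from this sketch is the "not found" branch: a hash absent from MalwareBazaar says nothing about the file, so it must surface as an unknown verdict rather than a clean one, and the reliability string from the instance configuration travels with every DBotScore so downstream playbooks can weigh it.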

Command Example#

!file file=094fd325049b8a9cf6d3e5ef2a6d4cc6a567d7d49c35f8bb8dd9e3c6acf3d78d

Context Example#

{
  "DBotScore": {
    "Indicator": "123094fd325049b8a9cf6d3e5ef2a6d4cc6a567d7d49c35f8bb8dd9e3c6acf3d78d",
    "Reliability": "A - Completely reliable",
    "Score": 3,
    "Type": "file",
    "Vendor": "MalwareBazaar"
  },
  "File": {
    "MD5": "1232f6432c5af8d10b04caed90d410ec7ad",
    "Malicious": {
      "Description": null,
      "Vendor": "MalwareBazaar"
    },
    "Relationships": [
      {
        "EntityA": "123094fd325049b8a9cf6d3e5ef2a6d4cc6a567d7d49c35f8bb8dd9e3c6acf3d78d",
        "EntityAType": "File",
        "EntityB": "AgentTesla",
        "EntityBType": "Malware",
        "Relationship": "indicator-of"
      }
    ],
    "SHA1": "1234b1fc10818dd534922feef4d521eb3574337e3c0",
    "SHA256": "123094fd325049b8a9cf6d3e5ef2a6d4cc6a567d7d49c35f8bb8dd9e3c6acf3d78d",
    "Size": 472064,
    "Type": "exe"
  },
  "MalwareBazaar": {
    "File": {
      "anonymous": 0,
      "code_sign": null,
      "comment": null,
      "comments": [
        {
          "comment": "test",
          "date_added": "2021-09-26 07:07:00",
          "display_name": "mr tall",
          "id": "25397",
          "twitter_handle": "tiulog"
        },
        {
          "comment": "test",
          "date_added": "2021-09-26 08:16:59",
          "display_name": "mr tall",
          "id": "25405",
          "twitter_handle": "tiulog"
        },
        {
          "comment": "Swiss chocolate is the best chocolate",
          "date_added": "2021-09-26 14:57:36",
          "display_name": "mr tall",
          "id": "25412",
          "twitter_handle": "tiulog"
        },
        {
          "comment": "test",
          "date_added": "2021-09-29 15:10:09",
          "display_name": "mr tall",
          "id": "25689",
          "twitter_handle": "tiulog"
        },
        {
          "comment": "test new",
          "date_added": "2021-10-03 10:53:34",
          "display_name": "mr tall",
          "id": "25968",
          "twitter_handle": "tiulog"
        },
        {
          "comment": "test",
          "date_added": "2021-10-03 11:03:32",
          "display_name": "mr tall",
          "id": "25978",
          "twitter_handle": "tiulog"
        },
        {
          "comment": "test",
          "date_added": "2021-10-04 09:07:37",
          "display_name": "mr tall",
          "id": "26069",
          "twitter_handle": "tiulog"
        },
        {
          "comment": "test new",
          "date_added": "2021-10-04 11:15:43",
          "display_name": "mr tall",
          "id": "26098",
          "twitter_handle": "tiulog"
        },
        {
          "comment": "test new",
          "date_added": "2021-10-04 11:15:58",
          "display_name": "mr tall",
          "id": "26099",
          "twitter_handle": "tiulog"
        },
        {
          "comment": "test",
          "date_added": "2021-10-04 11:26:47",
          "display_name": "mr tall",
          "id": "26100",
          "twitter_handle": "tiulog"
        },
        {
          "comment": "test",
          "date_added": "2021-10-04 12:11:40",
          "display_name": "mr tall",
          "id": "26106",
          "twitter_handle": "tiulog"
        },
        {
          "comment": "test",
          "date_added": "2021-10-04 12:41:08",
          "display_name": "mr tall",
          "id": "26109",
          "twitter_handle": "tiulog"
        },
        {
          "comment": "test",
          "date_added": "2021-10-05 08:20:09",
          "display_name": "mr tall",
          "id": "26169",
          "twitter_handle": "tiulog"
        },
        {
          "comment": "test_module",
          "date_added": "2021-10-05 13:56:59",
          "display_name": "mr tall",
          "id": "26190",
          "twitter_handle": "tiulog"
        },
        {
          "comment": "test_module",
          "date_added": "2021-10-05 14:06:40",
          "display_name": "mr tall",
          "id": "26194",
          "twitter_handle": "tiulog"
        },
        {
          "comment": "test",
          "date_added": "2021-10-05 15:14:51",
          "display_name": "mr tall",
          "id": "26200",
          "twitter_handle": "tiulog"
        },
        {
          "comment": "test",
          "date_added": "2021-10-05 15:16:17",
          "display_name": "mr tall",
          "id": "26201",
          "twitter_handle": "tiulog"
        },
        {
          "comment": "test",
          "date_added": "2021-10-06 14:42:17",
          "display_name": "mr tall",
          "id": "26263",
          "twitter_handle": "tiulog"
        },
        {
          "comment": "test",
          "date_added": "2021-10-07 07:13:43",
          "display_name": "mr tall",
          "id": "26325",
          "twitter_handle": "tiulog"
        },
        {
          "comment": "test",
          "date_added": "2021-10-07 07:16:53",
          "display_name": "mr tall",
          "id": "26326",
          "twitter_handle": "tiulog"
        },
        {
          "comment": "test",
          "date_added": "2021-10-07 07:17:36",
          "display_name": "mr tall",
          "id": "26327",
          "twitter_handle": "tiulog"
        },
        {
          "comment": "test",
          "date_added": "2021-10-07 07:43:28",
          "display_name": "mr tall",
          "id": "26328",
          "twitter_handle": "tiulog"
        },
        {
          "comment": "test",
          "date_added": "2021-10-07 07:46:45",
          "display_name": "mr tall",
          "id": "26329",
          "twitter_handle": "tiulog"
        },
        {
          "comment": "test",
          "date_added": "2021-10-07 11:39:00",
          "display_name": "mr tall",
          "id": "26353",
          "twitter_handle": "tiulog"
        },
        {
          "comment": "test",
          "date_added": "2021-10-07 11:39:55",
          "display_name": "mr tall",
          "id": "26354",
          "twitter_handle": "tiulog"
        },
        {
          "comment": "test",
          "date_added": "2021-10-07 11:41:41",
          "display_name": "mr tall",
          "id": "26355",
          "twitter_handle": "tiulog"
        },
        {
          "comment": "test",
          "date_added": "2021-10-07 11:50:55",
          "display_name": "mr tall",
          "id": "26356",
          "twitter_handle": "tiulog"
        },
        {
          "comment": "test",
          "date_added": "2021-10-07 12:19:14",
          "display_name": "mr tall",
          "id": "26357",
          "twitter_handle": "tiulog"
        },
        {
          "comment": "test",
          "date_added": "2021-10-07 13:11:26",
          "display_name": "mr tall",
          "id": "26361",
          "twitter_handle": "tiulog"
        },
        {
          "comment": "test",
          "date_added": "2021-10-07 15:44:49",
          "display_name": "mr tall",
          "id": "26367",
          "twitter_handle": "tiulog"
        },
        {
          "comment": "test",
          "date_added": "2021-10-10 09:17:58",
          "display_name": "mr tall",
          "id": "26633",
          "twitter_handle": "tiulog"
        }
      ],
      "delivery_method": null,
      "dhash_icon": null,
      "file_information": null,
      "file_name": "COPY-SCANB840284-IMG-2020-13-02-DOCUMENT-PDF.exe",
      "file_size": 472064,
      "file_type": "exe",
      "file_type_mime": "application/x-dosexec",
      "first_seen": "2020-02-13 11:55:46",
      "imphash": "123f34d5f2d4577ed6d9ceec516c1f5a744",
      "intelligence": {
        "clamav": [
          "SecuriteInfo.com.Trojan.PackedNET.211.15710.28159.UNOFFICIAL"
        ],
        "downloads": "2596",
        "mail": null,
        "uploads": "2"
      },
      "last_seen": "2021-06-02 16:06:57",
      "md5_hash": "2f6432c5af8d10b04caed90d410ec7ad",
      "ole_information": [],
      "origin_country": "CH",
      "reporter": "abuse_ch",
      "sha1_hash": "1234b1fc10818dd534922feef4d521eb3574337e3c0",
      "sha256_hash": "123094fd325049b8a9cf6d3e5ef2a6d4cc6a567d7d49c35f8bb8dd9e3c6acf3d78d",
      "sha3_384_hash": "11239ae5c4841f72a91eb66db9191d879a33cf87e69f07809105d25de6aa90fbce69c9e795a4a0b984bd33537502361bb9b",
      "signature": "AgentTesla",
      "ssdeep": "12288:GCU4gtAxIflaBAFGWf1yN6OcsiUIpqpcsHs4d8/U:MwIflaBaIH2Us69d88",
      "tags": [
        "AgentTesla",
        "exe"
      ],
      "telfhash": null,
      "tlsh": "65A4BF181BB98C13F54BA6BAC4D942C9E2FCD57B8907F759D41129D60F0ABA7AC023C7",
      "vendor_intel": {
        "ReversingLabs": {
          "first_seen": "2020-02-14 04:28:36",
          "scanner_count": "31",
          "scanner_match": "26",
          "scanner_percent": "83.87",
          "status": "MALICIOUS",
          "threat_name": "ByteCode-MSIL.Trojan.Kryptik"
        },
        "Spamhaus_HBL": [
          {
            "detection": "malicious",
            "link": "https://www.test.com"
          }
        ],
        "Triage": {
          "link": "https://tria.ge/reports/201109-7p6mxbz6r2/",
          "malware_config": [],
          "malware_family": "agenttesla",
          "score": "10",
          "signatures": [
            {
              "score": "10",
              "signature": "AgentTesla"
            },
            {
              "score": "9",
              "signature": "AgentTesla Payload"
            },
            {
              "score": "7",
              "signature": "Reads data files stored by FTP clients"
            },
            {
              "score": "7",
              "signature": "Reads user/profile data of local email clients"
            },
            {
              "score": "7",
              "signature": "Reads user/profile data of web browsers"
            },
            {
              "score": "6",
              "signature": "Adds Run key to start application"
            },
            {
              "score": "6",
              "signature": "Looks up external IP address via web service"
            },
            {
              "score": "5",
              "signature": "Suspicious use of SetThreadContext"
            },
            {
              "score": null,
              "signature": "Suspicious behavior: EnumeratesProcesses"
            },
            {
              "score": null,
              "signature": "Suspicious behavior: MapViewOfSection"
            },
            {
              "score": null,
              "signature": "Suspicious use of AdjustPrivilegeToken"
            },
            {
              "score": null,
              "signature": "Suspicious use of SetWindowsHookEx"
            },
            {
              "score": null,
              "signature": "Suspicious use of WriteProcessMemory"
            }
          ],
          "tags": [
            "family:agenttesla",
            "keylogger",
            "persistence",
            "spyware",
            "stealer",
            "trojan"
          ]
        },
        "YOROI_YOMI": {
          "detection": "Unknown",
          "score": "1.00"
        }
      },
      "yara_rules": [
        {
          "author": "JPCERT/CC Incident Response Group",
          "description": "detect Agenttesla in memory",
          "reference": "internal research",
          "rule_name": "Agenttesla_type2"
        },
        {
          "author": "Brian C. Bell -- @biebsmalwareguy",
          "description": null,
          "reference": "https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar",
          "rule_name": "CAP_HookExKeylogger"
        },
        {
          "author": "Daniel Plohmann <daniel.plohmann@fkie.fraunhofer.de>",
          "description": null,
          "reference": null,
          "rule_name": "win_agent_tesla_g2"
        }
      ]
    }
  }
}

Human Readable Output#

MalwareBazaar File reputation for: 094fd325049b8a9cf6d3e5ef2a6d4cc6a567d7d49c35f8bb8dd9e3c6acf3d78d#

| Md5 Hash | Sha256 Hash | Sha1 Hash | File Name | File Type | File Size | Tags | First Seen | Last Seen | Signature | Ssdeep | Reporter | Imphash | Yara Rules Names |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| 2f6432c5af8d10b04caed90d410ec7ad | 094fd325049b8a9cf6d3e5ef2a6d4cc6a567d7d49c35f8bb8dd9e3c6acf3d78d | 4b1fc10818dd534922feef4d521eb3574337e3c0 | COPY-SCANB840284-IMG-2020-13-02-DOCUMENT-PDF.exe | exe | 472064 | AgentTesla, exe | 2020-02-13 11:55:46 | 2021-06-02 16:06:57 | AgentTesla | 12288:GCU4gtAxIflaBAFGWf1yN6OcsiUIpqpcsHs4d8/U:MwIflaBaIH2Us69d88 | abuse_ch | f34d5f2d4577ed6d9ceec516c1f5a744 | Agenttesla_type2, CAP_HookExKeylogger, win_agent_tesla_g2 |

malwarebazaar-download-sample#


Download a malware sample from MalwareBazaar. Any malware sample downloaded from MalwareBazaar is zipped and password protected using the password "infected" (without "").

Base Command#

malwarebazaar-download-sample

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| sha256_hash | SHA256 hash of the malware sample to download. | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| File.Size | String | The size of the file. |
| File.SHA1 | String | The SHA1 hash of the file. |
| File.SHA256 | String | The SHA256 hash of the file. |
| File.SHA512 | String | The SHA512 hash of the file. |
| File.Name | String | The name of the file. |
| File.SSDeep | String | The SSDeep hash of the file. |
| File.EntryID | String | Entry ID of the file. |
| File.Info | String | Information about the file. |
| File.Type | String | The file type. |
| File.MD5 | String | The MD5 hash of the file. |
| File.Extension | String | The extension of the file. |
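Note that the File.* hashes above describe the zip archive, not the sample inside it (the context example below shows a .zip with its own digests). Before the archive is handed to an analyst or a sandbox, it is worth confirming that the single member really has the SHA256 that was requested, and doing so without ever writing the inflated bytes to disk. The Python below is an added example of that check, not part of the integration. It uses only the standard library; the test archive it builds is unencrypted, because `zipfile` cannot write password-protected zips, while `ZipFile.open(..., pwd=b"infected")` accepts the page's password on real downloads. `MAX_INFLATED_BYTES` is an assumed ceiling, and the payload is a constructed placeholder, not a sample.

```python
import hashlib
import io
import zipfile
from typing import Any, Dict

ZIP_PASSWORD = b"infected"              # MalwareBazaar's fixed archive password
MAX_INFLATED_BYTES = 200 * 1024 * 1024  # assumed ceiling: refuse to inflate more than this


def verify_sample_archive(archive: bytes, expected_sha256: str,
                          password: bytes = ZIP_PASSWORD) -> Dict[str, Any]:
    """Hash the archive's single member in memory and report whether it is the
    sample that was asked for. Nothing is written to disk."""
    result: Dict[str, Any] = {"ok": False, "name": None, "size": 0, "reason": ""}
    try:
        zf = zipfile.ZipFile(io.BytesIO(archive))
    except zipfile.BadZipFile as exc:
        result["reason"] = f"not a zip archive: {exc}"
        return result
    with zf:
        members = [m for m in zf.infolist() if not m.is_dir()]
        if len(members) != 1:
            result["reason"] = f"expected one file in the archive, found {len(members)}"
            return result
        info = members[0]
        result["name"] = info.filename
        # The size recorded in the central directory can be forged, so the
        # ceiling is enforced on the bytes actually inflated, not on info.file_size.
        digest = hashlib.sha256()
        total = 0
        with zf.open(info, pwd=password) as fh:  # pwd is ignored for unencrypted members
            while True:
                chunk = fh.read(1 << 16)
                if not chunk:
                    break
                total += len(chunk)
                if total > MAX_INFLATED_BYTES:
                    result["reason"] = "member exceeds the inflate ceiling"
                    return result
                digest.update(chunk)
        result["size"] = total
        actual = digest.hexdigest()
        if actual != expected_sha256.strip().lower():
            result["reason"] = f"sha256 mismatch: got {actual}"
            return result
        result["ok"] = True
        return result


def make_test_archive(members: Dict[str, bytes]) -> bytes:
    """Build a constructed, unencrypted archive for testing the verifier."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, payload in members.items():
            zf.writestr(name, payload)
    return buf.getvalue()


# Constructed inert payload standing in for a downloaded sample.
SAMPLE_PAYLOAD = b"constructed test payload, not a real sample\n"
SAMPLE_SHA256 = hashlib.sha256(SAMPLE_PAYLOAD).hexdigest()

if __name__ == "__main__":
    archive = make_test_archive({"sample.bin": SAMPLE_PAYLOAD})
    print(verify_sample_archive(archive, SAMPLE_SHA256))
    print(verify_sample_archive(archive, "00" * 32))
```

The standard library only understands the legacy ZipCrypto scheme; if a download turns out to be AES-encrypted, `pyzipper.AESZipFile` exposes the same `open(..., pwd=...)` interface and can be swapped in without changing the verifier. A mismatch between the requested hash and the member's digest is worth treating as an incident in its own right, since it means the artefact being triaged is not the one the case refers to.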

Command Example#

!malwarebazaar-download-sample sha256_hash=094fd325049b8a9cf6d3e5ef2a6d4cc6a567d7d49c35f8bb8dd9e3c6acf3d78

Context Example#

{
  "File": {
    "EntryID": "7712@e99f97d1-7225-4c75-896c-3c960febbe8c",
    "Extension": "zip",
    "Info": "application/zip",
    "MD5": "12323c96a2ba1a4d7cd8d179641aac32f0d",
    "Name": "094fd325049b8a9cf6d3e5ef2a6d4cc6a567d7d49c35f8bb8dd9e3c6acf3d78.zip",
    "SHA1": "123b11025b4d625079d201ac9ba0552291a60be9c1e",
    "SHA256": "123d727a2f40a5151d7a0e3bf9ebf77a8bf17a965505eb6db68080a38330c3fb743",
    "SHA512": "12349f45537621ac26e7c5d7fea643fba27153070a52b8ebc56cab7e8522f5d8087697be6df969e9cfac74cefddceb6271aae1796f819fa3f405f909e3a488e4d18",
    "SSDeep": "1233:HzH1IOH0Wp6FYn:Hr1I2xaY",
    "Size": 45,
    "Type": "JSON data"
  }
}

Human Readable Output#

malwarebazaar-comment-add#


Add a comment for a malware sample.

Base Command#

malwarebazaar-comment-add

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| sha256_hash | SHA256 hash of the malware sample to comment on. | Required |
| comment | The comment to add to the sample. | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| MalwareBazaar.MalwarebazaarCommentAdd.sha256_hash | String | SHA256 hash of the given file. |
| MalwareBazaar.MalwarebazaarCommentAdd.comment | String | The comment that was added to the malware sample. |

Command Example#

!malwarebazaar-comment-add comment="test" sha256_hash=094fd325049b8a9cf6d3e5ef2a6d4cc6a567d7d49c35f8bb8dd9e3c6acf3d78d

Context Example#

{
  "MalwareBazaar": {
    "MalwarebazaarCommentAdd": {
      "comment": "test",
      "sha256_hash": "123094fd325049b8a9cf6d3e5ef2a6d4cc6a567d7d49c35f8bb8dd9e3c6acf3d78d"
    }
  }
}

Human Readable Output#

Comment added to 094fd325049b8a9cf6d3e5ef2a6d4cc6a567d7d49c35f8bb8dd9e3c6acf3d78d malware sample successfully

malwarebazaar-samples-list#


Retrieves a list of recent malware samples (maximum 1000) associated with a specific sample type. Note that you can use either the limit argument or the page and page_size arguments, not both.

Base Command#

malwarebazaar-samples-list

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| sample_type | Type of the sample. Possible values are: tag, signature, file_type, clamav, imphash, yara_rule, issuer_cn. | Required |
| sample_value | Value of the selected sample type. | Required |
| limit | Maximum number of results to return. Default is 1000. Note that when sample_type is issuer_cn, all relevant results are returned (maximum 100). | Optional |
| page | Page number to view. Each page contains page_size values. Must be used along with the page_size argument. | Optional |
| page_size | Number of results per page to display. | Optional |
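The argument rules above (one of limit or page/page_size, page only together with page_size, the 1000-result ceiling and the 100-result ceiling for issuer_cn) are easy to get subtly wrong in a playbook. The Python below is an added example of validating them and turning them into a slice over the API's result list; it is not the integration's own code. Treating page_size without page as page 1 is an assumption, as is the placeholder sample list used to exercise the slice.

```python
from typing import Any, Dict, List, Optional, Tuple

SAMPLE_TYPES = {"tag", "signature", "file_type", "clamav", "imphash", "yara_rule", "issuer_cn"}
API_MAX = 1000       # largest result set the command returns for one query
ISSUER_CN_MAX = 100  # issuer_cn queries are capped at 100 results


def validate_args(sample_type: str, limit: Optional[int] = None,
                  page: Optional[int] = None, page_size: Optional[int] = None) -> Optional[str]:
    """Return an error message for an invalid argument combination, or None if valid."""
    if sample_type not in SAMPLE_TYPES:
        return f"unknown sample_type {sample_type!r}; expected one of {sorted(SAMPLE_TYPES)}"
    paging = page is not None or page_size is not None
    if paging and limit is not None:
        return "use either limit or page/page_size, not both"
    if page is not None and page_size is None:
        return "page must be used together with page_size"
    if page is not None and page < 1:
        return "page must be >= 1"
    if page_size is not None and page_size < 1:
        return "page_size must be >= 1"
    if limit is not None and limit < 1:
        return "limit must be >= 1"
    return None


def resolve_window(sample_type: str, limit: Optional[int] = None,
                   page: Optional[int] = None, page_size: Optional[int] = None) -> Tuple[int, int]:
    """Translate the arguments into [start, stop) bounds over the result list,
    never exceeding the ceiling that applies to this sample_type."""
    error = validate_args(sample_type, limit, page, page_size)
    if error:
        raise ValueError(error)
    cap = ISSUER_CN_MAX if sample_type == "issuer_cn" else API_MAX
    if page_size is not None:
        page = 1 if page is None else page  # assumption: page_size alone means the first page
        start = min((page - 1) * page_size, cap)
        return start, min(start + page_size, cap)
    return 0, min(API_MAX if limit is None else limit, cap)


def select_samples(samples: List[Dict[str, Any]], sample_type: str,
                   limit: Optional[int] = None, page: Optional[int] = None,
                   page_size: Optional[int] = None) -> List[Dict[str, Any]]:
    """Apply the resolved window to the list the API returned."""
    start, stop = resolve_window(sample_type, limit, page, page_size)
    return samples[start:stop]


# Constructed stand-in for an API result list; the digests are placeholders.
SAMPLE_LIST = [{"sha256_hash": f"{i:064x}", "signature": "TrickBot"} for i in range(1, 6)]

if __name__ == "__main__":
    print(resolve_window("tag", limit=2))
    print(resolve_window("issuer_cn", limit=500))
    print([s["sha256_hash"][-1] for s in select_samples(SAMPLE_LIST, "tag", page=2, page_size=2)])
    print(validate_args("tag", limit=5, page=1, page_size=5))
```

Rejecting the mixed form up front matters more than it looks: an automation that silently honours limit and ignores page will keep returning the first page while the analyst believes they are walking through the whole result set.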

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| MalwareBazaar.MalwarebazaarSamplesList.sha256_hash | String | SHA256 hash of the malware sample. |
| MalwareBazaar.MalwarebazaarSamplesList.sha3_384_hash | String | SHA3-384 hash of the malware sample. |
| MalwareBazaar.MalwarebazaarSamplesList.sha1_hash | String | SHA1 hash of the malware sample. |
| MalwareBazaar.MalwarebazaarSamplesList.md5_hash | String | MD5 hash of the malware sample. |
| MalwareBazaar.MalwarebazaarSamplesList.first_seen | Date | Timestamp of when the file was first seen by MalwareBazaar (UTC). |
| MalwareBazaar.MalwarebazaarSamplesList.last_seen | Date | Timestamp of when the file was last seen by MalwareBazaar (UTC). |
| MalwareBazaar.MalwarebazaarSamplesList.file_name | String | Malware sample's file name. |
| MalwareBazaar.MalwarebazaarSamplesList.file_size | Number | File size in bytes. |
| MalwareBazaar.MalwarebazaarSamplesList.file_type_mime | String | MIME file type. |
| MalwareBazaar.MalwarebazaarSamplesList.file_type | String | File type. |
| MalwareBazaar.MalwarebazaarSamplesList.reporter | String | Twitter handle of the reporter (or anonymous for anonymous submissions). |
| MalwareBazaar.MalwarebazaarSamplesList.anonymous | Number | Whether the submission of the sample was anonymous: 1 (true) or 0 (false). |
| MalwareBazaar.MalwarebazaarSamplesList.signature | String | Malware family (if available). |
| MalwareBazaar.MalwarebazaarSamplesList.imphash | String | Import hash (imphash) of the sample; only available for Portable Executables. |
| MalwareBazaar.MalwarebazaarSamplesList.tlsh | String | Trend Micro Locality Sensitive Hash (tlsh) of the sample. |
| MalwareBazaar.MalwarebazaarSamplesList.telfhash | String | Trend Micro ELF Hash (telfhash) of the sample. |
| MalwareBazaar.MalwarebazaarSamplesList.ssdeep | String | The SSDeep hash of the sample. |
| MalwareBazaar.MalwarebazaarSamplesList.dhash_icon | Unknown | If the file is a Portable Executable, the dhash of the sample's icon. |
| MalwareBazaar.MalwarebazaarSamplesList.tags | String | List of tags. |
| MalwareBazaar.MalwarebazaarSamplesList.code_sign.subject_cn | String | Subject common name (CN). |
| MalwareBazaar.MalwarebazaarSamplesList.code_sign.issuer_cn | String | Issuer common name (CN). |
| MalwareBazaar.MalwarebazaarSamplesList.code_sign.algorithm | String | Algorithm used. |
| MalwareBazaar.MalwarebazaarSamplesList.code_sign.valid_from | Date | Datetime from which the code signature was valid. |
| MalwareBazaar.MalwarebazaarSamplesList.code_sign.valid_to | Date | Datetime until which the code signature was valid (expiry date). |
| MalwareBazaar.MalwarebazaarSamplesList.code_sign.serial_number | String | Serial number of the code-signing certificate. |
| MalwareBazaar.MalwarebazaarSamplesList.code_sign.cscb_listed | String | Whether the certificate is listed in the Code Signing Certificate Blocklist (CSCB). |
| MalwareBazaar.MalwarebazaarSamplesList.code_sign.cscb_reason | String | Code Signing Certificate Blocklist (CSCB) listing reason. |
| MalwareBazaar.MalwarebazaarSamplesList.intelligence.clamav | String | List of ClamAV detections (official and unofficial rules). |
| MalwareBazaar.MalwarebazaarSamplesList.intelligence.downloads | Number | Number of downloads from MalwareBazaar. |
| MalwareBazaar.MalwarebazaarSamplesList.intelligence.uploads | Number | Number of uploads to MalwareBazaar. |
| MalwareBazaar.MalwarebazaarSamplesList.intelligence.mail | String | Indicates whether this malware sample has been seen in global spam traffic. |

Command Example#

!malwarebazaar-samples-list sample_type=tag sample_value=TrickBot limit=2

Context Example#

{
  "MalwareBazaar": {
    "MalwarebazaarSamplesList": [
      {
        "anonymous": 0,
        "code_sign": [],
        "dhash_icon": "0000000000000000",
        "file_name": "ee566f0e04b497770c5baa4de14c416f.exe",
        "file_size": 656384,
        "file_type": "exe",
        "file_type_mime": "application/x-dosexec",
        "first_seen": "2021-11-07 08:38:51",
        "imphash": "2a49715e49b2891839bf716e121ca434",
        "intelligence": {
          "clamav": [
            "SecuriteInfo.com.Variant.Fragtor.38286.19831.22095.UNOFFICIAL"
          ],
          "downloads": "92",
          "mail": null,
          "uploads": "1"
        },
        "last_seen": null,
        "md5_hash": "ee566f0e04b497770c5baa4de14c416f",
        "reporter": "abuse_ch",
        "sha1_hash": "98f77caf24f14dca0fa163596a730269037f2065",
        "sha256_hash": "06dac5f720847ff3c99c75a950a8b07dbf090127f770171f8d005a0c76c20de9",
        "sha3_384_hash": "84f65cac42470c9f3920019b8fb60f3975be1c0528c180a180839b60198b36de966f6cae2aabf532b3c5c777dd75a027",
        "signature": "TrickBot",
        "ssdeep": "12288:InZndx1krxFPqBSPcLQuDACflBMhhDKG/M:AZdxuQSP/u8Qm5J",
        "tags": [
          "exe",
          "TrickBot"
        ],
        "telfhash": null,
        "tlsh": "T115D4E0103390C032D5A324718A69DBB58E7EB861676275CF3BD91E7E5F24AD1EA3430E"
      },
      {
        "anonymous": 0,
        "code_sign": [],
        "dhash_icon": "0000000000000000",
        "file_name": "7425c5e4bd0f910f80a1ab456b68e192.exe",
        "file_size": 656896,
        "file_type": "exe",
        "file_type_mime": "application/x-dosexec",
        "first_seen": "2021-11-07 08:35:14",
        "imphash": "2a49715e49b2891839bf716e121ca434",
        "intelligence": {
          "clamav": [
            "SecuriteInfo.com.Variant.Fragtor.38286.19831.22095.UNOFFICIAL"
          ],
          "downloads": "90",
          "mail": null,
          "uploads": "1"
        },
        "last_seen": null,
        "md5_hash": "7425c5e4bd0f910f80a1ab456b68e192",
        "reporter": "abuse_ch",
        "sha1_hash": "dbd26c846e03f94aa1451b6b73e1fa138ea5a953",
        "sha256_hash": "3d775f1f2da385ed73d988930d9c9675fc2e466098bb5f19c8501a723e14f437",
        "sha3_384_hash": "b5ae6ff44057229fbc1af7e68527ebc5cb4f018c9cbfe20a06c8594c401ab708a4d9a7fc69fa10929365695c11f01ca7",
        "signature": "TrickBot",
        "ssdeep": "12288:5nZndx1krxFPqBSPw7bQ9k03GxGprGwbKM:9ZdxuQSPw72k034GJGf",
        "tags": [
          "exe",
          "TrickBot"
        ],
        "telfhash": null,
        "tlsh": "T12FD4E0213290C032D1A324718E66DBB98E7EB861775265CF3BD90E7D4F24BD1EA3531A"
      }
    ]
  }
}

Human Readable Output#

Sample List#

| Md5 Hash | Sha256 Hash | Sha1 Hash | File Name | File Type | File Size | Tags | First Seen |
| --- | --- | --- | --- | --- | --- | --- | --- |
| ee566f0e04b497770c5baa4de14c416f | 06dac5f720847ff3c99c75a950a8b07dbf090127f770171f8d005a0c76c20de9 | 98f77caf24f14dca0fa163596a730269037f2065 | ee566f0e04b497770c5baa4de14c416f.exe | exe | 656384 | exe, TrickBot | 2021-11-07 08:38:51 |
| 7425c5e4bd0f910f80a1ab456b68e192 | 3d775f1f2da385ed73d988930d9c9675fc2e466098bb5f19c8501a723e14f437 | dbd26c846e03f94aa1451b6b73e1fa138ea5a953 | 7425c5e4bd0f910f80a1ab456b68e192.exe | exe | 656896 | exe, TrickBot | 2021-11-07 08:35:14 |