MalwareBazaar
This Integration is part of the MalwareBazaar Pack.#
Supported versions
Supported Cortex XSOAR versions: 6.0.0 and later.
MalwareBazaar is a project from abuse.ch with the goal of sharing malware samples with the Infosec community, AV vendors, and threat intelligence providers. This integration was integrated and tested with version 1 of MalwareBazaar
Configure MalwareBazaar on Cortex XSOAR#
Navigate to Settings > Integrations > Servers & Services.
Search for MalwareBazaar.
Click Add instance to create and configure a new integration instance.
Parameter Description Required Server URL This is the API endpoint for the MalwareBazaar API. True User Name API key is required only to add a comment to a malware sample. False API Key False Source Reliability Reliability of the source providing the intelligence data. True Use system proxy settings False Trust any certificate (not secure) False Click Test to validate the URLs, token, and connection.
Commands#
You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.
file#
Check if a particular malware sample is known to MalwareBazaar.
Base Command#
file
Input#
| Argument Name | Description | Required |
|---|---|---|
| file | A list of SHA256, MD5, or SHA1 hashes of the malware samples you want to query. | Required |
Context Output#
| Path | Type | Description |
|---|---|---|
| MalwareBazaar.File.sha256_hash | String | SHA256 hash of the malware sample. |
| MalwareBazaar.File.sha3_384_hash | String | SHA3-384 hash of the malware sample. |
| MalwareBazaar.File.sha1_hash | String | SHA1 hash of the malware sample. |
| MalwareBazaar.File.md5_hash | String | MD5 hash of the malware sample. |
| MalwareBazaar.File.first_seen | Date | Timestamp of when the file was first seen by MalwareBazaar in UTC format. |
| MalwareBazaar.File.last_seen | Date | Timestamp of when the file was last seen by MalwareBazaar in UTC format. |
| MalwareBazaar.File.file_name | String | Malware sample's file name. |
| MalwareBazaar.File.file_size | Number | Malware sample's file size in bytes. |
| MalwareBazaar.File.file_type_mime | String | Malware samples's MIME file type. |
| MalwareBazaar.File.file_type | String | Malware sample's file type. |
| MalwareBazaar.File.reporter | String | Twitter handle of the report (or anonymous for anonymous submissions). |
| MalwareBazaar.File.origin_country | String | Two letter country code of the country where the sample was uploaded from. |
| MalwareBazaar.File.anonymous | Number | Whether the submission of the sample was anonymous - 1 (true) or 0 (false). |
| MalwareBazaar.File.signature | String | Malware family (if available). |
| MalwareBazaar.File.imphash | String | Import hash (imphash) (only available for Portable Executables). |
| MalwareBazaar.File.tlsh | String | Trend Micro Locality Sensitive Hash (tlsh). |
| MalwareBazaar.File.telfhash | String | Trend Micro ELF Hash (telfhash). |
| MalwareBazaar.File.ssdeep | String | The SSDeep hash of the file. |
| MalwareBazaar.File.dhash_icon | Unknown | In case the file is a Portable Executable, the dhash of the sample's icon. |
| MalwareBazaar.File.comment | String | Comment in the malware sample. |
| MalwareBazaar.File.tags | String | List of tags in the malware sample. |
| MalwareBazaar.File.code_sign.subject_cn | String | Subject common name (CN). |
| MalwareBazaar.File.code_sign.issuer_cn | String | Issuer common name (CN). |
| MalwareBazaar.File.code_sign.algorithm | String | Algorithm used. |
| MalwareBazaar.File.code_sign.valid_from | Date | Datetime from which the code sign was valid. |
| MalwareBazaar.File.code_sign.valid_to | Date | Datetime until which the code sign was valid (expiry date). |
| MalwareBazaar.File.code_sign.serial_number | String | Serial number of the code sign. |
| MalwareBazaar.File.code_sign.cscb_listed | String | Whether the sample is listed in the Code Signing Certificate Blocklist (CSCB). |
| MalwareBazaar.File.code_sign.cscb_reason | String | Code Signing Certificate Blocklist (CSCB) listing reason. |
| MalwareBazaar.File.delivery_method | String | How the file was distributed. |
| MalwareBazaar.File.file_information | Unknown | Contextual information about the file sample. |
| MalwareBazaar.File.yara_rules.rule_name | String | Name of the YARA rule that triggered the malware. |
| MalwareBazaar.File.yara_rules.author | String | Author of the YARA rule. |
| MalwareBazaar.File.yara_rules.description | String | Description of the YARA rule. |
| MalwareBazaar.File.yara_rules.reference | Unknown | Reference of the YARA rule. |
| MalwareBazaar.File.vendor_intel.ANY.RUN | Unknown | Dynamic malware analysis from ANY.RUN. |
| MalwareBazaar.File.vendor_intel.CAPE | Unknown | Dynamic malware analysis from CAPE sandbox. |
| MalwareBazaar.File.vendor_intel.CERT-PL_MWDB | Unknown | Threat intel from CERT.PL Malware database. |
| MalwareBazaar.File.vendor_intel.vxCube | Unknown | Dynamic malware analysis from Dr.Web vxCube. |
| MalwareBazaar.File.vendor_intel.DocGuard | Unknown | Office document reputation from DocGuad. |
| MalwareBazaar.File.vendor_intel.FileScan-IO | Unknown | Malware analysis service from FileScan.IO. |
| MalwareBazaar.File.vendor_intel.InQuest Labs | Unknown | File reputation service from InQuest Labs. |
| MalwareBazaar.File.vendor_intel.Intezer | Unknown | Code analysis from Intezer. |
| MalwareBazaar.File.vendor_intel.ReversingLabs | Unknown | File reputation and intelligence from ReversingLabs TitaniumCloud. |
| MalwareBazaar.File.vendor_intel.Spamhaus_HBL | Unknown | File reputation from Spamhaus Hash Blocklist (HBL). |
| MalwareBazaar.File.vendor_intel.Triage | Unknown | Dynamic malware analysis from Hatching Triage. |
| MalwareBazaar.File.vendor_intel.UnpacMe | Unknown | Malware unpacking service from UnpacMe. |
| MalwareBazaar.File.vendor_intel.VMRay | Unknown | Dynamic malware analysis from VMRay. |
| MalwareBazaar.File.vendor_intel.YOROI_YOMI | Unknown | Dynamic malware analysis from YOROI YOMI. |
| MalwareBazaar.File.comments.id | String | Unique ID that identifies this comment. |
| MalwareBazaar.File.comments.date_added | Date | Timestamp (UTC) of when this comment was made. |
| MalwareBazaar.File.comments.twitter_handle | String | Twitter handle who wrote this comment. |
| MalwareBazaar.File.comments.display_name | String | Twitter display name. |
| MalwareBazaar.File.comments.comment | String | The comment itself. |
| DBotScore.Indicator | String | The indicator that was tested. |
| DBotScore.Score | Number | The actual score. |
| DBotScore.Type | String | The indicator type. |
| DBotScore.Vendor | String | The vendor used to calculate the score. |
| DBotScore.Reliability | String | The reliability of the vendor. |
| File.MD5 | String | MD5 hash of the file submitted for analysis. |
| File.SHA1 | String | SHA1 hash of the file submitted for analysis. |
| File.SHA256 | String | SHA256 hash of the file submitted for analysis. |
| File.Size | String | Size of the file submitted for analysis. |
| File.Malicious.Vendor | String | For malicious files, the vendor that made the decision. |
| File.Malicious.Description | String | For malicious files, the reason that the vendor made the decision. |
| File.Relationships.EntityA | String | The source of the relationship. |
| File.Relationships.EntityB | String | The destination of the relationship. |
| File.Relationships.Relationship | String | The name of the relationship. |
| File.Relationships.EntityAType | String | The type of the source of the relationship. |
| File.Relationships.EntityBType | String | The type of the destination of the relationship. |
Command Example#
!file file=094fd325049b8a9cf6d3e5ef2a6d4cc6a567d7d49c35f8bb8dd9e3c6acf3d78d
Context Example#
Human Readable Output#
MalwareBazaar File reputation for: 094fd325049b8a9cf6d3e5ef2a6d4cc6a567d7d49c35f8bb8dd9e3c6acf3d78d#
Md5 Hash Sha256 Hash Sha1 Hash File Name File Type File Size Tags First Seen Last Seen Signature Ssdeep Reporter Imphash Yara Rules Names 2f6432c5af8d10b04caed90d410ec7ad 094fd325049b8a9cf6d3e5ef2a6d4cc6a567d7d49c35f8bb8dd9e3c6acf3d78d 4b1fc10818dd534922feef4d521eb3574337e3c0 COPY-SCANB840284-IMG-2020-13-02-DOCUMENT-PDF.exe exe 472064 AgentTesla,
exe2020-02-13 11:55:46 2021-06-02 16:06:57 AgentTesla 12288:GCU4gtAxIflaBAFGWf1yN6OcsiUIpqpcsHs4d8/U:MwIflaBaIH2Us69d88 abuse_ch f34d5f2d4577ed6d9ceec516c1f5a744 Agenttesla_type2,
CAP_HookExKeylogger,
win_agent_tesla_g2
malwarebazaar-download-sample#
Download a malware sample from MalwareBazaar. Any malware sample downloaded from MalwareBazaar is zipped and password protected using the password "infected" (without "").
Base Command#
malwarebazaar-download-sample
Input#
| Argument Name | Description | Required |
|---|---|---|
| sha256_hash | SHA256 hash of the malware sample to download. | Required |
Context Output#
| Path | Type | Description |
|---|---|---|
| File.Size | String | The size of the file. |
| File.SHA1 | String | The SHA1 hash of the file. |
| File.SHA256 | String | The SHA256 hash of the file. |
| File.SHA512 | String | The SHA512 hash of the file. |
| File.Name | String | The name of the file. |
| File.SSDeep | String | The SSDeep hash of the file. |
| File.EntryID | String | Entry ID of the file. |
| File.Info | String | Information about the file. |
| File.Type | String | The file type. |
| File.MD5 | String | The MD5 hash of the file. |
| File.Extension | String | The extension of the file. |
Command Example#
!malwarebazaar-download-sample sha256_hash=094fd325049b8a9cf6d3e5ef2a6d4cc6a567d7d49c35f8bb8dd9e3c6acf3d78
Context Example#
Human Readable Output#
malwarebazaar-comment-add#
Add a comment for a malware sample.
Base Command#
malwarebazaar-comment-add
Input#
| Argument Name | Description | Required |
|---|---|---|
| sha256_hash | SHA256 hash of the malware sample to add a comment. | Required |
| comment | The comment to add to the sample. | Required |
Context Output#
| Path | Type | Description |
|---|---|---|
| MalwareBazaar.MalwarebazaarCommentAdd.sha256_hash | String | SHA256 hash of given file. |
| MalwareBazaar.MalwarebazaarCommentAdd.comment | String | The comment that was added to the malware sample. |
Command Example#
!malwarebazaar-comment-add comment="test" sha256_hash=094fd325049b8a9cf6d3e5ef2a6d4cc6a567d7d49c35f8bb8dd9e3c6acf3d78d
Context Example#
Human Readable Output#
Comment added to 094fd325049b8a9cf6d3e5ef2a6d4cc6a567d7d49c35f8bb8dd9e3c6acf3d78d malware sample successfully
malwarebazaar-samples-list#
Retrieves a list of recent malware samples (maximum 1000) associated with a specific sample type. Note that you can either use the limit argument or the page and page_size argument.
Base Command#
malwarebazaar-samples-list
Input#
| Argument Name | Description | Required |
|---|---|---|
| sample_type | Type of the sample. Possible values are: tag, signature, file_type, clamav, imphash, yara_rule, issuer_cn. | Required |
| sample_value | Value of the sample selected. | Required |
| limit | Maximum number of results to return. Default is 1000. Note that when using the issuer_cn argument, all relevant results will display (maximum 100). | Optional |
| page | Page number to view. Each page contains page_size values. Must be used along with the page_size argument. | Optional |
| page_size | Number of results per page to display. | Optional |
Context Output#
| Path | Type | Description |
|---|---|---|
| MalwareBazaar.MalwarebazaarSamplesList.sha256_hash | String | SHA256 hash of the malware sample. |
| MalwareBazaar.MalwarebazaarSamplesList.sha3_384_hash | String | SHA3-384 hash of the malware sample. |
| MalwareBazaar.MalwarebazaarSamplesList.sha1_hash | String | SHA1 hash of the malware sample. |
| MalwareBazaar.MalwarebazaarSamplesList.md5_hash | String | MD5 hash of the malware sample. |
| MalwareBazaar.MalwarebazaarSamplesList.first_seen | Date | Timestamp of when the file was first seen by MalwareBazaar (UTC). |
| MalwareBazaar.MalwarebazaarSamplesList.last_seen | Date | Timestamp of when the file was last seen by MalwareBazaar (UTC). |
| MalwareBazaar.MalwarebazaarSamplesList.file_name | String | Malware sample's file name. |
| MalwareBazaar.MalwarebazaarSamplesList.file_size | Number | File size in bytes. |
| MalwareBazaar.MalwarebazaarSamplesList.file_type_mime | String | MIME file type. |
| MalwareBazaar.MalwarebazaarSamplesList.file_type | String | File type. |
| MalwareBazaar.MalwarebazaarSamplesList.reporter | String | Twitter handle of the report (or anonymous for anonymous submissions). |
| MalwareBazaar.MalwarebazaarSamplesList.anonymous | Number | Whether the submission of the sample was anonymous - 1 (true) or 0 (false). |
| MalwareBazaar.MalwarebazaarSamplesList.signature | String | Malware family (if available). |
| MalwareBazaar.MalwarebazaarSamplesList.imphash | String | Import hash (imphash) of the sample (only available for Portable Executables). |
| MalwareBazaar.MalwarebazaarSamplesList.tlsh | String | Trend Micro Locality Sensitive Hash (tlsh) of the sample. |
| MalwareBazaar.MalwarebazaarSamplesList.telfhash | String | Trend Micro ELF Hash (telfhash) of the sample. |
| MalwareBazaar.MalwarebazaarSamplesList.ssdeep | String | The SSDeep hash of the sample. |
| MalwareBazaar.MalwarebazaarSamplesList.dhash_icon | Unknown | In case the file is a Portable Executable, the dhash of the samples icon. |
| MalwareBazaar.MalwarebazaarSamplesList.tags | String | List of tags. |
| MalwareBazaar.MalwarebazaarSamplesList.code_sign.subject_cn | String | Subject common name (CN). |
| MalwareBazaar.MalwarebazaarSamplesList.code_sign.issuer_cn | String | Issuer common name (CN). |
| MalwareBazaar.MalwarebazaarSamplesList.code_sign.algorithm | String | Algorithm used. |
| MalwareBazaar.MalwarebazaarSamplesList.code_sign.valid_from | Date | Datetime from which the code sign was valid. |
| MalwareBazaar.MalwarebazaarSamplesList.code_sign.valid_to | Date | Datetime until which the code sign was valid (expiry date). |
| MalwareBazaar.MalwarebazaarSamplesList.code_sign.serial_number | String | Serial number of the code sign. |
| MalwareBazaar.MalwarebazaarSamplesList.code_sign.cscb_listed | String | Whether the sample is listed in the Code Signing Certificate Blocklist (CSCB). |
| MalwareBazaar.MalwarebazaarSamplesList.code_sign.cscb_reason | String | Code Signing Certificate Blocklist (CSCB) listing reason. |
| MalwareBazaar.MalwarebazaarSamplesList.intelligence.clamav | String | List of ClamAV detections (official and unofficial rules). |
| MalwareBazaar.MalwarebazaarSamplesList.intelligence.downloads | Number | Number of downloads from MalwareBazaar. |
| MalwareBazaar.MalwarebazaarSamplesList.intelligence.uploads | Number | Number of uploads to MalwareBazaar. |
| MalwareBazaar.MalwarebazaarSamplesList.intelligence.mail | String | Indicates if this malware sample has been seen in global spam traffic. |
Command Example#
!malwarebazaar-samples-list sample_type=tag sample_value=TrickBot limit=2
Context Example#
Human Readable Output#
Sample List#
Md5 Hash Sha256 Hash Sha1 Hash File Name File Type File Size Tags First Seen ee566f0e04b497770c5baa4de14c416f 06dac5f720847ff3c99c75a950a8b07dbf090127f770171f8d005a0c76c20de9 98f77caf24f14dca0fa163596a730269037f2065 ee566f0e04b497770c5baa4de14c416f.exe exe 656384 exe,
TrickBot2021-11-07 08:38:51 7425c5e4bd0f910f80a1ab456b68e192 3d775f1f2da385ed73d988930d9c9675fc2e466098bb5f19c8501a723e14f437 dbd26c846e03f94aa1451b6b73e1fa138ea5a953 7425c5e4bd0f910f80a1ab456b68e192.exe exe 656896 exe,
TrickBot2021-11-07 08:35:14