MalwareBazaar
This Integration is part of the MalwareBazaar Pack.#
Supported versions
Supported Cortex XSOAR versions: 6.0.0 and later.
MalwareBazaar is a project from abuse.ch with the goal of sharing malware samples with the Infosec community, AV vendors, and threat intelligence providers. This integration was integrated and tested with version 1 of MalwareBazaar
Configure MalwareBazaar in Cortex#
| Parameter | Description | Required |
|---|---|---|
| Server URL | This is the API endpoint for the MalwareBazaar API. | True |
| User Name | API key is required only to add a comment to a malware sample. | False |
| API Key | False | |
| Source Reliability | Reliability of the source providing the intelligence data. | True |
| Use system proxy settings | False | |
| Trust any certificate (not secure) | False |
Commands#
You can execute these commands from the CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.
file#
Check if a particular malware sample is known to MalwareBazaar.
Base Command#
file
Input#
| Argument Name | Description | Required |
|---|---|---|
| file | A list of SHA256, MD5, or SHA1 hashes of the malware samples you want to query. | Required |
Context Output#
| Path | Type | Description |
|---|---|---|
| MalwareBazaar.File.sha256_hash | String | SHA256 hash of the malware sample. |
| MalwareBazaar.File.sha3_384_hash | String | SHA3-384 hash of the malware sample. |
| MalwareBazaar.File.sha1_hash | String | SHA1 hash of the malware sample. |
| MalwareBazaar.File.md5_hash | String | MD5 hash of the malware sample. |
| MalwareBazaar.File.first_seen | Date | Timestamp of when the file was first seen by MalwareBazaar in UTC format. |
| MalwareBazaar.File.last_seen | Date | Timestamp of when the file was last seen by MalwareBazaar in UTC format. |
| MalwareBazaar.File.file_name | String | Malware sample's file name. |
| MalwareBazaar.File.file_size | Number | Malware sample's file size in bytes. |
| MalwareBazaar.File.file_type_mime | String | Malware samples's MIME file type. |
| MalwareBazaar.File.file_type | String | Malware sample's file type. |
| MalwareBazaar.File.reporter | String | Twitter handle of the report (or anonymous for anonymous submissions). |
| MalwareBazaar.File.origin_country | String | Two letter country code of the country where the sample was uploaded from. |
| MalwareBazaar.File.anonymous | Number | Whether the submission of the sample was anonymous - 1 (true) or 0 (false). |
| MalwareBazaar.File.signature | String | Malware family (if available). |
| MalwareBazaar.File.imphash | String | Import hash (imphash) (only available for Portable Executables). |
| MalwareBazaar.File.tlsh | String | Trend Micro Locality Sensitive Hash (tlsh). |
| MalwareBazaar.File.telfhash | String | Trend Micro ELF Hash (telfhash). |
| MalwareBazaar.File.ssdeep | String | The SSDeep hash of the file. |
| MalwareBazaar.File.dhash_icon | Unknown | In case the file is a Portable Executable, the dhash of the sample's icon. |
| MalwareBazaar.File.comment | String | Comment in the malware sample. |
| MalwareBazaar.File.tags | String | List of tags in the malware sample. |
| MalwareBazaar.File.code_sign.subject_cn | String | Subject common name (CN). |
| MalwareBazaar.File.code_sign.issuer_cn | String | Issuer common name (CN). |
| MalwareBazaar.File.code_sign.algorithm | String | Algorithm used. |
| MalwareBazaar.File.code_sign.valid_from | Date | Datetime from which the code sign was valid. |
| MalwareBazaar.File.code_sign.valid_to | Date | Datetime until which the code sign was valid (expiry date). |
| MalwareBazaar.File.code_sign.serial_number | String | Serial number of the code sign. |
| MalwareBazaar.File.code_sign.cscb_listed | String | Whether the sample is listed in the Code Signing Certificate Blocklist (CSCB). |
| MalwareBazaar.File.code_sign.cscb_reason | String | Code Signing Certificate Blocklist (CSCB) listing reason. |
| MalwareBazaar.File.delivery_method | String | How the file was distributed. |
| MalwareBazaar.File.file_information | Unknown | Contextual information about the file sample. |
| MalwareBazaar.File.yara_rules.rule_name | String | Name of the YARA rule that triggered the malware. |
| MalwareBazaar.File.yara_rules.author | String | Author of the YARA rule. |
| MalwareBazaar.File.yara_rules.description | String | Description of the YARA rule. |
| MalwareBazaar.File.yara_rules.reference | Unknown | Reference of the YARA rule. |
| MalwareBazaar.File.vendor_intel.ANY.RUN | Unknown | Dynamic malware analysis from ANY.RUN. |
| MalwareBazaar.File.vendor_intel.CAPE | Unknown | Dynamic malware analysis from CAPE sandbox. |
| MalwareBazaar.File.vendor_intel.CERT-PL_MWDB | Unknown | Threat intel from CERT.PL Malware database. |
| MalwareBazaar.File.vendor_intel.vxCube | Unknown | Dynamic malware analysis from Dr.Web vxCube. |
| MalwareBazaar.File.vendor_intel.DocGuard | Unknown | Office document reputation from DocGuad. |
| MalwareBazaar.File.vendor_intel.FileScan-IO | Unknown | Malware analysis service from FileScan.IO. |
| MalwareBazaar.File.vendor_intel.InQuest Labs | Unknown | File reputation service from InQuest Labs. |
| MalwareBazaar.File.vendor_intel.Intezer | Unknown | Code analysis from Intezer. |
| MalwareBazaar.File.vendor_intel.ReversingLabs | Unknown | File reputation and intelligence from ReversingLabs TitaniumCloud. |
| MalwareBazaar.File.vendor_intel.Spamhaus_HBL | Unknown | File reputation from Spamhaus Hash Blocklist (HBL). |
| MalwareBazaar.File.vendor_intel.Triage | Unknown | Dynamic malware analysis from Hatching Triage. |
| MalwareBazaar.File.vendor_intel.UnpacMe | Unknown | Malware unpacking service from UnpacMe. |
| MalwareBazaar.File.vendor_intel.VMRay | Unknown | Dynamic malware analysis from VMRay. |
| MalwareBazaar.File.vendor_intel.YOROI_YOMI | Unknown | Dynamic malware analysis from YOROI YOMI. |
| MalwareBazaar.File.comments.id | String | Unique ID that identifies this comment. |
| MalwareBazaar.File.comments.date_added | Date | Timestamp (UTC) of when this comment was made. |
| MalwareBazaar.File.comments.twitter_handle | String | Twitter handle who wrote this comment. |
| MalwareBazaar.File.comments.display_name | String | Twitter display name. |
| MalwareBazaar.File.comments.comment | String | The comment itself. |
| DBotScore.Indicator | String | The indicator that was tested. |
| DBotScore.Score | Number | The actual score. |
| DBotScore.Type | String | The indicator type. |
| DBotScore.Vendor | String | The vendor used to calculate the score. |
| DBotScore.Reliability | String | The reliability of the vendor. |
| File.MD5 | String | MD5 hash of the file submitted for analysis. |
| File.SHA1 | String | SHA1 hash of the file submitted for analysis. |
| File.SHA256 | String | SHA256 hash of the file submitted for analysis. |
| File.Size | String | Size of the file submitted for analysis. |
| File.Malicious.Vendor | String | For malicious files, the vendor that made the decision. |
| File.Malicious.Description | String | For malicious files, the reason that the vendor made the decision. |
| File.Relationships.EntityA | String | The source of the relationship. |
| File.Relationships.EntityB | String | The destination of the relationship. |
| File.Relationships.Relationship | String | The name of the relationship. |
| File.Relationships.EntityAType | String | The type of the source of the relationship. |
| File.Relationships.EntityBType | String | The type of the destination of the relationship. |
Command Example#
!file file=094fd325049b8a9cf6d3e5ef2a6d4cc6a567d7d49c35f8bb8dd9e3c6acf3d78d
Context Example#
Human Readable Output#
MalwareBazaar File reputation for: 094fd325049b8a9cf6d3e5ef2a6d4cc6a567d7d49c35f8bb8dd9e3c6acf3d78d#
Md5 Hash Sha256 Hash Sha1 Hash File Name File Type File Size Tags First Seen Last Seen Signature Ssdeep Reporter Imphash Yara Rules Names 2f6432c5af8d10b04caed90d410ec7ad 094fd325049b8a9cf6d3e5ef2a6d4cc6a567d7d49c35f8bb8dd9e3c6acf3d78d 4b1fc10818dd534922feef4d521eb3574337e3c0 COPY-SCANB840284-IMG-2020-13-02-DOCUMENT-PDF.exe exe 472064 AgentTesla,
exe2020-02-13 11:55:46 2021-06-02 16:06:57 AgentTesla 12288:GCU4gtAxIflaBAFGWf1yN6OcsiUIpqpcsHs4d8/U:MwIflaBaIH2Us69d88 abuse_ch f34d5f2d4577ed6d9ceec516c1f5a744 Agenttesla_type2,
CAP_HookExKeylogger,
win_agent_tesla_g2
malwarebazaar-download-sample#
Download a malware sample from MalwareBazaar. Any malware sample downloaded from MalwareBazaar is zipped and password protected using the password "infected" (without "").
Base Command#
malwarebazaar-download-sample
Input#
| Argument Name | Description | Required |
|---|---|---|
| sha256_hash | SHA256 hash of the malware sample to download. | Required |
Context Output#
| Path | Type | Description |
|---|---|---|
| File.Size | String | The size of the file. |
| File.SHA1 | String | The SHA1 hash of the file. |
| File.SHA256 | String | The SHA256 hash of the file. |
| File.SHA512 | String | The SHA512 hash of the file. |
| File.Name | String | The name of the file. |
| File.SSDeep | String | The SSDeep hash of the file. |
| File.EntryID | String | Entry ID of the file. |
| File.Info | String | Information about the file. |
| File.Type | String | The file type. |
| File.MD5 | String | The MD5 hash of the file. |
| File.Extension | String | The extension of the file. |
Command Example#
!malwarebazaar-download-sample sha256_hash=094fd325049b8a9cf6d3e5ef2a6d4cc6a567d7d49c35f8bb8dd9e3c6acf3d78
Context Example#
Human Readable Output#
malwarebazaar-comment-add#
Add a comment for a malware sample.
Base Command#
malwarebazaar-comment-add
Input#
| Argument Name | Description | Required |
|---|---|---|
| sha256_hash | SHA256 hash of the malware sample to add a comment. | Required |
| comment | The comment to add to the sample. | Required |
Context Output#
| Path | Type | Description |
|---|---|---|
| MalwareBazaar.MalwarebazaarCommentAdd.sha256_hash | String | SHA256 hash of given file. |
| MalwareBazaar.MalwarebazaarCommentAdd.comment | String | The comment that was added to the malware sample. |
Command Example#
!malwarebazaar-comment-add comment="test" sha256_hash=094fd325049b8a9cf6d3e5ef2a6d4cc6a567d7d49c35f8bb8dd9e3c6acf3d78d
Context Example#
Human Readable Output#
Comment added to 094fd325049b8a9cf6d3e5ef2a6d4cc6a567d7d49c35f8bb8dd9e3c6acf3d78d malware sample successfully
malwarebazaar-samples-list#
Retrieves a list of recent malware samples (maximum 1000) associated with a specific sample type. Note that you can either use the limit argument or the page and page_size argument.
Base Command#
malwarebazaar-samples-list
Input#
| Argument Name | Description | Required |
|---|---|---|
| sample_type | Type of the sample. Possible values are: tag, signature, file_type, clamav, imphash, yara_rule, issuer_cn. | Required |
| sample_value | Value of the sample selected. | Required |
| limit | Maximum number of results to return. Default is 1000. Note that when using the issuer_cn argument, all relevant results will display (maximum 100). | Optional |
| page | Page number to view. Each page contains page_size values. Must be used along with the page_size argument. | Optional |
| page_size | Number of results per page to display. | Optional |
Context Output#
| Path | Type | Description |
|---|---|---|
| MalwareBazaar.MalwarebazaarSamplesList.sha256_hash | String | SHA256 hash of the malware sample. |
| MalwareBazaar.MalwarebazaarSamplesList.sha3_384_hash | String | SHA3-384 hash of the malware sample. |
| MalwareBazaar.MalwarebazaarSamplesList.sha1_hash | String | SHA1 hash of the malware sample. |
| MalwareBazaar.MalwarebazaarSamplesList.md5_hash | String | MD5 hash of the malware sample. |
| MalwareBazaar.MalwarebazaarSamplesList.first_seen | Date | Timestamp of when the file was first seen by MalwareBazaar (UTC). |
| MalwareBazaar.MalwarebazaarSamplesList.last_seen | Date | Timestamp of when the file was last seen by MalwareBazaar (UTC). |
| MalwareBazaar.MalwarebazaarSamplesList.file_name | String | Malware sample's file name. |
| MalwareBazaar.MalwarebazaarSamplesList.file_size | Number | File size in bytes. |
| MalwareBazaar.MalwarebazaarSamplesList.file_type_mime | String | MIME file type. |
| MalwareBazaar.MalwarebazaarSamplesList.file_type | String | File type. |
| MalwareBazaar.MalwarebazaarSamplesList.reporter | String | Twitter handle of the report (or anonymous for anonymous submissions). |
| MalwareBazaar.MalwarebazaarSamplesList.anonymous | Number | Whether the submission of the sample was anonymous - 1 (true) or 0 (false). |
| MalwareBazaar.MalwarebazaarSamplesList.signature | String | Malware family (if available). |
| MalwareBazaar.MalwarebazaarSamplesList.imphash | String | Import hash (imphash) of the sample (only available for Portable Executables). |
| MalwareBazaar.MalwarebazaarSamplesList.tlsh | String | Trend Micro Locality Sensitive Hash (tlsh) of the sample. |
| MalwareBazaar.MalwarebazaarSamplesList.telfhash | String | Trend Micro ELF Hash (telfhash) of the sample. |
| MalwareBazaar.MalwarebazaarSamplesList.ssdeep | String | The SSDeep hash of the sample. |
| MalwareBazaar.MalwarebazaarSamplesList.dhash_icon | Unknown | In case the file is a Portable Executable, the dhash of the samples icon. |
| MalwareBazaar.MalwarebazaarSamplesList.tags | String | List of tags. |
| MalwareBazaar.MalwarebazaarSamplesList.code_sign.subject_cn | String | Subject common name (CN). |
| MalwareBazaar.MalwarebazaarSamplesList.code_sign.issuer_cn | String | Issuer common name (CN). |
| MalwareBazaar.MalwarebazaarSamplesList.code_sign.algorithm | String | Algorithm used. |
| MalwareBazaar.MalwarebazaarSamplesList.code_sign.valid_from | Date | Datetime from which the code sign was valid. |
| MalwareBazaar.MalwarebazaarSamplesList.code_sign.valid_to | Date | Datetime until which the code sign was valid (expiry date). |
| MalwareBazaar.MalwarebazaarSamplesList.code_sign.serial_number | String | Serial number of the code sign. |
| MalwareBazaar.MalwarebazaarSamplesList.code_sign.cscb_listed | String | Whether the sample is listed in the Code Signing Certificate Blocklist (CSCB). |
| MalwareBazaar.MalwarebazaarSamplesList.code_sign.cscb_reason | String | Code Signing Certificate Blocklist (CSCB) listing reason. |
| MalwareBazaar.MalwarebazaarSamplesList.intelligence.clamav | String | List of ClamAV detections (official and unofficial rules). |
| MalwareBazaar.MalwarebazaarSamplesList.intelligence.downloads | Number | Number of downloads from MalwareBazaar. |
| MalwareBazaar.MalwarebazaarSamplesList.intelligence.uploads | Number | Number of uploads to MalwareBazaar. |
| MalwareBazaar.MalwarebazaarSamplesList.intelligence.mail | String | Indicates if this malware sample has been seen in global spam traffic. |
Command Example#
!malwarebazaar-samples-list sample_type=tag sample_value=TrickBot limit=2
Context Example#
Human Readable Output#
Sample List#
Md5 Hash Sha256 Hash Sha1 Hash File Name File Type File Size Tags First Seen ee566f0e04b497770c5baa4de14c416f 06dac5f720847ff3c99c75a950a8b07dbf090127f770171f8d005a0c76c20de9 98f77caf24f14dca0fa163596a730269037f2065 ee566f0e04b497770c5baa4de14c416f.exe exe 656384 exe,
TrickBot2021-11-07 08:38:51 7425c5e4bd0f910f80a1ab456b68e192 3d775f1f2da385ed73d988930d9c9675fc2e466098bb5f19c8501a723e14f437 dbd26c846e03f94aa1451b6b73e1fa138ea5a953 7425c5e4bd0f910f80a1ab456b68e192.exe exe 656896 exe,
TrickBot2021-11-07 08:35:14