Malware Bazaar
App Vendor: abuse.ch
App Category: Data Enrichment & Threat Intelligence
Connector Version: 1.0.0
API Version: v1
About App
The Malware Bazaar app lets you upload or download malware samples and run automated bulk queries to obtain intel from Malware Bazaar.
The Malware Bazaar app is configured with Orchestrate to perform the following actions:
Action Name | Description |
---|---|
Upload Malware Samples | This action uploads malware samples to Malware Bazaar. |
Download Malware Sample | This action downloads malware samples from Malware Bazaar. |
Query Malware Sample | This action checks whether a particular malware sample is known to Malware Bazaar. |
Get Query Tag List | This action retrieves a list of malware samples associated with a specific tag. |
Get Query Signature List | This action retrieves a list of malware samples associated with a specific signature. |
Get Query Filetype List | This action retrieves a list of malware samples having a specific file type. |
Get Query ClamAV List | This action retrieves a list of malware samples associated with a specific ClamAV signature. |
Get Query Imphash List | This action retrieves a list of malware samples associated with a specific imphash. |
Get Query TLSH Hash List | This action retrieves a list of malware samples associated with a specific TLSH hash. |
Get Query Telfhash Hash List | This action retrieves a list of malware samples associated with a specific telfhash hash. |
Get Query Icon List | This action retrieves a list of malware samples that have a specific icon, identified by the icon's dhash. |
Get Query YARA Rule List | This action retrieves a list of malware samples associated with a specific YARA rule. |
Get Query Code Signing Certificates by Issuer | This action retrieves a list of malware samples that are using a code sign certificate issued by a certain Certificate Authority (issuer CN). |
Get Query Code Signing Certificates by Subject | This action retrieves a list of malware samples that are signed with a code sign certificate that matches a certain Subject Common Name (CN). |
Update Entry | This action updates an existing entry (malware sample). |
Add Comment | This action adds a comment to a malware sample. |
Dump Content | This action dumps the content of the Malware Bazaar code signing certificate blocklist (CSCB). |
Get Recent Samples | This action retrieves a list of malware samples added to Malware Bazaar within the last 60 minutes or the latest 100 additions. |
Configuration Parameters
The following configuration parameters are required for the Malware Bazaar app to communicate with the Malware Bazaar enterprise application. The parameters can be configured by creating instances in the app.
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Base URL | Enter the base URL to access the Malware Bazaar application. | Text | Required | |
API Key | Enter the API key. | Password | Required | |
Verify | Choose whether to verify the SSL certificates. Example: false | Boolean | Optional | Default value: true. Allowed values: true, false |
Action: Upload Malware Samples
This action uploads malware samples to Malware Bazaar.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
File | Enter the path of the malware sample that needs to be uploaded. Example: "/tmp/d984xx40-730f-4de7-b117-ddc2x9cf1762/sample_file" | Text | Required | |
Anonymous | Enter 1 to upload the malware sample anonymously. Example: 1 | Integer | Optional | Default value: 0. If you pass 0, the malware sample is not uploaded anonymously. |
Tags | Enter the tags. Example: $LIST[example, sample] | List | Optional | |
References | Enter references as a key-value pair. Example: {'links':'https://domain.tld/blog','any_run':'https://app.any.run/tasks/xyz'} | Key Value | Optional | |
Context | Enter context as a key-value pair. Example: { "dropped_by_md5": "68b329da98xxe34099c7d8axxcb9c940", "dropped_by_malware": "gozi"} | Key Value | Optional | |
Delivery Method | Enter the delivery method. Example: "email_attachment" | Text | Optional | Allowed values: |
Example Request
[ { "file": "/tmp/d984xx40-730f-4de7-b117-ddc2x9cf1762/sample_file", "anonymous": 1, "tags": ["example", "sample"], "references": {"links": "https://domain.tld/blog", "any_run": "https://app.any.run/tasks/xyz"}, "context": { "dropped_by_md5": "68b329da98xxe34099c7d8axxcb9c940", "dropped_by_malware": "gozi"}, "delivery_method": "email_attachment" } ]
Action: Download Malware Sample
This action downloads malware samples from Malware Bazaar.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Hash Value | Enter the SHA256 hash of the malware sample that is to be downloaded. Example: "80856a0fa6e70b90xx31bea004dd61d3e2xxsd56706813654601ade6ee9f87bcd" | Text | Required | |
Example Request
[ { "hash_value": "80856a0fa6e70b90xx31bea004dd61d3e2xxsd56706813654601ade6ee9f87bcd" } ]
Action: Query Malware Sample
This action checks whether a particular malware sample is known to Malware Bazaar.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Hash Value | Enter the SHA256, MD5, or SHA1 hash of the malware sample that needs to be checked. Example: "80856a0fa6e70b90xx31bea004dd61d3e2xxsd56706813654601ade6ee9f87bcd" | Text | Required | |
Example Request
[ { "hash_value": "80856a0fa6e70b90xx31bea004dd61d3e2xxsd56706813654601ade6ee9f87bcd" } ]
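As an added example that is not part of this connector documentation, the following Python helper validates the hash input before building the request bodies shown for the Download Malware Sample, Query Malware Sample and Add Comment actions, and applies the documented default limit of 100 for the Get Query ... List actions. The action and key names come from this page; the helper functions themselves are assumptions of this example.

```python
import re

# Hex-digest formats for the hash types named in the parameter tables
# (constructed for this example, not taken from the connector code).
HASH_PATTERNS = {
    "md5": re.compile(r"^[0-9a-f]{32}$"),
    "sha1": re.compile(r"^[0-9a-f]{40}$"),
    "sha256": re.compile(r"^[0-9a-f]{64}$"),
}

# Hash types each documented action accepts: Download and Add Comment take
# SHA256 only, Query Malware Sample takes SHA256, MD5 or SHA1.
ACTION_HASH_TYPES = {
    "download_malware_sample": {"sha256"},
    "query_malware_sample": {"sha256", "md5", "sha1"},
    "add_comment": {"sha256"},
}


def classify_hash(value: str):
    """Return 'md5', 'sha1' or 'sha256' for a hex digest, else None."""
    candidate = value.strip().lower()
    for name, pattern in HASH_PATTERNS.items():
        if pattern.match(candidate):
            return name
    return None


def build_hash_request(action: str, hash_value: str) -> list:
    """Build the [{"hash_value": ...}] body shown on this page, rejecting
    malformed digests and hash types the action does not accept."""
    if action not in ACTION_HASH_TYPES:
        raise ValueError(f"unknown hash-based action: {action}")
    kind = classify_hash(hash_value)
    if kind is None:
        raise ValueError("hash_value is not a hex MD5, SHA1 or SHA256 digest")
    if kind not in ACTION_HASH_TYPES[action]:
        allowed = ", ".join(sorted(ACTION_HASH_TYPES[action]))
        raise ValueError(f"{action} accepts {allowed}, got {kind}")
    return [{"hash_value": hash_value.strip().lower()}]


def build_list_request(key: str, value: str, limit: int = 100) -> list:
    """Build a [{key: value, "limit": limit}] body for the Get Query ... List
    actions; limit defaults to the documented 100 and must be positive."""
    if not value or not value.strip():
        raise ValueError(f"{key} is required")
    if isinstance(limit, bool) or not isinstance(limit, int) or limit <= 0:
        raise ValueError("limit must be a positive integer")
    return [{key: value.strip(), "limit": limit}]
```

Validating the digest before the action runs avoids a failed playbook step on a mistyped or wrong-type hash (for example an MD5 passed to Download Malware Sample, which accepts SHA256 only).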
Action: Get Query Tag List
This action retrieves a list of malware samples associated with a specific tag.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Tag | Enter a tag to query a related list of malware samples. Example: "trickbot" | Text | Required | |
Limit | Enter the maximum number of results to be displayed. Example: 40 | Integer | Optional | Default value: 100 |
Example Request
[ { "tag": "trickbot", "limit": 40 } ]
Action: Get Query Signature List
This action retrieves a list of malware samples associated with a specific signature.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Signature | Enter the signature to retrieve a list of malware samples. Example: "trickbot" | Text | Required | |
Limit | Enter the maximum number of results to be displayed. Example: 80 | Integer | Optional | Default value: 100 |
Example Request
[ { "signature": "trickbot", "limit": 40 } ]
Action: Get Query Filetype List
This action retrieves a list of recent malware samples with a specific file type.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Filetype | Enter a file type to retrieve a list of malware samples. Example: "elf" | Text | Required | |
Limit | Enter the maximum number of results to be retrieved. Example: 40 | Integer | Optional | Default value: 100 |
Example Request
[ { "filetype": "elf", "limit": 40 } ]
Action: Get Query ClamAV List
This action retrieves a list of recent malware samples associated with a specific ClamAV signature.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
ClamAV | Enter the ClamAV signature. Example: "doc.downloader.emotet-7580152-0" | Text | Required | |
Limit | Enter the maximum number of results to be retrieved. Example: 40 | Integer | Optional | Default value: 100 |
Example Request
[ { "calmav": "doc.downloader.emotet-7580152-0", "limit": 40 } ]
Action: Get Query Imphash List
This action retrieves a list of malware samples associated with a specific imphash.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Imphash | Enter an imphash to retrieve a list of malware samples. Example: "45d579faec0eaf279c0841b2233727cf" | Text | Required | |
Limit | Enter the maximum number of results to be retrieved. Example: 40 | Integer | Optional | Default value: 100 |
Example Request
[ { "imphash": "45d579faec0eaf279c0841b2233727cf", "limit": 40 } ]
Action: Get Query TLSH Hash List
This action retrieves a list of malware samples associated with a specific TLSH hash.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
TLSH | Enter a TLSH hash to retrieve a list of malware samples. Example: "d2057e62e291d876d02605398c6bd638582bbf257578491f2be93c0c6f7738234bbd4b" | Text | Required | |
Limit | Enter the maximum number of results to be retrieved. Example: 40 | Integer | Optional | Default value: 100 |
Example Request
[ { "tlsh":"d2057e62e291d876d02605398c6bd638582bbf257578491f2be93c0c6f7738234bbd4b", "limit": 40 } ]
Action: Get Query Telfhash Hash List
This action retrieves a list of malware samples associated with a specific telfhash hash.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Telf Hash | Enter a telfhash hash to retrieve a list of malware samples. Example: "t155212bf31dbe09e8b7f0a500c31a5bd31d6ee63b257031a44672d92422d39d1a0bac3a" | Text | Required | |
Limit | Enter the maximum number of results to be retrieved. Example: 40 | Integer | Optional | Default value: 100 |
Example Request
[ { "telf_hash":"t155212bf31dbe09e8b7f0a500c31a5bd31d6ee63b257031a44672d92422d39d1a0bac3a", "limit": 40 } ]
Action: Get Query Icon List
This action retrieves a list of malware samples that have a specific icon, identified by the icon's dhash.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Icon Dhash | Enter an icon's dhash to retrieve a list of malware samples. Example: "48b9b2b0e8c18c90" | Text | Required | |
Limit | Enter the maximum number of results to be retrieved. Example: 40 | Integer | Optional | Default value: 100 |
Example Request
[ { "icon_dhash":"48b9b2b0e8c18c90", "limit": 40 } ]
Action: Get Query YARA Rule List
This action retrieves a list of malware samples associated with a specific YARA rule.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
YARA Rule | Enter the name of a YARA rule. Example: "win_remcos_g0" | Text | Required | |
Limit | Enter the maximum number of results to be retrieved. Example: 40 | Integer | Optional | Default value: 100 |
Example Request
[ { "yara_rule":"win_remcos_g0", "limit": 40 } ]
Action: Get Query Code Signing Certificates by Issuer
This action retrieves a list of malware samples that are using a code sign certificate issued by a certain Certificate Authority (Issuer CN).
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Issuer CN | Enter the Issuer Common Name (CN). Example: "Sectigo RSA Code Signing CA" | Text | Required | |
Example Request
[ { "issuer_cn": "Sectigo RSA Code Signing CA" } ]
Action: Get Query Code Signing Certificates by Subject
This action retrieves a list of malware samples that are signed with a code sign certificate that matches a certain Subject Common Name (CN).
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Subject CN | Enter a Subject Common Name (CN). Example: "Ekitai Data Inc." | Text | Required | |
Example Request
[ { "subject_cn": "Ekitai Data Inc." } ]
Action: Update Entry
This action updates an existing entry (malware sample). You can only update malware samples that are uploaded by you.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Hash Value | Enter a SHA256 hash of the malware sample that needs to be updated. Example: "094fd325049b8a9cf6d3e5ef2a6d4cc6a567d7d49c35f8bb8dd9e3c6acf3d78d" | Text | Required | |
Key | Enter the key that needs to be updated. Example: "links" | Text | Required | For the supported keys, see the Update an Entry action in the Malware Bazaar API documentation. |
Value | Enter the new value for the key. Example: "https://www.abuse.ch" | Text | Required | |
Example Request
[ { "sha256_hash": "d9b05da007d51cf86d4a6448d17183ab69a195436fe17b497185149676d0e77b", "key": "links", "value": "https://www.abuse.ch" } ]
Action: Add Comment
This action adds a comment to a malware sample.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Hash Value | Enter the SHA256 hash of the malware sample. Example: "094fd325049b8a9cf6d3e5ef2a6d4cc6a567d7d49c35f8bb8dd9e3c6acf3d78d" | Text | Required | |
Comment | Enter a comment. Example: "Cybersecurity is interesting" | Text | Required | |
Example Request
[ { "hash_value": "094fd325049b8a9cf6d3e5ef2a6d4cc6a567d7d49c35f8bb8dd9e3c6acf3d78d", "comment": "Cybersecurity is interesting" } ]
Action: Dump Content
This action dumps the content of the Malware Bazaar Code Signing Certificate Blocklist (CSCB).
Action Input Parameters
This action does not require any action input parameter.
Action: Get Recent Samples
This action retrieves a list of malware samples added to Malware Bazaar within the last 60 minutes or the latest 100 additions.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Latest | Enter true to retrieve a list of malware samples added to Malware Bazaar within the last 60 minutes. Example: true | Boolean | Optional | Allowed values: true, false. Default value: false. By default, the latest 100 malware samples uploaded to Malware Bazaar are retrieved. |
Example Request
[ { "latest": true } ]