MalwareBazaar API
MalwareBazaar offers the following APIs to not only submit (upload) or download malware samples but also to do automated bulk queries obtaining intel form MalwareBazaar.
Obtain an Auth-Key (Required)
In order to interact with the MalwareBazaar API, you need to obtain an Auth-Key
first. If you don't have one you can get one for free here:
Whenever you interact with the MalwareBazaar API, you must include the HTTP header Auth-Key
with your Auth-Key. Example wget
command:
wget --header "Auth-Key: YOUR-AUTH-KEY-HERE" --post-data "query=get_info&hash=094fd325049b8a9cf6d3e5ef2a6d4cc6a567d7d49c35f8bb8dd9e3c6acf3d78d" https://mb-api.abuse.ch/api/v1/ -O-
Submission Policy
Before you start to submit malware samples to MalwareBazaar, please read the following submission policy:
- Confirmed malware only: Please do only submit confirmed / vetted malware samples to MalwareBazaar. Do not submit any suspicious or benign files to MalwareBazaar.
- Adware is not malware: Unlike Malware, most common Adware (aka Potential Unwanted Programs - PUPs) do need some sort of user interaction. In many cases, they also come with a licences agreement that the user has to accept and that is more or less transparent with regards to what the Adware does. Please refrain from submitting Adware to MalwareBazaar.
- Fresh malware samples: There are gazillions malware samples out there. Please refrain from uploading malware samples older than 10 days to MalwareBazaar.
- No file infectors: Please do not upload any file infectors.
Note: Should you repeatedly violate the submission policy documented above, your account may get banned from contributing to MalwareBazaar.
Upload malware samples
You can upload (submit) malware samples to MalwareBazaar by using the API documented below, sending a multipart form POST request with file
(the actual file you want to submit) and json_data
(see documentation below) to https://mb-api.abuse.ch/api/v1/
.
Key | Required? | Comment | Example |
---|---|---|---|
anonymous | No | If set to 1, your submission will be anonymous. Default: 0 | 0 |
file | Yes | The malware sample you want to upload | |
tags | No | List of tags. Allowed characters: [A-Za-z0-9.- ] | exe |
references | No | References for this malware sample | |
Key | Example | ||
urlhaus | https://urlhaus.abuse.ch/url/318612/ | ||
any_run | https://app.any.run/tasks/XYZ | ||
joe_sandbox | https://www.joesecurity.org/reports/XYZ/ | ||
malpedia | https://malpedia.caad.fkie.fraunhofer.de/details/win.gozi | ||
https://twitter.com/abuse_ch/status/1224269018506330112 | |||
links | https://domain.tld/blog/interesting-malware.php | ||
context | No | Context for this malware sample | |
Key | Example | ||
dropped_by_md5 | 68b329da9893e34099c7d8ad5cb9c940 | ||
dropped_by_sha256 | 01ba4719c80b6fe911b091a7c... | ||
dropped_by_malware | Gozi | ||
dropping_md5 | 5fb882846518a38b42b74348bb3a838b | ||
dropping_sha256 | ddf42fa0c0c9f5e7c33dfe7cc6743... | ||
dropping_malware | Loki | ||
comment | This malware sample is very nasty! | ||
delivery_method | No | Delivery method used to spread this malware sample | |
Value | Meaning | ||
email_attachment | Distributed via e-mail attachment | ||
email_link | Distributed via e-mail link | ||
web_download | Distributed via web download | ||
web_drive-by | Distributed via drive-by | ||
multiple | Multiple delivery methods used | ||
other | Other delivery methods used |
To authenticate your request, you must send the HTTP header Auth-Key
with your personal Auth-Key:
Auth-Key: YOUR-AUTH-KEY-HERE
If you don't have an Auth-key yet you can get one for free here:
Possible response values are:
Key | Value | Comment |
---|---|---|
query_status | http_post_expected | The API expected a HTTP POST request |
no_api_key | You did not provide an API key. You can obtain one here | |
user_blacklisted | Your API key is blacklisted. Please contact us through the Spamhaus Technology contact form: https://www.spamhaus.com/#contact-form | |
file_already_known | The malware sample you have tried to submit is already known | |
inserted | The malware sample has been inserted into MalwareBazaar | |
file_expected | You did not send any file |
Here's a sample python3 script that submits malware sample to MalwareBazaar
#!/usr/bin/env python3 import requests import sys import json if len(sys.argv) > 1: file = sys.argv[1] else: print("Usage: python3 malware_Bazaar_submit.py <file>") quit() headers = {'Auth-Key': 'YOUR-AUTH-KEY-HERE'} data = { 'anonymous': 1, 'delivery_method': 'email_attachment', 'tags': [ 'exe', 'test' ], 'references': { 'any_run': [ 'https://app.any.run/tasks/1', 'https://app.any.run/tasks/2' ], 'joe_sandbox': [ 'https://www.joesecurity.org/reports/1', 'https://www.joesecurity.org/reports/2' ], 'malpedia': [ 'https://malpedia.caad.fkie.fraunhofer.de/details/win.gozi' ], 'twitter': [ 'https://twitter.com/abuse_ch/status/1224269018506330112' ], 'links': [ 'https://urlhaus.abuse.ch/url/306613/', ] }, 'context': { 'dropped_by_md5': [ '68b329da9893e34099c7d8ad5cb9c940' ], 'dropped_by_sha256': [ '01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b', '4355a46b19d348dc2f57c046f8ef63d4538ebb936000f3c9ee954a27460dd865' ], 'dropped_by_malware': [ 'Gozi' ], 'comment': 'this malware sample is very nasty!' } } files = { 'json_data': (None, json.dumps(data), 'application/json'), 'file': (open(file,'rb')) } response = requests.post('https://mb-api.abuse.ch/api/v1/', files=files, verify=False, headers=headers)
An additional python samples script showing how to submit a file to MalwareBazaar is available here:
Need help?
If you encounter any problems when submitting malware samples to MalwareBazaar, please do not hesitate to contact us through the Spamhaus Technology contact form: https://www.spamhaus.com/#contact-form
Retrieve (download) a malware sample
You can download (fetch) malware samples from MalwareBazaar by using the API documented below, sending an HTTP POST
request to https://mb-api.abuse.ch/api/v1/
. Please note that any malware sample you download from MalwareBazaar will be zipped and password protected using the password "infected" (without "").
Please note that there is a daily limit for file downloads on the API that is documented here.
Key | Example | Comment |
---|---|---|
query | get_file | |
sha256_hash | 094fd325049b8a9cf6d3e5ef2a6d4cc6a567d7d49c35f8bb8dd9e3c6acf3d78d | SHA256 hash of the malware sample you want to download |
Possible response values are:
Key | Value | Comment |
---|---|---|
query_status | http_post_expected | The API expected a HTTP POST request |
illegal_sha256_hash | Illegal SHA256 hash provided | |
no_sha256_hash | No SHA256 hash provided | |
file_not_found | The file was not found or is unknown to MalwareBazaar |
Here's a sample wget request on how to fetch a file:
wget --header "Auth-Key: YOUR-AUTH-KEY-HERE" --post-data "query=get_file&sha256_hash=094fd325049b8a9cf6d3e5ef2a6d4cc6a567d7d49c35f8bb8dd9e3c6acf3d78d" https://mb-api.abuse.ch/api/v1/
Problems with unzipping?
Malware samples are zipped using AES128 encryption and password "infected". Should you receive an error like NotImplementedError: compression type 99
when trying to unzip, it means that your library is not supporting AES encryption (yet). Please switch to a different library (e.g. when you are using python: pyzipper)
Query a malware sample (hash)
You can check if a particular malware sample is known to MalwareBazaar by query the API for the corresponding hash (using HTTP POST form data):
Key | Example | Comment |
---|---|---|
query | get_info | |
hash | 094fd325049b8a9cf6d3e5ef2a6d4cc6a567d7d49c35f8bb8dd9e3c6acf3d78d | SHA256, MD5 or SHA1 hash of the malware sample you want to query |
Possible response values are:
Key | Value | Comment |
---|---|---|
query_status | http_post_expected | The API expected a HTTP POST request |
hash_not_found | The file (hash) you wanted to query is unknown to MalwareBazaar | |
illegal_hash | The hash you provided is not a valid SHA256 hash | |
no_hash_provided | You did not provide a hash | |
sha256_hash | e167b20f1acf48f7ce0ae33a218e... | SHA256 hash of the malware sample |
sha3_384_hash | 19142fcef2eb63b4a000506d81218... | SHA3-384 hash of the malware sample |
sha1_hash | eb0e81598d8526d88cac4695a3e9360cc8fbb331 | SHA1 hash of the malware sample |
md5_hash | 7338b335ad5471cb67658f27836374f0 | MD5 hash of the malware sample |
first_seen | 2020-02-28 05:57:01 | TS when the file has been first seen by MalwareBazaar (UTC) |
last_seen | 2020-03-01 08:11:45 | TS when the file has been last seen by MalwareBazaar (UTC) |
file_name | Jamil Marzouka Co.pdf.jar | Malware sample's file name |
file_size | 62118 | File size in bytes |
file_type_mime | application/x-dosexec | MIME file type |
file_type | jar | File type |
reporter | viql | Twitter handle of the report (or anonymous for anonymous submissions) |
origin_country | US | Two letter country code of the country where the sample was uploaded from |
anonymous | 0 | 1 (true) or 0 (false) |
signature | Adwind | Malware family (if available) |
imphash | f34d5f2d4577ed6d9ceec516c1f5a744 | imphash (only available for PE executables) |
tlsh | 11B2194E3FA98856C4BC177486B... | Trend Micro Locality Sensitive Hash (tlsh) |
telfhash | 1E634BC4B643D9F2ED0602B52477EF338E76F5B... | Trend Micro ELF Hash (telfhash) |
gimphash | 3870859e16c5541b4a6d2b3ce6e8b... | imphash equivalent for Go binaries (gimphash) |
ssdeep | 1536:sGZWpdxayQAcj7gwluW14Z2II0oc... | ssdeep |
magika | pebin | AI power file type identification (Magika) |
dhash_icon | f8dcbeffbffecee8 | In case the file is a PE executable: dhash of the samples icon |
trid | n/a | TrID file identifier (TrID) |
tags | Adwind, jar, qua | list of tags |
archive_pw | 1515 | In case the file is a password protected archive: The password to decrypt the archive |
code_sign | subject_cn | Subject Common Name (CN) |
issuer_cn | Issuer Common Name (CN) | |
algorithm | Algorithm used | |
valid_from | Datetime valid from | |
valid_to | Datetime valid to (expire date) | |
serial_number | Serial number | |
cscb_listed | Code Signing Certificate Blocklist (CSCB) status (True or False ) | |
cscb_reason | Code Signing Certificate Blocklist (CSCB) listing reason | |
delivery_method | email_attachment | Distributed via e-mail attachment |
email_link | Distributed via e-mail link | |
web_download | Distributed via web download | |
web_drive-by | Distributed via drive-by | |
multiple | Multiple delivery methods used | |
other | Other delivery methods used | |
file_information | various | Contextual information about the file sample |
yara_rules | rule_name | Name of the YARA rule that triggered |
author | Author of the YARA rule | |
description | Description of the YARA rule | |
reference | Reference of the YARA rule | |
ole_information | oleid | Results from oleid |
olevba | Results from olevba | |
vendor_intel | ANY.RUN | Dynamic malware analysis from ANY.RUN |
CAPE | Dynamic malware analysis from CAPE Sandbox | |
CERT-PL_MWDB | Threat intel from CERT.PL Malware Database | |
vxCube | Dynamic malware analysis from Dr.Web vxCube | |
DocGuard | Office document reputation from DocGuad | |
FileScan-IO | Malware analysis service from FileScan.IO | |
InQuest Labs | File reputation service from InQuest Labs | |
Intezer | Code analysis from Intezer | |
ReversingLabs | File reputation & intelligence from ReversingLabs TitaniumCloud | |
Spamhaus_HBL | File reputation from Spamhaus Hash Blocklist (HBL) | |
Triage | Dynamic malware analysis from Hatching Triage | |
UnpacMe | Malware unpacking service from UnpacMe | |
VMRay | Dynamic malware analysis from VMRay | |
YOROI_YOMI | Dynamic malware analysis from YOROI YOMI | |
comments | id | Unique id that identifies this comment |
date_added | Timestamp (UTC) when this comment has been made | |
twitter_handle | Twitter handle who wrote this comment | |
display_name | Twitter display name | |
comment | The comment itself |
Here's a sample wget request on how to query the API for a hash
:
wget --header "Auth-Key: YOUR-AUTH-KEY-HERE" --post-data "query=get_info&hash=7de2c1bf58bce09eecc70476747d88a26163c3d6bb1d85235c24a558d1f16754" https://mb-api.abuse.ch/api/v1/
Query tag
You can get a list of malware samples (max 1'000) associated with a specific tag
by query the API as follow (using HTTP POST form data):
Key | Example | Comment |
---|---|---|
query | get_taginfo | |
tag | TrickBot | Tag you want to get malware samples for |
limit | 50 | Optional: Max number of results you want to display (default: 100, max: 1'000) |
Possible response values are:
Key | Value | Comment |
---|---|---|
query_status | http_post_expected | The API expected a HTTP POST request |
tag_not_found | The tag you wanted to query is unknown to MalwareBazaar | |
illegal_tag | No valid tag provided | |
no_tag_provided | You did not provide a tag | |
no_results | Your query yield no results | |
sha256_hash | e167b20f1acf48f7ce0ae33a218e... | SHA256 hash of the malware sample |
sha3_384_hash | 19142fcef2eb63b4a000506d81218... | SHA3-384 hash of the malware sample |
sha1_hash | eb0e81598d8526d88cac4695a3e9360cc8fbb331 | SHA1 hash of the malware sample |
md5_hash | 7338b335ad5471cb67658f27836374f0 | MD5 hash of the malware sample |
first_seen | 2020-02-28 05:57:01 | TS when the file has been first seen by MalwareBazaar (UTC) |
last_seen | 2020-03-01 08:11:45 | TS when the file has been last seen by MalwareBazaar (UTC) |
file_name | Jamil Marzouka Co.pdf.jar | Malware sample's file name |
file_size | 62118 | File size in bytes |
file_type_mime | application/x-dosexec | MIME file type |
file_type | jar | File type |
reporter | viql | Twitter handle of the report (or anonymous for anonymous submissions) |
anonymous | 0 | 1 (true) or 0 (false) |
signature | Adwind | Malware family (if available) |
imphash | f34d5f2d4577ed6d9ceec516c1f5a744 | imphash (only available for PE executables) |
tlsh | 11B2194E3FA98856C4BC177486B5965003B091870... | Trend Micro Locality Sensitive Hash (tlsh) |
telfhash | 1E634BC4B643D9F2ED0602B52477EF338E76F5B... | Trend Micro ELF Hash (telfhash) |
gimphash | 3870859e16c5541b4a6d2b3ce6e8b... | imphash equivalent for Go binaries (gimphash) |
ssdeep | 1536:sGZWpdxayQAcj7gwluW14Z2II0oc... | ssdeep |
magika | pebin | AI power file type identification (Magika) |
dhash_icon | f8dcbeffbffecee8 | In case the file is a PE executable: dhash of the samples icon |
trid | n/a | TrID file identifier (TrID) |
tags | Adwind, jar, qua | list of tags |
code_sign | subject_cn | Subject Common Name (CN) |
issuer_cn | Issuer Common Name (CN) | |
algorithm | Algorithm used | |
valid_from | Datetime valid from | |
valid_to | Datetime valid to (expire date) | |
serial_number | Serial number | |
cscb_listed | Code Signing Certificate Blocklist (CSCB) status (True or False ) | |
cscb_reason | Code Signing Certificate Blocklist (CSCB) listing reason | |
intelligence | clamav | List of ClamAV detections (offical and unofficial rules) |
downloads | number (int) of downloads from MalwareBazaar | |
uploads | number (int) of uploads to MalwareBazaar | |
mail | Mail intelligence using spamtrap data |
Here's a sample wget request on how to query the API for a tag
:
wget --header "Auth-Key: YOUR-AUTH-KEY-HERE" --post-data "query=get_taginfo&tag=TrickBot&limit=50" https://mb-api.abuse.ch/api/v1/
Query signature
You can get a list of recent malware samples (max 1'000) associated with a specific signature
by query the API as follow (using HTTP POST form data):
Key | Example | Comment |
---|---|---|
query | get_siginfo | |
signature | TrickBot | Tag you want to get malware samples for |
limit | 50 | Optional: Max number of results you want to display (default: 100, max: 1'000) |
Possible response values are:
Key | Value | Comment |
---|---|---|
query_status | http_post_expected | The API expected a HTTP POST request |
signature_not_found | The signature you wanted to query is unknown to MalwareBazaar | |
illegal_signature | The text you provided is not a valid signature | |
no_signature_provided | You did not provide a signature | |
no_results | Your query yield no results | |
sha256_hash | e167b20f1acf48f7ce0ae33a218e2c1b3... | SHA256 hash of the malware sample |
sha3_384_hash | 19142fcef2eb63b4a000506d81218... | SHA3-384 hash of the malware sample |
sha1_hash | eb0e81598d8526d88cac4695a3e9360cc8fbb331 | SHA1 hash of the malware sample |
md5_hash | 7338b335ad5471cb67658f27836374f0 | MD5 hash of the malware sample |
first_seen | 2020-02-28 05:57:01 | TS when the file has been first seen by MalwareBazaar (UTC) |
last_seen | 2020-03-01 08:11:45 | TS when the file has been last seen by MalwareBazaar (UTC) |
file_name | Jamil Marzouka Co.pdf.jar | Malware sample's file name |
file_size | 62118 | File size in bytes |
file_type_mime | application/x-dosexec | MIME file type |
file_type | jar | File type |
reporter | viql | Twitter handle of the report (or anonymous for anonymous submissions) |
anonymous | 0 | 1 (true) or 0 (false) |
signature | Adwind | Malware family (if available) |
imphash | f34d5f2d4577ed6d9ceec516c1f5a744 | imphash (only available for PE executables) |
tlsh | 11B2194E3FA98856C4BC177486B5965003B0918... | Trend Micro Locality Sensitive Hash (tlsh) |
telfhash | 1E634BC4B643D9F2ED0602B52477EF338E76F5B... | Trend Micro ELF Hash (telfhash) |
gimphash | 3870859e16c5541b4a6d2b3ce6e8b... | imphash equivalent for Go binaries (gimphash) |
ssdeep | 1536:sGZWpdxayQAcj7gwluW14Z2II0ocL8ppVy8U... | ssdeep |
magika | pebin | AI power file type identification (Magika) |
dhash_icon | f8dcbeffbffecee8 | In case the file is a PE executable: dhash of the samples icon |
trid | n/a | TrID file identifier (TrID) |
tags | Adwind, jar, qua | list of tags |
code_sign | subject_cn | Subject Common Name (CN) |
issuer_cn | Issuer Common Name (CN) | |
algorithm | Algorithm used | |
valid_from | Datetime valid from | |
valid_to | Datetime valid to (expire date) | |
serial_number | Serial number | |
cscb_listed | Code Signing Certificate Blocklist (CSCB) status (True or False ) | |
cscb_reason | Code Signing Certificate Blocklist (CSCB) listing reason | |
intelligence | clamav | List of ClamAV detections (offical and unofficial rules) |
downloads | number (int) of downloads from MalwareBazaar | |
uploads | number (int) of uploads to MalwareBazaar | |
mail | Mail intelligence using spamtrap data |
Here's a sample wget request on how to query the API for a signature
:
wget --header "Auth-Key: YOUR-AUTH-KEY-HERE" --post-data "query=get_siginfo&signature=TrickBot&limit=50" https://mb-api.abuse.ch/api/v1/
Query filetype
You can get a list of recent malware samples (max 1'000) having a specifc filetype
by query the API as follow (using HTTP POST form data):
Key | Example | Comment |
---|---|---|
query | get_file_type | |
file_type | elf | Tag you want to get malware samples for |
limit | 50 | Optional: Max number of results you want to display (default: 100, max: 1'000) |
Possible response values are:
Key | Value | Comment |
---|---|---|
query_status | http_post_expected | The API expected a HTTP POST request |
illegal_file_type | The text you provided is not a valid file_type | |
no_file_type | You did not provide a file_type | |
no_results | Your query yield no results | |
sha256_hash | e167b20f1acf48f7ce0ae33a218e2c1b3... | SHA256 hash of the malware sample |
sha3_384_hash | 19142fcef2eb63b4a000506d81218... | SHA3-384 hash of the malware sample |
sha1_hash | eb0e81598d8526d88cac4695a3e9360cc8fbb331 | SHA1 hash of the malware sample |
md5_hash | 7338b335ad5471cb67658f27836374f0 | MD5 hash of the malware sample |
first_seen | 2020-02-28 05:57:01 | TS when the file has been first seen by MalwareBazaar (UTC) |
last_seen | 2020-03-01 08:11:45 | TS when the file has been last seen by MalwareBazaar (UTC) |
file_name | Jamil Marzouka Co.pdf.jar | Malware sample's file name |
file_size | 62118 | File size in bytes |
file_type_mime | application/x-dosexec | MIME file type |
file_type | jar | File type |
reporter | viql | Twitter handle of the report (or anonymous for anonymous submissions) |
anonymous | 0 | 1 (true) or 0 (false) |
signature | Adwind | Malware family (if available) |
imphash | f34d5f2d4577ed6d9ceec516c1f5a744 | imphash (only available for PE executables) |
tlsh | 11B2194E3FA98856C4BC177486B5965003B0918... | Trend Micro Locality Sensitive Hash (tlsh) |
telfhash | 1E634BC4B643D9F2ED0602B52477EF338E76F5B... | Trend Micro ELF Hash (telfhash) |
gimphash | 3870859e16c5541b4a6d2b3ce6e8b... | imphash equivalent for Go binaries (gimphash) |
ssdeep | 1536:sGZWpdxayQAcj7gwluW14Z2II0ocL8ppVy8U... | ssdeep |
magika | pebin | AI power file type identification (Magika) |
dhash_icon | f8dcbeffbffecee8 | In case the file is a PE executable: dhash of the samples icon |
trid | n/a | TrID file identifier (TrID) |
tags | Adwind, jar, qua | list of tags |
code_sign | subject_cn | Subject Common Name (CN) |
issuer_cn | Issuer Common Name (CN) | |
algorithm | Algorithm used | |
valid_from | Datetime valid from | |
valid_to | Datetime valid to (expire date) | |
serial_number | Serial number | |
cscb_listed | Code Signing Certificate Blocklist (CSCB) status (True or False ) | |
cscb_reason | Code Signing Certificate Blocklist (CSCB) listing reason | |
intelligence | clamav | List of ClamAV detections (offical and unofficial rules) |
downloads | number (int) of downloads from MalwareBazaar | |
uploads | number (int) of uploads to MalwareBazaar | |
mail | Mail intelligence using spamtrap data |
Here's a sample wget request on how to query the API for a file_type
:
wget --header "Auth-Key: YOUR-AUTH-KEY-HERE" --post-data "query=get_file_type&file_type=elf&limit=10" https://mb-api.abuse.ch/api/v1/
Query ClamAV signature
You can get a list of recent malware samples (max 1'000) associated with a specific ClamAV signature
by query the API as follow (using HTTP POST form data):
Key | Example | Comment |
---|---|---|
query | get_clamavinfo | |
clamav | Doc.Downloader.Emotet-7580152-0 | ClamAV signature you want to get malware samples for |
limit | 50 | Optional: Max number of results you want to display (default: 100, max: 1'000) |
Possible response values are:
Key | Value | Comment |
---|---|---|
query_status | http_post_expected | The API expected a HTTP POST request |
clamav_not_found | The clamav signature you wanted to query is unknown to MalwareBazaar | |
illegal_clamav | The text you provided is not a valid ClamAV signature | |
no_clamav_provided | You did not provide a clamav signature | |
no_results | Your query yield no results | |
sha256_hash | e167b20f1acf48f7ce0ae33a218e2c1b300b41... | SHA256 hash of the malware sample |
sha3_384_hash | 19142fcef2eb63b4a000506d81218... | SHA3-384 hash of the malware sample |
sha1_hash | eb0e81598d8526d88cac4695a3e9360cc8fbb331 | SHA1 hash of the malware sample |
md5_hash | 7338b335ad5471cb67658f27836374f0 | MD5 hash of the malware sample |
first_seen | 2020-02-28 05:57:01 | TS when the file has been first seen by MalwareBazaar (UTC) |
last_seen | 2020-03-01 08:11:45 | TS when the file has been last seen by MalwareBazaar (UTC) |
file_name | Jamil Marzouka Co.pdf.jar | Malware sample's file name |
file_size | 62118 | File size in bytes |
file_type_mime | application/x-dosexec | MIME file type |
file_type | jar | File type |
reporter | viql | Twitter handle of the report (or anonymous for anonymous submissions) |
anonymous | 0 | 1 (true) or 0 (false) |
signature | Adwind | Malware family (if available) |
imphash | f34d5f2d4577ed6d9ceec516c1f5a744 | imphash (only available for PE executables) |
tlsh | 11B2194E3FA98856C4BC177486B5965003B09187... | Trend Micro Locality Sensitive Hash (tlsh) |
telfhash | 1E634BC4B643D9F2ED0602B52477EF338E76F5B... | Trend Micro ELF Hash (telfhash) |
gimphash | 3870859e16c5541b4a6d2b3ce6e8b... | imphash equivalent for Go binaries (gimphash) |
ssdeep | 1536:sGZWpdxayQAcj7gwluW14Z2II0ocL8ppVy8U+M76JMaDZ... | ssdeep |
magika | pebin | AI power file type identification (Magika) |
dhash_icon | f8dcbeffbffecee8 | In case the file is a PE executable: dhash of the samples icon |
trid | n/a | TrID file identifier (TrID) |
tags | Adwind, jar, qua | list of tags |
code_sign | subject_cn | Subject Common Name (CN) |
issuer_cn | Issuer Common Name (CN) | |
algorithm | Algorithm used | |
valid_from | Datetime valid from | |
valid_to | Datetime valid to (expire date) | |
serial_number | Serial number | |
cscb_listed | Code Signing Certificate Blocklist (CSCB) status (True or False ) | |
cscb_reason | Code Signing Certificate Blocklist (CSCB) listing reason | |
intelligence | clamav | List of ClamAV detections (offical and unofficial rules) |
downloads | number (int) of downloads from MalwareBazaar | |
uploads | number (int) of uploads to MalwareBazaar | |
mail | Mail intelligence using spamtrap data |
Here's a sample wget request on how to query the API for a clamav
signature:
wget --header "Auth-Key: YOUR-AUTH-KEY-HERE" --post-data "query=get_clamavinfo&clamav=Doc.Downloader.Emotet-7580152-0&limit=50" https://mb-api.abuse.ch/api/v1/
Query imphash
You can get a list of malware samples (max 1'000) associated with a specific imphash
by query the API as follow (using HTTP POST form data):
Key | Example | Comment |
---|---|---|
query | get_imphash | |
imphash | 45d579faec0eaf279c0841b2233727cf | imphash you want to get malware samples for |
limit | 50 | Optional: Max number of results you want to display (default: 100, max: 1'000) |
Possible response values are:
Key | Value | Comment |
---|---|---|
query_status | http_post_expected | The API expected a HTTP POST request |
illegal_imphash | The text you provided is not a valid imphash signature | |
no_imphash | You did not provide a imphash signature | |
no_results | Your query yield no results | |
sha256_hash | e167b20f1acf48f7ce0ae33a218e2c1b300b41... | SHA256 hash of the malware sample |
sha3_384_hash | 19142fcef2eb63b4a000506d81218... | SHA3-384 hash of the malware sample |
sha1_hash | eb0e81598d8526d88cac4695a3e9360cc8fbb331 | SHA1 hash of the malware sample |
md5_hash | 7338b335ad5471cb67658f27836374f0 | MD5 hash of the malware sample |
first_seen | 2020-02-28 05:57:01 | TS when the file has been first seen by MalwareBazaar (UTC) |
last_seen | 2020-03-01 08:11:45 | TS when the file has been last seen by MalwareBazaar (UTC) |
file_name | Jamil Marzouka Co.pdf.jar | Malware sample's file name |
file_size | 62118 | File size in bytes |
file_type_mime | application/x-dosexec | MIME file type |
file_type | jar | File type |
reporter | viql | Twitter handle of the report (or anonymous for anonymous submissions) |
anonymous | 0 | 1 (true) or 0 (false) |
signature | Adwind | Malware family (if available) |
imphash | f34d5f2d4577ed6d9ceec516c1f5a744 | imphash (only available for PE executables) |
tlsh | 11B2194E3FA98856C4BC177486B5965003B09187... | Trend Micro Locality Sensitive Hash (tlsh) |
telfhash | 1E634BC4B643D9F2ED0602B52477EF338E76F5B... | Trend Micro ELF Hash (telfhash) |
gimphash | 3870859e16c5541b4a6d2b3ce6e8b... | imphash equivalent for Go binaries (gimphash) |
ssdeep | 1536:sGZWpdxayQAcj7gwluW14Z2II0ocL8ppVy8U+M76JMaDZ... | ssdeep |
magika | pebin | AI power file type identification (Magika) |
dhash_icon | f8dcbeffbffecee8 | In case the file is a PE executable: dhash of the samples icon |
trid | n/a | TrID file identifier (TrID) |
tags | Adwind, jar, qua | list of tags |
intelligence | clamav | List of ClamAV detections (offical and unofficial rules) |
downloads | number (int) of downloads from MalwareBazaar | |
uploads | number (int) of uploads to MalwareBazaar | |
mail | Mail intelligence using spamtrap data |
Here's a sample wget request on how to query the API for a imphash
:
wget --header "Auth-Key: YOUR-AUTH-KEY-HERE" --post-data "query=get_imphash&imphash=45d579faec0eaf279c0841b2233727cf&limit=50" https://mb-api.abuse.ch/api/v1/
Query TLSH
You can get a list of malware samples (max 1'000) associated with a specific TLSH hash
by query the API as follow (using HTTP POST form data):
Key | Example | Comment |
---|---|---|
query | get_tlsh | |
tlsh | 4FB44AC6A19643BBEE8766FF358AC55D... | TLSH hash you want to get malware samples for |
limit | 50 | Optional: Max number of results you want to display (default: 100, max: 1'000) |
Possible response values are:
Key | Value | Comment |
---|---|---|
query_status | http_post_expected | The API expected a HTTP POST request |
illegal_tlsh | The text you provided is not a valid tlsh signature | |
no_tlsh | You did not provide a tlsh signature | |
no_results | Your query yield no results | |
sha256_hash | e167b20f1acf48f7ce0ae33a218e2c1b300b41... | SHA256 hash of the malware sample |
sha3_384_hash | 19142fcef2eb63b4a000506d81218... | SHA3-384 hash of the malware sample |
sha1_hash | eb0e81598d8526d88cac4695a3e9360cc8fbb331 | SHA1 hash of the malware sample |
md5_hash | 7338b335ad5471cb67658f27836374f0 | MD5 hash of the malware sample |
first_seen | 2020-02-28 05:57:01 | TS when the file has been first seen by MalwareBazaar (UTC) |
last_seen | 2020-03-01 08:11:45 | TS when the file has been last seen by MalwareBazaar (UTC) |
file_name | Jamil Marzouka Co.pdf.jar | Malware sample's file name |
file_size | 62118 | File size in bytes |
file_type_mime | application/x-dosexec | MIME file type |
file_type | jar | File type |
reporter | viql | Twitter handle of the report (or anonymous for anonymous submissions) |
anonymous | 0 | 1 (true) or 0 (false) |
signature | Adwind | Malware family (if available) |
imphash | f34d5f2d4577ed6d9ceec516c1f5a744 | imphash (only available for PE executables) |
tlsh | 11B2194E3FA98856C4BC177486B5965003B09187... | Trend Micro Locality Sensitive Hash (tlsh) |
telfhash | 1E634BC4B643D9F2ED0602B52477EF338E76F5B... | Trend Micro ELF Hash (telfhash) |
gimphash | 3870859e16c5541b4a6d2b3ce6e8b... | imphash equivalent for Go binaries (gimphash) |
ssdeep | 1536:sGZWpdxayQAcj7gwluW14Z2II0ocL8ppVy8U+M76JMaDZ... | ssdeep |
magika | pebin | AI power file type identification (Magika) |
dhash_icon | f8dcbeffbffecee8 | In case the file is a PE executable: dhash of the samples icon |
trid | n/a | TrID file identifier (TrID) |
tags | Adwind, jar, qua | list of tags |
intelligence | clamav | List of ClamAV detections (offical and unofficial rules) |
downloads | number (int) of downloads from MalwareBazaar | |
uploads | number (int) of uploads to MalwareBazaar | |
mail | Mail intelligence using spamtrap data |
Here's a sample wget request on how to query the API for a TLSH
hash:
wget --header "Auth-Key: YOUR-AUTH-KEY-HERE" --post-data "query=get_tlsh&tlsh=4FB44AC6A19643BBEE8766FF358AC55DBC13D91C1B4DB4FBC789AA020A31B05ED12350&limit=50" https://mb-api.abuse.ch/api/v1/
Query telfhash
You can get a list of malware samples (max 1'000) associated with a specific telfhash hash
by query the API as follow (using HTTP POST form data):
Key | Example | Comment |
---|---|---|
query | get_telfhash | |
telfhash | 1E634BC4B643D9F2ED0602B52477EF33... | telfhash hash you want to get malware samples for |
limit | 50 | Optional: Max number of results you want to display (default: 100, max: 1'000) |
Possible response values are:
Key | Value | Comment |
---|---|---|
query_status | http_post_expected | The API expected a HTTP POST request |
illegal_telfhash | The text you provided is not a valid telfhash signature | |
no_telfhash | You did not provide a telfhash | |
no_results | Your query yield no results | |
sha256_hash | e167b20f1acf48f7ce0ae33a218e2c1b300b41... | SHA256 hash of the malware sample |
sha3_384_hash | 19142fcef2eb63b4a000506d81218... | SHA3-384 hash of the malware sample |
sha1_hash | eb0e81598d8526d88cac4695a3e9360cc8fbb331 | SHA1 hash of the malware sample |
md5_hash | 7338b335ad5471cb67658f27836374f0 | MD5 hash of the malware sample |
first_seen | 2020-02-28 05:57:01 | TS when the file has been first seen by MalwareBazaar (UTC) |
last_seen | 2020-03-01 08:11:45 | TS when the file has been last seen by MalwareBazaar (UTC) |
file_name | Jamil Marzouka Co.pdf.jar | Malware sample's file name |
file_size | 62118 | File size in bytes |
file_type_mime | application/x-dosexec | MIME file type |
file_type | jar | File type |
reporter | viql | Twitter handle of the report (or anonymous for anonymous submissions) |
anonymous | 0 | 1 (true) or 0 (false) |
signature | Adwind | Malware family (if available) |
imphash | f34d5f2d4577ed6d9ceec516c1f5a744 | imphash (only available for PE executables) |
tlsh | 11B2194E3FA98856C4BC177486B5965003B09187... | Trend Micro Locality Sensitive Hash (tlsh) |
telfhash | 1E634BC4B643D9F2ED0602B52477EF338E76F5B... | Trend Micro ELF Hash (telfhash) |
gimphash | 3870859e16c5541b4a6d2b3ce6e8b... | imphash equivalent for Go binaries (gimphash) |
ssdeep | 1536:sGZWpdxayQAcj7gwluW14Z2II0ocL8ppVy8U+M76JMaDZ... | ssdeep |
magika | pebin | AI power file type identification (Magika) |
dhash_icon | f8dcbeffbffecee8 | In case the file is a PE executable: dhash of the samples icon |
trid | n/a | TrID file identifier (TrID) |
tags | Adwind, jar, qua | list of tags |
intelligence | clamav | List of ClamAV detections (offical and unofficial rules) |
downloads | number (int) of downloads from MalwareBazaar | |
uploads | number (int) of uploads to MalwareBazaar | |
mail | Mail intelligence using spamtrap data |
Here's a sample wget request on how to query the API for a TLSH
hash:
wget --header "Auth-Key: YOUR-AUTH-KEY-HERE" --post-data "query=get_telfhash&telfhash=ea2106f51e7e58d9b7e4a400c29b5f623d5df13b299037a00463e93033abe466069c7a&limit=50" https://mb-api.abuse.ch/api/v1/
Query gimphash
You can get a list of malware samples (max 1'000) associated with a specific gimphash
by query the API as follow (using HTTP POST form data):
Key | Example | Comment |
---|---|---|
query | get_gimphash | |
gimphash | 3870859e16c5541b4a6d2b3ce.... | gimphash hash you want to get malware samples for |
limit | 50 | Optional: Max number of results you want to display (default: 100, max: 1'000) |
Possible response values are:
Key | Value | Comment |
---|---|---|
query_status | http_post_expected | The API expected a HTTP POST request |
illegal_gimphash | The hash you provided is not a valid gimphash | |
no_gimphash | You did not provide a gimphash | |
no_results | Your query yield no results | |
sha256_hash | e167b20f1acf48f7ce0ae33a218e2c1b300b41... | SHA256 hash of the malware sample |
sha3_384_hash | 19142fcef2eb63b4a000506d81218... | SHA3-384 hash of the malware sample |
sha1_hash | eb0e81598d8526d88cac4695a3e9360cc8fbb331 | SHA1 hash of the malware sample |
md5_hash | 7338b335ad5471cb67658f27836374f0 | MD5 hash of the malware sample |
first_seen | 2020-02-28 05:57:01 | TS when the file has been first seen by MalwareBazaar (UTC) |
last_seen | 2020-03-01 08:11:45 | TS when the file has been last seen by MalwareBazaar (UTC) |
file_name | Jamil Marzouka Co.pdf.jar | Malware sample's file name |
file_size | 62118 | File size in bytes |
file_type_mime | application/x-dosexec | MIME file type |
file_type | jar | File type |
reporter | viql | Twitter handle of the report (or anonymous for anonymous submissions) |
anonymous | 0 | 1 (true) or 0 (false) |
signature | Adwind | Malware family (if available) |
imphash | f34d5f2d4577ed6d9ceec516c1f5a744 | imphash (only available for PE executables) |
tlsh | 11B2194E3FA98856C4BC177486B5965003B09187... | Trend Micro Locality Sensitive Hash (tlsh) |
telfhash | 1E634BC4B643D9F2ED0602B52477EF338E76F5B... | Trend Micro ELF Hash (telfhash) |
gimphash | 3870859e16c5541b4a6d2b3ce6e8b... | imphash equivalent for Go binaries (gimphash) |
ssdeep | 1536:sGZWpdxayQAcj7gwluW14Z2II0ocL8ppVy8U+M76JMaDZ... | ssdeep |
magika | pebin | AI power file type identification (Magika) |
dhash_icon | f8dcbeffbffecee8 | In case the file is a PE executable: dhash of the samples icon |
trid | n/a | TrID file identifier (TrID) |
tags | Adwind, jar, qua | list of tags |
intelligence | clamav | List of ClamAV detections (offical and unofficial rules) |
downloads | number (int) of downloads from MalwareBazaar | |
uploads | number (int) of uploads to MalwareBazaar | |
mail | Mail intelligence using spamtrap data |
Here's a sample wget request on how to query the API for a TLSH
hash:
wget --header "Auth-Key: YOUR-AUTH-KEY-HERE" --post-data "query=get_gimphash&gimphash=50f5783c2188897815d9b34a77aa4df70ac96a71542ddc79b94fef8ce7ba2120&limit=50" https://mb-api.abuse.ch/api/v1/
Query icon dhash
You can get a list of malware samples (PE executables only, max 1'000) that are having a specific icon
using the icon's dhash
. In order to do so, you must query t he API as follow (using HTTP POST form data):
Key | Example | Comment |
---|---|---|
query | get_dhash_icon | |
dhash_icon | 48b9b2b0e8c18c90 | The icon's dhash you want to get malware samples for |
limit | 50 | Optional: Max number of results you want to display (default: 100, max: 1'000) |
Possible response values are:
Key | Value | Comment |
---|---|---|
query_status | http_post_expected | The API expected a HTTP POST request |
illegal_dhash_icon | The text you provided is not a valid dhash signature | |
no_imphash | You did not provide a dhash signature | |
no_results | Your query yield no results | |
sha256_hash | e167b20f1acf48f7ce0ae33a218e2c1b300b41... | SHA256 hash of the malware sample |
sha3_384_hash | 19142fcef2eb63b4a000506d81218... | SHA3-384 hash of the malware sample |
sha1_hash | eb0e81598d8526d88cac4695a3e9360cc8fbb331 | SHA1 hash of the malware sample |
md5_hash | 7338b335ad5471cb67658f27836374f0 | MD5 hash of the malware sample |
first_seen | 2020-02-28 05:57:01 | TS when the file has been first seen by MalwareBazaar (UTC) |
last_seen | 2020-03-01 08:11:45 | TS when the file has been last seen by MalwareBazaar (UTC) |
file_name | Jamil Marzouka Co.pdf.jar | Malware sample's file name |
file_size | 62118 | File size in bytes |
file_type_mime | application/x-dosexec | MIME file type |
file_type | jar | File type |
reporter | viql | Twitter handle of the report (or anonymous for anonymous submissions) |
anonymous | 0 | 1 (true) or 0 (false) |
signature | Adwind | Malware family (if available) |
imphash | f34d5f2d4577ed6d9ceec516c1f5a744 | imphash (only available for PE executables) |
tlsh | 11B2194E3FA98856C4BC177486B5965003B09187... | Trend Micro Locality Sensitive Hash (tlsh) |
telfhash | 1E634BC4B643D9F2ED0602B52477EF338E76F5B... | Trend Micro ELF Hash (telfhash) |
gimphash | 3870859e16c5541b4a6d2b3ce6e8b... | imphash equivalent for Go binaries (gimphash) |
ssdeep | 1536:sGZWpdxayQAcj7gwluW14Z2II0ocL8ppVy8U+M76JMaDZ... | ssdeep |
magika | pebin | AI power file type identification (Magika) |
dhash_icon | f8dcbeffbffecee8 | In case the file is a PE executable: dhash of the samples icon |
trid | n/a | TrID file identifier (TrID) |
tags | Adwind, jar, qua | list of tags |
intelligence | clamav | List of ClamAV detections (offical and unofficial rules) |
downloads | number (int) of downloads from MalwareBazaar | |
uploads | number (int) of uploads to MalwareBazaar | |
mail | Mail intelligence using spamtrap data |
Here's a sample wget request on how to query the API for a TLSH
hash:
wget --header "Auth-Key: YOUR-AUTH-KEY-HERE" --post-data "query=get_dhash_icon&dhash_icon=48b9b2b0e8c18c90&limit=5" https://mb-api.abuse.ch/api/v1/
You can caluclate the dhash
of an icon
from a PE32 executable by using the following script:
Query YARA rule
You can get a list of malware samples (max 1'000) associated with a specific YARA rule
by query the API as follow (using HTTP POST form data):
Key | Example | Comment |
---|---|---|
query | get_yarainfo | |
yara_rule | win_remcos_g0 | Name of the YARA rule (rule_name ) you want to get malware samples for |
limit | 50 | Optional: Max number of results you want to display (default: 100, max: 1'000) |
Possible response values are:
Key | Value | Comment |
---|---|---|
query_status | http_post_expected | The API expected a HTTP POST request |
yara_not_found | The yara_rule you wanted to query is unknown to MalwareBazaar | |
illegal_yara_rule | The text you provided is not a valid yara_rule | |
no_yara_rule_provided | You did not provide a yara_rule | |
no_results | Your query yield no results | |
sha256_hash | e167b20f1acf48f7ce0ae33a218e2c1b30... | SHA256 hash of the malware sample |
sha3_384_hash | 19142fcef2eb63b4a000506d81218... | SHA3-384 hash of the malware sample |
sha1_hash | eb0e81598d8526d88cac4695a3e9360cc8fbb331 | SHA1 hash of the malware sample |
md5_hash | 7338b335ad5471cb67658f27836374f0 | MD5 hash of the malware sample |
first_seen | 2020-02-28 05:57:01 | TS when the file has been first seen by MalwareBazaar (UTC) |
last_seen | 2020-03-01 08:11:45 | TS when the file has been last seen by MalwareBazaar (UTC) |
file_name | Jamil Marzouka Co.pdf.jar | Malware sample's file name |
file_size | 62118 | File size in bytes |
file_type_mime | application/x-dosexec | MIME file type |
file_type | jar | File type |
reporter | viql | Twitter handle of the report (or anonymous for anonymous submissions) |
anonymous | 0 | 1 (true) or 0 (false) |
signature | Adwind | Malware family (if available) |
imphash | f34d5f2d4577ed6d9ceec516c1f5a744 | imphash (only available for PE executables) |
tlsh | 11B2194E3FA98856C4BC177486B5965003B0918704... | Trend Micro Locality Sensitive Hash (tlsh) |
telfhash | 1E634BC4B643D9F2ED0602B52477EF338E76F5B... | Trend Micro ELF Hash (telfhash) |
gimphash | 3870859e16c5541b4a6d2b3ce6e8b... | imphash equivalent for Go binaries (gimphash) |
ssdeep | 1536:sGZWpdxayQAcj7gwluW14Z2II0ocL8ppVy8U... | ssdeep |
magika | pebin | AI power file type identification (Magika) |
dhash_icon | f8dcbeffbffecee8 | In case the file is a PE executable: dhash of the samples icon |
trid | n/a | TrID file identifier (TrID) |
tags | Adwind, jar, qua | list of tags |
code_sign | subject_cn | Subject Common Name (CN) |
issuer_cn | Issuer Common Name (CN) | |
algorithm | Algorithm used | |
valid_from | Datetime valid from | |
valid_to | Datetime valid to (expire date) | |
serial_number | Serial number | |
cscb_listed | Code Signing Certificate Blocklist (CSCB) status (True or False ) | |
cscb_reason | Code Signing Certificate Blocklist (CSCB) listing reason | |
intelligence | clamav | List of ClamAV detections (offical and unofficial rules) |
downloads | number (int) of downloads from MalwareBazaar | |
uploads | number (int) of uploads to MalwareBazaar | |
mail | Mail intelligence using spamtrap data |
Here's a sample wget request on how to query the API for a yara_rule
:
wget --header "Auth-Key: YOUR-AUTH-KEY-HERE" --post-data "query=get_yarainfo&yara_rule=win_remcos_g0&limit=50" https://mb-api.abuse.ch/api/v1/
Query Code Signing Certificates (by Issuer CN)
You can get a list of malware samples (max 100) that are using code sign certificate issued by a certain Certificate Authority (Issuer CN)
by query the API as follow (using HTTP POST form data):
Key | Example | Comment |
---|---|---|
query | get_issuerinfo | |
issuer_cn | Sectigo RSA Code Signing CA | Exact Issuer Common Name (CN) of the certificate authority that issued the certificate |
Possible response values are:
Key | Value | Comment |
---|---|---|
query_status | http_post_expected | The API expected a HTTP POST request |
illegal_issuer_cn | The value you provided is not a valid issuer_cn | |
no_issuer_cn | You did not provide a issuer_cn | |
no_results | Your query yield no results | |
sha256_hash | e167b20f1acf48f7ce0ae33a218e2c1b30... | SHA256 hash of the malware sample |
sha3_384_hash | 19142fcef2eb63b4a000506d81218... | SHA3-384 hash of the malware sample |
sha1_hash | eb0e81598d8526d88cac4695a3e9360cc8fbb331 | SHA1 hash of the malware sample |
md5_hash | 7338b335ad5471cb67658f27836374f0 | MD5 hash of the malware sample |
first_seen | 2020-02-28 05:57:01 | TS when the file has been first seen by MalwareBazaar (UTC) |
last_seen | 2020-03-01 08:11:45 | TS when the file has been last seen by MalwareBazaar (UTC) |
file_name | Jamil Marzouka Co.pdf.jar | Malware sample's file name |
file_size | 62118 | File size in bytes |
file_type_mime | application/x-dosexec | MIME file type |
file_type | jar | File type |
reporter | viql | Twitter handle of the report (or anonymous for anonymous submissions) |
anonymous | 0 | 1 (true) or 0 (false) |
signature | Adwind | Malware family (if available) |
imphash | f34d5f2d4577ed6d9ceec516c1f5a744 | imphash (only available for PE executables) |
tlsh | 11B2194E3FA98856C4BC177486B5965003B0918704... | Trend Micro Locality Sensitive Hash (tlsh) |
telfhash | 1E634BC4B643D9F2ED0602B52477EF338E76F5B... | Trend Micro ELF Hash (telfhash) |
gimphash | 3870859e16c5541b4a6d2b3ce6e8b... | imphash equivalent for Go binaries (gimphash) |
ssdeep | 1536:sGZWpdxayQAcj7gwluW14Z2II0ocL8ppVy8U... | ssdeep |
magika | pebin | AI power file type identification (Magika) |
trid | n/a | TrID file identifier (TrID) |
dhash_icon | f8dcbeffbffecee8 | In case the file is a PE executable: dhash of the samples icon |
tags | Adwind, jar, qua | list of tags |
code_sign | subject_cn | Subject Common Name (CN) |
issuer_cn | Issuer Common Name (CN) | |
algorithm | Algorithm used | |
valid_from | Datetime valid from | |
valid_to | Datetime valid to (expire date) | |
serial_number | Serial number | |
cscb_listed | Code Signing Certificate Blocklist (CSCB) status (True or False ) | |
cscb_reason | Code Signing Certificate Blocklist (CSCB) listing reason |
Here's a sample wget request on how to query the API for a issuer_cn
:
wget --header "Auth-Key: YOUR-AUTH-KEY-HERE" --post-data "query=get_issuerinfo&issuer_cn=Sectigo RSA Code Signing CA" https://mb-api.abuse.ch/api/v1/
Query Code Signing Certificates (by Subject CN)
You can get a list of malware samples (max 100) that are signed with a code sign certificate that matches a certain Subject Common Name (CN)
by query the API as follow (using HTTP POST form data):
Key | Example | Comment |
---|---|---|
query | get_subjectinfo | |
subject_cn | Ekitai Data Inc. | Exact Subject Common Name (CN) of the code signing certificate |
Possible response values are:
Key | Value | Comment |
---|---|---|
query_status | http_post_expected | The API expected a HTTP POST request |
no_results | Your query yield no results | |
sha256_hash | e167b20f1acf48f7ce0ae33a218e2c1b30... | SHA256 hash of the malware sample |
sha3_384_hash | 19142fcef2eb63b4a000506d81218... | SHA3-384 hash of the malware sample |
sha1_hash | eb0e81598d8526d88cac4695a3e9360cc8fbb331 | SHA1 hash of the malware sample |
md5_hash | 7338b335ad5471cb67658f27836374f0 | MD5 hash of the malware sample |
first_seen | 2020-02-28 05:57:01 | TS when the file has been first seen by MalwareBazaar (UTC) |
last_seen | 2020-03-01 08:11:45 | TS when the file has been last seen by MalwareBazaar (UTC) |
file_name | Jamil Marzouka Co.pdf.jar | Malware sample's file name |
file_size | 62118 | File size in bytes |
file_type_mime | application/x-dosexec | MIME file type |
file_type | jar | File type |
reporter | viql | Twitter handle of the report (or anonymous for anonymous submissions) |
anonymous | 0 | 1 (true) or 0 (false) |
signature | Adwind | Malware family (if available) |
imphash | f34d5f2d4577ed6d9ceec516c1f5a744 | imphash (only available for PE executables) |
tlsh | 11B2194E3FA98856C4BC177486B5965003B0918704... | Trend Micro Locality Sensitive Hash (tlsh) |
telfhash | 1E634BC4B643D9F2ED0602B52477EF338E76F5B... | Trend Micro ELF Hash (telfhash) |
gimphash | 3870859e16c5541b4a6d2b3ce6e8b... | imphash equivalent for Go binaries (gimphash) |
ssdeep | 1536:sGZWpdxayQAcj7gwluW14Z2II0ocL8ppVy8U... | ssdeep |
magika | pebin | AI power file type identification (Magika) |
dhash_icon | f8dcbeffbffecee8 | In case the file is a PE executable: dhash of the samples icon |
trid | n/a | TrID file identifier (TrID) |
tags | Adwind, jar, qua | list of tags |
code_sign | subject_cn | Subject Common Name (CN) |
issuer_cn | Issuer Common Name (CN) | |
algorithm | Algorithm used | |
valid_from | Datetime valid from | |
valid_to | Datetime valid to (expire date) | |
serial_number | Serial number | |
cscb_listed | Code Signing Certificate Blocklist (CSCB) status (True or False ) | |
cscb_reason | Code Signing Certificate Blocklist (CSCB) listing reason |
Here's a sample wget request on how to query the API for a issuer_cn
:
wget --header "Auth-Key: YOUR-AUTH-KEY-HERE" --post-data "query=get_subjectinfo&subject_cn=Ekitai Data Inc." https://mb-api.abuse.ch/api/v1/
Query Code Signing Certificates (by Serial Number)
You can get a list of malware samples (max 100) that are signed with a code sign certificate identified by a specific Serial Number
by query the API as follow (using HTTP POST form data):
Key | Example | Comment |
---|---|---|
query | get_certificate | |
subject_cn | 51CD5393514F7ACE2B407C3DBFB09D8D | Serial number of the code signing certificate |
Possible response values are:
Key | Value | Comment |
---|---|---|
query_status | http_post_expected | The API expected a HTTP POST request |
no_results | Your query yield no results | |
sha256_hash | e167b20f1acf48f7ce0ae33a218e2c1b30... | SHA256 hash of the malware sample |
sha3_384_hash | 19142fcef2eb63b4a000506d81218... | SHA3-384 hash of the malware sample |
sha1_hash | eb0e81598d8526d88cac4695a3e9360cc8fbb331 | SHA1 hash of the malware sample |
md5_hash | 7338b335ad5471cb67658f27836374f0 | MD5 hash of the malware sample |
first_seen | 2020-02-28 05:57:01 | TS when the file has been first seen by MalwareBazaar (UTC) |
last_seen | 2020-03-01 08:11:45 | TS when the file has been last seen by MalwareBazaar (UTC) |
file_name | Jamil Marzouka Co.pdf.jar | Malware sample's file name |
file_size | 62118 | File size in bytes |
file_type_mime | application/x-dosexec | MIME file type |
file_type | jar | File type |
reporter | viql | Twitter handle of the report (or anonymous for anonymous submissions) |
anonymous | 0 | 1 (true) or 0 (false) |
signature | Adwind | Malware family (if available) |
imphash | f34d5f2d4577ed6d9ceec516c1f5a744 | imphash (only available for PE executables) |
tlsh | 11B2194E3FA98856C4BC177486B5965003B0918704... | Trend Micro Locality Sensitive Hash (tlsh) |
telfhash | 1E634BC4B643D9F2ED0602B52477EF338E76F5B... | Trend Micro ELF Hash (telfhash) |
gimphash | 3870859e16c5541b4a6d2b3ce6e8b... | imphash equivalent for Go binaries (gimphash) |
ssdeep | 1536:sGZWpdxayQAcj7gwluW14Z2II0ocL8ppVy8U... | ssdeep |
magika | pebin | AI power file type identification (Magika) |
dhash_icon | f8dcbeffbffecee8 | In case the file is a PE executable: dhash of the samples icon |
trid | n/a | TrID file identifier (TrID) |
tags | Adwind, jar, qua | list of tags |
code_sign | subject_cn | Subject Common Name (CN) |
issuer_cn | Issuer Common Name (CN) | |
algorithm | Algorithm used | |
valid_from | Datetime valid from | |
valid_to | Datetime valid to (expire date) | |
serial_number | Serial number | |
cscb_listed | Code Signing Certificate Blocklist (CSCB) status (True or False ) | |
cscb_reason | Code Signing Certificate Blocklist (CSCB) listing reason |
Here's a sample wget request on how to query the API for a issuer_cn
:
wget --header "Auth-Key: YOUR-AUTH-KEY-HERE" --post-data "query=get_certificate&serial_number=51CD5393514F7ACE2B407C3DBFB09D8D" https://mb-api.abuse.ch/api/v1/
Update an entry
You can update an existing entry by sending a HTTP POST
request to https://mb-api.abuse.ch/api/v1/
as documented below (using HTTP POST form data). Please note that you can only update entries that you have created by your own.
Key | Example | Comment |
---|---|---|
sha256_hash | 094fd325049b8a9cf6d3e5ef2a6d4cc6a567d7d49c35f8bb8dd9e3c6acf3d78d | SHA256 hash of the malware sample you want to update |
key | The information you want to add. Possible values: | |
add_tag | Add a tag | |
remove_tag | Remove a tag | |
urlhaus | Link to URLhaus entry | |
any_run | Link to ANY.RUN report | |
joe_sandbox | Link to JoeSandbox report | |
malpedia | Link to Malepdia entry | |
twitter | Link to Tweet | |
links | Link to website | |
dropped_by_md5 | Malware (MD5 hash) that dropped this sample | |
dropped_by_sha256 | Malware (SHA256 hash) that dropped this sample | |
dropped_by_malware | Malware family name that dropped this sample | |
dropping_md5 | Malware (MD5 hash) that got dropped by this sample | |
dropping_sha256 | Malware (SHA256 hash) that got dropped by this sample | |
dropping_malware | Malware family name that got dropped by this sample | |
comment | Your comment on the malware sample | |
value | https://twitter.com/abuse_ch/status/1230163243093630980 | Value you want to add |
Possible response values are:
Key | Value | Comment |
---|---|---|
query_status | http_post_expected | The API expected a HTTP POST request |
no_api_key | You did not provide an API key. You can obtain one here | |
user_blacklisted | Your API key is blacklisted. Please contact us through the Spamhaus Technology contact form: https://www.spamhaus.com/#contact-form | |
hash_not_found | The file (hash) you wanted to update is unknown to MalwareBazaar | |
illegal_hash | The hash you provided is not a valid SHA256 hash | |
permission_denied | The database entry you have tried to update is not owned by your account | |
unknown_key | The key (add parameter) you wanted to update is not known | |
exists | The key -> value already exists | |
updated | Entry has been updated |
Here's a sample python3 script that submits malware sample to MalwareBazaar:
#!/usr/bin/env python3 import requests import json headers = { 'Auth-Key': 'YOUR-AUTH-KEY' } data = { 'query': 'update', 'sha256_hash': 'd9b05da007d51cf86d4a6448d17183ab69a195436fe17b497185149676d0e77b', 'key': 'links', 'value': 'https://www.abuse.ch' } response = requests.post('https://mb-api.abuse.ch/api/v1/', data=data, timeout=15, headers=headers) print(response.content.decode("utf-8", "ignore"))
Add a comment
You can comment a malware sample by sending a HTTP POST
request to https://mb-api.abuse.ch/api/v1/
as documented below (using HTTP POST form data).
Key | Example | Comment |
---|---|---|
query | add_comment | |
sha256_hash | 094fd325049b8a9cf6d3e5ef2a6d4cc6a567d7d49c35f8bb8dd9e3c6acf3d78d | SHA256 hash of the malware sample you want comment |
comment | Swiss chocolate is the best chocolate | Your comment on the sample |
Possible response values are:
Key | Value | Comment |
---|---|---|
query_status | http_post_expected | The API expected a HTTP POST request |
no_api_key | You did not provide an API key. You can obtain one here | |
user_blacklisted | Your API key is blacklisted. Please contact us through the Spamhaus Technology contact form: https://www.spamhaus.com/#contact-form | |
hash_not_found | The file (hash) you wanted to comment is unknown to MalwareBazaar | |
illegal_hash | The hash you provided is not a valid SHA256 hash | |
success | The comment has been saved successfully |
Here's a sample python3 script for commenting a malware sample:
#!/usr/bin/env python3 import requests import json headers = { 'Auth-Key': 'YOUR-AUTH-KEY' } data = { 'query': 'add_comment', 'sha256_hash': 'd9b05da007d51cf86d4a6448d17183ab69a195436fe17b497185149676d0e77b', 'comment': 'Swiss chocolate is the best chocolate' } response = requests.post('https://mb-api.abuse.ch/api/v1/', data=data, timeout=15, headers=headers) print(response.content.decode("utf-8", "ignore"))
Query latest malware samples (recent additions)
I you can retrieve a list of malware samples added to MalwareBazaar within the last 60 minutes as documented below (using HTTP POST form data):
Key | Example | Comment |
---|---|---|
query | get_recent | |
selector | time | Get additions made within the past 60 minutes |
Alternatively, you can query the API for the most recent 100 additions as documented below:
Key | Example | Comment |
---|---|---|
query | get_recent | |
selector | 100 | Get the latest 100 additions |
Possible response values are:
Key | Value | Comment |
---|---|---|
query_status | ok | All good! |
no_selector | No selector provided. Please use either time or limit as selector | |
unknown_selector | Unknown selector provided. Please use either time or limit as selector | |
no_results | Your query yield no results | |
sha256_hash | e167b20f1acf48f7ce0ae33a218e2c1b300b41c012ededf03e7a3522a4ebe95e | SHA256 hash of the malware sample |
sha3_384_hash | 19142fcef2eb63b4a000506d81218... | SHA3-384 hash of the malware sample |
sha1_hash | eb0e81598d8526d88cac4695a3e9360cc8fbb331 | SHA1 hash of the malware sample |
md5_hash | 7338b335ad5471cb67658f27836374f0 | MD5 hash of the malware sample |
first_seen | 2020-02-28 05:57:01 | TS when the file has been first seen by MalwareBazaar (UTC) |
last_seen | 2020-03-01 08:11:45 | TS when the file has been last seen by MalwareBazaar (UTC) |
file_name | Jamil Marzouka Co.pdf.jar | Malware sample's file name |
file_size | 62118 | File size in bytes |
file_type | jar | File type |
reporter | viql | Twitter handle of the report (or anonymous for anonymous submissions) |
anonymous | 0 | 1 (true) or 0 (false) |
signature | Adwind | Malware family (if available) |
imphash | f34d5f2d4577ed6d9ceec516c1f5a744 | imphash (only available for PE executables) |
tlsh | 11B2194E3FA98856C4BC177486B5965003B09187... | Trend Micro Locality Sensitive Hash (tlsh) |
telfhash | 1E634BC4B643D9F2ED0602B52477EF338E76F5B... | Trend Micro ELF Hash (telfhash) |
gimphash | 3870859e16c5541b4a6d2b3ce6e8b... | imphash equivalent for Go binaries (gimphash) |
ssdeep | 1536:sGZWpdxayQAcj7gwluW14Z2II0ocL8ppVy8U+M76JMaDZVB0pI6lxYGinsPF9WPz | ssdeep |
magika | pebin | AI power file type identification (Magika) |
trid | n/a | TrID file identifier (TrID) |
dhash_icon | f8dcbeffbffecee8 | In case the file is a PE executable: dhash of the samples icon |
tags | Adwind, jar, qua | list of tags |
code_sign | subject_cn | Subject Common Name (CN) |
issuer_cn | Issuer Common Name (CN) | |
algorithm | Algorithm used | |
valid_from | Datetime valid from | |
valid_to | Datetime valid to (expire date) | |
serial_number | Serial number | |
intelligence | clamav | List of ClamAV detections (offical and unofficial rules) |
downloads | number (int) of downloads from MalwareBazaar | |
uploads | number (int) of uploads to MalwareBazaar | |
mail | Mail intelligence using spamtrap data |
Here's a sample wget request on how to fetch a list of recent malware samples for the past 60 minutes:
wget --header "Auth-Key: YOUR-AUTH-KEY-HERE" --post-data "query=get_recent&selector=time" https://mb-api.abuse.ch/api/v1/
A response from the API looks like this:
{ "query_status": "ok", "data": [ { "sha256_hash": "e167b20f1acf48f7ce0ae33a218e2c1b300b41c012ededf03e7a3522a4ebe95e", "sha1_hash": "eb0e81598d8526d88cac4695a3e9360cc8fbb331", "md5_hash": "7338b335ad5471cb67658f27836374f0", "first_seen": "2020-03-01 05:57:01", "last_seen": null, "file_name": "file", "file_size": 145408, "file_type_mime": "application\/x-dosexec", "file_type": "exe", "reporter": "viql", "anonymous": 0, "signature": "RevengeRAT", "imphash": "f34d5f2d4577ed6d9ceec516c1f5a744", "tlsh": "11B2194E3FA98856C4BC177486B5965003B091870423EE2FCDC550CBAFB3AD92D88AF9", "ssdeep": "1536:sGZWpdxayQAcj7gwluW14Z2II0ocL8ppVy8U+M76JMaDZVB0pI6lxYGinsPF9WPz:7dPIocwpPMGP9SBlxp+st9gTp5", "magika": "pebin", "tags": [ "revengerat" ], "intelligence": { "clamav": "Win.Trojan.Generic-6332612-0", "downloads": "0", "uploads": "1", "mail": null } }, { "sha256_hash": "7c032beb567b18670073727a6b1fba146e2daf128c5abd51279c7ad0b7d3c482", "sha1_hash": "9189b6d2493ef46e9bc100c8703e2562982a98fc", "md5_hash": "c7a583745df676615eb1b7cab158d397", "first_seen": "2020-02-18 10:43:15", "last_seen": null, "file_name": "Jamil Marzouka Co.pdf.jar", "file_size": 62118, "file_type_mime": "application\/zip", "file_type": "jar", "reporter": "abuse_ch", "anonymous": 0, "signature": "Adwind", "imphash": null, "tlsh": "11B2194E3FA98856C4BC177486B5965003B091870423EE2FCDC550CBAFB3AD92D88AF9", "ssdeep": "1536:3M+ZXQ4\/0d0JUxYpugXo9dboZ89cn+xzl0rHfFcMjrYaOK+UyBstRgFq:3M+Np0dKUGLo9doZMXxp43uszgFq", "magika": "jar", "tags": [ "Adwind", "jar", "qua" ], "intelligence": { "clamav": null, "downloads": "0", "uploads": "1", "mail": { "IT": "low", "Generic": "low" } } } ] }
Query Code Signing Certificate Blocklist (CSCB)
You can dump the content of the MalwareBazaar Code Signing Certificate Blocklist (CSCB) as documented below (using HTTP POST form data):
Key | Example | Comment |
---|---|---|
query | get_cscb |
Possible response values are:
Key | Value | Comment |
---|---|---|
query_status | ok | All good! |
time_stamp | 2020-11-02 08:33:54 | Timestamp (UTC) when the code signing certificate has been added to the blocklist |
serial_number | 6CFA5050C819C4ACBB8FA75979688DFF | Serial number of the code signing certificate |
thumbprint | E7241394097402BF9E32C87CADA4BA5E0D1E.... | Thumbprint of the code signing certificate |
thumbprint_algorithm | SHA256 | Thumbprint algorithm |
subject_cn | Elite Web Development Ltd. | Certificate subject (CN) |
issuer_cn | Sectigo RSA Code Signing CA | Certificate issuer (CN) |
valid_from | Jul 2 00:00:00 2020 GMT | Certificate issued date |
valid_to | Jul 2 23:59:59 2021 GMT | Certificate expiration date |
cscb_listed | True | Code Signing Certificate Blocklist (CSCB) status (True or False ) |
cscb_reason | CobaltStrike | Code Signing Certificate Blocklist (CSCB) listing reason |
Here's a sample wget request on how to fetch a list the CSCB:
wget --header "Auth-Key: YOUR-AUTH-KEY-HERE" --post-data "query=get_cscb" https://mb-api.abuse.ch/api/v1/
A response from the API looks like this:
{ "time_stamp": "2020-11-02 08:33:54", "serial_number": "6CFA5050C819C4ACBB8FA75979688DFF", "thumbprint": "E7241394097402BF9E32C87CADA4BA5E0D1E9923F028683713C2F339F6F59FA9", "thumbprint_algorithm": "SHA256", "subject_cn": "Elite Web Development Ltd.", "issuer_cn": "Sectigo RSA Code Signing CA", "valid_from": "Jul 2 00:00:00 2020 GMT", "valid_to": "Jul 2 23:59:59 2021 GMT", "cscb_listed": true, "cscb_reason": "CobaltStrike" }, { "time_stamp": "2020-11-02 08:33:37", "serial_number": "B8164F7143E1A313003AB0C834562F1F", "thumbprint": "263C636C5DE68F0CD2ADF31B7AEBC18A5E00FC47A5E2124E2A5613B9A0247C1E", "thumbprint_algorithm": "SHA256", "subject_cn": "Ekitai Data Inc.", "issuer_cn": "Sectigo RSA Code Signing CA", "valid_from": "Aug 25 00:00:00 2020 GMT", "valid_to": "Aug 25 23:59:59 2021 GMT", "cscb_listed": true, "cscb_reason": "TA505" }, { "time_stamp": "2020-11-02 08:33:33", "serial_number": "E3C7CC0950152E9CEEAD4304D01F6C89", "thumbprint": "82975E3E21E8FD37BB723DE6FDB6E18DF9D0E55F0067CC77DD571A52025C6724", "thumbprint_algorithm": "SHA256", "subject_cn": "DNS KOMPLEKT", "issuer_cn": "Sectigo RSA Code Signing CA", "valid_from": "Jun 8 00:00:00 2020 GMT", "valid_to": "Jun 8 23:59:59 2021 GMT", "cscb_listed": true, "cscb_reason": "Gozi" }
Download hourly malware batches
MalwareBazaar generates hourly batches of fresh malware samples. The hourly batches are generated every hour. Please consider that it takes a few minutes to generate the batch. The hourly batches are available here:
Download daily malware batches
MalwareBazaar generates daily batches of fresh malware samples. The daily batches are generated once a day at midnight (00:00 UTC). Please consider that it takes a few minutes to generate the batch. The daily batches are available here:
Example python3 scripts
We have wrote a couple of python sample script that show you how to interact with the MalwareBazaar API. These scripts are available on our Github:
@cocaman has created a github repository with a handful example scripts on how to leverage the MalwareBazaar API:
Additional sample scripts how to query the MalwareBazaar API can be found here:
Terms of Services (ToS)
By using the website of MalwareBazaar, or any of the services / datasets referenced above, you agree that:
- All datasets offered by MalwareBazaar can be used for both, commercial and non-commercial purpose without any limitations (CC0)
- Any data offered by MalwareBazaar is served as it is on best effort
- MalwareBazaar can not be held liable for any false positive or damage caused by the use of the website or the datasets offered above
- Any submission to MalwareBazaar will be treated and shared under TLP:CLEAR and under Creative Commons No Rights Reserved (CC0)
- It is forbidden to use MalwareBazaar to distribute malware and/or infect any devices for malicious purpose