MalwareBazaar API

MalwareBazaar offers the following APIs, which let you not only submit (upload) or download malware samples but also run automated bulk queries to obtain intel from MalwareBazaar.

Contents:
- API key
- Submission Policy
- Submit (upload) a malware sample
- Retrieve (download) a malware sample
- Query a malware sample (hash)
- Query tag
- Query signature
- Query filetype
- Query ClamAV signature
- Query imphash
- Query TLSH
- Query telfhash
- Query gimphash
- Query icon dhash
- Query YARA rule
- Query Code Signing Certificates (by Issuer CN)
- Query Code Signing Certificates (by Subject CN)
- Query Code Signing Certificates (by Serial Number)
- Update an entry
- Add a comment
- Query latest malware samples (recent additions)
- Query Code Signing Certificate Blocklist (CSCB)
- Download hourly malware batches
- Download daily malware batches
- Example python3 scripts
- Terms of Services (ToS)

API-Key


In order to submit (upload) a malware sample to MalwareBazaar, an API key is needed. You can obtain one by logging in to MalwareBazaar with your Twitter account. Afterwards you can access your API key in your Account settings.

Submission Policy


Before you start to submit malware samples to MalwareBazaar, please read the following submission policy:

Note: Should you repeatedly violate the submission policy documented above, your account may get banned from contributing to MalwareBazaar.

Upload malware samples


You can upload (submit) malware samples to MalwareBazaar by using the API documented below, sending a multipart form POST request with file (the actual file you want to submit) and json_data (see documentation below) to https://mb-api.abuse.ch/api/v1/.

Key | Required? | Comment | Example
anonymous | No | If set to 1, your submission will be anonymous. Default: 0 | 0
file | Yes | The malware sample you want to upload |
tags | No | List of tags. Allowed characters: [A-Za-z0-9.- ] | exe
references | No | References for this malware sample (object with the following keys) |
    Key | Example
    urlhaus | https://urlhaus.abuse.ch/url/318612/
    any_run | https://app.any.run/tasks/XYZ
    joe_sandbox | https://www.joesecurity.org/reports/XYZ/
    malpedia | https://malpedia.caad.fkie.fraunhofer.de/details/win.gozi
    twitter | https://twitter.com/abuse_ch/status/1224269018506330112
    links | https://domain.tld/blog/interesting-malware.php
context | No | Context for this malware sample (object with the following keys) |
    Key | Example
    dropped_by_md5 | 68b329da9893e34099c7d8ad5cb9c940
    dropped_by_sha256 | 01ba4719c80b6fe911b091a7c...
    dropped_by_malware | Gozi
    dropping_md5 | 5fb882846518a38b42b74348bb3a838b
    dropping_sha256 | ddf42fa0c0c9f5e7c33dfe7cc6743...
    dropping_malware | Loki
    comment | This malware sample is very nasty!
delivery_method | No | Delivery method used to spread this malware sample (one of the following values) |
    Value | Meaning
    email_attachment | Distributed via e-mail attachment
    email_link | Distributed via e-mail link
    web_download | Distributed via web download
    web_drive-by | Distributed via drive-by
    multiple | Multiple delivery methods used
    other | Other delivery methods used

To authenticate your request, you must send the HTTP header API-KEY containing your personal API-Key with every request. You can view your API-Key in your Account settings.
Example HTTP header:

API-KEY: XYZ123

Possible response values are:

Key | Value | Comment
query_status | http_post_expected | The API expected a HTTP POST request
query_status | no_api_key | You did not provide an API key (see API-Key above for how to obtain one)
query_status | user_blacklisted | Your API key is blacklisted. Please contact us through the Spamhaus Technology contact form: https://www.spamhaus.com/#contact-form
query_status | file_already_known | The malware sample you have tried to submit is already known
query_status | inserted | The malware sample has been inserted into MalwareBazaar
query_status | file_expected | You did not send any file

Here's a sample python3 script that submits a malware sample to MalwareBazaar:

#!/usr/bin/env python3
# Submit (upload) a malware sample to MalwareBazaar: a multipart form POST
# carrying the file itself plus a JSON document with the metadata.
import json
import sys

import requests

if len(sys.argv) > 1:
    file = sys.argv[1]
else:
    print("Usage: python3 malware_Bazaar_submit.py <file>")
    sys.exit(1)

# Every request is authenticated with your personal API key in the API-KEY header.
headers = {'API-KEY': 'XYZ123'}
data = {
    'anonymous': 1,
    'delivery_method': 'email_attachment',
    'tags': [
        'exe',
        'test'
    ],
    'references': {
        'any_run': [
            'https://app.any.run/tasks/1',
            'https://app.any.run/tasks/2'
        ],
        'joe_sandbox': [
            'https://www.joesecurity.org/reports/1',
            'https://www.joesecurity.org/reports/2'
        ],
        'malpedia': [
            'https://malpedia.caad.fkie.fraunhofer.de/details/win.gozi'
        ],
        'twitter': [
            'https://twitter.com/abuse_ch/status/1224269018506330112'
        ],
        'links': [
            'https://urlhaus.abuse.ch/url/306613/',
        ]
    },
    'context': {
        'dropped_by_md5': [
            '68b329da9893e34099c7d8ad5cb9c940'
        ],
        'dropped_by_sha256': [
            '01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b',
            '4355a46b19d348dc2f57c046f8ef63d4538ebb936000f3c9ee954a27460dd865'
        ],
        'dropped_by_malware': [
            'Gozi'
        ],
        'comment': 'this malware sample is very nasty!'
    }
}

# json_data is sent as a JSON part, file as the raw sample. Leave TLS
# certificate verification at its default (enabled): the API key travels in
# the request header and must not be exposed to an on-path attacker.
with open(file, 'rb') as fh:
    files = {
        'json_data': (None, json.dumps(data), 'application/json'),
        'file': fh
    }
    response = requests.post('https://mb-api.abuse.ch/api/v1/', files=files, headers=headers, timeout=60)

# query_status in the reply tells you whether the sample was inserted or already known.
print(response.text)

Retrieve (download) a malware sample


You can download (fetch) malware samples from MalwareBazaar by using the API documented below, sending an HTTP POST request to https://mb-api.abuse.ch/api/v1/. Please note that any malware sample you download from MalwareBazaar will be zipped and password protected using the password "infected" (without "").

Please note that there is a daily limit for file downloads on the API; see the documented rate limits.

Key | Example | Comment
query | get_file |
sha256_hash | 094fd325049b8a9cf6d3e5ef2a6d4cc6a567d7d49c35f8bb8dd9e3c6acf3d78d | SHA256 hash of the malware sample you want to download

Possible response values are:

Key | Value | Comment
query_status | http_post_expected | The API expected a HTTP POST request
query_status | illegal_sha256_hash | Illegal SHA256 hash provided
query_status | no_sha256_hash | No SHA256 hash provided
query_status | file_not_found | The file was not found or is unknown to MalwareBazaar

Here's a sample wget request on how to fetch a file:

wget -O 094fd325049b8a9cf6d3e5ef2a6d4cc6a567d7d49c35f8bb8dd9e3c6acf3d78d.zip --post-data "query=get_file&sha256_hash=094fd325049b8a9cf6d3e5ef2a6d4cc6a567d7d49c35f8bb8dd9e3c6acf3d78d" https://mb-api.abuse.ch/api/v1/
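The wget call above leaves the two checks a practitioner wants to the reader: telling an error reply apart from the archive, and confirming that the sample inside the archive really is the hash that was requested. The following script is an added example, not MalwareBazaar's own code. It assumes (beyond what this page states) that error replies are JSON objects carrying query_status while a successful reply is the raw zip archive, that the archive holds exactly one member, and that Python's zipfile can read it with the password "infected"; the test fixture is an unencrypted zip constructed in-memory, so MalwareBazaar's real (AES-encrypted) archives would need the third-party pyzipper module in place of zipfile.

```python
#!/usr/bin/env python3
"""Fetch a sample with query=get_file and verify what came back (added example)."""
import hashlib
import io
import json
import urllib.parse
import urllib.request
import zipfile

API_URL = "https://mb-api.abuse.ch/api/v1/"
ARCHIVE_PASSWORD = b"infected"   # documented password for downloaded archives
ZIP_MAGIC = b"PK\x03\x04"        # local file header that opens a non-empty zip


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_get_file_request(sha256_hash: str) -> urllib.request.Request:
    """Build the POST form for get_file; reject anything that is not a SHA256 hex digest locally."""
    h = sha256_hash.strip().lower()
    if len(h) != 64 or any(c not in "0123456789abcdef" for c in h):
        raise ValueError("sha256_hash must be 64 hex characters")
    body = urllib.parse.urlencode({"query": "get_file", "sha256_hash": h}).encode()
    return urllib.request.Request(API_URL, data=body, method="POST")


def handle_get_file_response(body: bytes, expected_sha256: str) -> bytes:
    """Return the sample bytes, or raise with the API's query_status on an error reply.

    The sample is accepted only if its SHA256 matches the hash we asked for, so a
    wrong, truncated or tampered archive is rejected before the bytes are used.
    """
    if not body.startswith(ZIP_MAGIC):
        # Assumption: anything that is not an archive is a JSON error object.
        status = json.loads(body.decode("utf-8", "replace")).get("query_status")
        raise RuntimeError(f"get_file failed: query_status={status}")
    with zipfile.ZipFile(io.BytesIO(body)) as zf:
        names = zf.namelist()
        if len(names) != 1:
            raise RuntimeError(f"expected one archive member, got {names}")
        sample = zf.read(names[0], pwd=ARCHIVE_PASSWORD)
    digest = sha256_hex(sample)
    if digest != expected_sha256.strip().lower():
        raise RuntimeError(f"hash mismatch: got {digest}")
    return sample


def fetch_sample(sha256_hash: str) -> bytes:
    """Network path (not exercised offline): POST to the API and run the checks above."""
    req = build_get_file_request(sha256_hash)
    with urllib.request.urlopen(req, timeout=60) as resp:
        return handle_get_file_response(resp.read(), sha256_hash)


def make_fixture_archive(sample: bytes, name: str = "sample.bin") -> bytes:
    """Constructed test fixture: an unencrypted zip with one member (not a real API reply)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(name, sample)
    return buf.getvalue()


if __name__ == "__main__":
    import sys
    wanted = sys.argv[1]
    data = fetch_sample(wanted)
    out = wanted.lower() + ".bin"
    with open(out, "wb") as fh:
        fh.write(data)
    print(f"wrote {len(data)} bytes to {out}")
```

Run it as `python3 fetch_sample.py <sha256>`; the sample is written next to the script under its hash, so a mismatching archive never reaches disk under a trusted name.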
        

Query a malware sample (hash)


You can check whether a particular malware sample is known to MalwareBazaar by querying the API for the corresponding hash (using HTTP POST form data):

Key | Example | Comment
query | get_info |
hash | 094fd325049b8a9cf6d3e5ef2a6d4cc6a567d7d49c35f8bb8dd9e3c6acf3d78d | SHA256, MD5 or SHA1 hash of the malware sample you want to query

Possible response values are:

Key | Value | Comment
query_status | http_post_expected | The API expected a HTTP POST request
query_status | hash_not_found | The file (hash) you wanted to query is unknown to MalwareBazaar
query_status | illegal_hash | The hash you provided is not a valid hash (SHA256, MD5 or SHA1)
query_status | no_hash_provided | You did not provide a hash
sha256_hash | e167b20f1acf48f7ce0ae33a218e... | SHA256 hash of the malware sample
sha3_384_hash | 19142fcef2eb63b4a000506d81218... | SHA3-384 hash of the malware sample
sha1_hash | eb0e81598d8526d88cac4695a3e9360cc8fbb331 | SHA1 hash of the malware sample
md5_hash | 7338b335ad5471cb67658f27836374f0 | MD5 hash of the malware sample
first_seen | 2020-02-28 05:57:01 | Timestamp when the file was first seen by MalwareBazaar (UTC)
last_seen | 2020-03-01 08:11:45 | Timestamp when the file was last seen by MalwareBazaar (UTC)
file_name | Jamil Marzouka Co.pdf.jar | Malware sample's file name
file_size | 62118 | File size in bytes
file_type_mime | application/x-dosexec | MIME file type
file_type | jar | File type
reporter | viql | Twitter handle of the reporter (or anonymous for anonymous submissions)
origin_country | US | Two-letter country code of the country the sample was uploaded from
anonymous | 0 | 1 (true) or 0 (false)
signature | Adwind | Malware family (if available)
imphash | f34d5f2d4577ed6d9ceec516c1f5a744 | imphash (only available for PE executables)
tlsh | 11B2194E3FA98856C4BC177486B... | Trend Micro Locality Sensitive Hash (TLSH)
telfhash | 1E634BC4B643D9F2ED0602B52477EF338E76F5B... | Trend Micro ELF Hash (telfhash)
gimphash | 3870859e16c5541b4a6d2b3ce6e8b... | imphash equivalent for Go binaries (gimphash)
ssdeep | 1536:sGZWpdxayQAcj7gwluW14Z2II0oc... | ssdeep fuzzy hash
dhash_icon | f8dcbeffbffecee8 | In case the file is a PE executable: dhash of the sample's icon
tags | Adwind, jar, qua | List of tags
archive_pw | 1515 | In case the file is a password protected archive: the password to decrypt the archive
code_sign | | Code signing certificate, with the following fields:
    subject_cn | Subject Common Name (CN)
    issuer_cn | Issuer Common Name (CN)
    algorithm | Algorithm used
    valid_from | Datetime valid from
    valid_to | Datetime valid to (expiry date)
    serial_number | Serial number
    cscb_listed | Code Signing Certificate Blocklist (CSCB) status (True or False)
    cscb_reason | Code Signing Certificate Blocklist (CSCB) listing reason
delivery_method | email_attachment | Delivery method used to spread this sample, one of:
    email_attachment | Distributed via e-mail attachment
    email_link | Distributed via e-mail link
    web_download | Distributed via web download
    web_drive-by | Distributed via drive-by
    multiple | Multiple delivery methods used
    other | Other delivery methods used
file_information | various | Contextual information about the file sample
yara_rules | | YARA rules that matched, each with the following fields:
    rule_name | Name of the YARA rule that triggered
    author | Author of the YARA rule
    description | Description of the YARA rule
    reference | Reference of the YARA rule
ole_information | | Office document analysis results, with the following fields:
    oleid | Results from oleid
    olevba | Results from olevba
vendor_intel | | Third-party intelligence, keyed by vendor:
    ANY.RUN | Dynamic malware analysis from ANY.RUN
    CAPE | Dynamic malware analysis from CAPE Sandbox
    CERT-PL_MWDB | Threat intel from CERT.PL Malware Database
    vxCube | Dynamic malware analysis from Dr.Web vxCube
    DocGuard | Office document reputation from DocGuard
    FileScan-IO | Malware analysis service from FileScan.IO
    InQuest Labs | File reputation service from InQuest Labs
    Intezer | Code analysis from Intezer
    ReversingLabs | File reputation & intelligence from ReversingLabs TitaniumCloud
    Spamhaus_HBL | File reputation from Spamhaus Hash Blocklist (HBL)
    Triage | Dynamic malware analysis from Hatching Triage
    UnpacMe | Malware unpacking service from UnpacMe
    VMRay | Dynamic malware analysis from VMRay
    YOROI_YOMI | Dynamic malware analysis from YOROI YOMI
comments | | Comments on this sample, each with the following fields:
    id | Unique id that identifies this comment
    date_added | Timestamp (UTC) when this comment was made
    twitter_handle | Twitter handle of the user who wrote this comment
    display_name | Twitter display name
    comment | The comment itself

Here's a sample wget request on how to query the API for a hash:

wget --post-data "query=get_info&hash=7de2c1bf58bce09eecc70476747d88a26163c3d6bb1d85235c24a558d1f16754" https://mb-api.abuse.ch/api/v1/
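The response table above is long; what an analyst usually needs from it is the identity of the sample, its family, whether it was signed with a blocklisted certificate, which YARA rules hit and which vendors have a verdict. The script below is an added example, not MalwareBazaar's own code: it validates the hash locally (so a malformed value never costs a request that would only come back as illegal_hash) and reduces a get_info reply to those fields. It assumes, beyond what this page shows, that a successful reply carries "query_status": "ok" with the matching records in a "data" list, and it tolerates code_sign being either one object or a list of them. The reply embedded at the bottom is constructed for illustration and is not real API output.

```python
#!/usr/bin/env python3
"""Validate a hash and reduce a get_info reply to the fields an analyst acts on (added example)."""
import json
import re

# Statuses documented for get_info that mean no record came back.
GET_INFO_ERRORS = {"http_post_expected", "hash_not_found", "illegal_hash", "no_hash_provided"}
DIGEST_KINDS = {32: "md5", 40: "sha1", 64: "sha256"}


def hash_kind(value: str) -> str:
    """Classify a hex digest as md5, sha1 or sha256 by its length; reject anything else."""
    v = value.strip().lower()
    if not re.fullmatch(r"[0-9a-f]+", v):
        raise ValueError("hash must be hexadecimal")
    if len(v) not in DIGEST_KINDS:
        raise ValueError(f"unexpected digest length {len(v)}")
    return DIGEST_KINDS[len(v)]


def _truthy(x) -> bool:
    # cscb_listed is documented as True/False; accept the string forms too.
    return x is True or str(x).lower() == "true"


def summarize_sample(rec: dict) -> dict:
    """Keep identity, family, signing status, YARA hits and vendor coverage of one record."""
    cs = rec.get("code_sign") or []
    certs = cs if isinstance(cs, list) else [cs]          # assumption: object or list
    blocklisted = [c.get("subject_cn") for c in certs if _truthy(c.get("cscb_listed"))]
    return {
        "sha256_hash": rec.get("sha256_hash"),
        "signature": rec.get("signature"),
        "file_type": rec.get("file_type"),
        "delivery_method": rec.get("delivery_method"),
        "tags": list(rec.get("tags") or []),
        "signed": bool(certs),
        "cscb_listed_subjects": blocklisted,
        "yara_rules": [r.get("rule_name") for r in (rec.get("yara_rules") or [])],
        "vendors": sorted((rec.get("vendor_intel") or {}).keys()),
        "archive_pw": rec.get("archive_pw"),
    }


def parse_get_info(body: str) -> list:
    """Unwrap a get_info reply; raise with the documented query_status on a miss."""
    reply = json.loads(body)
    status = reply.get("query_status")
    if status in GET_INFO_ERRORS:
        raise LookupError(f"get_info: {status}")
    if status != "ok":                          # assumption: "ok" marks success
        raise RuntimeError(f"get_info: unexpected query_status {status!r}")
    return [summarize_sample(r) for r in reply.get("data", [])]


# Constructed reply shaped like the field list above; not real API output.
SAMPLE_REPLY = json.dumps({
    "query_status": "ok",
    "data": [{
        "sha256_hash": "ab" * 32,
        "signature": "Adwind",
        "file_type": "jar",
        "delivery_method": "email_attachment",
        "tags": ["Adwind", "jar", "qua"],
        "code_sign": [{"subject_cn": "Example Signer Ltd", "issuer_cn": "Example CA",
                       "cscb_listed": True, "cscb_reason": "constructed example"}],
        "yara_rules": [{"rule_name": "example_rule", "author": "example"}],
        "vendor_intel": {"ANY.RUN": {}, "Triage": {}},
        "archive_pw": None,
    }],
})

if __name__ == "__main__":
    for s in parse_get_info(SAMPLE_REPLY):
        print(json.dumps(s, indent=2))
```

Pair it with the wget request above (or any HTTP client): feed the reply body to parse_get_info, and branch on cscb_listed_subjects and yara_rules rather than on the raw JSON.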
        

Query tag


You can get a list of malware samples (max 1'000) associated with a specific tag by querying the API as follows (using HTTP POST form data):

Key | Example | Comment
query | get_taginfo |
tag | TrickBot | Tag you want to get malware samples for
limit | 50 | Optional: max number of results you want to display (default: 100, max: 1'000)

Possible response values are:

Key | Value | Comment
query_status | http_post_expected | The API expected a HTTP POST request
query_status | tag_not_found | The tag you wanted to query is unknown to MalwareBazaar
query_status | illegal_tag | No valid tag provided
query_status | no_tag_provided | You did not provide a tag
query_status | no_results | Your query yielded no results
sha256_hash | e167b20f1acf48f7ce0ae33a218e... | SHA256 hash of the malware sample
sha3_384_hash | 19142fcef2eb63b4a000506d81218... | SHA3-384 hash of the malware sample
sha1_hash | eb0e81598d8526d88cac4695a3e9360cc8fbb331 | SHA1 hash of the malware sample
md5_hash | 7338b335ad5471cb67658f27836374f0 | MD5 hash of the malware sample
first_seen | 2020-02-28 05:57:01 | Timestamp when the file was first seen by MalwareBazaar (UTC)
last_seen | 2020-03-01 08:11:45 | Timestamp when the file was last seen by MalwareBazaar (UTC)
file_name | Jamil Marzouka Co.pdf.jar | Malware sample's file name
file_size | 62118 | File size in bytes
file_type_mime | application/x-dosexec | MIME file type
file_type | jar | File type
reporter | viql | Twitter handle of the reporter (or anonymous for anonymous submissions)
anonymous | 0 | 1 (true) or 0 (false)
signature | Adwind | Malware family (if available)
imphash | f34d5f2d4577ed6d9ceec516c1f5a744 | imphash (only available for PE executables)
tlsh | 11B2194E3FA98856C4BC177486B5965003B091870... | Trend Micro Locality Sensitive Hash (TLSH)
telfhash | 1E634BC4B643D9F2ED0602B52477EF338E76F5B... | Trend Micro ELF Hash (telfhash)
gimphash | 3870859e16c5541b4a6d2b3ce6e8b... | imphash equivalent for Go binaries (gimphash)
ssdeep | 1536:sGZWpdxayQAcj7gwluW14Z2II0oc... | ssdeep fuzzy hash
dhash_icon | f8dcbeffbffecee8 | In case the file is a PE executable: dhash of the sample's icon
tags | Adwind, jar, qua | List of tags
code_sign | | Code signing certificate, with the following fields:
    subject_cn | Subject Common Name (CN)
    issuer_cn | Issuer Common Name (CN)
    algorithm | Algorithm used
    valid_from | Datetime valid from
    valid_to | Datetime valid to (expiry date)
    serial_number | Serial number
    cscb_listed | Code Signing Certificate Blocklist (CSCB) status (True or False)
    cscb_reason | Code Signing Certificate Blocklist (CSCB) listing reason
intelligence | | Intelligence gathered by MalwareBazaar, with the following fields:
    clamav | List of ClamAV detections (official and unofficial rules)
    downloads | Number (int) of downloads from MalwareBazaar
    uploads | Number (int) of uploads to MalwareBazaar
    mail | Mail intelligence using spamtrap data

Here's a sample wget request on how to query the API for a tag:

wget --post-data "query=get_taginfo&tag=TrickBot&limit=50" https://mb-api.abuse.ch/api/v1/
        

Query signature


You can get a list of recent malware samples (max 1'000) associated with a specific signature by querying the API as follows (using HTTP POST form data):

Key | Example | Comment
query | get_siginfo |
signature | TrickBot | Signature (malware family) you want to get malware samples for
limit | 50 | Optional: max number of results you want to display (default: 100, max: 1'000)

Possible response values are:

Key | Value | Comment
query_status | http_post_expected | The API expected a HTTP POST request
query_status | signature_not_found | The signature you wanted to query is unknown to MalwareBazaar
query_status | illegal_signature | The text you provided is not a valid signature
query_status | no_signature_provided | You did not provide a signature
query_status | no_results | Your query yielded no results
sha256_hash | e167b20f1acf48f7ce0ae33a218e2c1b3... | SHA256 hash of the malware sample
sha3_384_hash | 19142fcef2eb63b4a000506d81218... | SHA3-384 hash of the malware sample
sha1_hash | eb0e81598d8526d88cac4695a3e9360cc8fbb331 | SHA1 hash of the malware sample
md5_hash | 7338b335ad5471cb67658f27836374f0 | MD5 hash of the malware sample
first_seen | 2020-02-28 05:57:01 | Timestamp when the file was first seen by MalwareBazaar (UTC)
last_seen | 2020-03-01 08:11:45 | Timestamp when the file was last seen by MalwareBazaar (UTC)
file_name | Jamil Marzouka Co.pdf.jar | Malware sample's file name
file_size | 62118 | File size in bytes
file_type_mime | application/x-dosexec | MIME file type
file_type | jar | File type
reporter | viql | Twitter handle of the reporter (or anonymous for anonymous submissions)
anonymous | 0 | 1 (true) or 0 (false)
signature | Adwind | Malware family (if available)
imphash | f34d5f2d4577ed6d9ceec516c1f5a744 | imphash (only available for PE executables)
tlsh | 11B2194E3FA98856C4BC177486B5965003B0918... | Trend Micro Locality Sensitive Hash (TLSH)
telfhash | 1E634BC4B643D9F2ED0602B52477EF338E76F5B... | Trend Micro ELF Hash (telfhash)
gimphash | 3870859e16c5541b4a6d2b3ce6e8b... | imphash equivalent for Go binaries (gimphash)
ssdeep | 1536:sGZWpdxayQAcj7gwluW14Z2II0ocL8ppVy8U... | ssdeep fuzzy hash
dhash_icon | f8dcbeffbffecee8 | In case the file is a PE executable: dhash of the sample's icon
tags | Adwind, jar, qua | List of tags
code_sign | | Code signing certificate, with the following fields:
    subject_cn | Subject Common Name (CN)
    issuer_cn | Issuer Common Name (CN)
    algorithm | Algorithm used
    valid_from | Datetime valid from
    valid_to | Datetime valid to (expiry date)
    serial_number | Serial number
    cscb_listed | Code Signing Certificate Blocklist (CSCB) status (True or False)
    cscb_reason | Code Signing Certificate Blocklist (CSCB) listing reason
intelligence | | Intelligence gathered by MalwareBazaar, with the following fields:
    clamav | List of ClamAV detections (official and unofficial rules)
    downloads | Number (int) of downloads from MalwareBazaar
    uploads | Number (int) of uploads to MalwareBazaar
    mail | Mail intelligence using spamtrap data

Here's a sample wget request on how to query the API for a signature:

wget --post-data "query=get_siginfo&signature=TrickBot&limit=50" https://mb-api.abuse.ch/api/v1/
        

Query filetype


You can get a list of recent malware samples (max 1'000) having a specific file type by querying the API as follows (using HTTP POST form data):

Key | Example | Comment
query | get_file_type |
file_type | elf | File type you want to get malware samples for
limit | 50 | Optional: max number of results you want to display (default: 100, max: 1'000)

Possible response values are:

Key | Value | Comment
query_status | http_post_expected | The API expected a HTTP POST request
query_status | illegal_file_type | The text you provided is not a valid file_type
query_status | no_file_type | You did not provide a file_type
query_status | no_results | Your query yielded no results
sha256_hash | e167b20f1acf48f7ce0ae33a218e2c1b3... | SHA256 hash of the malware sample
sha3_384_hash | 19142fcef2eb63b4a000506d81218... | SHA3-384 hash of the malware sample
sha1_hash | eb0e81598d8526d88cac4695a3e9360cc8fbb331 | SHA1 hash of the malware sample
md5_hash | 7338b335ad5471cb67658f27836374f0 | MD5 hash of the malware sample
first_seen | 2020-02-28 05:57:01 | Timestamp when the file was first seen by MalwareBazaar (UTC)
last_seen | 2020-03-01 08:11:45 | Timestamp when the file was last seen by MalwareBazaar (UTC)
file_name | Jamil Marzouka Co.pdf.jar | Malware sample's file name
file_size | 62118 | File size in bytes
file_type_mime | application/x-dosexec | MIME file type
file_type | jar | File type
reporter | viql | Twitter handle of the reporter (or anonymous for anonymous submissions)
anonymous | 0 | 1 (true) or 0 (false)
signature | Adwind | Malware family (if available)
imphash | f34d5f2d4577ed6d9ceec516c1f5a744 | imphash (only available for PE executables)
tlsh | 11B2194E3FA98856C4BC177486B5965003B0918... | Trend Micro Locality Sensitive Hash (TLSH)
telfhash | 1E634BC4B643D9F2ED0602B52477EF338E76F5B... | Trend Micro ELF Hash (telfhash)
gimphash | 3870859e16c5541b4a6d2b3ce6e8b... | imphash equivalent for Go binaries (gimphash)
ssdeep | 1536:sGZWpdxayQAcj7gwluW14Z2II0ocL8ppVy8U... | ssdeep fuzzy hash
dhash_icon | f8dcbeffbffecee8 | In case the file is a PE executable: dhash of the sample's icon
tags | Adwind, jar, qua | List of tags
code_sign | | Code signing certificate, with the following fields:
    subject_cn | Subject Common Name (CN)
    issuer_cn | Issuer Common Name (CN)
    algorithm | Algorithm used
    valid_from | Datetime valid from
    valid_to | Datetime valid to (expiry date)
    serial_number | Serial number
    cscb_listed | Code Signing Certificate Blocklist (CSCB) status (True or False)
    cscb_reason | Code Signing Certificate Blocklist (CSCB) listing reason
intelligence | | Intelligence gathered by MalwareBazaar, with the following fields:
    clamav | List of ClamAV detections (official and unofficial rules)
    downloads | Number (int) of downloads from MalwareBazaar
    uploads | Number (int) of uploads to MalwareBazaar
    mail | Mail intelligence using spamtrap data

Here's a sample wget request on how to query the API for a file_type:

wget --post-data "query=get_file_type&file_type=elf&limit=10" https://mb-api.abuse.ch/api/v1/
        

Query ClamAV signature


You can get a list of recent malware samples (max 1'000) associated with a specific ClamAV signature by querying the API as follows (using HTTP POST form data):

Key | Example | Comment
query | get_clamavinfo |
clamav | Doc.Downloader.Emotet-7580152-0 | ClamAV signature you want to get malware samples for
limit | 50 | Optional: max number of results you want to display (default: 100, max: 1'000)

Possible response values are:

Key | Value | Comment
query_status | http_post_expected | The API expected a HTTP POST request
query_status | clamav_not_found | The ClamAV signature you wanted to query is unknown to MalwareBazaar
query_status | illegal_clamav | The text you provided is not a valid ClamAV signature
query_status | no_clamav_provided | You did not provide a ClamAV signature
query_status | no_results | Your query yielded no results
sha256_hash | e167b20f1acf48f7ce0ae33a218e2c1b300b41... | SHA256 hash of the malware sample
sha3_384_hash | 19142fcef2eb63b4a000506d81218... | SHA3-384 hash of the malware sample
sha1_hash | eb0e81598d8526d88cac4695a3e9360cc8fbb331 | SHA1 hash of the malware sample
md5_hash | 7338b335ad5471cb67658f27836374f0 | MD5 hash of the malware sample
first_seen | 2020-02-28 05:57:01 | Timestamp when the file was first seen by MalwareBazaar (UTC)
last_seen | 2020-03-01 08:11:45 | Timestamp when the file was last seen by MalwareBazaar (UTC)
file_name | Jamil Marzouka Co.pdf.jar | Malware sample's file name
file_size | 62118 | File size in bytes
file_type_mime | application/x-dosexec | MIME file type
file_type | jar | File type
reporter | viql | Twitter handle of the reporter (or anonymous for anonymous submissions)
anonymous | 0 | 1 (true) or 0 (false)
signature | Adwind | Malware family (if available)
imphash | f34d5f2d4577ed6d9ceec516c1f5a744 | imphash (only available for PE executables)
tlsh | 11B2194E3FA98856C4BC177486B5965003B09187... | Trend Micro Locality Sensitive Hash (TLSH)
telfhash | 1E634BC4B643D9F2ED0602B52477EF338E76F5B... | Trend Micro ELF Hash (telfhash)
gimphash | 3870859e16c5541b4a6d2b3ce6e8b... | imphash equivalent for Go binaries (gimphash)
ssdeep | 1536:sGZWpdxayQAcj7gwluW14Z2II0ocL8ppVy8U+M76JMaDZ... | ssdeep fuzzy hash
dhash_icon | f8dcbeffbffecee8 | In case the file is a PE executable: dhash of the sample's icon
tags | Adwind, jar, qua | List of tags
code_sign | | Code signing certificate, with the following fields:
    subject_cn | Subject Common Name (CN)
    issuer_cn | Issuer Common Name (CN)
    algorithm | Algorithm used
    valid_from | Datetime valid from
    valid_to | Datetime valid to (expiry date)
    serial_number | Serial number
    cscb_listed | Code Signing Certificate Blocklist (CSCB) status (True or False)
    cscb_reason | Code Signing Certificate Blocklist (CSCB) listing reason
intelligence | | Intelligence gathered by MalwareBazaar, with the following fields:
    clamav | List of ClamAV detections (official and unofficial rules)
    downloads | Number (int) of downloads from MalwareBazaar
    uploads | Number (int) of uploads to MalwareBazaar
    mail | Mail intelligence using spamtrap data

Here's a sample wget request on how to query the API for a clamav signature:

wget --post-data "query=get_clamavinfo&clamav=Doc.Downloader.Emotet-7580152-0&limit=50" https://mb-api.abuse.ch/api/v1/
        

Query imphash


You can get a list of malware samples (max 1'000) associated with a specific imphash by querying the API as follows (using HTTP POST form data):

Key | Example | Comment
query | get_imphash |
imphash | 45d579faec0eaf279c0841b2233727cf | imphash you want to get malware samples for
limit | 50 | Optional: max number of results you want to display (default: 100, max: 1'000)

Possible response values are:

Key | Value | Comment
query_status | http_post_expected | The API expected a HTTP POST request
query_status | illegal_imphash | The text you provided is not a valid imphash
query_status | no_imphash | You did not provide an imphash
query_status | no_results | Your query yielded no results
sha256_hash | e167b20f1acf48f7ce0ae33a218e2c1b300b41... | SHA256 hash of the malware sample
sha3_384_hash | 19142fcef2eb63b4a000506d81218... | SHA3-384 hash of the malware sample
sha1_hash | eb0e81598d8526d88cac4695a3e9360cc8fbb331 | SHA1 hash of the malware sample
md5_hash | 7338b335ad5471cb67658f27836374f0 | MD5 hash of the malware sample
first_seen | 2020-02-28 05:57:01 | Timestamp when the file was first seen by MalwareBazaar (UTC)
last_seen | 2020-03-01 08:11:45 | Timestamp when the file was last seen by MalwareBazaar (UTC)
file_name | Jamil Marzouka Co.pdf.jar | Malware sample's file name
file_size | 62118 | File size in bytes
file_type_mime | application/x-dosexec | MIME file type
file_type | jar | File type
reporter | viql | Twitter handle of the reporter (or anonymous for anonymous submissions)
anonymous | 0 | 1 (true) or 0 (false)
signature | Adwind | Malware family (if available)
imphash | f34d5f2d4577ed6d9ceec516c1f5a744 | imphash (only available for PE executables)
tlsh | 11B2194E3FA98856C4BC177486B5965003B09187... | Trend Micro Locality Sensitive Hash (TLSH)
telfhash | 1E634BC4B643D9F2ED0602B52477EF338E76F5B... | Trend Micro ELF Hash (telfhash)
gimphash | 3870859e16c5541b4a6d2b3ce6e8b... | imphash equivalent for Go binaries (gimphash)
ssdeep | 1536:sGZWpdxayQAcj7gwluW14Z2II0ocL8ppVy8U+M76JMaDZ... | ssdeep fuzzy hash
dhash_icon | f8dcbeffbffecee8 | In case the file is a PE executable: dhash of the sample's icon
tags | Adwind, jar, qua | List of tags
intelligence | | Intelligence gathered by MalwareBazaar, with the following fields:
    clamav | List of ClamAV detections (official and unofficial rules)
    downloads | Number (int) of downloads from MalwareBazaar
    uploads | Number (int) of uploads to MalwareBazaar
    mail | Mail intelligence using spamtrap data

Here's a sample wget request on how to query the API for an imphash:

wget --post-data "query=get_imphash&imphash=45d579faec0eaf279c0841b2233727cf&limit=50" https://mb-api.abuse.ch/api/v1/
        

Query TLSH


You can get a list of malware samples (max 1'000) associated with a specific TLSH hash by querying the API as follows (using HTTP POST form data):

Key | Example | Comment
query | get_tlsh |
tlsh | 4FB44AC6A19643BBEE8766FF358AC55D... | TLSH hash you want to get malware samples for
limit | 50 | Optional: max number of results you want to display (default: 100, max: 1'000)

Possible response values are:

Key | Value | Comment
query_status | http_post_expected | The API expected a HTTP POST request
query_status | illegal_tlsh | The text you provided is not a valid TLSH hash
query_status | no_tlsh | You did not provide a TLSH hash
query_status | no_results | Your query yielded no results
sha256_hash | e167b20f1acf48f7ce0ae33a218e2c1b300b41... | SHA256 hash of the malware sample
sha3_384_hash | 19142fcef2eb63b4a000506d81218... | SHA3-384 hash of the malware sample
sha1_hash | eb0e81598d8526d88cac4695a3e9360cc8fbb331 | SHA1 hash of the malware sample
md5_hash | 7338b335ad5471cb67658f27836374f0 | MD5 hash of the malware sample
first_seen | 2020-02-28 05:57:01 | Timestamp when the file was first seen by MalwareBazaar (UTC)
last_seen | 2020-03-01 08:11:45 | Timestamp when the file was last seen by MalwareBazaar (UTC)
file_name | Jamil Marzouka Co.pdf.jar | Malware sample's file name
file_size | 62118 | File size in bytes
file_type_mime | application/x-dosexec | MIME file type
file_type | jar | File type
reporter | viql | Twitter handle of the reporter (or anonymous for anonymous submissions)
anonymous | 0 | 1 (true) or 0 (false)
signature | Adwind | Malware family (if available)
imphash | f34d5f2d4577ed6d9ceec516c1f5a744 | imphash (only available for PE executables)
tlsh | 11B2194E3FA98856C4BC177486B5965003B09187... | Trend Micro Locality Sensitive Hash (TLSH)
telfhash | 1E634BC4B643D9F2ED0602B52477EF338E76F5B... | Trend Micro ELF Hash (telfhash)
gimphash | 3870859e16c5541b4a6d2b3ce6e8b... | imphash equivalent for Go binaries (gimphash)
ssdeep | 1536:sGZWpdxayQAcj7gwluW14Z2II0ocL8ppVy8U+M76JMaDZ... | ssdeep fuzzy hash
dhash_icon | f8dcbeffbffecee8 | In case the file is a PE executable: dhash of the sample's icon
tags | Adwind, jar, qua | List of tags
intelligence | | Intelligence gathered by MalwareBazaar, with the following fields:
    clamav | List of ClamAV detections (official and unofficial rules)
    downloads | Number (int) of downloads from MalwareBazaar
    uploads | Number (int) of uploads to MalwareBazaar
    mail | Mail intelligence using spamtrap data

Here's a sample wget request on how to query the API for a TLSH hash:

wget --post-data "query=get_tlsh&tlsh=4FB44AC6A19643BBEE8766FF358AC55DBC13D91C1B4DB4FBC789AA020A31B05ED12350&limit=50" https://mb-api.abuse.ch/api/v1/
        

Query telfhash


You can get a list of malware samples (max 1'000) associated with a specific telfhash by querying the API as follows (using HTTP POST form data):

Key | Example | Comment
query | get_telfhash |
telfhash | 1E634BC4B643D9F2ED0602B52477EF33... | telfhash you want to get malware samples for
limit | 50 | Optional: max number of results you want to display (default: 100, max: 1'000)

Possible response values are:

Key | Value | Comment
query_status | http_post_expected | The API expected a HTTP POST request
query_status | illegal_telfhash | The text you provided is not a valid telfhash
query_status | no_telfhash | You did not provide a telfhash
query_status | no_results | Your query yielded no results
sha256_hash | e167b20f1acf48f7ce0ae33a218e2c1b300b41... | SHA256 hash of the malware sample
sha3_384_hash | 19142fcef2eb63b4a000506d81218... | SHA3-384 hash of the malware sample
sha1_hash | eb0e81598d8526d88cac4695a3e9360cc8fbb331 | SHA1 hash of the malware sample
md5_hash | 7338b335ad5471cb67658f27836374f0 | MD5 hash of the malware sample
first_seen | 2020-02-28 05:57:01 | Timestamp when the file was first seen by MalwareBazaar (UTC)
last_seen | 2020-03-01 08:11:45 | Timestamp when the file was last seen by MalwareBazaar (UTC)
file_name | Jamil Marzouka Co.pdf.jar | Malware sample's file name
file_size | 62118 | File size in bytes
file_type_mime | application/x-dosexec | MIME file type
file_type | jar | File type
reporter | viql | Twitter handle of the reporter (or anonymous for anonymous submissions)
anonymous | 0 | 1 (true) or 0 (false)
signature | Adwind | Malware family (if available)
imphash | f34d5f2d4577ed6d9ceec516c1f5a744 | imphash (only available for PE executables)
tlsh | 11B2194E3FA98856C4BC177486B5965003B09187... | Trend Micro Locality Sensitive Hash (TLSH)
telfhash | 1E634BC4B643D9F2ED0602B52477EF338E76F5B... | Trend Micro ELF Hash (telfhash)
gimphash | 3870859e16c5541b4a6d2b3ce6e8b... | imphash equivalent for Go binaries (gimphash)
ssdeep | 1536:sGZWpdxayQAcj7gwluW14Z2II0ocL8ppVy8U+M76JMaDZ... | ssdeep fuzzy hash
dhash_icon | f8dcbeffbffecee8 | In case the file is a PE executable: dhash of the sample's icon
tags | Adwind, jar, qua | List of tags
intelligence | | Intelligence gathered by MalwareBazaar, with the following fields:
    clamav | List of ClamAV detections (official and unofficial rules)
    downloads | Number (int) of downloads from MalwareBazaar
    uploads | Number (int) of uploads to MalwareBazaar
    mail | Mail intelligence using spamtrap data

Here's a sample wget request on how to query the API for a telfhash:

wget --post-data "query=get_telfhash&telfhash=ea2106f51e7e58d9b7e4a400c29b5f623d5df13b299037a00463e93033abe466069c7a&limit=50" https://mb-api.abuse.ch/api/v1/
        

Query gimphash


You can get a list of malware samples (max 1'000) associated with a specific gimphash by querying the API as follows (using HTTP POST form data):

Key | Example | Comment
query | get_gimphash |
gimphash | 3870859e16c5541b4a6d2b3ce.... | gimphash you want to get malware samples for
limit | 50 | Optional: max number of results you want to display (default: 100, max: 1'000)

Possible response values are:

Key | Value | Comment
query_status | http_post_expected | The API expected a HTTP POST request
query_status | illegal_gimphash | The hash you provided is not a valid gimphash
query_status | no_gimphash | You did not provide a gimphash
query_status | no_results | Your query yielded no results
sha256_hash | e167b20f1acf48f7ce0ae33a218e2c1b300b41... | SHA256 hash of the malware sample
sha3_384_hash | 19142fcef2eb63b4a000506d81218... | SHA3-384 hash of the malware sample
sha1_hash | eb0e81598d8526d88cac4695a3e9360cc8fbb331 | SHA1 hash of the malware sample
md5_hash | 7338b335ad5471cb67658f27836374f0 | MD5 hash of the malware sample
first_seen | 2020-02-28 05:57:01 | Timestamp when the file was first seen by MalwareBazaar (UTC)
last_seen | 2020-03-01 08:11:45 | Timestamp when the file was last seen by MalwareBazaar (UTC)
file_name | Jamil Marzouka Co.pdf.jar | Malware sample's file name
file_size | 62118 | File size in bytes
file_type_mime | application/x-dosexec | MIME file type
file_type | jar | File type
reporter | viql | Twitter handle of the reporter (or anonymous for anonymous submissions)
anonymous | 0 | 1 (true) or 0 (false)
signature | Adwind | Malware family (if available)
imphash | f34d5f2d4577ed6d9ceec516c1f5a744 | imphash (only available for PE executables)
tlsh | 11B2194E3FA98856C4BC177486B5965003B09187... | Trend Micro Locality Sensitive Hash (TLSH)
telfhash | 1E634BC4B643D9F2ED0602B52477EF338E76F5B... | Trend Micro ELF Hash (telfhash)
gimphash | 3870859e16c5541b4a6d2b3ce6e8b... | imphash equivalent for Go binaries (gimphash)
ssdeep | 1536:sGZWpdxayQAcj7gwluW14Z2II0ocL8ppVy8U+M76JMaDZ... | ssdeep fuzzy hash
dhash_icon | f8dcbeffbffecee8 | In case the file is a PE executable: dhash of the sample's icon
tags | Adwind, jar, qua | List of tags
intelligence | | Intelligence gathered by MalwareBazaar, with the following fields:
    clamav | List of ClamAV detections (official and unofficial rules)
    downloads | Number (int) of downloads from MalwareBazaar
    uploads | Number (int) of uploads to MalwareBazaar
    mail | Mail intelligence using spamtrap data

Here's a sample wget request on how to query the API for a gimphash:

wget --post-data "query=get_gimphash&gimphash=50f5783c2188897815d9b34a77aa4df70ac96a71542ddc79b94fef8ce7ba2120&limit=50" https://mb-api.abuse.ch/api/v1/
        

Query icon dhash


You can get a list of malware samples (PE executables only, max 1'000) that have a specific icon, identified by the icon's dhash. To do so, query the API as follows (using HTTP POST form data):

Key | Example | Comment
query | get_dhash_icon |
dhash_icon | 48b9b2b0e8c18c90 | The icon's dhash you want to get malware samples for
limit | 50 | Optional: max number of results you want to display (default: 100, max: 1'000)

Possible response values are:

Key | Value | Comment
query_status | http_post_expected | The API expected a HTTP POST request
query_status | illegal_dhash_icon | The text you provided is not a valid icon dhash
query_status | no_imphash | You did not provide an icon dhash
query_status | no_results | Your query yielded no results
sha256_hash | e167b20f1acf48f7ce0ae33a218e2c1b300b41... | SHA256 hash of the malware sample
sha3_384_hash | 19142fcef2eb63b4a000506d81218... | SHA3-384 hash of the malware sample
sha1_hash | eb0e81598d8526d88cac4695a3e9360cc8fbb331 | SHA1 hash of the malware sample
md5_hash | 7338b335ad5471cb67658f27836374f0 | MD5 hash of the malware sample
first_seen | 2020-02-28 05:57:01 | Timestamp when the file was first seen by MalwareBazaar (UTC)
last_seen | 2020-03-01 08:11:45 | Timestamp when the file was last seen by MalwareBazaar (UTC)
file_name | Jamil Marzouka Co.pdf.jar | Malware sample's file name
file_size | 62118 | File size in bytes
file_type_mime | application/x-dosexec | MIME file type
file_type | jar | File type
reporter | viql | Twitter handle of the reporter (or anonymous for anonymous submissions)
anonymous | 0 | 1 (true) or 0 (false)
signature | Adwind | Malware family (if available)
imphash | f34d5f2d4577ed6d9ceec516c1f5a744 | imphash (only available for PE executables)
tlsh | 11B2194E3FA98856C4BC177486B5965003B09187... | Trend Micro Locality Sensitive Hash (TLSH)
telfhash | 1E634BC4B643D9F2ED0602B52477EF338E76F5B... | Trend Micro ELF Hash (telfhash)
gimphash | 3870859e16c5541b4a6d2b3ce6e8b... | imphash equivalent for Go binaries (gimphash)
ssdeep | 1536:sGZWpdxayQAcj7gwluW14Z2II0ocL8ppVy8U+M76JMaDZ... | ssdeep fuzzy hash
dhash_icon | f8dcbeffbffecee8 | In case the file is a PE executable: dhash of the sample's icon
tags | Adwind, jar, qua | List of tags
intelligence | | Intelligence gathered by MalwareBazaar, with the following fields:
    clamav | List of ClamAV detections (official and unofficial rules)
    downloads | Number (int) of downloads from MalwareBazaar
    uploads | Number (int) of uploads to MalwareBazaar
    mail | Mail intelligence using spamtrap data

Here's a sample wget request on how to query the API for an icon dhash:

wget -O - --post-data "query=get_dhash_icon&dhash_icon=48b9b2b0e8c18c90&limit=5" https://mb-api.abuse.ch/api/v1/

You can calculate the dhash of an icon from a PE32 executable by using the following script:
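The script referenced above is not reproduced on this page. As an added illustration (not MalwareBazaar's script), the following dependency-free Python shows how a difference hash of the kind stored in dhash_icon is derived from an icon's grayscale pixels, and how two hashes are compared by Hamming distance to find visually similar icons; the 9x8 downscale, the "right pixel brighter than left" bit rule and MSB-first packing follow the common imagehash convention and are assumed here, and reading the icon resource out of the PE is not shown.

```python
# Added illustration, not the MalwareBazaar dhash script referenced above: a
# dependency-free difference hash ("dhash") over an icon's grayscale pixels, plus a
# Hamming-distance comparison. Assumed conventions (imagehash-style): downscale to
# 9x8, emit 1 where the right pixel is brighter than its left neighbour, pack rows
# MSB-first into 16 hex chars. Reading the icon resource out of a PE is not shown.
from typing import List, Sequence

HASH_SIZE = 8  # 8 rows x 8 comparisons = 64 bits = 16 hex characters


def downscale_gray(pixels: Sequence[Sequence[int]], width: int, height: int) -> List[List[float]]:
    """Box-average a grayscale bitmap (rows of 0..255 ints) down to width x height."""
    src_h, src_w = len(pixels), len(pixels[0])
    out: List[List[float]] = []
    for y in range(height):
        y0 = y * src_h // height
        y1 = max((y + 1) * src_h // height, y0 + 1)  # never an empty block
        row: List[float] = []
        for x in range(width):
            x0 = x * src_w // width
            x1 = max((x + 1) * src_w // width, x0 + 1)
            block = [pixels[yy][xx] for yy in range(y0, y1) for xx in range(x0, x1)]
            row.append(sum(block) / len(block))
        out.append(row)
    return out


def dhash_hex(pixels: Sequence[Sequence[int]], hash_size: int = HASH_SIZE) -> str:
    """Difference hash: compare horizontally adjacent pixels of the 9x8 thumbnail
    and pack the 64 resulting bits, row by row, MSB first, into hex."""
    small = downscale_gray(pixels, hash_size + 1, hash_size)
    bits = 0
    for row in small:
        for x in range(hash_size):
            bits = (bits << 1) | (1 if row[x + 1] > row[x] else 0)
    return "{:0{width}x}".format(bits, width=hash_size * hash_size // 4)


def hamming_distance(hex_a: str, hex_b: str) -> int:
    """Number of differing bits between two dhash values; a small distance means
    visually similar icons, which is how you pivot beyond exact dhash_icon matches."""
    return bin(int(hex_a, 16) ^ int(hex_b, 16)).count("1")


# Constructed 18x16 grayscale "icons" (no real PE is read here): one split into a
# dark left half and a bright right half, one uniformly gray.
ICON_W, ICON_H = 18, 16
SPLIT_ICON = [[20 if x < 9 else 220 for x in range(ICON_W)] for _ in range(ICON_H)]
FLAT_ICON = [[128] * ICON_W for _ in range(ICON_H)]

if __name__ == "__main__":
    a, b = dhash_hex(SPLIT_ICON), dhash_hex(FLAT_ICON)
    print(a, b, hamming_distance(a, b))  # 1818181818181818 0000000000000000 16
```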

Query YARA rule


You can get a list of malware samples (max 1'000) associated with a specific YARA rule by querying the API as follows (using HTTP POST form data):

Key | Example | Comment
query | get_yarainfo |
yara_rule | win_remcos_g0 | Name of the YARA rule (rule_name) you want to get malware samples for
limit | 50 | Optional: max number of results you want to display (default: 100, max: 1'000)

Possible response values are:

Key | Value | Comment
query_status | http_post_expected | The API expected an HTTP POST request
query_status | yara_not_found | The yara_rule you wanted to query is unknown to MalwareBazaar
query_status | illegal_yara_rule | The text you provided is not a valid yara_rule
query_status | no_yara_rule_provided | You did not provide a yara_rule
query_status | no_results | Your query yielded no results
sha256_hash | e167b20f1acf48f7ce0ae33a218e2c1b30... | SHA256 hash of the malware sample
sha3_384_hash | 19142fcef2eb63b4a000506d81218... | SHA3-384 hash of the malware sample
sha1_hash | eb0e81598d8526d88cac4695a3e9360cc8fbb331 | SHA1 hash of the malware sample
md5_hash | 7338b335ad5471cb67658f27836374f0 | MD5 hash of the malware sample
first_seen | 2020-02-28 05:57:01 | Timestamp when the file was first seen by MalwareBazaar (UTC)
last_seen | 2020-03-01 08:11:45 | Timestamp when the file was last seen by MalwareBazaar (UTC)
file_name | Jamil Marzouka Co.pdf.jar | Malware sample's file name
file_size | 62118 | File size in bytes
file_type_mime | application/x-dosexec | MIME file type
file_type | jar | File type
reporter | viql | Twitter handle of the reporter (or anonymous for anonymous submissions)
anonymous | 0 | 1 (true) or 0 (false)
signature | Adwind | Malware family (if available)
imphash | f34d5f2d4577ed6d9ceec516c1f5a744 | imphash (only available for PE executables)
tlsh | 11B2194E3FA98856C4BC177486B5965003B0918704... | Trend Micro Locality Sensitive Hash (tlsh)
telfhash | 1E634BC4B643D9F2ED0602B52477EF338E76F5B... | Trend Micro ELF Hash (telfhash)
gimphash | 3870859e16c5541b4a6d2b3ce6e8b... | imphash equivalent for Go binaries (gimphash)
ssdeep | 1536:sGZWpdxayQAcj7gwluW14Z2II0ocL8ppVy8U... | ssdeep
dhash_icon | f8dcbeffbffecee8 | If the file is a PE executable: dhash of the sample's icon
tags | Adwind, jar, qua | List of tags
code_sign | subject_cn | Subject Common Name (CN)
code_sign | issuer_cn | Issuer Common Name (CN)
code_sign | algorithm | Algorithm used
code_sign | valid_from | Datetime valid from
code_sign | valid_to | Datetime valid to (expiry date)
code_sign | serial_number | Serial number
code_sign | cscb_listed | Code Signing Certificate Blocklist (CSCB) status (True or False)
code_sign | cscb_reason | Code Signing Certificate Blocklist (CSCB) listing reason
intelligence | clamav | List of ClamAV detections (official and unofficial rules)
intelligence | downloads | Number (int) of downloads from MalwareBazaar
intelligence | uploads | Number (int) of uploads to MalwareBazaar
intelligence | mail | Mail intelligence using spamtrap data

Here's a sample wget request on how to query the API for a yara_rule:

wget --post-data "query=get_yarainfo&yara_rule=win_remcos_g0&limit=50" https://mb-api.abuse.ch/api/v1/

Query Code Signing Certificates (by Issuer CN)


You can get a list of malware samples (max 100) that use a code signing certificate issued by a certain Certificate Authority (Issuer CN) by querying the API as follows (using HTTP POST form data):

Key | Example | Comment
query | get_issuerinfo |
issuer_cn | Sectigo RSA Code Signing CA | Exact Issuer Common Name (CN) of the certificate authority that issued the certificate

Possible response values are:

Key | Value | Comment
query_status | http_post_expected | The API expected an HTTP POST request
query_status | illegal_issuer_cn | The value you provided is not a valid issuer_cn
query_status | no_issuer_cn | You did not provide an issuer_cn
query_status | no_results | Your query yielded no results
sha256_hash | e167b20f1acf48f7ce0ae33a218e2c1b30... | SHA256 hash of the malware sample
sha3_384_hash | 19142fcef2eb63b4a000506d81218... | SHA3-384 hash of the malware sample
sha1_hash | eb0e81598d8526d88cac4695a3e9360cc8fbb331 | SHA1 hash of the malware sample
md5_hash | 7338b335ad5471cb67658f27836374f0 | MD5 hash of the malware sample
first_seen | 2020-02-28 05:57:01 | Timestamp when the file was first seen by MalwareBazaar (UTC)
last_seen | 2020-03-01 08:11:45 | Timestamp when the file was last seen by MalwareBazaar (UTC)
file_name | Jamil Marzouka Co.pdf.jar | Malware sample's file name
file_size | 62118 | File size in bytes
file_type_mime | application/x-dosexec | MIME file type
file_type | jar | File type
reporter | viql | Twitter handle of the reporter (or anonymous for anonymous submissions)
anonymous | 0 | 1 (true) or 0 (false)
signature | Adwind | Malware family (if available)
imphash | f34d5f2d4577ed6d9ceec516c1f5a744 | imphash (only available for PE executables)
tlsh | 11B2194E3FA98856C4BC177486B5965003B0918704... | Trend Micro Locality Sensitive Hash (tlsh)
telfhash | 1E634BC4B643D9F2ED0602B52477EF338E76F5B... | Trend Micro ELF Hash (telfhash)
gimphash | 3870859e16c5541b4a6d2b3ce6e8b... | imphash equivalent for Go binaries (gimphash)
ssdeep | 1536:sGZWpdxayQAcj7gwluW14Z2II0ocL8ppVy8U... | ssdeep
dhash_icon | f8dcbeffbffecee8 | If the file is a PE executable: dhash of the sample's icon
tags | Adwind, jar, qua | List of tags
code_sign | subject_cn | Subject Common Name (CN)
code_sign | issuer_cn | Issuer Common Name (CN)
code_sign | algorithm | Algorithm used
code_sign | valid_from | Datetime valid from
code_sign | valid_to | Datetime valid to (expiry date)
code_sign | serial_number | Serial number
code_sign | cscb_listed | Code Signing Certificate Blocklist (CSCB) status (True or False)
code_sign | cscb_reason | Code Signing Certificate Blocklist (CSCB) listing reason

Here's a sample wget request on how to query the API for an issuer_cn:

wget --post-data "query=get_issuerinfo&issuer_cn=Sectigo RSA Code Signing CA" https://mb-api.abuse.ch/api/v1/

Query Code Signing Certificates (by Subject CN)


You can get a list of malware samples (max 100) that are signed with a code signing certificate matching a certain Subject Common Name (CN) by querying the API as follows (using HTTP POST form data):

Key | Example | Comment
query | get_subjectinfo |
subject_cn | Ekitai Data Inc. | Exact Subject Common Name (CN) of the code signing certificate

Possible response values are:

Key | Value | Comment
query_status | http_post_expected | The API expected an HTTP POST request
query_status | no_results | Your query yielded no results
sha256_hash | e167b20f1acf48f7ce0ae33a218e2c1b30... | SHA256 hash of the malware sample
sha3_384_hash | 19142fcef2eb63b4a000506d81218... | SHA3-384 hash of the malware sample
sha1_hash | eb0e81598d8526d88cac4695a3e9360cc8fbb331 | SHA1 hash of the malware sample
md5_hash | 7338b335ad5471cb67658f27836374f0 | MD5 hash of the malware sample
first_seen | 2020-02-28 05:57:01 | Timestamp when the file was first seen by MalwareBazaar (UTC)
last_seen | 2020-03-01 08:11:45 | Timestamp when the file was last seen by MalwareBazaar (UTC)
file_name | Jamil Marzouka Co.pdf.jar | Malware sample's file name
file_size | 62118 | File size in bytes
file_type_mime | application/x-dosexec | MIME file type
file_type | jar | File type
reporter | viql | Twitter handle of the reporter (or anonymous for anonymous submissions)
anonymous | 0 | 1 (true) or 0 (false)
signature | Adwind | Malware family (if available)
imphash | f34d5f2d4577ed6d9ceec516c1f5a744 | imphash (only available for PE executables)
tlsh | 11B2194E3FA98856C4BC177486B5965003B0918704... | Trend Micro Locality Sensitive Hash (tlsh)
telfhash | 1E634BC4B643D9F2ED0602B52477EF338E76F5B... | Trend Micro ELF Hash (telfhash)
gimphash | 3870859e16c5541b4a6d2b3ce6e8b... | imphash equivalent for Go binaries (gimphash)
ssdeep | 1536:sGZWpdxayQAcj7gwluW14Z2II0ocL8ppVy8U... | ssdeep
dhash_icon | f8dcbeffbffecee8 | If the file is a PE executable: dhash of the sample's icon
tags | Adwind, jar, qua | List of tags
code_sign | subject_cn | Subject Common Name (CN)
code_sign | issuer_cn | Issuer Common Name (CN)
code_sign | algorithm | Algorithm used
code_sign | valid_from | Datetime valid from
code_sign | valid_to | Datetime valid to (expiry date)
code_sign | serial_number | Serial number
code_sign | cscb_listed | Code Signing Certificate Blocklist (CSCB) status (True or False)
code_sign | cscb_reason | Code Signing Certificate Blocklist (CSCB) listing reason

Here's a sample wget request on how to query the API for a subject_cn:

wget --post-data "query=get_subjectinfo&subject_cn=Ekitai Data Inc." https://mb-api.abuse.ch/api/v1/

Query Code Signing Certificates (by Serial Number)


You can get a list of malware samples (max 100) that are signed with a code signing certificate identified by a specific Serial Number by querying the API as follows (using HTTP POST form data):

Key | Example | Comment
query | get_certificate |
serial_number | 51CD5393514F7ACE2B407C3DBFB09D8D | Serial number of the code signing certificate

Possible response values are:

Key | Value | Comment
query_status | http_post_expected | The API expected an HTTP POST request
query_status | no_results | Your query yielded no results
sha256_hash | e167b20f1acf48f7ce0ae33a218e2c1b30... | SHA256 hash of the malware sample
sha3_384_hash | 19142fcef2eb63b4a000506d81218... | SHA3-384 hash of the malware sample
sha1_hash | eb0e81598d8526d88cac4695a3e9360cc8fbb331 | SHA1 hash of the malware sample
md5_hash | 7338b335ad5471cb67658f27836374f0 | MD5 hash of the malware sample
first_seen | 2020-02-28 05:57:01 | Timestamp when the file was first seen by MalwareBazaar (UTC)
last_seen | 2020-03-01 08:11:45 | Timestamp when the file was last seen by MalwareBazaar (UTC)
file_name | Jamil Marzouka Co.pdf.jar | Malware sample's file name
file_size | 62118 | File size in bytes
file_type_mime | application/x-dosexec | MIME file type
file_type | jar | File type
reporter | viql | Twitter handle of the reporter (or anonymous for anonymous submissions)
anonymous | 0 | 1 (true) or 0 (false)
signature | Adwind | Malware family (if available)
imphash | f34d5f2d4577ed6d9ceec516c1f5a744 | imphash (only available for PE executables)
tlsh | 11B2194E3FA98856C4BC177486B5965003B0918704... | Trend Micro Locality Sensitive Hash (tlsh)
telfhash | 1E634BC4B643D9F2ED0602B52477EF338E76F5B... | Trend Micro ELF Hash (telfhash)
gimphash | 3870859e16c5541b4a6d2b3ce6e8b... | imphash equivalent for Go binaries (gimphash)
ssdeep | 1536:sGZWpdxayQAcj7gwluW14Z2II0ocL8ppVy8U... | ssdeep
dhash_icon | f8dcbeffbffecee8 | If the file is a PE executable: dhash of the sample's icon
tags | Adwind, jar, qua | List of tags
code_sign | subject_cn | Subject Common Name (CN)
code_sign | issuer_cn | Issuer Common Name (CN)
code_sign | algorithm | Algorithm used
code_sign | valid_from | Datetime valid from
code_sign | valid_to | Datetime valid to (expiry date)
code_sign | serial_number | Serial number
code_sign | cscb_listed | Code Signing Certificate Blocklist (CSCB) status (True or False)
code_sign | cscb_reason | Code Signing Certificate Blocklist (CSCB) listing reason

Here's a sample wget request on how to query the API for a serial_number:

wget --post-data "query=get_certificate&serial_number=51CD5393514F7ACE2B407C3DBFB09D8D" https://mb-api.abuse.ch/api/v1/

Update an entry


You can update an existing entry by sending an HTTP POST request to https://mb-api.abuse.ch/api/v1/ as documented below (using HTTP POST form data). Please note that you can only update entries that you have created yourself.

Key | Example | Comment
API-KEY | XYZ123 | Your personal API-Key. You can obtain one here
query | update |
sha256_hash | 094fd325049b8a9cf6d3e5ef2a6d4cc6a567d7d49c35f8bb8dd9e3c6acf3d78d | SHA256 hash of the malware sample you want to update
key | | The information you want to add. Possible values:
key | add_tag | Add a tag
key | remove_tag | Remove a tag
key | urlhaus | Link to URLhaus entry
key | any_run | Link to ANY.RUN report
key | joe_sandbox | Link to JoeSandbox report
key | malpedia | Link to Malpedia entry
key | twitter | Link to Tweet
key | links | Link to website
key | dropped_by_md5 | Malware (MD5 hash) that dropped this sample
key | dropped_by_sha256 | Malware (SHA256 hash) that dropped this sample
key | dropped_by_malware | Malware family name that dropped this sample
key | dropping_md5 | Malware (MD5 hash) that got dropped by this sample
key | dropping_sha256 | Malware (SHA256 hash) that got dropped by this sample
key | dropping_malware | Malware family name that got dropped by this sample
key | comment | Your comment on the malware sample
value | https://twitter.com/abuse_ch/status/1230163243093630980 | Value you want to add

Possible response values are:

Key | Value | Comment
query_status | http_post_expected | The API expected an HTTP POST request
query_status | no_api_key | You did not provide an API key. You can obtain one here
query_status | user_blacklisted | Your API key is blacklisted. Please contact us through the Spamhaus Technology contact form: https://www.spamhaus.com/#contact-form
query_status | hash_not_found | The file (hash) you wanted to update is unknown to MalwareBazaar
query_status | illegal_hash | The hash you provided is not a valid SHA256 hash
query_status | permission_denied | The database entry you have tried to update is not owned by your account
query_status | unknown_key | The key (add parameter) you wanted to update is not known
query_status | exists | The key -> value already exists
query_status | updated | Entry has been updated

Here's a sample python3 script that updates an existing entry in MalwareBazaar:

  #!/usr/bin/env python3
  import requests
  import json

  # The API key is sent as an HTTP header, not as a form field
  headers = { 'API-KEY': 'XYZ' }

  # Form data for the "update" query: attach a website link to the sample
  data = {
      'query': 'update',
      'sha256_hash': 'd9b05da007d51cf86d4a6448d17183ab69a195436fe17b497185149676d0e77b',
      'key': 'links',
      'value': 'https://www.abuse.ch'
  }

  response = requests.post('https://mb-api.abuse.ch/api/v1/', data=data, timeout=15, headers=headers)
  # The JSON response carries query_status (e.g. "updated", "permission_denied")
  print(response.content.decode("utf-8", "ignore"))

Add a comment


You can comment on a malware sample by sending an HTTP POST request to https://mb-api.abuse.ch/api/v1/ as documented below (using HTTP POST form data).

Key | Example | Comment
API-KEY | XYZ123 | Your personal API-Key. You can obtain one here
query | add_comment |
sha256_hash | 094fd325049b8a9cf6d3e5ef2a6d4cc6a567d7d49c35f8bb8dd9e3c6acf3d78d | SHA256 hash of the malware sample you want to comment on
comment | Swiss chocolate is the best chocolate | Your comment on the sample

Possible response values are:

Key | Value | Comment
query_status | http_post_expected | The API expected an HTTP POST request
query_status | no_api_key | You did not provide an API key. You can obtain one here
query_status | user_blacklisted | Your API key is blacklisted. Please contact us through the Spamhaus Technology contact form: https://www.spamhaus.com/#contact-form
query_status | hash_not_found | The file (hash) you wanted to comment on is unknown to MalwareBazaar
query_status | illegal_hash | The hash you provided is not a valid SHA256 hash
query_status | success | The comment has been saved successfully

Here's a sample python3 script for commenting a malware sample:

  #!/usr/bin/env python3
  import requests
  import json

  # The API key is sent as an HTTP header, not as a form field
  headers = { 'API-KEY': 'XYZ' }

  # Form data for the "add_comment" query
  data = {
      'query': 'add_comment',
      'sha256_hash': 'd9b05da007d51cf86d4a6448d17183ab69a195436fe17b497185149676d0e77b',
      'comment': 'Swiss chocolate is the best chocolate'
  }

  response = requests.post('https://mb-api.abuse.ch/api/v1/', data=data, timeout=15, headers=headers)
  # The JSON response carries query_status (e.g. "success", "hash_not_found")
  print(response.content.decode("utf-8", "ignore"))

Query latest malware samples (recent additions)


You can retrieve a list of malware samples added to MalwareBazaar within the last 60 minutes as documented below (using HTTP POST form data):

Key | Example | Comment
query | get_recent |
selector | time | Get additions made within the past 60 minutes

Alternatively, you can query the API for the most recent 100 additions as documented below:

Key | Example | Comment
query | get_recent |
selector | 100 | Get the latest 100 additions

Possible response values are:

Key | Value | Comment
query_status | ok | All good!
query_status | no_selector | No selector provided. Please use either time or limit as selector
query_status | unknown_selector | Unknown selector provided. Please use either time or limit as selector
query_status | no_results | Your query yielded no results
sha256_hash | e167b20f1acf48f7ce0ae33a218e2c1b300b41c012ededf03e7a3522a4ebe95e | SHA256 hash of the malware sample
sha3_384_hash | 19142fcef2eb63b4a000506d81218... | SHA3-384 hash of the malware sample
sha1_hash | eb0e81598d8526d88cac4695a3e9360cc8fbb331 | SHA1 hash of the malware sample
md5_hash | 7338b335ad5471cb67658f27836374f0 | MD5 hash of the malware sample
first_seen | 2020-02-28 05:57:01 | Timestamp when the file was first seen by MalwareBazaar (UTC)
last_seen | 2020-03-01 08:11:45 | Timestamp when the file was last seen by MalwareBazaar (UTC)
file_name | Jamil Marzouka Co.pdf.jar | Malware sample's file name
file_size | 62118 | File size in bytes
file_type | jar | File type
reporter | viql | Twitter handle of the reporter (or anonymous for anonymous submissions)
anonymous | 0 | 1 (true) or 0 (false)
signature | Adwind | Malware family (if available)
imphash | f34d5f2d4577ed6d9ceec516c1f5a744 | imphash (only available for PE executables)
tlsh | 11B2194E3FA98856C4BC177486B5965003B09187... | Trend Micro Locality Sensitive Hash (tlsh)
telfhash | 1E634BC4B643D9F2ED0602B52477EF338E76F5B... | Trend Micro ELF Hash (telfhash)
gimphash | 3870859e16c5541b4a6d2b3ce6e8b... | imphash equivalent for Go binaries (gimphash)
ssdeep | 1536:sGZWpdxayQAcj7gwluW14Z2II0ocL8ppVy8U+M76JMaDZVB0pI6lxYGinsPF9WPz | ssdeep
dhash_icon | f8dcbeffbffecee8 | If the file is a PE executable: dhash of the sample's icon
tags | Adwind, jar, qua | List of tags
code_sign | subject_cn | Subject Common Name (CN)
code_sign | issuer_cn | Issuer Common Name (CN)
code_sign | algorithm | Algorithm used
code_sign | valid_from | Datetime valid from
code_sign | valid_to | Datetime valid to (expiry date)
code_sign | serial_number | Serial number
intelligence | clamav | List of ClamAV detections (official and unofficial rules)
intelligence | downloads | Number (int) of downloads from MalwareBazaar
intelligence | uploads | Number (int) of uploads to MalwareBazaar
intelligence | mail | Mail intelligence using spamtrap data

Here's a sample wget request on how to fetch a list of recent malware samples for the past 60 minutes:

wget --post-data "query=get_recent&selector=time" https://mb-api.abuse.ch/api/v1/

A response from the API looks like this:

{
  "query_status": "ok",
  "data": [
    {
      "sha256_hash": "e167b20f1acf48f7ce0ae33a218e2c1b300b41c012ededf03e7a3522a4ebe95e",
      "sha1_hash": "eb0e81598d8526d88cac4695a3e9360cc8fbb331",
      "md5_hash": "7338b335ad5471cb67658f27836374f0",
      "first_seen": "2020-03-01 05:57:01",
      "last_seen": null,
      "file_name": "file",
      "file_size": 145408,
      "file_type_mime": "application\/x-dosexec",
      "file_type": "exe",
      "reporter": "viql",
      "anonymous": 0,
      "signature": "RevengeRAT",
      "imphash": "f34d5f2d4577ed6d9ceec516c1f5a744",
      "tlsh": "11B2194E3FA98856C4BC177486B5965003B091870423EE2FCDC550CBAFB3AD92D88AF9",
      "ssdeep": "1536:sGZWpdxayQAcj7gwluW14Z2II0ocL8ppVy8U+M76JMaDZVB0pI6lxYGinsPF9WPz:7dPIocwpPMGP9SBlxp+st9gTp5",
      "tags": [
        "revengerat"
      ],
      "intelligence": {
        "clamav": "Win.Trojan.Generic-6332612-0",
        "downloads": "0",
        "uploads": "1",
        "mail": null
      }
    },
    {
      "sha256_hash": "7c032beb567b18670073727a6b1fba146e2daf128c5abd51279c7ad0b7d3c482",
      "sha1_hash": "9189b6d2493ef46e9bc100c8703e2562982a98fc",
      "md5_hash": "c7a583745df676615eb1b7cab158d397",
      "first_seen": "2020-02-18 10:43:15",
      "last_seen": null,
      "file_name": "Jamil Marzouka Co.pdf.jar",
      "file_size": 62118,
      "file_type_mime": "application\/zip",
      "file_type": "jar",
      "reporter": "abuse_ch",
      "anonymous": 0,
      "signature": "Adwind",
      "imphash": null,
      "tlsh": "11B2194E3FA98856C4BC177486B5965003B091870423EE2FCDC550CBAFB3AD92D88AF9",
      "ssdeep": "1536:3M+ZXQ4\/0d0JUxYpugXo9dboZ89cn+xzl0rHfFcMjrYaOK+UyBstRgFq:3M+Np0dKUGLo9doZMXxp43uszgFq",
      "tags": [
        "Adwind",
        "jar",
        "qua"
      ],
      "intelligence": {
        "clamav": null,
        "downloads": "0",
        "uploads": "1",
        "mail": {
          "IT": "low",
          "Generic": "low"
        }
      }
    }
  ]
}

Query Code Signing Certificate Blocklist (CSCB)


You can dump the content of the MalwareBazaar Code Signing Certificate Blocklist (CSCB) as documented below (using HTTP POST form data):

Key | Example | Comment
query | get_cscb |

Possible response values are:

Key | Value | Comment
query_status | ok | All good!
time_stamp | 2020-11-02 08:33:54 | Timestamp (UTC) when the code signing certificate was added to the blocklist
serial_number | 6CFA5050C819C4ACBB8FA75979688DFF | Serial number of the code signing certificate
thumbprint | E7241394097402BF9E32C87CADA4BA5E0D1E.... | Thumbprint of the code signing certificate
thumbprint_algorithm | SHA256 | Thumbprint algorithm
subject_cn | Elite Web Development Ltd. | Certificate subject (CN)
issuer_cn | Sectigo RSA Code Signing CA | Certificate issuer (CN)
valid_from | Jul 2 00:00:00 2020 GMT | Certificate issued date
valid_to | Jul 2 23:59:59 2021 GMT | Certificate expiration date
cscb_listed | True | Code Signing Certificate Blocklist (CSCB) status (True or False)
cscb_reason | CobaltStrike | Code Signing Certificate Blocklist (CSCB) listing reason

Here's a sample wget request on how to fetch the CSCB:

wget --post-data "query=get_cscb" https://mb-api.abuse.ch/api/v1/

A response from the API looks like this:

{
  "time_stamp": "2020-11-02 08:33:54",
  "serial_number": "6CFA5050C819C4ACBB8FA75979688DFF",
  "thumbprint": "E7241394097402BF9E32C87CADA4BA5E0D1E9923F028683713C2F339F6F59FA9",
  "thumbprint_algorithm": "SHA256",
  "subject_cn": "Elite Web Development Ltd.",
  "issuer_cn": "Sectigo RSA Code Signing CA",
  "valid_from": "Jul  2 00:00:00 2020 GMT",
  "valid_to": "Jul  2 23:59:59 2021 GMT",
  "cscb_listed": true,
  "cscb_reason": "CobaltStrike"
},
{
  "time_stamp": "2020-11-02 08:33:37",
  "serial_number": "B8164F7143E1A313003AB0C834562F1F",
  "thumbprint": "263C636C5DE68F0CD2ADF31B7AEBC18A5E00FC47A5E2124E2A5613B9A0247C1E",
  "thumbprint_algorithm": "SHA256",
  "subject_cn": "Ekitai Data Inc.",
  "issuer_cn": "Sectigo RSA Code Signing CA",
  "valid_from": "Aug 25 00:00:00 2020 GMT",
  "valid_to": "Aug 25 23:59:59 2021 GMT",
  "cscb_listed": true,
  "cscb_reason": "TA505"
},
{
  "time_stamp": "2020-11-02 08:33:33",
  "serial_number": "E3C7CC0950152E9CEEAD4304D01F6C89",
  "thumbprint": "82975E3E21E8FD37BB723DE6FDB6E18DF9D0E55F0067CC77DD571A52025C6724",
  "thumbprint_algorithm": "SHA256",
  "subject_cn": "DNS KOMPLEKT",
  "issuer_cn": "Sectigo RSA Code Signing CA",
  "valid_from": "Jun  8 00:00:00 2020 GMT",
  "valid_to": "Jun  8 23:59:59 2021 GMT",
  "cscb_listed": true,
  "cscb_reason": "Gozi"
}

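As an added example (not MalwareBazaar's code), the following Python indexes a get_cscb response by serial number and SHA256 thumbprint and checks whether a given signing certificate is on the blocklist and still inside its validity window, which is the case a detection pipeline should alert on. The two entries are copied from the sample above; the "query_status"/"data" envelope around them, and the "YYYY-MM-DD HH:MM:SS" reference-time parameter, are assumptions.

```python
import json
from datetime import datetime, timezone
from typing import Dict, Optional

# Constructed get_cscb response: two entries copied from the sample above, wrapped in
# the "query_status"/"data" envelope the other queries use (the envelope is assumed).
SAMPLE_CSCB_RESPONSE = json.dumps({
    "query_status": "ok",
    "data": [
        {
            "time_stamp": "2020-11-02 08:33:54",
            "serial_number": "6CFA5050C819C4ACBB8FA75979688DFF",
            "thumbprint": "E7241394097402BF9E32C87CADA4BA5E0D1E9923F028683713C2F339F6F59FA9",
            "thumbprint_algorithm": "SHA256",
            "subject_cn": "Elite Web Development Ltd.",
            "issuer_cn": "Sectigo RSA Code Signing CA",
            "valid_from": "Jul  2 00:00:00 2020 GMT",
            "valid_to": "Jul  2 23:59:59 2021 GMT",
            "cscb_listed": True,
            "cscb_reason": "CobaltStrike",
        },
        {
            "time_stamp": "2020-11-02 08:33:37",
            "serial_number": "B8164F7143E1A313003AB0C834562F1F",
            "thumbprint": "263C636C5DE68F0CD2ADF31B7AEBC18A5E00FC47A5E2124E2A5613B9A0247C1E",
            "thumbprint_algorithm": "SHA256",
            "subject_cn": "Ekitai Data Inc.",
            "issuer_cn": "Sectigo RSA Code Signing CA",
            "valid_from": "Aug 25 00:00:00 2020 GMT",
            "valid_to": "Aug 25 23:59:59 2021 GMT",
            "cscb_listed": True,
            "cscb_reason": "TA505",
        },
    ],
})


def _norm_hex(value: str) -> str:
    """Upper-case hex with colons and spaces dropped, so an openssl-style serial
    ("6c:fa:50:...") matches the blocklist's bare upper-case format."""
    return "".join(ch for ch in value.upper() if ch in "0123456789ABCDEF")


def _parse_cert_time(value: str) -> datetime:
    """Parse the openssl-style 'Jul  2 00:00:00 2020 GMT' validity stamps as UTC."""
    stamp = value.replace("GMT", "").strip()
    return datetime.strptime(stamp, "%b %d %H:%M:%S %Y").replace(tzinfo=timezone.utc)


def load_cscb(raw_json: str) -> Dict[str, dict]:
    """Index listed CSCB entries by normalised serial number and SHA256 thumbprint."""
    payload = json.loads(raw_json)
    if payload.get("query_status") != "ok":
        raise ValueError("get_cscb failed: %s" % payload.get("query_status"))
    index: Dict[str, dict] = {}
    for entry in payload["data"]:
        if not entry.get("cscb_listed", False):
            continue  # only certificates actually on the blocklist are indexed
        index[_norm_hex(entry["serial_number"])] = entry
        if entry.get("thumbprint_algorithm") == "SHA256":
            index[_norm_hex(entry["thumbprint"])] = entry
    return index


def check_certificate(index: Dict[str, dict], serial: Optional[str] = None,
                      thumbprint: Optional[str] = None,
                      now_utc: Optional[str] = None) -> Optional[dict]:
    """Look a signing certificate up by serial number or SHA256 thumbprint. Returns
    None if it is not listed, else a verdict dict; now_utc is 'YYYY-MM-DD HH:MM:SS'
    (defaults to the current UTC time)."""
    now = (datetime.strptime(now_utc, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
           if now_utc else datetime.now(timezone.utc))
    for key in (serial, thumbprint):
        entry = index.get(_norm_hex(key)) if key else None
        if entry is None:
            continue
        not_before = _parse_cert_time(entry["valid_from"])
        not_after = _parse_cert_time(entry["valid_to"])
        return {
            "subject_cn": entry["subject_cn"],
            "issuer_cn": entry["issuer_cn"],
            "reason": entry["cscb_reason"],
            # Inside its validity window the certificate still passes a plain
            # time check, so a listed-and-valid hit is the one worth alerting on.
            "still_valid": not_before <= now <= not_after,
        }
    return None
```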
Download hourly malware batches


MalwareBazaar generates hourly batches of fresh malware samples. The hourly batches are generated every hour. Please consider that it takes a few minutes to generate the batch. The hourly batches are available here:

Download daily malware batches


MalwareBazaar generates daily batches of fresh malware samples. The daily batches are generated once a day at midnight (00:00 UTC). Please consider that it takes a few minutes to generate the batch. The daily batches are available here:

Example python3 scripts


@cocaman has created a GitHub repository with a handful of example scripts on how to leverage the MalwareBazaar API:

Additional sample scripts on how to query the MalwareBazaar API can be found here:

Terms of Services (ToS)


By using the website of MalwareBazaar, or any of the services / datasets referenced above, you agree that: