Frequently Asked Questions (FAQ)
Got a question? Hopefully, you’ll find the answer here! If not, please contact us using the contact form below, managed by our partner, Spamhaus:
What impact does the MalwareBazaar data have?
So far, over 1'049'432 confirmed malware samples have been shared on the MalwareBazaar platform. With this intelligence, as a community, we have:
- Over 500 daily consumers relying on Malware Bazaar data feeds and exports to support threat intelligence practitioners to make the internet safer.
- Answered around 100 million API requests in 30 days (statistic from October 2024), providing real-time insights for threat hunting and mitigation.
- Assisted major law enforcement agencies in some of the biggest global takedown efforts, such as Operation Endgame.
Your data is also contributing to the effectiveness and impact of Spamhaus’ datasets to enhance email and network protection while providing more context-rich data for threat hunting.
Read more about the impact of your contributions here.
What's the difference to VirusTotal?
One of the first questions that propably comes to your mind is: What's the difference between MalwareBazaar and Virustotal? VirusTotal is a great resource for threat intel and hunting malware. Unlike MalwareBazaar, VirusTotal is also a multi anti-virus scanner that allows you to asses whether a certain file is malicious or benign. However, VirusTotal has a handful limitations:
- While you can upload as many files to VirusTotal as you want, downloading malware samples from VirusTotal is restricted to paying users only
- As of March 2020, only 1/3 of all uploaded files are detected by at least one AV-engine So it appears that 2/3 of all uploaded samples are benign
MalwareBazaar follows a different approach:
- MalwareBazaar only track malware samples. No Adware (PUA/PUP). No benign files
- MalwareBazaar is not a multi antivirus scanning engine
- You can upload and download as many malware samples as you want
- It's completely free!
What formats is the MalwareBazaar data available in?
You can access malware samples from MalwareBazaar through several methods:
- Browse the MalwareBazaar database
- Integrate via API
- Export using hash lists
- Real time feeds, provided by our partner, Spamhaus
- Additionally, malware samples shared through MalwareBazaar influence Spamhaus datasets.
Spamhaus datasets that leverage data from MalwareBazaar:
- Botnet Controller Dataset: A collection of IPv4 addresses hosting active botnet C2 servers, accessible through the Spamhaus Intelligence API, Spamhaus DNS Firewall and the Spamhaus BGP Firewall
- Hash Dataset: Includes cryptographic hashes linked to malicious content, used for protecting and/or filtering emails. This dataset is accessible through Spamhaus DNSBLs.
What files should I upload to MalwareBazaar?
Before you start to submit malware samples to MalwareBazaar, please read the following submission policy:
- Confirmed malware only: Please do only submit confirmed / vetted malware samples to MalwareBazaar. Do not submit any suspicious or benign files to MalwareBazaar.
- Adware is not malware: Unlike Malware, most common Adware (aka Potential Unwanted Programs - PUPs) do need some sort of user interaction. In many cases, they also come with a licence agreement that the user has to accept and that is more or less transparent with regards to what the Adware does. Please refrain from submitting Adware to MalwareBazaar.
- Fresh malware samples: There are gazillions malware samples out there. Please refrain from uploading malware samples older than 10 days to MalwareBazaar.
- No file infectors / worms: Please refrain from uploading file infectors and/or or worms to MalwareBazaar
Note: Should you repeatedly violate the submission policy documented above, your account may get banned from contributing to MalwareBazaar.
Code Signing Certificate Blocklist (CSCB)
MalwareBazaar maintains a list of code signing certificates used by threat actors to sign malware. Code signing certificates are dumped by ReversingLabs A1000 Malware Analysis Platform and manually vetted by abuse.ch. The CSCB is being generated every 5 minutes and availabe in CSV format. It can be downloaded here:
Can I use data from MalwareBazaar commercially?
Use of the API by companies, networks, or individuals with commercial or for- profit needs may require a paid subscription for the enhanced abuse.ch commercial API. The commercial API comes with additional benefits, such as better reliability and statibility as well as a unified query language across all abuse.ch APIs. Further information can be found below.
Download limit on the file download API
MalwareBazaar runs on Google Cloud infrastructure. Sadly, network egress traffic from Google Cloud is extremely expensive. We therefore had to restrict the number of file downloads on our file download API to 2,000 per IP address/day. For bulk downloads we recommend you to use the hourly and daily file exports of MalwareBazaar served by our datalake:
- MalwareBazaar hourly malware batches (ZIP password: infected)
- MalwareBazaar daily malware batches (ZIP password: infected)
Should you have valid reasons to download more than 2,000 malware samples through the file download API per day, feel free to reach out to us using the Spamhaus Technology contact form:
https://www.spamhaus.com/#contact-form
Terms Of Use
This API is available free of charge under the fair use principles. Use of the API by companies, networks, or individuals with commercial or for- profit needs may require a paid subscription for the enhanced abuse.ch commercial API. The commercial API comes with additional benefits, such as better reliability and statibility as well as a unified query language across all abuse.ch APIs. Further information can be found below.
By using this API, you agree to the Terms Of Use: