Frequently Asked Questions (FAQ)

Have questions? I hope that they are answered here! If not, please do not hesitate to contact us through the Spamhaus Technology contact form:
https://www.spamhaus.com/contact-us-abuse-ch/

Why MalwareBazaar?
What's the difference to VirusTotal?
What kind of files should I upload to MalwareBazaar?
Code Signing Certificate Blocklist (CSCB)
Can I use data from MalwareBazaar commercially?
Terms of Services (ToS)

Why MalwareBazaar?


Like many IT-security researchers, I'm heavily using publicly available information (OSINT) for hunting down new cyber threats. OSINT is a great resource for this threat intelligence! However, I often get confronted with a simple but severe problem: malware samples referenced in blog posts, whitepapers or mentioned on social media like Twitter are usually not easily accessible. You need to register on a gazillion different online anti-virus scan engines, sandboxes or malware databases in order to finally obtain the malware sample you need for your analysis. And it is getting worse: some of these platforms come with download restrictions (you can only download a specific number of malware samples per day), and some other platforms are available to paying users only. This is a huge pain for me in my daily work, and I'm sure for many other IT-security researchers out there too.

I've therefore asked myself: why do I have to register on 35457 different platforms? And why should I pay for downloading malware samples?

This was the motivation for launching MalwareBazaar: A malware corpus where IT-security researchers can easily share malware samples with the community without hitting download restrictions all the time or having to pay expensive subscription fees.

What's the difference to VirusTotal?


One of the first questions that probably comes to your mind is: What's the difference between MalwareBazaar and VirusTotal? VirusTotal is a great resource for threat intel and hunting malware. Unlike MalwareBazaar, VirusTotal is also a multi anti-virus scanner that allows you to assess whether a certain file is malicious or benign. However, VirusTotal has a handful of limitations:

MalwareBazaar follows a different approach:

What files should I upload to MalwareBazaar?


Before you start to submit malware samples to MalwareBazaar, please read the following submission policy:

Note: Should you repeatedly violate the submission policy documented above, your account may get banned from contributing to MalwareBazaar.

Code Signing Certificate Blocklist (CSCB)


MalwareBazaar maintains a list of code signing certificates used by threat actors to sign malware. Code signing certificates are dumped by ReversingLabs A1000 Malware Analysis Platform and manually vetted by abuse.ch. The CSCB is generated every 5 minutes and is available in CSV format. It can be downloaded here:

Can I use data from MalwareBazaar commercially?


Yes! You can use any data provided by MalwareBazaar for commercial and non-commercial purposes - for free. This includes reselling or integration into commercial products. However, I kindly ask you to have a quick look at the (very short) Terms of Services (ToS) at the end of this FAQ.

Download limit on the file download API


MalwareBazaar runs on Google Cloud infrastructure. Sadly, network egress traffic from Google Cloud is extremely expensive. We therefore had to restrict the number of file downloads on our file download API to 2,000 per IP address per day. For bulk downloads, we recommend that you use the hourly and daily file exports of MalwareBazaar served by our datalake:

Should you have valid reasons to download more than 2,000 malware samples through the file download API per day, feel free to reach out to us using the Spamhaus Technology contact form:
https://www.spamhaus.com/#contact-form

Terms of Services (ToS)


By using the website of MalwareBazaar or any of its services / datasets, you agree that: