vulnerability

Stories From An IT Security Professional

MalwareBazaar by abuse.ch – Python Scripts

On

MalwareBazaar by abuse.ch – Python Scripts

By Corsin Camichel
Screenshot of Malware Bazaar web database

MalwareBazaar is a project operated by abuse.ch. The purpose of the project is to collect and share malware samples, helping IT-security researchers and threat analyst protecting their constituency and customers from cyber threats.

abuse.ch MalwareBazaar

Now that abuse.ch has launched their newest service, the MalwareBazaar I am very happy to share some of the python scripts I created for the service. The scripts allow you to use the API to upload malware files, download files, modify your own uploads, add comments, get a list of the most recent uploads or get information about a specific sha256 hash.

All files can be downloaded from my GitHub repository
https://github.com/cocaman/malware-bazaar

Please add your own API key to the python scripts. To get an API key for MalwareBazaar, log in with your Twitter account and browse to your MalwareBazaar account.

Upload a malicious file/sample

$ bazaar_upload.py -h
usage: bazaar_upload.py [-h] -f FILE

Upload a malware sample to Malware Bazaar by abuse.ch

optional arguments:
  -h, --help            show this help message and exit
  -f FILE, --file FILE  File to upload (required)

Downloading or get information on a malicious file/sample

$ bazaar_download.py -h
usage: bazaar_download.py [-h] -s HASH [-u] [-i]

Download a malware sample from Malware Bazaar by abuse.ch

optional arguments:
  -h, --help            show this help message and exit
  -s HASH, --hash HASH  File hash (sha256) to download
  -u, --unzip           Unzip the downloaded file
  -i, --info            Get information on a hash (do not download file)

Add a comment to a malicious file/sample

$ bazaar_add_comment.py -h
usage: bazaar_add_comment.py [-h] -s HASH -c COMMENT

Add a comment to a sample on Malware Bazaar by abuse.ch

optional arguments:
  -h, --help            show this help message and exit
  -s HASH, --hash HASH  Hash of the file (required)
  -c COMMENT, --comment COMMENT
                        Comment to add (required)

List the most recent samples (last 60 minutes or last 100 uploads)

$ bazaar_list_samples.py -h
usage: bazaar_list_samples.py [-h] [-s SELECTOR] [-f FIELD]

Get most recent samples on Malware Bazaar by abuse.ch

optional arguments:
  -h, --help            show this help message and exit
  -s SELECTOR, --selector SELECTOR
                        Selector type you want
  -f FIELD, --field FIELD
                        Single field you want

Update values or information on a malicious file you uploaded

$ bazaar_update.py -h
usage: bazaar_update.py [-h] -s HASH -k KEY -v VALUE

Update a malware sample on Malware Bazaar by abuse.ch. Notice: You can only
update your own samples.

optional arguments:
  -h, --help            show this help message and exit
  -s HASH, --hash HASH  Hash to update (required)
  -k KEY, --key KEY     Key (required)
  -v VALUE, --value VALUE
                        Value (required)

You can add the following fields with the script (see API for reference):

  • ‘urlhaus’, ‘any_run’, ‘joe_sandbox’, ‘malpedia’, ‘twitter’, ‘links’, ‘dropped_by_md5’, ‘dropped_by_sha256’, ‘dropped_by_malware’, ‘dropping_md5’, ‘dropping_sha256’, ‘dropping’, ‘add_tag’, ‘remove_tag’, ‘comment’

One thought on “MalwareBazaar by abuse.ch – Python Scripts

  1. Hello,

    trying to analyse e.g. 7fa94fbd85d8ff81131e2a049e55df3b7805ad8e258974d47f360dbfb4ea03d9 with oledump, zipdump and opening with LibreOffice (Linux) I failed to find the malicious code. Is there a way without using Excel?

    regards

    Reply

Leave a Reply

Your email address will not be published. Required fields are marked *