nuclei-templates/token-spray/api-malwarebazaar.yaml

id: api-malwarebazaar

info:
  name: MalwareBazaar API Test
  author: daffainfo
  severity: info
  reference:
    - https://bazaar.abuse.ch/api/
    - https://github.com/daffainfo/all-about-apikey/blob/main/Anti-Malware/MalwareBazaar.md
  tags: token-spray,malwarebazaar

self-contained: true
requests:
  - raw:
      - |
        POST https://mb-api.abuse.ch/api/v1 HTTP/1.1
        Host: mb-api.abuse.ch
        API-KEY: {{token}}
        Content-Length: 0
        Content-Type: multipart/form-data; boundary=545d0ca717a743c3bd4fa575585f74c6

        --545d0ca717a743c3bd4fa575585f74c6
        Content-Disposition: form-data; name="json_data"
        Content-Type: application/json

        {"tags": ["exe", "test"], "references": {"twitter": ["https://twitter.com/abuse_ch/status/1224269018506330112"], "malpedia": ["https://malpedia.caad.fkie.fraunhofer.de/details/win.gozi"], "joe_sandbox": ["https://www.joesecurity.org/reports/1", "https://www.joesecurity.org/reports/2"], "links": ["https://urlhaus.abuse.ch/url/306613/"], "any_run": ["https://app.any.run/tasks/1", "https://app.any.run/tasks/2"]}, "context": {"comment": "this malware sample is very nasty!", "dropped_by_md5": ["68b329da9893e34099c7d8ad5cb9c940"], "dropped_by_malware": ["Gozi"], "dropped_by_sha256": ["01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b", "4355a46b19d348dc2f57c046f8ef63d4538ebb936000f3c9ee954a27460dd865"]}, "anonymous": 1, "delivery_method": "email_attachment"}
        --545d0ca717a743c3bd4fa575585f74c6
        Content-Disposition: form-data; name="file"; filename="1.txt"

        dssd

        --545d0ca717a743c3bd4fa575585f74c6--

    matchers:
      - type: word
        part: body
        words:
          - '"query_status": "inserted"'
          - '"query_status": "file_already_known"'
        condition: or
Create api-malwarebazaar.yaml 2021-11-16 23:00:22 +00:00			`id: api-malwarebazaar`

			`info:`
			`name: MalwareBazaar API Test`
			`author: daffainfo`
			`severity: info`
			`reference:`
			`- https://bazaar.abuse.ch/api/`
			`- https://github.com/daffainfo/all-about-apikey/blob/main/Anti-Malware/MalwareBazaar.md`
			`tags: token-spray,malwarebazaar`

			`self-contained: true`
			`requests:`
			`- raw:`
			`- \|`
Update api-malwarebazaar.yaml 2021-11-17 07:54:00 +00:00			`POST https://mb-api.abuse.ch/api/v1 HTTP/1.1`
Create api-malwarebazaar.yaml 2021-11-16 23:00:22 +00:00			`Host: mb-api.abuse.ch`
			`API-KEY: {{token}}`
			`Content-Length: 0`
Update api-malwarebazaar.yaml 2021-11-17 08:02:02 +00:00			`Content-Type: multipart/form-data; boundary=545d0ca717a743c3bd4fa575585f74c6`

			`--545d0ca717a743c3bd4fa575585f74c6`
			`Content-Disposition: form-data; name="json_data"`
			`Content-Type: application/json`

			{"tags": ["exe", "test"], "references": {"twitter": ["https://twitter.com/abuse_ch/status/1224269018506330112"], "malpedia": ["https://malpedia.caad.fkie.fraunhofer.de/details/win.gozi"], "joe_sandbox": ["https://www.joesecurity.org/reports/1", "https://www.joesecurity.org/reports/2"], "links": ["https://urlhaus.abuse.ch/url/306613/"], "any_run": ["https://app.any.run/tasks/1", "https://app.any.run/tasks/2"]}, "context": {"comment": "this malware sample is very nasty!", "dropped_by_md5": ["68b329da9893e34099c7d8ad5cb9c940"], "dropped_by_malware": ["Gozi"], "dropped_by_sha256": ["01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b", "4355a46b19d348dc2f57c046f8ef63d4538ebb936000f3c9ee954a27460dd865"]}, "anonymous": 1, "delivery_method": "email_attachment"}
			`--545d0ca717a743c3bd4fa575585f74c6`
			`Content-Disposition: form-data; name="file"; filename="1.txt"`

			`dssd`

			`--545d0ca717a743c3bd4fa575585f74c6--`
Update api-malwarebazaar.yaml 2021-11-17 08:03:49 +00:00
Create api-malwarebazaar.yaml 2021-11-16 23:00:22 +00:00			`matchers:`
			`- type: word`
			`part: body`
			`words:`
			`- '"query_status": "inserted"'`
			`- '"query_status": "file_already_known"'`
			`condition: or`