id: api-malwarebazaar

info:
  name: MalwareBazaar API Test
  author: daffainfo
  severity: info
  description: Collect and share malware samples
  reference:
    - https://bazaar.abuse.ch/api/
    - https://github.com/daffainfo/all-about-apikey/tree/main/malwarebazaar
  tags: token-spray,malwarebazaar

self-contained: true
requests:
  - raw:
      - |
        POST https://mb-api.abuse.ch/api/v1 HTTP/1.1
        Host: mb-api.abuse.ch
        API-KEY: {{token}}
        Content-Length: 0
        Content-Type: multipart/form-data; boundary=545d0ca717a743c3bd4fa575585f74c6

        --545d0ca717a743c3bd4fa575585f74c6
        Content-Disposition: form-data; name="json_data"
        Content-Type: application/json

        {"tags": ["exe", "test"], "references": {"twitter": ["https://twitter.com/abuse_ch/status/1224269018506330112"], "malpedia": ["https://malpedia.caad.fkie.fraunhofer.de/details/win.gozi"], "joe_sandbox": ["https://www.joesecurity.org/reports/1", "https://www.joesecurity.org/reports/2"], "links": ["https://urlhaus.abuse.ch/url/306613/"], "any_run": ["https://app.any.run/tasks/1", "https://app.any.run/tasks/2"]}, "context": {"comment": "this malware sample is very nasty!", "dropped_by_md5": ["68b329da9893e34099c7d8ad5cb9c940"], "dropped_by_malware": ["Gozi"], "dropped_by_sha256": ["01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b", "4355a46b19d348dc2f57c046f8ef63d4538ebb936000f3c9ee954a27460dd865"]}, "anonymous": 1, "delivery_method": "email_attachment"}
        --545d0ca717a743c3bd4fa575585f74c6
        Content-Disposition: form-data; name="file"; filename="1.txt"

        dssd

        --545d0ca717a743c3bd4fa575585f74c6--

    matchers:
      - type: word
        part: body
        words:
          - '"query_status": "inserted"'
          - '"query_status": "file_already_known"'
        condition: or