id: api-malwarebazaar info: name: MalwareBazaar API Test author: daffainfo severity: info description: Collect and share malware samples reference: - https://bazaar.abuse.ch/api/ - https://github.com/daffainfo/all-about-apikey/tree/main/malwarebazaar metadata: max-request: 1 tags: token-spray,malwarebazaar,intrusive self-contained: true http: - raw: - | POST https://mb-api.abuse.ch/api/v1 HTTP/1.1 Host: mb-api.abuse.ch API-KEY: {{token}} Content-Length: 0 Content-Type: multipart/form-data; boundary=545d0ca717a743c3bd4fa575585f74c6 --545d0ca717a743c3bd4fa575585f74c6 Content-Disposition: form-data; name="json_data" Content-Type: application/json {"tags": ["exe", "test"], "references": {"twitter": ["https://twitter.com/abuse_ch/status/1224269018506330112"], "malpedia": ["https://malpedia.caad.fkie.fraunhofer.de/details/win.gozi"], "joe_sandbox": ["https://www.joesecurity.org/reports/1", "https://www.joesecurity.org/reports/2"], "links": ["https://urlhaus.abuse.ch/url/306613/"], "any_run": ["https://app.any.run/tasks/1", "https://app.any.run/tasks/2"]}, "context": {"comment": "this malware sample is very nasty!", "dropped_by_md5": ["68b329da9893e34099c7d8ad5cb9c940"], "dropped_by_malware": ["Gozi"], "dropped_by_sha256": ["01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b", "4355a46b19d348dc2f57c046f8ef63d4538ebb936000f3c9ee954a27460dd865"]}, "anonymous": 1, "delivery_method": "email_attachment"} --545d0ca717a743c3bd4fa575585f74c6 Content-Disposition: form-data; name="file"; filename="1.txt" dssd --545d0ca717a743c3bd4fa575585f74c6-- matchers: - type: word part: body words: - '"query_status": "inserted"' - '"query_status": "file_already_known"' condition: or # digest: 4b0a00483046022100f5d19c2f0a4b8aaf9f21dd936fba07954a82d880f3c014db4faba4fb2a535538022100bf2a275e923f4190c5b7d398ac019329cdb75af155007fe5b6822fc577741533:922c64590222798bb761d5b6d8e72950