nuclei-templates/http/token-spray/api-malwarebazaar.yaml

47 lines
2.0 KiB
YAML

id: api-malwarebazaar
info:
name: MalwareBazaar API Test
author: daffainfo
severity: info
description: Collect and share malware samples
reference:
- https://bazaar.abuse.ch/api/
- https://github.com/daffainfo/all-about-apikey/tree/main/malwarebazaar
metadata:
max-request: 1
tags: token-spray,malwarebazaar,intrusive
self-contained: true
http:
- raw:
- |
POST https://mb-api.abuse.ch/api/v1 HTTP/1.1
Host: mb-api.abuse.ch
API-KEY: {{token}}
Content-Length: 0
Content-Type: multipart/form-data; boundary=545d0ca717a743c3bd4fa575585f74c6
--545d0ca717a743c3bd4fa575585f74c6
Content-Disposition: form-data; name="json_data"
Content-Type: application/json
{"tags": ["exe", "test"], "references": {"twitter": ["https://twitter.com/abuse_ch/status/1224269018506330112"], "malpedia": ["https://malpedia.caad.fkie.fraunhofer.de/details/win.gozi"], "joe_sandbox": ["https://www.joesecurity.org/reports/1", "https://www.joesecurity.org/reports/2"], "links": ["https://urlhaus.abuse.ch/url/306613/"], "any_run": ["https://app.any.run/tasks/1", "https://app.any.run/tasks/2"]}, "context": {"comment": "this malware sample is very nasty!", "dropped_by_md5": ["68b329da9893e34099c7d8ad5cb9c940"], "dropped_by_malware": ["Gozi"], "dropped_by_sha256": ["01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b", "4355a46b19d348dc2f57c046f8ef63d4538ebb936000f3c9ee954a27460dd865"]}, "anonymous": 1, "delivery_method": "email_attachment"}
--545d0ca717a743c3bd4fa575585f74c6
Content-Disposition: form-data; name="file"; filename="1.txt"
dssd
--545d0ca717a743c3bd4fa575585f74c6--
matchers:
- type: word
part: body
words:
- '"query_status": "inserted"'
- '"query_status": "file_already_known"'
condition: or
# digest: 4b0a00483046022100f5d19c2f0a4b8aaf9f21dd936fba07954a82d880f3c014db4faba4fb2a535538022100bf2a275e923f4190c5b7d398ac019329cdb75af155007fe5b6822fc577741533:922c64590222798bb761d5b6d8e72950