New module for Malware Bazaar API

After this post in August 2021 about MALWARE Bazaar “Download daily malware batches” on the SANS InfoSec Handlers Diary Blog, I thought that a PowerShell module using the API would be welcome.

I’m releasing the first 13 functions that perform a GET from the API without needing a private key.

Let’s see what it can do:

You can check whether a particular malware sample is known to MalwareBazaar by querying the API for its hash

Get-MalwareBazaarSampleHash -Hash '7de2c1bf58bce09eecc70476747d88a26163c3d6bb1d85235c24a558d1f16754' -Verbose
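As an added example that is not part of the module, this is roughly what such a hash lookup involves in stand-alone PowerShell: validate the hash before it leaves the host, post the query, and check `query_status` instead of silently returning nothing. The endpoint URL, the `get_info` query name and the response field names are assumptions taken from the public MalwareBazaar API documentation, not from the post, and the embedded JSON response is constructed (only the SHA256 comes from the command above).

```powershell
# Added example, not code from the module. Assumed from the public API docs:
# endpoint https://mb-api.abuse.ch/api/v1/, form field query=get_info&hash=<hash>.

function Test-MalwareBazaarHash {
    # Accept only MD5, SHA1 or SHA256 hex digests; anything else never reaches the API.
    param([Parameter(Mandatory)][string]$Hash)
    return [bool]($Hash -match '^([0-9a-fA-F]{32}|[0-9a-fA-F]{40}|[0-9a-fA-F]{64})$')
}

function ConvertFrom-MalwareBazaarInfo {
    # Flatten the API JSON into objects and fail loudly on any non-ok status
    # (for example hash_not_found or illegal_hash) rather than returning an empty list.
    param([Parameter(Mandatory)][string]$Json)
    $r = $Json | ConvertFrom-Json
    if ($r.query_status -ne 'ok') { throw "MalwareBazaar query failed: $($r.query_status)" }
    foreach ($s in $r.data) {
        [pscustomobject]@{
            Sha256    = $s.sha256_hash
            FileName  = $s.file_name
            FileType  = $s.file_type
            Signature = $s.signature
            FirstSeen = $s.first_seen
            Tags      = ($s.tags -join ',')
        }
    }
}

function Get-MalwareBazaarHashInfo {
    param(
        [Parameter(Mandatory)][string]$Hash,
        [string]$Uri = 'https://mb-api.abuse.ch/api/v1/'   # assumed endpoint
    )
    if (-not (Test-MalwareBazaarHash $Hash)) { throw "Not an MD5/SHA1/SHA256 hex digest: $Hash" }
    # A hashtable body is sent as application/x-www-form-urlencoded, which the API expects.
    $resp = Invoke-WebRequest -UseBasicParsing -Method Post -Uri $Uri -Body @{ query = 'get_info'; hash = $Hash }
    ConvertFrom-MalwareBazaarInfo -Json $resp.Content
}

# Constructed sample response so the parsing path can be exercised offline.
$sample = @'
{"query_status":"ok","data":[{"sha256_hash":"7de2c1bf58bce09eecc70476747d88a26163c3d6bb1d85235c24a558d1f16754",
"file_name":"sample.exe","file_type":"exe","signature":"TrickBot","first_seen":"2021-08-01 10:00:00","tags":["TrickBot","exe"]}]}
'@
ConvertFrom-MalwareBazaarInfo -Json $sample | Format-Table -AutoSize
```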

You can get a list of malware samples (max 1’000) associated with a specific tag

Get-MalwareBazaarSampleTag -Tag TrickBot -Limit 50 | ogv

You can get a list of recent malware samples (max 1’000) associated with a specific signature

Get-MalwareBazaarSampleSignature -Signature TrickBot -Limit 50

You can get a list of recent malware samples (max 1’000) having a specific filetype

Get-MalwareBazaarSampleFileType -FileType elf -Limit 50 | ogv

You can get a list of recent malware samples (max 1’000) associated with a specific ClamAV signature

Get-MalwareBazaarSampleClamAVSignature -Signature 'Doc.Downloader.Emotet-7580152-0' -Limit 50 | ogv

You can get a list of malware samples (max 1’000) associated with a specific imphash

Get-MalwareBazaarSampleImpHash -Hash '45d579faec0eaf279c0841b2233727cf' -Limit 50 | ogv

You can get a list of malware samples (max 1’000) associated with a specific TLSH hash

Get-MalwareBazaarSampleTLSH -Hash '4FB44AC6A19643BBEE8766FF358AC55DBC13D91C1B4DB4FBC789AA020A31B05ED12350' -Limit 50 | ogv

You can get a list of malware samples (max 1’000) associated with a specific telfhash hash

Get-MalwareBazaarSampleTelfhash -Hash 'ea2106f51e7e58d9b7e4a400c29b5f623d5df13b299037a00463e93033abe466069c7a' -Limit 50 | ogv

You can get a list of malware samples (PE executables only, max 1’000) that have a specific icon, identified by the icon’s dhash.

Get-MalwareBazaarSampleIconDhash -Hash '48b9b2b0e8c18c90' -Limit 50 | ogv

You can get a list of malware samples (max 1’000) associated with a specific YARA rule

Get-MalwareBazaarSampleYaraRule -RuleName 'win_remcos_g0' -Limit 50 | ogv

You can get a list of malware samples (max 100) signed with a code signing certificate issued by a certain Certificate Authority (Issuer CN), or a list of malware samples (max 100) whose code signing certificate matches a certain Subject Common Name (CN)

Get-MalwareBazaarSampleCodeSigningCertificate -Issuer 'Sectigo RSA Code Signing CA' | ogv
# or
Get-MalwareBazaarSampleCodeSigningCertificate -Subject 'Ekitai Data Inc.' | ogv

You can dump the content of the MalwareBazaar Code Signing Certificate Blocklist (CSCB)

Get-MalwareBazaarSampleCodeSigningCertificateBlockList | ogv

You can retrieve a list of malware samples added to MalwareBazaar within the last 60 minutes

Get-MalwareBazaarSampleRecent -By 'Limit' | ogv

The module is available on the PowerShell gallery.

If you run into problems, you can open an issue on its GitHub repo using this link.

Enjoy 😎
