DOCUMENT LIBRARY
1.0.0
DOCUMENT LIBRARY
1.0.0
MalwareBazaar is a project from abuse.ch with the goal of sharing malware samples with the InfoSec community, AV vendors, and threat intelligence providers.
This document provides information about the MalwareBazaar Connector, which facilitates automated interactions, with a MalwareBazaar server using FortiSOAR™ playbooks. Add the MalwareBazaar Connector as a step in FortiSOAR™ playbooks and perform automated operations with MalwareBazaar.
Connector Version: 1.0.0
FortiSOAR™ Version Tested on: 7.4.3-3280
MalwareBazaar API Version Tested On: v1
Authored By: Fortinet
Certified: Yes
Use the Content Hub to install the connector. For the detailed procedure to install a connector, click here.
You can also use the yum command as a root user to install the connector:
yum install cyops-connector-malwarebazaar
For the procedure to configure a connector, click here
In FortiSOAR™, on the Connectors page, click the MalwareBazaar connector row (if you are in the Grid view on the Connectors page) and in the Configurations tab enter the required configuration details:
| Parameter | Description |
|---|---|
| Server URL | Specify the URL of the MalwareBazaar server to connect and perform automated operations. |
| API Key | Specify the API key to access the endpoint to which you will connect and perform the automated operations. |
| Verify SSL | Specifies whether the SSL certificate for the server is to be verified. By default, this option is set to True. |
The following automated operations can be included in playbooks and you can also use the annotations to access operations:
| Function | Description | Annotation and Category |
|---|---|---|
| Get File Hash Reputation | Retrieves a report from MalwareBazaar, for the file that you have submitted for determining if it is suspicious, based on the file hash value you have specified. | get_filehash_reputation Investigation |
| Get Malware Samples | Downloads malware samples from MalwareBazaar based on the file hash you have specified.
NOTE: Any malware sample you download from MalwareBazaar is zipped and password protected using the password: |
get_malware_samples Investigation |
| Add a Comment to Malware Sample | Add a comment to a specified malware sample in MalwareBazaar based on the file hash and the comment that you specified.
NOTE: This operation requires the API Key. |
add_comment_to_malware_sample Investigation |
| Parameter | Description |
|---|---|
| File Hash | Specify the file hash of the file for which you want to retrieve the report from MalwareBazaar. |
The output contains the following populated JSON schema:
{
"query_status": "",
"data": [
{
"sha256_hash": "",
"sha3_384_hash": "",
"sha1_hash": "",
"md5_hash": "",
"first_seen": "",
"last_seen": "",
"file_name": "",
"file_size": "",
"file_type_mime": "",
"file_type": "",
"reporter": "",
"origin_country": "",
"anonymous": "",
"signature": "",
"imphash": "",
"tlsh": "",
"telfhash": "",
"gimphash": "",
"ssdeep": "",
"dhash_icon": "",
"comment": "",
"archive_pw": "",
"tags": [],
"code_sign": "",
"delivery_method": "",
"intelligence": {
"clamav": [],
"downloads": "",
"uploads": "",
"mail": ""
},
"file_information": "",
"ole_information": [],
"yara_rules": [
{
"rule_name": "",
"author": "",
"description": "",
"reference": ""
}
],
"vendor_intel": {
"YOROI_YOMI": {
"detection": "",
"score": ""
},
"Triage": {
"malware_family": "",
"score": "",
"link": "",
"tags": [],
"signatures": [
{
"signature": "",
"score": ""
}
],
"malware_config": []
},
"ReversingLabs": {
"threat_name": "",
"status": "",
"first_seen": "",
"scanner_count": "",
"scanner_match": "",
"scanner_percent": ""
},
"Spamhaus_HBL": [
{
"detection": "",
"link": ""
}
]
},
"comments": [
{
"id": "",
"date_added": "",
"twitter_handle": "",
"display_name": "",
"comment": ""
}
]
}
]
}
| Parameter | Description |
|---|---|
| File Hash | Specify the file hash of the file for which you want to download malware samples from MalwareBazaar. The samples are zipped and password protected using the password: infected.
NOTE: You can only specify the SHA256 hash value of the file. |
The output contains the following populated JSON schema:
{
"id": "",
"@id": "",
"file": {
"id": "",
"@id": "",
"size": "",
"uuid": "",
"@type": "",
"assignee": "",
"filename": "",
"metadata": [],
"mimeType": "",
"thumbnail": "",
"uploadDate": ""
},
"name": "",
"type": "",
"uuid": "",
"@type": "",
"tasks": [],
"alerts": [],
"assets": [],
"owners": [],
"people": [],
"@context": "",
"assignee": "",
"comments": [],
"warrooms": [],
"incidents": [],
"createDate": "",
"createUser": {
"id": "",
"@id": "",
"name": "",
"uuid": "",
"@type": "",
"avatar": "",
"userId": "",
"userType": "",
"createDate": "",
"createUser": "",
"modifyDate": "",
"modifyUser": ""
},
"indicators": [],
"modifyDate": "",
"modifyUser": {
"id": "",
"@id": "",
"name": "",
"uuid": "",
"@type": "",
"avatar": "",
"userId": "",
"userType": "",
"createDate": "",
"createUser": "",
"modifyDate": "",
"modifyUser": ""
},
"recordTags": [],
"userOwners": [],
"workspaces": [],
"description": ""
}
| Parameter | Description |
|---|---|
| File Hash | Specify the file hash of the file, whose malware sample you retrieved, to add a comment.
NOTE: You can only specify the SHA256 hash value. |
| Comment | Specify the comment to be added to the specified file. |
The output contains the following populated JSON schema:
{
"query_status": ""
}
The Sample - MalwareBazaar - 1.0.0 playbook collection comes bundled with the MalwareBazaar connector. These playbooks contain steps using which you can perform all supported actions. You can see bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the MalwareBazaar connector.
Note: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection since the sample playbook collection gets deleted during connector upgrade and delete.
MalwareBazaar is a project from abuse.ch with the goal of sharing malware samples with the InfoSec community, AV vendors, and threat intelligence providers.
This document provides information about the MalwareBazaar Connector, which facilitates automated interactions, with a MalwareBazaar server using FortiSOAR™ playbooks. Add the MalwareBazaar Connector as a step in FortiSOAR™ playbooks and perform automated operations with MalwareBazaar.
Connector Version: 1.0.0
FortiSOAR™ Version Tested on: 7.4.3-3280
MalwareBazaar API Version Tested On: v1
Authored By: Fortinet
Certified: Yes
Use the Content Hub to install the connector. For the detailed procedure to install a connector, click here.
You can also use the yum command as a root user to install the connector:
yum install cyops-connector-malwarebazaar
For the procedure to configure a connector, click here
In FortiSOAR™, on the Connectors page, click the MalwareBazaar connector row (if you are in the Grid view on the Connectors page) and in the Configurations tab enter the required configuration details:
| Parameter | Description |
|---|---|
| Server URL | Specify the URL of the MalwareBazaar server to connect and perform automated operations. |
| API Key | Specify the API key to access the endpoint to which you will connect and perform the automated operations. |
| Verify SSL | Specifies whether the SSL certificate for the server is to be verified. By default, this option is set to True. |
The following automated operations can be included in playbooks and you can also use the annotations to access operations:
| Function | Description | Annotation and Category |
|---|---|---|
| Get File Hash Reputation | Retrieves a report from MalwareBazaar, for the file that you have submitted for determining if it is suspicious, based on the file hash value you have specified. | get_filehash_reputation Investigation |
| Get Malware Samples | Downloads malware samples from MalwareBazaar based on the file hash you have specified.
NOTE: Any malware sample you download from MalwareBazaar is zipped and password protected using the password: |
get_malware_samples Investigation |
| Add a Comment to Malware Sample | Add a comment to a specified malware sample in MalwareBazaar based on the file hash and the comment that you specified.
NOTE: This operation requires the API Key. |
add_comment_to_malware_sample Investigation |
| Parameter | Description |
|---|---|
| File Hash | Specify the file hash of the file for which you want to retrieve the report from MalwareBazaar. |
The output contains the following populated JSON schema:
{
"query_status": "",
"data": [
{
"sha256_hash": "",
"sha3_384_hash": "",
"sha1_hash": "",
"md5_hash": "",
"first_seen": "",
"last_seen": "",
"file_name": "",
"file_size": "",
"file_type_mime": "",
"file_type": "",
"reporter": "",
"origin_country": "",
"anonymous": "",
"signature": "",
"imphash": "",
"tlsh": "",
"telfhash": "",
"gimphash": "",
"ssdeep": "",
"dhash_icon": "",
"comment": "",
"archive_pw": "",
"tags": [],
"code_sign": "",
"delivery_method": "",
"intelligence": {
"clamav": [],
"downloads": "",
"uploads": "",
"mail": ""
},
"file_information": "",
"ole_information": [],
"yara_rules": [
{
"rule_name": "",
"author": "",
"description": "",
"reference": ""
}
],
"vendor_intel": {
"YOROI_YOMI": {
"detection": "",
"score": ""
},
"Triage": {
"malware_family": "",
"score": "",
"link": "",
"tags": [],
"signatures": [
{
"signature": "",
"score": ""
}
],
"malware_config": []
},
"ReversingLabs": {
"threat_name": "",
"status": "",
"first_seen": "",
"scanner_count": "",
"scanner_match": "",
"scanner_percent": ""
},
"Spamhaus_HBL": [
{
"detection": "",
"link": ""
}
]
},
"comments": [
{
"id": "",
"date_added": "",
"twitter_handle": "",
"display_name": "",
"comment": ""
}
]
}
]
}
| Parameter | Description |
|---|---|
| File Hash | Specify the file hash of the file for which you want to download malware samples from MalwareBazaar. The samples are zipped and password protected using the password: infected.
NOTE: You can only specify the SHA256 hash value of the file. |
The output contains the following populated JSON schema:
{
"id": "",
"@id": "",
"file": {
"id": "",
"@id": "",
"size": "",
"uuid": "",
"@type": "",
"assignee": "",
"filename": "",
"metadata": [],
"mimeType": "",
"thumbnail": "",
"uploadDate": ""
},
"name": "",
"type": "",
"uuid": "",
"@type": "",
"tasks": [],
"alerts": [],
"assets": [],
"owners": [],
"people": [],
"@context": "",
"assignee": "",
"comments": [],
"warrooms": [],
"incidents": [],
"createDate": "",
"createUser": {
"id": "",
"@id": "",
"name": "",
"uuid": "",
"@type": "",
"avatar": "",
"userId": "",
"userType": "",
"createDate": "",
"createUser": "",
"modifyDate": "",
"modifyUser": ""
},
"indicators": [],
"modifyDate": "",
"modifyUser": {
"id": "",
"@id": "",
"name": "",
"uuid": "",
"@type": "",
"avatar": "",
"userId": "",
"userType": "",
"createDate": "",
"createUser": "",
"modifyDate": "",
"modifyUser": ""
},
"recordTags": [],
"userOwners": [],
"workspaces": [],
"description": ""
}
| Parameter | Description |
|---|---|
| File Hash | Specify the file hash of the file, whose malware sample you retrieved, to add a comment.
NOTE: You can only specify the SHA256 hash value. |
| Comment | Specify the comment to be added to the specified file. |
The output contains the following populated JSON schema:
{
"query_status": ""
}
The Sample - MalwareBazaar - 1.0.0 playbook collection comes bundled with the MalwareBazaar connector. These playbooks contain steps using which you can perform all supported actions. You can see bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the MalwareBazaar connector.
Note: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection since the sample playbook collection gets deleted during connector upgrade and delete.