User Guide
Synapse-Malshare User Guide
Synapse-Malshare adds new Storm commands to allow you to query the Malshare API using your existing API key.
Getting Started
Check with your Admin to enable permissions and find out if you need a personal API key.
Examples
Setting your personal API key
To set-up a personal use API key:
> malshare.setup.apikey --self myapikey
Setting Synapse-Malshare API key for the current user.
Interacting with the Malshare API
Use the malshare search API to enrich a hash:sha256
node:
> [hash:sha256=82c919f10dc993802d023ab3acee4684cd07eaae230c10445a43b71b9027e999] | malshare.details --yield
file:bytes=sha256:82c919f10dc993802d023ab3acee4684cd07eaae230c10445a43b71b9027e999
.created = 2024/12/20 18:07:40.306
.seen = ('2021/06/24 01:38:29.000', '2021/06/24 01:38:29.001')
:md5 = bac3368b2583e9e57063b5ffaf8361c3
:mime = application/vnd.microsoft.portable-executable
:sha1 = 6cb14dc158f430fc56be1797dd66165516e87bad
:sha256 = 82c919f10dc993802d023ab3acee4684cd07eaae230c10445a43b71b9027e999
To bypass caching for enrichment:
> [hash:md5=4d1232a146efa85ede351baca7ad63a4] | malshare.details --yield --asof now
WARNING: malshare.details: The --asof argument is deprecated and will be removed.
file:bytes=sha256:164f76f3f36a0ab200178e13e67c22b96ca892665a20414c39744a3a18be190d
.created = 2024/12/20 18:07:41.281
.seen = ('2021/09/30 14:01:41.000', '2021/09/30 14:01:41.001')
:md5 = 4d1232a146efa85ede351baca7ad63a4
:mime = application/vnd.microsoft.portable-executable
:sha1 = 31bbebb02878d0df4be588f4ec052a1e3dc16cde
:sha256 = 164f76f3f36a0ab200178e13e67c22b96ca892665a20414c39744a3a18be190d
Ingest the list of hashes that were uploaded in the last 24 hours:
> malshare.lastday --yield --size 3
file:bytes=sha256:f78eb94e3db90c907ba145930fa9cb023302354a4c23ee3a80309178721c9a04
.created = 2024/12/20 18:07:41.653
:md5 = 1cd6c19a08f66b74c077235c8738af7c
:sha1 = 25a4b4da1c3f925e13105e8d6e74e9aceec01caf
:sha256 = f78eb94e3db90c907ba145930fa9cb023302354a4c23ee3a80309178721c9a04
file:bytes=sha256:a1654ed72e64dda94118fa5784026892ea9b04c78513f8b171193d8b825fd98a
.created = 2024/12/20 18:07:41.697
:md5 = d598e5f6bad58b843eca56284d4683d4
:sha1 = ec25d08693074cbfa52282249e7b4a5cb2575488
:sha256 = a1654ed72e64dda94118fa5784026892ea9b04c78513f8b171193d8b825fd98a
file:bytes=sha256:c22c6ec278798fdf1e5f1602f0ce81c394a517577b1ee26d1ba876a1432070e7
.created = 2024/12/20 18:07:41.734
:md5 = 0991b035a33a4610fda88a6050378cee
:sha1 = 468c5850398d28c5f55fb9d2f47bbd229c73098a
:sha256 = c22c6ec278798fdf1e5f1602f0ce81c394a517577b1ee26d1ba876a1432070e7
Print out usage stats and API limits:
> malshare.quota
Queries Remaining: 1999
Max Allowed Queries (Daily): 2000
To pull down and yield out the list of the 10 most recent sources as inet:url nodes:
> malshare.sources --yield --size 10
inet:url=http://asdasd68.mitiendanube.com/
.created = 2024/12/20 18:07:41.935
:base = http://asdasd68.mitiendanube.com/
:fqdn = asdasd68.mitiendanube.com
:params =
:path = /
:port = 80
:proto = http
inet:url=https://www.agroexportavocados.com/includes/www.made-in-china.com/index.php
.created = 2024/12/20 18:07:41.969
:base = https://www.agroexportavocados.com/includes/www.made-in-china.com/index.php
:fqdn = www.agroexportavocados.com
:params =
:path = /includes/www.made-in-china.com/index.php
:port = 443
:proto = https
inet:url=https://561808.selcdn.ru/webdata-sharepiont-resources/[email protected]
.created = 2024/12/20 18:07:41.990
:base = https://561808.selcdn.ru/webdata-sharepiont-resources/index6.html
:fqdn = 561808.selcdn.ru
:params = [email protected]
:path = /webdata-sharepiont-resources/index6.html
:port = 443
:proto = https
inet:url=http://creditag40.temp.swtest.ru/C-Agricole/c781f9c295a32db/region.php?particulier=
.created = 2024/12/20 18:07:42.011
:base = http://creditag40.temp.swtest.ru/C-Agricole/c781f9c295a32db/region.php
:fqdn = creditag40.temp.swtest.ru
:params = ?particulier=
:path = /C-Agricole/c781f9c295a32db/region.php
:port = 80
:proto = http
inet:url=http://cagricoleg.temp.swtest.ru/C-Agricoleeee/C-Agricole/06eecc0508e2567/region.php?particulier=
.created = 2024/12/20 18:07:42.033
:base = http://cagricoleg.temp.swtest.ru/C-Agricoleeee/C-Agricole/06eecc0508e2567/region.php
:fqdn = cagricoleg.temp.swtest.ru
:params = ?particulier=
:path = /C-Agricoleeee/C-Agricole/06eecc0508e2567/region.php
:port = 80
:proto = http
inet:url=https://secure.runescape.com-vc.ru/m=weblogin/loginform361,133,993,49673444,1
.created = 2024/12/20 18:07:42.053
:base = https://secure.runescape.com-vc.ru/m=weblogin/loginform361,133,993,49673444,1
:fqdn = secure.runescape.com-vc.ru
:params =
:path = /m=weblogin/loginform361,133,993,49673444,1
:port = 443
:proto = https
inet:url=http://paypal.com.new-gangnam.com/
.created = 2024/12/20 18:07:42.075
:base = http://paypal.com.new-gangnam.com/
:fqdn = paypal.com.new-gangnam.com
:params =
:path = /
:port = 80
:proto = http
inet:url=http://ramsolar.net/cs/1%202.html
.created = 2024/12/20 18:07:42.097
:base = http://ramsolar.net/cs/1%202.html
:fqdn = ramsolar.net
:params =
:path = /cs/1%202.html
:port = 80
:proto = http
inet:url=http://kasihverwidjaja1.gq/2k2tuanphi
.created = 2024/12/20 18:07:42.117
:base = http://kasihverwidjaja1.gq/2k2tuanphi
:fqdn = kasihverwidjaja1.gq
:params =
:path = /2k2tuanphi
:port = 80
:proto = http
inet:url=https://tasnimchoudhury.com/cddd
.created = 2024/12/20 18:07:42.138
:base = https://tasnimchoudhury.com/cddd
:fqdn = tasnimchoudhury.com
:params =
:path = /cddd
:port = 443
:proto = https
Use of meta:source
nodes
Synapse-Malshare uses a meta:source
node and -(seen)>
light
weight edges to track nodes observed from the Malshare API.
> meta:source=ee334dfb3fd8e1e19e8faf264e9188d3
meta:source=ee334dfb3fd8e1e19e8faf264e9188d3
.created = 2024/12/20 18:07:40.270
:name = malshare api
Storm can be used to filter nodes to include/exclude nodes which have been observed by Synapse-Malshare. The following example shows how to filter the results of a query to include only results observed by Synapse-Malshare:
> #cool.tag.lift +{ <(seen)- meta:source=ee334dfb3fd8e1e19e8faf264e9188d3 }