User Guide

Synapse-Malshare User Guide

Synapse-Malshare adds new Storm commands to allow you to query the Malshare API using your existing API key.

Getting Started

Check with your Admin to enable permissions and find out if you need a personal API key.

Examples

Setting your personal API key

To set-up a personal use API key:

> malshare.setup.apikey --self myapikey
Setting Synapse-Malshare API key for the current user.

Interacting with the Malshare API

Use the malshare search API to enrich a hash:sha256 node:

> [hash:sha256=82c919f10dc993802d023ab3acee4684cd07eaae230c10445a43b71b9027e999] | malshare.details --yield
file:bytes=sha256:82c919f10dc993802d023ab3acee4684cd07eaae230c10445a43b71b9027e999
        .created = 2024/11/19 21:21:31.721
        .seen = ('2021/06/24 01:38:29.000', '2021/06/24 01:38:29.001')
        :md5 = bac3368b2583e9e57063b5ffaf8361c3
        :mime = application/vnd.microsoft.portable-executable
        :sha1 = 6cb14dc158f430fc56be1797dd66165516e87bad
        :sha256 = 82c919f10dc993802d023ab3acee4684cd07eaae230c10445a43b71b9027e999

To bypass caching for enrichment:

> [hash:md5=4d1232a146efa85ede351baca7ad63a4] | malshare.details --yield --asof now
WARNING: malshare.details: The --asof argument is deprecated and will be removed.
file:bytes=sha256:164f76f3f36a0ab200178e13e67c22b96ca892665a20414c39744a3a18be190d
        .created = 2024/11/19 21:21:32.747
        .seen = ('2021/09/30 14:01:41.000', '2021/09/30 14:01:41.001')
        :md5 = 4d1232a146efa85ede351baca7ad63a4
        :mime = application/vnd.microsoft.portable-executable
        :sha1 = 31bbebb02878d0df4be588f4ec052a1e3dc16cde
        :sha256 = 164f76f3f36a0ab200178e13e67c22b96ca892665a20414c39744a3a18be190d

Ingest the list of hashes that were uploaded in the last 24 hours:

> malshare.lastday --yield --size 3
file:bytes=sha256:f78eb94e3db90c907ba145930fa9cb023302354a4c23ee3a80309178721c9a04
        .created = 2024/11/19 21:21:33.149
        :md5 = 1cd6c19a08f66b74c077235c8738af7c
        :sha1 = 25a4b4da1c3f925e13105e8d6e74e9aceec01caf
        :sha256 = f78eb94e3db90c907ba145930fa9cb023302354a4c23ee3a80309178721c9a04
file:bytes=sha256:a1654ed72e64dda94118fa5784026892ea9b04c78513f8b171193d8b825fd98a
        .created = 2024/11/19 21:21:33.197
        :md5 = d598e5f6bad58b843eca56284d4683d4
        :sha1 = ec25d08693074cbfa52282249e7b4a5cb2575488
        :sha256 = a1654ed72e64dda94118fa5784026892ea9b04c78513f8b171193d8b825fd98a
file:bytes=sha256:c22c6ec278798fdf1e5f1602f0ce81c394a517577b1ee26d1ba876a1432070e7
        .created = 2024/11/19 21:21:33.236
        :md5 = 0991b035a33a4610fda88a6050378cee
        :sha1 = 468c5850398d28c5f55fb9d2f47bbd229c73098a
        :sha256 = c22c6ec278798fdf1e5f1602f0ce81c394a517577b1ee26d1ba876a1432070e7

Print out usage stats and API limits:

> malshare.quota
Queries Remaining: 1999
Max Allowed Queries (Daily): 2000

To pull down and yield out the list of the 10 most recent sources as inet:url nodes:

> malshare.sources --yield --size 10
inet:url=http://asdasd68.mitiendanube.com/
        .created = 2024/11/19 21:21:33.442
        :base = http://asdasd68.mitiendanube.com/
        :fqdn = asdasd68.mitiendanube.com
        :params =
        :path = /
        :port = 80
        :proto = http
inet:url=https://www.agroexportavocados.com/includes/www.made-in-china.com/index.php
        .created = 2024/11/19 21:21:33.479
        :base = https://www.agroexportavocados.com/includes/www.made-in-china.com/index.php
        :fqdn = www.agroexportavocados.com
        :params =
        :path = /includes/www.made-in-china.com/index.php
        :port = 443
        :proto = https
inet:url=https://561808.selcdn.ru/webdata-sharepiont-resources/[email protected]
        .created = 2024/11/19 21:21:33.501
        :base = https://561808.selcdn.ru/webdata-sharepiont-resources/index6.html
        :fqdn = 561808.selcdn.ru
        :params = [email protected]
        :path = /webdata-sharepiont-resources/index6.html
        :port = 443
        :proto = https
inet:url=http://creditag40.temp.swtest.ru/C-Agricole/c781f9c295a32db/region.php?particulier=
        .created = 2024/11/19 21:21:33.524
        :base = http://creditag40.temp.swtest.ru/C-Agricole/c781f9c295a32db/region.php
        :fqdn = creditag40.temp.swtest.ru
        :params = ?particulier=
        :path = /C-Agricole/c781f9c295a32db/region.php
        :port = 80
        :proto = http
inet:url=http://cagricoleg.temp.swtest.ru/C-Agricoleeee/C-Agricole/06eecc0508e2567/region.php?particulier=
        .created = 2024/11/19 21:21:33.549
        :base = http://cagricoleg.temp.swtest.ru/C-Agricoleeee/C-Agricole/06eecc0508e2567/region.php
        :fqdn = cagricoleg.temp.swtest.ru
        :params = ?particulier=
        :path = /C-Agricoleeee/C-Agricole/06eecc0508e2567/region.php
        :port = 80
        :proto = http
inet:url=https://secure.runescape.com-vc.ru/m=weblogin/loginform361,133,993,49673444,1
        .created = 2024/11/19 21:21:33.570
        :base = https://secure.runescape.com-vc.ru/m=weblogin/loginform361,133,993,49673444,1
        :fqdn = secure.runescape.com-vc.ru
        :params =
        :path = /m=weblogin/loginform361,133,993,49673444,1
        :port = 443
        :proto = https
inet:url=http://paypal.com.new-gangnam.com/
        .created = 2024/11/19 21:21:33.593
        :base = http://paypal.com.new-gangnam.com/
        :fqdn = paypal.com.new-gangnam.com
        :params =
        :path = /
        :port = 80
        :proto = http
inet:url=http://ramsolar.net/cs/1%202.html
        .created = 2024/11/19 21:21:33.616
        :base = http://ramsolar.net/cs/1%202.html
        :fqdn = ramsolar.net
        :params =
        :path = /cs/1%202.html
        :port = 80
        :proto = http
inet:url=http://kasihverwidjaja1.gq/2k2tuanphi
        .created = 2024/11/19 21:21:33.639
        :base = http://kasihverwidjaja1.gq/2k2tuanphi
        :fqdn = kasihverwidjaja1.gq
        :params =
        :path = /2k2tuanphi
        :port = 80
        :proto = http
inet:url=https://tasnimchoudhury.com/cddd
        .created = 2024/11/19 21:21:33.660
        :base = https://tasnimchoudhury.com/cddd
        :fqdn = tasnimchoudhury.com
        :params =
        :path = /cddd
        :port = 443
        :proto = https

Use of meta:source nodes

Synapse-Malshare uses a meta:source node and -(seen)> light weight edges to track nodes observed from the Malshare API.

> meta:source=ee334dfb3fd8e1e19e8faf264e9188d3
meta:source=ee334dfb3fd8e1e19e8faf264e9188d3
        .created = 2024/11/19 21:21:31.682
        :name = malshare api

Storm can be used to filter nodes to include/exclude nodes which have been observed by Synapse-Malshare. The following example shows how to filter the results of a query to include only results observed by Synapse-Malshare:

> #cool.tag.lift +{ <(seen)- meta:source=ee334dfb3fd8e1e19e8faf264e9188d3 }