Synapse-MalwareBazaar User Guide

Synapse-MalwareBazaar adds new Storm commands to allow you to query the MalwareBazaar API.

Getting Started

Check with your Admin to enable permissions.

Examples

Setting your personal API key

To set up a personal-use API key (scoped to your own user, with the tag prefix that enriched nodes will be tagged under):

> malwarebazaar.config.add myconfig myapikey --scope self --tag-prefix "my.foo.malwarebazaar"
Synapse-MalwareBazaar config "myconfig" added

List available configurations

To list the available configurations, use the malwarebazaar.config.list command:

> malwarebazaar.config.list
 name                      | scope    | owner
===========================|==========|====================================================
 myconfig                  | user     | root

To view the tag prefix of a configuration, use the vault.list --name <name> command where <name> is synapse-malwarebazaar:<config name>:

> vault.list --name synapse-malwarebazaar:myconfig
Available Vaults
----------------
Vault: 40579bdcb1dd5384e0d0ba0603a715f4
  Name: synapse-malwarebazaar:myconfig
  Type: synapse-malwarebazaar
  Scope: user
  Permissions:
    Users:
      root: admin
    Roles: None
  Configs:
    proxy: true
    ssl_verify: true
    tag_prefix: my.foo.malwarebazaar

Enrich a Hash

Enrich some nodes with malwarebazaar.enrich and yield the results:

> inet:ipv4=1.2.3.4 | malwarebazaar.enrich --yield

Search for samples

Pull in reports from MalwareBazaar for samples that have been tagged as keylogger:

> malwarebazaar.query --tag keylogger --size 5 --yield
file:bytes=sha256:1d6694b7aa3340c6d744ec8f3d1e64caf255e1e5c27057f5bc43036374b69bb4
        .created = 2025/05/30 19:32:17.789
        .seen = ('2023/02/19 11:49:00.000', '2023/02/19 13:29:15.001')
        :md5 = 70778c3ea9ceef2ce0a132a38780e850
        :mime = application/vnd.microsoft.portable-executable
        :mime:pe:imphash = eb5bc6ff6263b364dfbfb78bdb48ed59
        :name = $rzfkipe.exe
        :sha1 = 17a43b65f42c53a47fd44a259a625891bdcb8b3f
        :sha256 = 1d6694b7aa3340c6d744ec8f3d1e64caf255e1e5c27057f5bc43036374b69bb4
        :size = 2845312
        #my.foo.malwarebazaar.adware
        #my.foo.malwarebazaar.adware_extenbro
        #my.foo.malwarebazaar.bestxsoftware
        #my.foo.malwarebazaar.exe
        #my.foo.malwarebazaar.free_zip_password_unlocker_setup
        #my.foo.malwarebazaar.keylogger
        #my.foo.malwarebazaar.signed
        #my.foo.malwarebazaar.wampserver_3_phpmyadmin4_8_3
        #my.foo.malwarebazaar.zip_password_unlocker
file:bytes=sha256:146cc76e1a90d0d35e0bdd020cba231b03ba9e09a0ae5f1cc242eb31f7c04773
        .created = 2025/05/30 19:32:17.805
        .seen = ('2023/01/15 05:13:18.000', '2023/01/15 06:27:13.001')
        :md5 = 31624bc0e022bfc1fe8ba74f79c3d2bf
        :mime = application/vnd.microsoft.portable-executable
        :mime:pe:imphash = 1ea7d62fdbfa2db333e617f1d4ea213b
        :name = _com_win.exe
        :sha1 = 6cf0cc5844d750d97dee58c2fb9c168e0f4ef173
        :sha256 = 146cc76e1a90d0d35e0bdd020cba231b03ba9e09a0ae5f1cc242eb31f7c04773
        :size = 558080
        #my.foo.malwarebazaar.exe
        #my.foo.malwarebazaar.keylogger
        #my.foo.malwarebazaar.spyware
file:bytes=sha256:29e6bb429ee855961a950274a54098093d63e341fa48128e3ace90a7dd9a0868
        .created = 2025/05/30 19:32:17.810
        .seen = ('2023/01/15 05:12:45.000', '2023/01/15 06:27:11.001')
        :md5 = b00be08b710ffebb551facf042faa781
        :mime = application/vnd.microsoft.portable-executable
        :mime:pe:imphash = c99e9024e872ea3bdc977ec302877d4f
        :name = windowsprocessagent.exe
        :sha1 = f7474d2367ca51d690aab9881f1a793dd52f6429
        :sha256 = 29e6bb429ee855961a950274a54098093d63e341fa48128e3ace90a7dd9a0868
        :size = 701440
        #my.foo.malwarebazaar.exe
        #my.foo.malwarebazaar.keylogger
        #my.foo.malwarebazaar.netwire
        #my.foo.malwarebazaar.spyware
file:bytes=sha256:c3d211758a1061afe67cfeb1e63a4c3cc870534e8b6bab2fbb5423e56268ff96
        .created = 2025/05/30 19:32:17.815
        .seen = ('2022/12/28 07:58:10.000', '2022/12/28 07:58:10.001')
        :md5 = 7ce0d79c8af824483f1b9fd6f30e456f
        :mime = application/vnd.microsoft.portable-executable
        :mime:pe:imphash = a6cec5b1a631d592d80900ab7e1de8df
        :name = systemmanager.exe
        :sha1 = 2292e366de09b5e6e07e3c6863fcc82945c231d1
        :sha256 = c3d211758a1061afe67cfeb1e63a4c3cc870534e8b6bab2fbb5423e56268ff96
        :size = 11913469
        #my.foo.malwarebazaar.exe
        #my.foo.malwarebazaar.keylogger
        #my.foo.malwarebazaar.pyinstaller
        #my.foo.malwarebazaar.spyware
file:bytes=sha256:9731df8f9863071116f4e48ebcc533bca161c0b7639e320d2c196f89cd0cf455
        .created = 2025/05/30 19:32:17.820
        .seen = ('2022/12/12 01:17:44.000', '2022/12/12 01:17:44.001')
        :md5 = 12878903a4e1d6549d09aa3c82847f91
        :mime = application/vnd.microsoft.portable-executable
        :mime:pe:imphash = f34d5f2d4577ed6d9ceec516c1f5a744
        :name = wrk.exe
        :sha1 = 7bc168e30f1fcf56fec2393a0fd72fab93cf535b
        :sha256 = 9731df8f9863071116f4e48ebcc533bca161c0b7639e320d2c196f89cd0cf455
        :size = 505856
        #my.foo.malwarebazaar.exe
        #my.foo.malwarebazaar.icarusstealer
        #my.foo.malwarebazaar.keylogger

Pull in reports for samples that have the MalwareBazaar signature RedLineStealer:

> malwarebazaar.query --signature RedLineStealer --size 3 --yield
file:bytes=sha256:826c0ad3560a00bb95697992f9be32d689a6b64fa1f8c15624f4609690b641af
        .created = 2025/05/30 19:32:17.870
        .seen = ('2023/03/29 16:45:33.000', '2023/03/29 16:45:33.001')
        :md5 = bdcab1bf5a4cf8188032c74451814fb5
        :mime = application/vnd.microsoft.portable-executable
        :mime:pe:imphash = 9ccce235b0948e702108d60e5a6f9990
        :name = bdcab1bf5a4cf8188032c74451814fb5.exe
        :sha1 = 032c229f562b28c60959bc3330188eb8b9f48704
        :sha256 = 826c0ad3560a00bb95697992f9be32d689a6b64fa1f8c15624f4609690b641af
        :size = 346192
        #my.foo.malwarebazaar.exe
        #my.foo.malwarebazaar.redlinestealer
file:bytes=sha256:35552b2143fde6ca97014cf6102aaaa38096cbf86619a5d64c4f686eb7d1356c
        .created = 2025/05/30 19:32:17.876
        .seen = ('2023/03/29 13:15:35.000', '2023/03/29 13:15:35.001')
        :md5 = 83ad54c4e71d85c38c19e8bb4938701c
        :mime = application/vnd.microsoft.portable-executable
        :mime:pe:imphash = 303b4a863d3cdfccef2b33459673ef8a
        :name = 83ad54c4e71d85c38c19e8bb4938701c.bin.exe
        :sha1 = 785e1db14073f63dcfab6b93c05e1f6b2989e82c
        :sha256 = 35552b2143fde6ca97014cf6102aaaa38096cbf86619a5d64c4f686eb7d1356c
        :size = 310024
        #my.foo.malwarebazaar.exe
        #my.foo.malwarebazaar.redlinestealer
file:bytes=sha256:eb8a15b1a42127970e7facc6133131dcc073a201419d8cc88c3c316819d1c2a2
        .created = 2025/05/30 19:32:17.880
        .seen = ('2023/03/29 11:44:35.000', '2023/03/29 11:44:35.001')
        :md5 = d0f2c42e26507a749f437978a214d0ee
        :mime = application/vnd.microsoft.portable-executable
        :mime:pe:imphash = f34d5f2d4577ed6d9ceec516c1f5a744
        :name = securiteinfo.com.trojan.generic.30090411.32199.879
        :sha1 = b12faae780883321881f0f92d9d7ae7f5f784819
        :sha256 = eb8a15b1a42127970e7facc6133131dcc073a201419d8cc88c3c316819d1c2a2
        :size = 561152
        #my.foo.malwarebazaar.exe
        #my.foo.malwarebazaar.redlinestealer

Pull in reports for samples that have the imphash f34d5f2d4577ed6d9ceec516c1f5a744:

> malwarebazaar.query --imphash "f34d5f2d4577ed6d9ceec516c1f5a744" --yield --size 3
file:bytes=sha256:4a23db5ce6616e586397a0ac25de51cc1450f4217009715f8ac809b20d377b39
        .created = 2025/05/30 19:32:17.928
        .seen = ('2023/03/29 19:45:24.000', '2023/03/29 19:45:24.001')
        :md5 = 01b694e73ae67576d5960eef85a9ad2f
        :mime = application/vnd.microsoft.portable-executable
        :mime:pe:imphash = f34d5f2d4577ed6d9ceec516c1f5a744
        :name = 01b694e73ae67576d5960eef85a9ad2f.exe
        :sha1 = 05c2b455aa833d30e72f344da84fb1f0cc180bcb
        :sha256 = 4a23db5ce6616e586397a0ac25de51cc1450f4217009715f8ac809b20d377b39
        :size = 3266048
        #my.foo.malwarebazaar.exe
        #my.foo.malwarebazaar.quasarrat
        #my.foo.malwarebazaar.rat
file:bytes=sha256:93386ea79c58a95c033e66da99d155264f0028a43973a9a4496f3fc8c89db0b9
        .created = 2025/05/30 19:32:17.934
        .seen = ('2023/03/29 19:30:10.000', '2023/03/29 19:30:10.001')
        :md5 = 7be37dff77a6257da2b430ab7c483612
        :mime = application/vnd.microsoft.portable-executable
        :mime:pe:imphash = f34d5f2d4577ed6d9ceec516c1f5a744
        :name = bypass-defender.exe
        :sha1 = 028356262caa0076adb3c0a0ad87e4418d386ec8
        :sha256 = 93386ea79c58a95c033e66da99d155264f0028a43973a9a4496f3fc8c89db0b9
        :size = 370176
        #my.foo.malwarebazaar.exe
file:bytes=sha256:f244a04265405ae8295551a1324c6dc3162d611b4a152658096d675a31a57d35
        .created = 2025/05/30 19:32:17.938
        .seen = ('2023/03/29 19:18:57.000', '2023/03/29 19:18:57.001')
        :md5 = 15995b0b1fc5dd82f1c3ba1b7b40c5d4
        :mime = application/vnd.microsoft.portable-executable
        :mime:pe:imphash = f34d5f2d4577ed6d9ceec516c1f5a744
        :name = xsudo.exe
        :sha1 = 3b6a4a5b8b1107854e35b01cd28b4cce7a003413
        :sha256 = f244a04265405ae8295551a1324c6dc3162d611b4a152658096d675a31a57d35
        :size = 3996672
        #my.foo.malwarebazaar.exe

Pull in reports for samples that are Windows executables:

> malwarebazaar.query --filetype exe --size 3 --yield
file:bytes=sha256:0771775f6646f28170c196d4ddba3ecdd1b0ada28c15dcc5b85f5c374c7b6987
        .created = 2025/05/30 19:32:17.987
        .seen = ('2023/03/29 17:25:43.000', '2023/03/29 17:25:43.001')
        :md5 = 2d3b9b558e1bc916402f100ed14b0613
        :mime = application/vnd.microsoft.portable-executable
        :mime:pe:imphash = f34d5f2d4577ed6d9ceec516c1f5a744
        :name = tnt original invoice.exe
        :sha1 = 5d515ae567a9f37df32fcf9c3a18a24b0ad07819
        :sha256 = 0771775f6646f28170c196d4ddba3ecdd1b0ada28c15dcc5b85f5c374c7b6987
        :size = 1333248
        #my.foo.malwarebazaar.exe
        #my.foo.malwarebazaar.remcosrat
        #my.foo.malwarebazaar.tnt
file:bytes=sha256:9ec82cb81f4c7cea29eb80fc7d6e2840cc8252c9bd48ee3f10e21a272558c37f
        .created = 2025/05/30 19:32:17.992
        .seen = ('2023/03/29 17:24:59.000', '2023/03/29 17:24:59.001')
        :md5 = 398fc82f3d764c8890f09bfd3ccce7ce
        :mime = application/vnd.microsoft.portable-executable
        :mime:pe:imphash = 61259b55b8912888e90f516ca08dc514
        :name = dhl express.exe
        :sha1 = 1295e8e0ca1c240e0121c01e078f790456336fda
        :sha256 = 9ec82cb81f4c7cea29eb80fc7d6e2840cc8252c9bd48ee3f10e21a272558c37f
        :size = 659137
        #my.foo.malwarebazaar.dhl
        #my.foo.malwarebazaar.exe
        #my.foo.malwarebazaar.rat
        #my.foo.malwarebazaar.remcosrat
file:bytes=sha256:9daf88d6bf23e8a364ae873b6fd8e6f51cdb8d5ee57ba502a564e71f1bc00c10
        .created = 2025/05/30 19:32:17.997
        .seen = ('2023/03/29 17:22:50.000', '2023/03/29 17:22:50.001')
        :md5 = 90189f8dffe3cbfbb1dc181647b2219b
        :mime = application/vnd.microsoft.portable-executable
        :mime:pe:imphash = f34d5f2d4577ed6d9ceec516c1f5a744
        :name = 90189f8dffe3cbfbb1dc181647b2219b
        :sha1 = 118060f3ce88ccf0b7d9d1777b5e93948d4b15fd
        :sha256 = 9daf88d6bf23e8a364ae873b6fd8e6f51cdb8d5ee57ba502a564e71f1bc00c10
        :size = 2458992
        #my.foo.malwarebazaar.90189f8dffe3cbfbb1dc181647b2219b
        #my.foo.malwarebazaar.exe

Pull in reports for samples that have a signing certificate with an Issuer common name of "SSL.com EV Code Signing Intermediate CA RSA R3":

> malwarebazaar.query --issuer-cn "SSL.com EV Code Signing Intermediate CA RSA R3" --size 3 --yield
file:bytes=sha256:1e2aaed890f3a5e5657d6806bcf6756bbdef9baeca203330ad862dcf47ddf885
        .created = 2025/05/30 19:32:18.025
        .seen = ('2023/03/24 18:41:57.000', '2023/03/24 18:41:57.001')
        :md5 = d659e03354a9657001d5136308449d5c
        :mime = application/vnd.microsoft.portable-executable
        :mime:pe:imphash = 8a3f45460aa7178128f660fb37ed69e5
        :name = docs_unpaid_#367.exe
        :sha1 = 0f440e15ab54adf7f699d980fd436b3e5f03e20e
        :sha256 = 1e2aaed890f3a5e5657d6806bcf6756bbdef9baeca203330ad862dcf47ddf885
        :size = 635424
        #my.foo.malwarebazaar.1105_software_llc
        #my.foo.malwarebazaar.1883783121
        #my.foo.malwarebazaar.exe
        #my.foo.malwarebazaar.icedid
        #my.foo.malwarebazaar.signed
file:bytes=sha256:009381653fade0d3b94ad0fa0a109c294ac55936a5d1ced44e18fb08188aa7df
        .created = 2025/05/30 19:32:18.036
        .seen = ('2023/03/23 18:18:04.000', '2023/03/23 18:18:04.001')
        :md5 = d91dee9dfbdbf0b35593424723052a55
        :mime = application/vnd.microsoft.portable-executable
        :mime:pe:imphash = dff367c9375e1b68769b5ca3b25ac329
        :name = contract_march_23_inv#305.exe
        :sha1 = 813c274e68916cba601134f689788e938f7ef9e7
        :sha256 = 009381653fade0d3b94ad0fa0a109c294ac55936a5d1ced44e18fb08188aa7df
        :size = 400416
        #my.foo.malwarebazaar.1105_software_llc
        #my.foo.malwarebazaar.73743838
        #my.foo.malwarebazaar.exe
        #my.foo.malwarebazaar.icedid
        #my.foo.malwarebazaar.signed
file:bytes=sha256:fe908cbcbbdea11d0540e038a23f1a377ab0861ad5f6d013ed22dbf02b943032
        .created = 2025/05/30 19:32:18.044
        .seen = ('2023/03/21 19:48:25.000', '2023/03/21 19:48:25.001')
        :md5 = 9044436ca8ddc3ed05c5a1ab87cbdb43
        :mime = application/vnd.microsoft.portable-executable
        :mime:pe:imphash = c90c1d9ea33b38d68a9f1fc5584c8fe9
        :name = docs_03_21_inv#15.exe
        :sha1 = 997bf9e5632f17bfad671b5252016effecc27533
        :sha256 = fe908cbcbbdea11d0540e038a23f1a377ab0861ad5f6d013ed22dbf02b943032
        :size = 486944
        #my.foo.malwarebazaar.3581911946
        #my.foo.malwarebazaar.exe
        #my.foo.malwarebazaar.icedid
        #my.foo.malwarebazaar.signed

Pull in reports for samples that have a signing certificate with a Subject common name of "Media Ground":

> malwarebazaar.query --subject-cn "Media Ground" --size 3 --yield
file:bytes=sha256:02a8f0962681f2cf506deb96b80e2e4cfca38bd283decfb09f0a1f1c66814a4a
        .created = 2025/05/30 19:32:18.077
        .seen = ('2023/03/23 05:20:13.000', '2023/03/23 05:20:13.001')
        :md5 = 06ed501084fee2629ec9ffa81ec35ad4
        :mime = application/vnd.microsoft.portable-executable
        :mime:pe:imphash = fe52af0d61c2219338f7536932f24ba9
        :name = apphost.exe
        :sha1 = c7dc21edf35431c194f1cc31ff1268ab5d0ca9c8
        :sha256 = 02a8f0962681f2cf506deb96b80e2e4cfca38bd283decfb09f0a1f1c66814a4a
        :size = 2062328
        #my.foo.malwarebazaar.exe
        #my.foo.malwarebazaar.signed
file:bytes=sha256:3d14b0bf0cad8d2e3653e6ab8b88d8d17ac30d327b169813e312ae2ba47ef8e8
        .created = 2025/05/30 19:32:18.086
        .seen = ('2022/07/22 11:29:53.000', '2022/07/22 12:41:04.001')
        :md5 = bb17c073fc881149d1cf8fd7542ff574
        :mime = application/vnd.microsoft.portable-executable
        :mime:pe:imphash = 1b168e61bbb4539c14414dc31a5f20f0
        :name = bb17c073fc881149d1cf8fd7542ff574
        :sha1 = 8e0095e1944b59f5589d56c900b312bfb9d2cc4c
        :sha256 = 3d14b0bf0cad8d2e3653e6ab8b88d8d17ac30d327b169813e312ae2ba47ef8e8
        :size = 2076192
        #my.foo.malwarebazaar.exe
        #my.foo.malwarebazaar.opencti_br
        #my.foo.malwarebazaar.sandboxed
        #my.foo.malwarebazaar.signed
file:bytes=sha256:ca9d181306b7607f560c039e17892ac42bd2a4675aa7d08aa6c6487bde66fc21
        .created = 2025/05/30 19:32:18.094
        .seen = ('2022/07/14 03:47:20.000', '2022/07/15 02:48:33.001')
        :md5 = 50891f2c0d78d16e6b5e6d2e5585fe1d
        :mime = application/vnd.microsoft.portable-executable
        :mime:pe:imphash = fdf4e5df6353f576a953124968747c3c
        :name = 50891f2c0d78d16e6b5e6d2e5585fe1d
        :sha1 = 4e61af453f9556eb4fec5d9cc8ecd4411a03802d
        :sha256 = ca9d181306b7607f560c039e17892ac42bd2a4675aa7d08aa6c6487bde66fc21
        :size = 2056736
        #my.foo.malwarebazaar.exe
        #my.foo.malwarebazaar.opencti_br
        #my.foo.malwarebazaar.sandboxed
        #my.foo.malwarebazaar.signed

Downloading Samples

Download a sample from MalwareBazaar and yield the results:

> hash:sha256=b25276475053e1d4abdb00ae75ac931bd554cd508d17d54733f39643c4c697cb | malwarebazaar.download --yield --size 1
fileparser parsing sha256: 9f4a58e7f1697ab821c57adfccf3a9231fa4bb1456f86f50c3fd0f87cc58d841
file:bytes=sha256:b25276475053e1d4abdb00ae75ac931bd554cd508d17d54733f39643c4c697cb
        .created = 2025/05/30 19:32:20.412
        :md5 = f86787ba86aa322039944d084648a82d
        :mime = application/vnd.microsoft.portable-executable
        :mime:pe:compiled = 2022/01/12 07:39:05.000
        :mime:pe:imphash = f28ad02a4adb6c9c9717704f5e5b34ac
        :mime:pe:pdbpath = c:/tokatoj84/jiyatilayipab-pogajagol.pdb
        :mime:pe:richhdr = fb75f988562b01c2515bc5170090d8dc7279a6156541775363de2543fb0612b6
        :mime:pe:size = 544768
        :name = b25276475053e1d4abdb00ae75ac931bd554cd508d17d54733f39643c4c697cb.exe
        :sha1 = b0017ebba5fba650bda154a7866ca570c7bb015f
        :sha256 = b25276475053e1d4abdb00ae75ac931bd554cd508d17d54733f39643c4c697cb
        :sha512 = 220a941d78b86a9c8ce0b48419333889bb2745d6d4dc646097a0814937c4b3030920b6c8a97e20343e1f410438c76d10be3f9f9362395377102f03ca987f74c7
        :size = 435200

Download all the samples MalwareBazaar saw on a particular day:

> malwarebazaar.daily --date "2020-02-24" --yield
fileparser parsing sha256: 1a01aa4250c5c434f074ff1c6dbe91506520bd97d472d757b274ce77b1fcf796
file:bytes=sha256:1460604fef8913322d310b038f6be1c5dbd5b725296a02a4ba13ea4bb3b8329a
        .created = 2025/05/30 19:32:23.358
        :md5 = bd6c930b0a859e36f54dc02eb2b6cd34
        :mime = text/plain
        :name = 1460604fef8913322d310b038f6be1c5dbd5b725296a02a4ba13ea4bb3b8329a.js
        :sha1 = 509182f60b1c37f56e0eccf766ee1b15ecb15243
        :sha256 = 1460604fef8913322d310b038f6be1c5dbd5b725296a02a4ba13ea4bb3b8329a
        :sha512 = 30a9766fe09338b16726fb7dcd46a029682e389b654108378823946445ea59d8cb3ea5d943f6ce3c46fe14347bfc6752529f3612216a815cbbddc62ba183edfc
        :size = 48883
file:bytes=sha256:59fc347dac3dd1c78d62393589818b5417ca041d697d155040988b14562bc797
        .created = 2025/05/30 19:32:23.487
        :md5 = ccd0309499150e378a9fed4cd01a0935
        :mime = application/vnd.microsoft.portable-executable
        :mime:pe:imphash = e4ce1c8f63c515374ec1ef07a94a20e2
        :mime:pe:size = 135168
        :name = 59fc347dac3dd1c78d62393589818b5417ca041d697d155040988b14562bc797.exe
        :sha1 = e8ae78cf81cc2f2e29558df03996bd8ee8880987
        :sha256 = 59fc347dac3dd1c78d62393589818b5417ca041d697d155040988b14562bc797
        :sha512 = b1878fbc83a5b6ec5cc9d8be9dfef61ef096760d60428cd18972301fa0312c00d8ec24cd8ac89ec37705eb1f42dcf0b4ba00949b8ca9d04ce69179c520019f3e
        :size = 120320

Because MalwareBazaar packages all samples in encrypted ZIP archives, the archives returned by the MalwareBazaar API are sent to Synapse-FileParser to be extracted and parsed.

Ingesting the Code Signing Certificate Blocklist

Pull in the list of certificates that MalwareBazaar has flagged as being used by threat actors to sign malware:

> malwarebazaar.certs --yield --size 3
crypto:x509:cert=8948f6eebb4d58805b9c20beee092a7d
        .created = 2025/05/30 19:32:23.875
        :issuer = CN=SSL.com Code Signing Intermediate CA RSA R1
        :serial = 000000003ab74a2ebf93447adb83554b5564fe03
        :sha256 = 8ed289fcc40bbc150a52b733123f6094ccfb2c499d6e932b0d9a6001490fb7e6
        :subject = CN=IMPERIOUS TECHNOLOGIES LIMITED
        :validity:notafter = 2024/05/17 15:32:29.000
        :validity:notbefore = 2023/05/19 15:32:29.000
        #my.foo.malwarebazaar.redlinestealer
crypto:x509:cert=f8140eeeec77051fb6def90308728e23
        .created = 2025/05/30 19:32:23.879
        :issuer = CN=DigiCert EV Code Signing CA (SHA2)
        :serial = 0000000008d4352185317271c1cec9d05c279af7
        :sha256 = ec5200a97ca26f55a1ab0ad7923d9447fea473cc2e42dca69a70defe014624d6
        :subject = CN=Retalit LLC
        :validity:notafter = 2021/07/12 12:00:00.000
        :validity:notbefore = 2020/08/05 00:00:00.000
        #my.foo.malwarebazaar.buerloader
crypto:x509:cert=ec9438e253271afa4dacb7ae02ae4f43
        .created = 2025/05/30 19:32:23.882
        :issuer = CN=COMODO RSA Code Signing CA
        :serial = 0000000090212473c706f523fe84bdb9a78a01f4
        :sha256 = 6b18e9451c2e93564ed255e754b7e1cf0f817abda93015b21ae5e247c75f9d03
        :subject = CN=DEMUS, OOO
        :validity:notafter = 2018/07/17 23:59:59.000
        :validity:notbefore = 2017/07/17 00:00:00.000
        #my.foo.malwarebazaar.cerber

Use of meta:source nodes

Synapse-MalwareBazaar uses a meta:source node and -(seen)> lightweight edges to track nodes observed from the MalwareBazaar API.

> meta:source=7d36740c97905575850895c1f05ebf74
meta:source=7d36740c97905575850895c1f05ebf74
        .created = 2025/05/30 19:32:17.788
        :name = malwarebazaar api

Storm can use these edges to include or exclude nodes that have been observed by Synapse-MalwareBazaar. The following example shows how to filter the results of a query to include only results observed by Synapse-MalwareBazaar:

> file:bytes:name="dhl express.exe" +{ <(seen)- meta:source=7d36740c97905575850895c1f05ebf74 }
file:bytes=sha256:9ec82cb81f4c7cea29eb80fc7d6e2840cc8252c9bd48ee3f10e21a272558c37f
        .created = 2025/05/30 19:32:17.992
        .seen = ('2023/03/29 17:24:59.000', '2023/03/29 17:24:59.001')
        :md5 = 398fc82f3d764c8890f09bfd3ccce7ce
        :mime = application/vnd.microsoft.portable-executable
        :mime:pe:imphash = 61259b55b8912888e90f516ca08dc514
        :name = dhl express.exe
        :sha1 = 1295e8e0ca1c240e0121c01e078f790456336fda
        :sha256 = 9ec82cb81f4c7cea29eb80fc7d6e2840cc8252c9bd48ee3f10e21a272558c37f
        :size = 659137
        #my.foo.malwarebazaar.dhl
        #my.foo.malwarebazaar.exe
        #my.foo.malwarebazaar.rat
        #my.foo.malwarebazaar.remcosrat
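The same edge check combines with the tags the power-up applies. The following query is an added example rather than one from the original guide; it assumes the meta:source guid and the my.foo.malwarebazaar tag prefix shown above. It lifts the MalwareBazaar samples tagged redlinestealer and pivots by imphash to files in the Cortex that were not observed from MalwareBazaar, which surfaces locally ingested files that share an import table with known stealer samples.

```storm
// Added example, not from the original guide. Assumes the meta:source guid
// and the "my.foo.malwarebazaar" tag prefix used in the examples above.

// Lift the samples that Synapse-MalwareBazaar tagged as redlinestealer ...
file:bytes#my.foo.malwarebazaar.redlinestealer

// ... and keep only those with a -(seen)> edge from the MalwareBazaar source.
+{ <(seen)- meta:source=7d36740c97905575850895c1f05ebf74 }

// Only PE files carrying an import hash can be compared this way.
+:mime:pe:imphash

// Pivot to every file:bytes in the Cortex that shares the same imphash.
:mime:pe:imphash -> file:bytes:mime:pe:imphash

// Drop the files MalwareBazaar itself observed, leaving the ones that came
// from other sources (sandbox runs, EDR collections, analyst uploads).
-{ <(seen)- meta:source=7d36740c97905575850895c1f05ebf74 }

// Collapse duplicates produced by the pivot before returning the results.
| uniq
```

Swap the tag in the first line for any other MalwareBazaar tag or signature name the power-up applied (for example keylogger or icedid) to repeat the check for a different family.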