User Guide

Synapse-MalwareBazaar User Guide

Synapse-MalwareBazaar adds new Storm commands to allow you to query the MalwareBazaar API.

Getting Started

Check with your Admin to enable permissions.

Examples

Enrich a Hash

Enrich some nodes with malwarebazaar.enrich and yield the results:

> inet:ipv4=1.2.3.4 | malwarebazaar.enrich --yield
WARNING: malwarebazaar.enrich: The --asof argument is deprecated and will be removed.

Search for samples

Pull in reports from MalwareBazaar for samples that have been tagged as keylogger:

> malwarebazaar.query --tag keylogger --size 5 --yield
WARNING: malwarebazaar.query: The --asof argument is deprecated and will be removed.
file:bytes=sha256:1d6694b7aa3340c6d744ec8f3d1e64caf255e1e5c27057f5bc43036374b69bb4
        .created = 2024/05/08 16:22:49.486
        .seen = ('2023/02/19 11:49:00.000', '2023/02/19 13:29:15.001')
        :md5 = 70778c3ea9ceef2ce0a132a38780e850
        :mime = application/vnd.microsoft.portable-executable
        :mime:pe:imphash = eb5bc6ff6263b364dfbfb78bdb48ed59
        :name = $rzfkipe.exe
        :sha1 = 17a43b65f42c53a47fd44a259a625891bdcb8b3f
        :sha256 = 1d6694b7aa3340c6d744ec8f3d1e64caf255e1e5c27057f5bc43036374b69bb4
        :size = 2845312
        #rep.malwarebazaar.adware
        #rep.malwarebazaar.adware_extenbro
        #rep.malwarebazaar.bestxsoftware
        #rep.malwarebazaar.exe
        #rep.malwarebazaar.free_zip_password_unlocker_setup
        #rep.malwarebazaar.keylogger
        #rep.malwarebazaar.signed
        #rep.malwarebazaar.wampserver_3_phpmyadmin4_8_3
        #rep.malwarebazaar.zip_password_unlocker
file:bytes=sha256:146cc76e1a90d0d35e0bdd020cba231b03ba9e09a0ae5f1cc242eb31f7c04773
        .created = 2024/05/08 16:22:49.590
        .seen = ('2023/01/15 05:13:18.000', '2023/01/15 06:27:13.001')
        :md5 = 31624bc0e022bfc1fe8ba74f79c3d2bf
        :mime = application/vnd.microsoft.portable-executable
        :mime:pe:imphash = 1ea7d62fdbfa2db333e617f1d4ea213b
        :name = _com_win.exe
        :sha1 = 6cf0cc5844d750d97dee58c2fb9c168e0f4ef173
        :sha256 = 146cc76e1a90d0d35e0bdd020cba231b03ba9e09a0ae5f1cc242eb31f7c04773
        :size = 558080
        #rep.malwarebazaar.exe
        #rep.malwarebazaar.keylogger
        #rep.malwarebazaar.spyware
file:bytes=sha256:29e6bb429ee855961a950274a54098093d63e341fa48128e3ace90a7dd9a0868
        .created = 2024/05/08 16:22:49.624
        .seen = ('2023/01/15 05:12:45.000', '2023/01/15 06:27:11.001')
        :md5 = b00be08b710ffebb551facf042faa781
        :mime = application/vnd.microsoft.portable-executable
        :mime:pe:imphash = c99e9024e872ea3bdc977ec302877d4f
        :name = windowsprocessagent.exe
        :sha1 = f7474d2367ca51d690aab9881f1a793dd52f6429
        :sha256 = 29e6bb429ee855961a950274a54098093d63e341fa48128e3ace90a7dd9a0868
        :size = 701440
        #rep.malwarebazaar.exe
        #rep.malwarebazaar.keylogger
        #rep.malwarebazaar.netwire
        #rep.malwarebazaar.spyware
file:bytes=sha256:c3d211758a1061afe67cfeb1e63a4c3cc870534e8b6bab2fbb5423e56268ff96
        .created = 2024/05/08 16:22:49.656
        .seen = ('2022/12/28 07:58:10.000', '2022/12/28 07:58:10.001')
        :md5 = 7ce0d79c8af824483f1b9fd6f30e456f
        :mime = application/vnd.microsoft.portable-executable
        :mime:pe:imphash = a6cec5b1a631d592d80900ab7e1de8df
        :name = systemmanager.exe
        :sha1 = 2292e366de09b5e6e07e3c6863fcc82945c231d1
        :sha256 = c3d211758a1061afe67cfeb1e63a4c3cc870534e8b6bab2fbb5423e56268ff96
        :size = 11913469
        #rep.malwarebazaar.exe
        #rep.malwarebazaar.keylogger
        #rep.malwarebazaar.pyinstaller
        #rep.malwarebazaar.spyware
file:bytes=sha256:9731df8f9863071116f4e48ebcc533bca161c0b7639e320d2c196f89cd0cf455
        .created = 2024/05/08 16:22:49.689
        .seen = ('2022/12/12 01:17:44.000', '2022/12/12 01:17:44.001')
        :md5 = 12878903a4e1d6549d09aa3c82847f91
        :mime = application/vnd.microsoft.portable-executable
        :mime:pe:imphash = f34d5f2d4577ed6d9ceec516c1f5a744
        :name = wrk.exe
        :sha1 = 7bc168e30f1fcf56fec2393a0fd72fab93cf535b
        :sha256 = 9731df8f9863071116f4e48ebcc533bca161c0b7639e320d2c196f89cd0cf455
        :size = 505856
        #rep.malwarebazaar.exe
        #rep.malwarebazaar.icarusstealer
        #rep.malwarebazaar.keylogger

Pull in reports for samples that have the MalwareBazaar signature RedLineStealer:

> malwarebazaar.query --signature RedLineStealer --size 3 --yield
WARNING: malwarebazaar.query: The --asof argument is deprecated and will be removed.
file:bytes=sha256:826c0ad3560a00bb95697992f9be32d689a6b64fa1f8c15624f4609690b641af
        .created = 2024/05/08 16:22:49.964
        .seen = ('2023/03/29 16:45:33.000', '2023/03/29 16:45:33.001')
        :md5 = bdcab1bf5a4cf8188032c74451814fb5
        :mime = application/vnd.microsoft.portable-executable
        :mime:pe:imphash = 9ccce235b0948e702108d60e5a6f9990
        :name = bdcab1bf5a4cf8188032c74451814fb5.exe
        :sha1 = 032c229f562b28c60959bc3330188eb8b9f48704
        :sha256 = 826c0ad3560a00bb95697992f9be32d689a6b64fa1f8c15624f4609690b641af
        :size = 346192
        #rep.malwarebazaar.exe
        #rep.malwarebazaar.redlinestealer
file:bytes=sha256:35552b2143fde6ca97014cf6102aaaa38096cbf86619a5d64c4f686eb7d1356c
        .created = 2024/05/08 16:22:49.999
        .seen = ('2023/03/29 13:15:35.000', '2023/03/29 13:15:35.001')
        :md5 = 83ad54c4e71d85c38c19e8bb4938701c
        :mime = application/vnd.microsoft.portable-executable
        :mime:pe:imphash = 303b4a863d3cdfccef2b33459673ef8a
        :name = 83ad54c4e71d85c38c19e8bb4938701c.bin.exe
        :sha1 = 785e1db14073f63dcfab6b93c05e1f6b2989e82c
        :sha256 = 35552b2143fde6ca97014cf6102aaaa38096cbf86619a5d64c4f686eb7d1356c
        :size = 310024
        #rep.malwarebazaar.exe
        #rep.malwarebazaar.redlinestealer
file:bytes=sha256:eb8a15b1a42127970e7facc6133131dcc073a201419d8cc88c3c316819d1c2a2
        .created = 2024/05/08 16:22:50.030
        .seen = ('2023/03/29 11:44:35.000', '2023/03/29 11:44:35.001')
        :md5 = d0f2c42e26507a749f437978a214d0ee
        :mime = application/vnd.microsoft.portable-executable
        :mime:pe:imphash = f34d5f2d4577ed6d9ceec516c1f5a744
        :name = securiteinfo.com.trojan.generic.30090411.32199.879
        :sha1 = b12faae780883321881f0f92d9d7ae7f5f784819
        :sha256 = eb8a15b1a42127970e7facc6133131dcc073a201419d8cc88c3c316819d1c2a2
        :size = 561152
        #rep.malwarebazaar.exe
        #rep.malwarebazaar.redlinestealer

Pull in reports for samples that have the imphash f34d5f2d4577ed6d9ceec516c1f5a744:

> malwarebazaar.query --imphash "f34d5f2d4577ed6d9ceec516c1f5a744" --yield --size 3
WARNING: malwarebazaar.query: The --asof argument is deprecated and will be removed.
file:bytes=sha256:4a23db5ce6616e586397a0ac25de51cc1450f4217009715f8ac809b20d377b39
        .created = 2024/05/08 16:22:50.303
        .seen = ('2023/03/29 19:45:24.000', '2023/03/29 19:45:24.001')
        :md5 = 01b694e73ae67576d5960eef85a9ad2f
        :mime = application/vnd.microsoft.portable-executable
        :mime:pe:imphash = f34d5f2d4577ed6d9ceec516c1f5a744
        :name = 01b694e73ae67576d5960eef85a9ad2f.exe
        :sha1 = 05c2b455aa833d30e72f344da84fb1f0cc180bcb
        :sha256 = 4a23db5ce6616e586397a0ac25de51cc1450f4217009715f8ac809b20d377b39
        :size = 3266048
        #rep.malwarebazaar.exe
        #rep.malwarebazaar.quasarrat
        #rep.malwarebazaar.rat
file:bytes=sha256:93386ea79c58a95c033e66da99d155264f0028a43973a9a4496f3fc8c89db0b9
        .created = 2024/05/08 16:22:50.336
        .seen = ('2023/03/29 19:30:10.000', '2023/03/29 19:30:10.001')
        :md5 = 7be37dff77a6257da2b430ab7c483612
        :mime = application/vnd.microsoft.portable-executable
        :mime:pe:imphash = f34d5f2d4577ed6d9ceec516c1f5a744
        :name = bypass-defender.exe
        :sha1 = 028356262caa0076adb3c0a0ad87e4418d386ec8
        :sha256 = 93386ea79c58a95c033e66da99d155264f0028a43973a9a4496f3fc8c89db0b9
        :size = 370176
        #rep.malwarebazaar.exe
file:bytes=sha256:f244a04265405ae8295551a1324c6dc3162d611b4a152658096d675a31a57d35
        .created = 2024/05/08 16:22:50.369
        .seen = ('2023/03/29 19:18:57.000', '2023/03/29 19:18:57.001')
        :md5 = 15995b0b1fc5dd82f1c3ba1b7b40c5d4
        :mime = application/vnd.microsoft.portable-executable
        :mime:pe:imphash = f34d5f2d4577ed6d9ceec516c1f5a744
        :name = xsudo.exe
        :sha1 = 3b6a4a5b8b1107854e35b01cd28b4cce7a003413
        :sha256 = f244a04265405ae8295551a1324c6dc3162d611b4a152658096d675a31a57d35
        :size = 3996672
        #rep.malwarebazaar.exe

Pull in reports for samples that are Windows executables:

> malwarebazaar.query --filetype exe --size 3 --yield
WARNING: malwarebazaar.query: The --asof argument is deprecated and will be removed.
file:bytes=sha256:0771775f6646f28170c196d4ddba3ecdd1b0ada28c15dcc5b85f5c374c7b6987
        .created = 2024/05/08 16:22:50.641
        .seen = ('2023/03/29 17:25:43.000', '2023/03/29 17:25:43.001')
        :md5 = 2d3b9b558e1bc916402f100ed14b0613
        :mime = application/vnd.microsoft.portable-executable
        :mime:pe:imphash = f34d5f2d4577ed6d9ceec516c1f5a744
        :name = tnt original invoice.exe
        :sha1 = 5d515ae567a9f37df32fcf9c3a18a24b0ad07819
        :sha256 = 0771775f6646f28170c196d4ddba3ecdd1b0ada28c15dcc5b85f5c374c7b6987
        :size = 1333248
        #rep.malwarebazaar.exe
        #rep.malwarebazaar.remcosrat
        #rep.malwarebazaar.tnt
file:bytes=sha256:9ec82cb81f4c7cea29eb80fc7d6e2840cc8252c9bd48ee3f10e21a272558c37f
        .created = 2024/05/08 16:22:50.674
        .seen = ('2023/03/29 17:24:59.000', '2023/03/29 17:24:59.001')
        :md5 = 398fc82f3d764c8890f09bfd3ccce7ce
        :mime = application/vnd.microsoft.portable-executable
        :mime:pe:imphash = 61259b55b8912888e90f516ca08dc514
        :name = dhl express.exe
        :sha1 = 1295e8e0ca1c240e0121c01e078f790456336fda
        :sha256 = 9ec82cb81f4c7cea29eb80fc7d6e2840cc8252c9bd48ee3f10e21a272558c37f
        :size = 659137
        #rep.malwarebazaar.dhl
        #rep.malwarebazaar.exe
        #rep.malwarebazaar.rat
        #rep.malwarebazaar.remcosrat
file:bytes=sha256:9daf88d6bf23e8a364ae873b6fd8e6f51cdb8d5ee57ba502a564e71f1bc00c10
        .created = 2024/05/08 16:22:50.707
        .seen = ('2023/03/29 17:22:50.000', '2023/03/29 17:22:50.001')
        :md5 = 90189f8dffe3cbfbb1dc181647b2219b
        :mime = application/vnd.microsoft.portable-executable
        :mime:pe:imphash = f34d5f2d4577ed6d9ceec516c1f5a744
        :name = 90189f8dffe3cbfbb1dc181647b2219b
        :sha1 = 118060f3ce88ccf0b7d9d1777b5e93948d4b15fd
        :sha256 = 9daf88d6bf23e8a364ae873b6fd8e6f51cdb8d5ee57ba502a564e71f1bc00c10
        :size = 2458992
        #rep.malwarebazaar.90189f8dffe3cbfbb1dc181647b2219b
        #rep.malwarebazaar.exe

Pull in reports for samples that have a signing certificate with an Issuer common name of SSL.com EV Code Signing Intermediate CA RSA R3:

> malwarebazaar.query --issuer-cn "SSL.com EV Code Signing Intermediate CA RSA R3" --size 3 --yield
WARNING: malwarebazaar.query: The --asof argument is deprecated and will be removed.
file:bytes=sha256:1e2aaed890f3a5e5657d6806bcf6756bbdef9baeca203330ad862dcf47ddf885
        .created = 2024/05/08 16:22:50.950
        .seen = ('2023/03/24 18:41:57.000', '2023/03/24 18:41:57.001')
        :md5 = d659e03354a9657001d5136308449d5c
        :mime = application/vnd.microsoft.portable-executable
        :mime:pe:imphash = 8a3f45460aa7178128f660fb37ed69e5
        :name = docs_unpaid_#367.exe
        :sha1 = 0f440e15ab54adf7f699d980fd436b3e5f03e20e
        :sha256 = 1e2aaed890f3a5e5657d6806bcf6756bbdef9baeca203330ad862dcf47ddf885
        :size = 635424
        #rep.malwarebazaar.1105_software_llc
        #rep.malwarebazaar.1883783121
        #rep.malwarebazaar.exe
        #rep.malwarebazaar.icedid
        #rep.malwarebazaar.signed
file:bytes=sha256:009381653fade0d3b94ad0fa0a109c294ac55936a5d1ced44e18fb08188aa7df
        .created = 2024/05/08 16:22:51.047
        .seen = ('2023/03/23 18:18:04.000', '2023/03/23 18:18:04.001')
        :md5 = d91dee9dfbdbf0b35593424723052a55
        :mime = application/vnd.microsoft.portable-executable
        :mime:pe:imphash = dff367c9375e1b68769b5ca3b25ac329
        :name = contract_march_23_inv#305.exe
        :sha1 = 813c274e68916cba601134f689788e938f7ef9e7
        :sha256 = 009381653fade0d3b94ad0fa0a109c294ac55936a5d1ced44e18fb08188aa7df
        :size = 400416
        #rep.malwarebazaar.1105_software_llc
        #rep.malwarebazaar.73743838
        #rep.malwarebazaar.exe
        #rep.malwarebazaar.icedid
        #rep.malwarebazaar.signed
file:bytes=sha256:fe908cbcbbdea11d0540e038a23f1a377ab0861ad5f6d013ed22dbf02b943032
        .created = 2024/05/08 16:22:51.142
        .seen = ('2023/03/21 19:48:25.000', '2023/03/21 19:48:25.001')
        :md5 = 9044436ca8ddc3ed05c5a1ab87cbdb43
        :mime = application/vnd.microsoft.portable-executable
        :mime:pe:imphash = c90c1d9ea33b38d68a9f1fc5584c8fe9
        :name = docs_03_21_inv#15.exe
        :sha1 = 997bf9e5632f17bfad671b5252016effecc27533
        :sha256 = fe908cbcbbdea11d0540e038a23f1a377ab0861ad5f6d013ed22dbf02b943032
        :size = 486944
        #rep.malwarebazaar.3581911946
        #rep.malwarebazaar.exe
        #rep.malwarebazaar.icedid
        #rep.malwarebazaar.signed

Pull in reports for samples that have a signing certificate with a Subject common name of Media Ground:

> malwarebazaar.query --subject-cn "Media Ground" --size 3 --yield
WARNING: malwarebazaar.query: The --asof argument is deprecated and will be removed.
file:bytes=sha256:02a8f0962681f2cf506deb96b80e2e4cfca38bd283decfb09f0a1f1c66814a4a
        .created = 2024/05/08 16:22:51.445
        .seen = ('2023/03/23 05:20:13.000', '2023/03/23 05:20:13.001')
        :md5 = 06ed501084fee2629ec9ffa81ec35ad4
        :mime = application/vnd.microsoft.portable-executable
        :mime:pe:imphash = fe52af0d61c2219338f7536932f24ba9
        :name = apphost.exe
        :sha1 = c7dc21edf35431c194f1cc31ff1268ab5d0ca9c8
        :sha256 = 02a8f0962681f2cf506deb96b80e2e4cfca38bd283decfb09f0a1f1c66814a4a
        :size = 2062328
        #rep.malwarebazaar.exe
        #rep.malwarebazaar.signed
file:bytes=sha256:3d14b0bf0cad8d2e3653e6ab8b88d8d17ac30d327b169813e312ae2ba47ef8e8
        .created = 2024/05/08 16:22:51.540
        .seen = ('2022/07/22 11:29:53.000', '2022/07/22 12:41:04.001')
        :md5 = bb17c073fc881149d1cf8fd7542ff574
        :mime = application/vnd.microsoft.portable-executable
        :mime:pe:imphash = 1b168e61bbb4539c14414dc31a5f20f0
        :name = bb17c073fc881149d1cf8fd7542ff574
        :sha1 = 8e0095e1944b59f5589d56c900b312bfb9d2cc4c
        :sha256 = 3d14b0bf0cad8d2e3653e6ab8b88d8d17ac30d327b169813e312ae2ba47ef8e8
        :size = 2076192
        #rep.malwarebazaar.exe
        #rep.malwarebazaar.opencti_br
        #rep.malwarebazaar.sandboxed
        #rep.malwarebazaar.signed
file:bytes=sha256:ca9d181306b7607f560c039e17892ac42bd2a4675aa7d08aa6c6487bde66fc21
        .created = 2024/05/08 16:22:51.633
        .seen = ('2022/07/14 03:47:20.000', '2022/07/15 02:48:33.001')
        :md5 = 50891f2c0d78d16e6b5e6d2e5585fe1d
        :mime = application/vnd.microsoft.portable-executable
        :mime:pe:imphash = fdf4e5df6353f576a953124968747c3c
        :name = 50891f2c0d78d16e6b5e6d2e5585fe1d
        :sha1 = 4e61af453f9556eb4fec5d9cc8ecd4411a03802d
        :sha256 = ca9d181306b7607f560c039e17892ac42bd2a4675aa7d08aa6c6487bde66fc21
        :size = 2056736
        #rep.malwarebazaar.exe
        #rep.malwarebazaar.opencti_br
        #rep.malwarebazaar.sandboxed
        #rep.malwarebazaar.signed

Downloading Samples

Download a sample from MalwareBazaar and yield the results:

> hash:sha256=b25276475053e1d4abdb00ae75ac931bd554cd508d17d54733f39643c4c697cb | malwarebazaar.download --yield --size 1
fileparser parsing sha256: 9f4a58e7f1697ab821c57adfccf3a9231fa4bb1456f86f50c3fd0f87cc58d841
file:bytes=sha256:b25276475053e1d4abdb00ae75ac931bd554cd508d17d54733f39643c4c697cb
        .created = 2024/05/08 16:22:55.453
        :md5 = f86787ba86aa322039944d084648a82d
        :mime = application/vnd.microsoft.portable-executable
        :mime:pe:compiled = 2022/01/12 07:39:05.000
        :mime:pe:imphash = f28ad02a4adb6c9c9717704f5e5b34ac
        :mime:pe:pdbpath = c:/tokatoj84/jiyatilayipab-pogajagol.pdb
        :mime:pe:richhdr = fb75f988562b01c2515bc5170090d8dc7279a6156541775363de2543fb0612b6
        :mime:pe:size = 544768
        :sha1 = b0017ebba5fba650bda154a7866ca570c7bb015f
        :sha256 = b25276475053e1d4abdb00ae75ac931bd554cd508d17d54733f39643c4c697cb
        :sha512 = 220a941d78b86a9c8ce0b48419333889bb2745d6d4dc646097a0814937c4b3030920b6c8a97e20343e1f410438c76d10be3f9f9362395377102f03ca987f74c7
        :size = 435200

Download all the samples MalwareBazaar saw on a particular day:

> malwarebazaar.daily --date "2020-02-24" --yield
fileparser parsing sha256: 1a01aa4250c5c434f074ff1c6dbe91506520bd97d472d757b274ce77b1fcf796
file:bytes=sha256:1460604fef8913322d310b038f6be1c5dbd5b725296a02a4ba13ea4bb3b8329a
        .created = 2024/05/08 16:23:07.046
        :md5 = bd6c930b0a859e36f54dc02eb2b6cd34
        :mime = text/plain
        :sha1 = 509182f60b1c37f56e0eccf766ee1b15ecb15243
        :sha256 = 1460604fef8913322d310b038f6be1c5dbd5b725296a02a4ba13ea4bb3b8329a
        :sha512 = 30a9766fe09338b16726fb7dcd46a029682e389b654108378823946445ea59d8cb3ea5d943f6ce3c46fe14347bfc6752529f3612216a815cbbddc62ba183edfc
        :size = 48883
file:bytes=sha256:59fc347dac3dd1c78d62393589818b5417ca041d697d155040988b14562bc797
        .created = 2024/05/08 16:23:10.645
        :md5 = ccd0309499150e378a9fed4cd01a0935
        :mime = application/vnd.microsoft.portable-executable
        :mime:pe:imphash = e4ce1c8f63c515374ec1ef07a94a20e2
        :mime:pe:size = 135168
        :sha1 = e8ae78cf81cc2f2e29558df03996bd8ee8880987
        :sha256 = 59fc347dac3dd1c78d62393589818b5417ca041d697d155040988b14562bc797
        :sha512 = b1878fbc83a5b6ec5cc9d8be9dfef61ef096760d60428cd18972301fa0312c00d8ec24cd8ac89ec37705eb1f42dcf0b4ba00949b8ca9d04ce69179c520019f3e
        :size = 120320

Because MalwareBazaar packages all samples in encrypted ZIP archives, the archives returned by the MalwareBazaar API are sent to Synapse-FileParser to be extracted and parsed.

Ingesting the Code Signing Certificate Blocklist

Pull in the list of certificates that MalwareBazaar has flagged as being used by threat actors to sign malware:

> malwarebazaar.certs --yield --size 3
crypto:x509:cert=8948f6eebb4d58805b9c20beee092a7d
        .created = 2024/05/08 16:23:12.011
        :issuer = CN=SSL.com Code Signing Intermediate CA RSA R1
        :serial = 000000003ab74a2ebf93447adb83554b5564fe03
        :sha256 = 8ed289fcc40bbc150a52b733123f6094ccfb2c499d6e932b0d9a6001490fb7e6
        :subject = CN=IMPERIOUS TECHNOLOGIES LIMITED
        :validity:notafter = 2024/05/17 15:32:29.000
        :validity:notbefore = 2023/05/19 15:32:29.000
        #rep.malwarebazaar.redlinestealer
crypto:x509:cert=f8140eeeec77051fb6def90308728e23
        .created = 2024/05/08 16:23:12.042
        :issuer = CN=DigiCert EV Code Signing CA (SHA2)
        :serial = 0000000008d4352185317271c1cec9d05c279af7
        :sha256 = ec5200a97ca26f55a1ab0ad7923d9447fea473cc2e42dca69a70defe014624d6
        :subject = CN=Retalit LLC
        :validity:notafter = 2021/07/12 12:00:00.000
        :validity:notbefore = 2020/08/05 00:00:00.000
        #rep.malwarebazaar.buerloader
crypto:x509:cert=ec9438e253271afa4dacb7ae02ae4f43
        .created = 2024/05/08 16:23:12.074
        :issuer = CN=COMODO RSA Code Signing CA
        :serial = 0000000090212473c706f523fe84bdb9a78a01f4
        :sha256 = 6b18e9451c2e93564ed255e754b7e1cf0f817abda93015b21ae5e247c75f9d03
        :subject = CN=DEMUS, OOO
        :validity:notafter = 2018/07/17 23:59:59.000
        :validity:notbefore = 2017/07/17 00:00:00.000
        #rep.malwarebazaar.cerber

Use of meta:source nodes

Synapse-MalwareBazaar uses a meta:source node and -(seen)> lightweight edges to track nodes observed from the MalwareBazaar API.

> meta:source=7d36740c97905575850895c1f05ebf74
meta:source=7d36740c97905575850895c1f05ebf74
        .created = 2024/05/08 16:22:49.475
        :name = malwarebazaar api

Storm can be used to filter query results to include or exclude nodes that have been observed by Synapse-MalwareBazaar. The following example filters the results of a query to include only nodes observed by Synapse-MalwareBazaar:

> file:bytes:name="dhl express.exe" +{ <(seen)- meta:source=7d36740c97905575850895c1f05ebf74 }
file:bytes=sha256:9ec82cb81f4c7cea29eb80fc7d6e2840cc8252c9bd48ee3f10e21a272558c37f
        .created = 2024/05/08 16:22:50.674
        .seen = ('2023/03/29 17:24:59.000', '2023/03/29 17:24:59.001')
        :md5 = 398fc82f3d764c8890f09bfd3ccce7ce
        :mime = application/vnd.microsoft.portable-executable
        :mime:pe:imphash = 61259b55b8912888e90f516ca08dc514
        :name = dhl express.exe
        :sha1 = 1295e8e0ca1c240e0121c01e078f790456336fda
        :sha256 = 9ec82cb81f4c7cea29eb80fc7d6e2840cc8252c9bd48ee3f10e21a272558c37f
        :size = 659137
        #rep.malwarebazaar.dhl
        #rep.malwarebazaar.exe
        #rep.malwarebazaar.rat
        #rep.malwarebazaar.remcosrat
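
The queries below are an added example, not part of the original guide. They reuse the meta:source guid, file name, tag and imphash shown above to demonstrate the exclude form of the filter and the reverse direction, walking the -(seen)> edges out from the source node.

```storm
// Exclude: return matching files that were NOT observed via Synapse-MalwareBazaar.
// Same subquery as the include filter above, with "-" in place of "+".
file:bytes:name="dhl express.exe" -{ <(seen)- meta:source=7d36740c97905575850895c1f05ebf74 }

// Reverse direction: start at the source node, walk its -(seen)> light edges to
// every node it has observed, then keep only file:bytes nodes carrying a given
// MalwareBazaar tag.
meta:source=7d36740c97905575850895c1f05ebf74 -(seen)> * +file:bytes +#rep.malwarebazaar.remcosrat

// Provenance check on a pivot value: of the files in the Cortex sharing this
// imphash, count those whose observation is attributed to MalwareBazaar ...
file:bytes:mime:pe:imphash=f34d5f2d4577ed6d9ceec516c1f5a744 +{ <(seen)- meta:source=7d36740c97905575850895c1f05ebf74 } | count

// ... and count those that came from some other source only.
file:bytes:mime:pe:imphash=f34d5f2d4577ed6d9ceec516c1f5a744 -{ <(seen)- meta:source=7d36740c97905575850895c1f05ebf74 } | count
```

Comparing the two counts shows how much of a cluster rests on MalwareBazaar reporting alone before the #rep.malwarebazaar tags are used to support an assessment.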