User Guide

Synapse-MalwareBazaar User Guide

Synapse-MalwareBazaar adds new Storm commands to allow you to query the MalwareBazaar API.

Getting Started

Check with your Admin to enable permissions.

Examples

Enrich a Hash

Enrich some nodes with malwarebazaar.enrich and yield the results:

> inet:ipv4=1.2.3.4 | malwarebazaar.enrich --yield
WARNING: malwarebazaar.enrich: The --asof argument is deprecated and will be removed.

Search for samples

Pull in reports from MalwareBazaar for samples that have been tagged as keylogger

> malwarebazaar.query --tag keylogger --size 5 --yield
WARNING: malwarebazaar.query: The --asof argument is deprecated and will be removed.
file:bytes=sha256:1d6694b7aa3340c6d744ec8f3d1e64caf255e1e5c27057f5bc43036374b69bb4
        .created = 2024/07/19 02:27:58.844
        .seen = ('2023/02/19 11:49:00.000', '2023/02/19 13:29:15.001')
        :md5 = 70778c3ea9ceef2ce0a132a38780e850
        :mime = application/vnd.microsoft.portable-executable
        :mime:pe:imphash = eb5bc6ff6263b364dfbfb78bdb48ed59
        :name = $rzfkipe.exe
        :sha1 = 17a43b65f42c53a47fd44a259a625891bdcb8b3f
        :sha256 = 1d6694b7aa3340c6d744ec8f3d1e64caf255e1e5c27057f5bc43036374b69bb4
        :size = 2845312
        #rep.malwarebazaar.adware
        #rep.malwarebazaar.adware_extenbro
        #rep.malwarebazaar.bestxsoftware
        #rep.malwarebazaar.exe
        #rep.malwarebazaar.free_zip_password_unlocker_setup
        #rep.malwarebazaar.keylogger
        #rep.malwarebazaar.signed
        #rep.malwarebazaar.wampserver_3_phpmyadmin4_8_3
        #rep.malwarebazaar.zip_password_unlocker
file:bytes=sha256:146cc76e1a90d0d35e0bdd020cba231b03ba9e09a0ae5f1cc242eb31f7c04773
        .created = 2024/07/19 02:27:58.953
        .seen = ('2023/01/15 05:13:18.000', '2023/01/15 06:27:13.001')
        :md5 = 31624bc0e022bfc1fe8ba74f79c3d2bf
        :mime = application/vnd.microsoft.portable-executable
        :mime:pe:imphash = 1ea7d62fdbfa2db333e617f1d4ea213b
        :name = _com_win.exe
        :sha1 = 6cf0cc5844d750d97dee58c2fb9c168e0f4ef173
        :sha256 = 146cc76e1a90d0d35e0bdd020cba231b03ba9e09a0ae5f1cc242eb31f7c04773
        :size = 558080
        #rep.malwarebazaar.exe
        #rep.malwarebazaar.keylogger
        #rep.malwarebazaar.spyware
file:bytes=sha256:29e6bb429ee855961a950274a54098093d63e341fa48128e3ace90a7dd9a0868
        .created = 2024/07/19 02:27:58.987
        .seen = ('2023/01/15 05:12:45.000', '2023/01/15 06:27:11.001')
        :md5 = b00be08b710ffebb551facf042faa781
        :mime = application/vnd.microsoft.portable-executable
        :mime:pe:imphash = c99e9024e872ea3bdc977ec302877d4f
        :name = windowsprocessagent.exe
        :sha1 = f7474d2367ca51d690aab9881f1a793dd52f6429
        :sha256 = 29e6bb429ee855961a950274a54098093d63e341fa48128e3ace90a7dd9a0868
        :size = 701440
        #rep.malwarebazaar.exe
        #rep.malwarebazaar.keylogger
        #rep.malwarebazaar.netwire
        #rep.malwarebazaar.spyware
file:bytes=sha256:c3d211758a1061afe67cfeb1e63a4c3cc870534e8b6bab2fbb5423e56268ff96
        .created = 2024/07/19 02:27:59.021
        .seen = ('2022/12/28 07:58:10.000', '2022/12/28 07:58:10.001')
        :md5 = 7ce0d79c8af824483f1b9fd6f30e456f
        :mime = application/vnd.microsoft.portable-executable
        :mime:pe:imphash = a6cec5b1a631d592d80900ab7e1de8df
        :name = systemmanager.exe
        :sha1 = 2292e366de09b5e6e07e3c6863fcc82945c231d1
        :sha256 = c3d211758a1061afe67cfeb1e63a4c3cc870534e8b6bab2fbb5423e56268ff96
        :size = 11913469
        #rep.malwarebazaar.exe
        #rep.malwarebazaar.keylogger
        #rep.malwarebazaar.pyinstaller
        #rep.malwarebazaar.spyware
file:bytes=sha256:9731df8f9863071116f4e48ebcc533bca161c0b7639e320d2c196f89cd0cf455
        .created = 2024/07/19 02:27:59.055
        .seen = ('2022/12/12 01:17:44.000', '2022/12/12 01:17:44.001')
        :md5 = 12878903a4e1d6549d09aa3c82847f91
        :mime = application/vnd.microsoft.portable-executable
        :mime:pe:imphash = f34d5f2d4577ed6d9ceec516c1f5a744
        :name = wrk.exe
        :sha1 = 7bc168e30f1fcf56fec2393a0fd72fab93cf535b
        :sha256 = 9731df8f9863071116f4e48ebcc533bca161c0b7639e320d2c196f89cd0cf455
        :size = 505856
        #rep.malwarebazaar.exe
        #rep.malwarebazaar.icarusstealer
        #rep.malwarebazaar.keylogger

Pull in reports for samples that have the MalwareBazaar signature RedLineStealer:

> malwarebazaar.query --signature RedLineStealer --size 3 --yield
WARNING: malwarebazaar.query: The --asof argument is deprecated and will be removed.
file:bytes=sha256:826c0ad3560a00bb95697992f9be32d689a6b64fa1f8c15624f4609690b641af
        .created = 2024/07/19 02:27:59.341
        .seen = ('2023/03/29 16:45:33.000', '2023/03/29 16:45:33.001')
        :md5 = bdcab1bf5a4cf8188032c74451814fb5
        :mime = application/vnd.microsoft.portable-executable
        :mime:pe:imphash = 9ccce235b0948e702108d60e5a6f9990
        :name = bdcab1bf5a4cf8188032c74451814fb5.exe
        :sha1 = 032c229f562b28c60959bc3330188eb8b9f48704
        :sha256 = 826c0ad3560a00bb95697992f9be32d689a6b64fa1f8c15624f4609690b641af
        :size = 346192
        #rep.malwarebazaar.exe
        #rep.malwarebazaar.redlinestealer
file:bytes=sha256:35552b2143fde6ca97014cf6102aaaa38096cbf86619a5d64c4f686eb7d1356c
        .created = 2024/07/19 02:27:59.375
        .seen = ('2023/03/29 13:15:35.000', '2023/03/29 13:15:35.001')
        :md5 = 83ad54c4e71d85c38c19e8bb4938701c
        :mime = application/vnd.microsoft.portable-executable
        :mime:pe:imphash = 303b4a863d3cdfccef2b33459673ef8a
        :name = 83ad54c4e71d85c38c19e8bb4938701c.bin.exe
        :sha1 = 785e1db14073f63dcfab6b93c05e1f6b2989e82c
        :sha256 = 35552b2143fde6ca97014cf6102aaaa38096cbf86619a5d64c4f686eb7d1356c
        :size = 310024
        #rep.malwarebazaar.exe
        #rep.malwarebazaar.redlinestealer
file:bytes=sha256:eb8a15b1a42127970e7facc6133131dcc073a201419d8cc88c3c316819d1c2a2
        .created = 2024/07/19 02:27:59.410
        .seen = ('2023/03/29 11:44:35.000', '2023/03/29 11:44:35.001')
        :md5 = d0f2c42e26507a749f437978a214d0ee
        :mime = application/vnd.microsoft.portable-executable
        :mime:pe:imphash = f34d5f2d4577ed6d9ceec516c1f5a744
        :name = securiteinfo.com.trojan.generic.30090411.32199.879
        :sha1 = b12faae780883321881f0f92d9d7ae7f5f784819
        :sha256 = eb8a15b1a42127970e7facc6133131dcc073a201419d8cc88c3c316819d1c2a2
        :size = 561152
        #rep.malwarebazaar.exe
        #rep.malwarebazaar.redlinestealer

Pull in reports for samples that have the imphash f34d5f2d4577ed6d9ceec516c1f5a744:

> malwarebazaar.query --imphash "f34d5f2d4577ed6d9ceec516c1f5a744" --yield --size 3
WARNING: malwarebazaar.query: The --asof argument is deprecated and will be removed.
file:bytes=sha256:4a23db5ce6616e586397a0ac25de51cc1450f4217009715f8ac809b20d377b39
        .created = 2024/07/19 02:27:59.693
        .seen = ('2023/03/29 19:45:24.000', '2023/03/29 19:45:24.001')
        :md5 = 01b694e73ae67576d5960eef85a9ad2f
        :mime = application/vnd.microsoft.portable-executable
        :mime:pe:imphash = f34d5f2d4577ed6d9ceec516c1f5a744
        :name = 01b694e73ae67576d5960eef85a9ad2f.exe
        :sha1 = 05c2b455aa833d30e72f344da84fb1f0cc180bcb
        :sha256 = 4a23db5ce6616e586397a0ac25de51cc1450f4217009715f8ac809b20d377b39
        :size = 3266048
        #rep.malwarebazaar.exe
        #rep.malwarebazaar.quasarrat
        #rep.malwarebazaar.rat
file:bytes=sha256:93386ea79c58a95c033e66da99d155264f0028a43973a9a4496f3fc8c89db0b9
        .created = 2024/07/19 02:27:59.727
        .seen = ('2023/03/29 19:30:10.000', '2023/03/29 19:30:10.001')
        :md5 = 7be37dff77a6257da2b430ab7c483612
        :mime = application/vnd.microsoft.portable-executable
        :mime:pe:imphash = f34d5f2d4577ed6d9ceec516c1f5a744
        :name = bypass-defender.exe
        :sha1 = 028356262caa0076adb3c0a0ad87e4418d386ec8
        :sha256 = 93386ea79c58a95c033e66da99d155264f0028a43973a9a4496f3fc8c89db0b9
        :size = 370176
        #rep.malwarebazaar.exe
file:bytes=sha256:f244a04265405ae8295551a1324c6dc3162d611b4a152658096d675a31a57d35
        .created = 2024/07/19 02:27:59.760
        .seen = ('2023/03/29 19:18:57.000', '2023/03/29 19:18:57.001')
        :md5 = 15995b0b1fc5dd82f1c3ba1b7b40c5d4
        :mime = application/vnd.microsoft.portable-executable
        :mime:pe:imphash = f34d5f2d4577ed6d9ceec516c1f5a744
        :name = xsudo.exe
        :sha1 = 3b6a4a5b8b1107854e35b01cd28b4cce7a003413
        :sha256 = f244a04265405ae8295551a1324c6dc3162d611b4a152658096d675a31a57d35
        :size = 3996672
        #rep.malwarebazaar.exe

Pull in reports for samples that are Windows executables:

> malwarebazaar.query --filetype exe --size 3 --yield
WARNING: malwarebazaar.query: The --asof argument is deprecated and will be removed.
file:bytes=sha256:0771775f6646f28170c196d4ddba3ecdd1b0ada28c15dcc5b85f5c374c7b6987
        .created = 2024/07/19 02:28:00.040
        .seen = ('2023/03/29 17:25:43.000', '2023/03/29 17:25:43.001')
        :md5 = 2d3b9b558e1bc916402f100ed14b0613
        :mime = application/vnd.microsoft.portable-executable
        :mime:pe:imphash = f34d5f2d4577ed6d9ceec516c1f5a744
        :name = tnt original invoice.exe
        :sha1 = 5d515ae567a9f37df32fcf9c3a18a24b0ad07819
        :sha256 = 0771775f6646f28170c196d4ddba3ecdd1b0ada28c15dcc5b85f5c374c7b6987
        :size = 1333248
        #rep.malwarebazaar.exe
        #rep.malwarebazaar.remcosrat
        #rep.malwarebazaar.tnt
file:bytes=sha256:9ec82cb81f4c7cea29eb80fc7d6e2840cc8252c9bd48ee3f10e21a272558c37f
        .created = 2024/07/19 02:28:00.074
        .seen = ('2023/03/29 17:24:59.000', '2023/03/29 17:24:59.001')
        :md5 = 398fc82f3d764c8890f09bfd3ccce7ce
        :mime = application/vnd.microsoft.portable-executable
        :mime:pe:imphash = 61259b55b8912888e90f516ca08dc514
        :name = dhl express.exe
        :sha1 = 1295e8e0ca1c240e0121c01e078f790456336fda
        :sha256 = 9ec82cb81f4c7cea29eb80fc7d6e2840cc8252c9bd48ee3f10e21a272558c37f
        :size = 659137
        #rep.malwarebazaar.dhl
        #rep.malwarebazaar.exe
        #rep.malwarebazaar.rat
        #rep.malwarebazaar.remcosrat
file:bytes=sha256:9daf88d6bf23e8a364ae873b6fd8e6f51cdb8d5ee57ba502a564e71f1bc00c10
        .created = 2024/07/19 02:28:00.109
        .seen = ('2023/03/29 17:22:50.000', '2023/03/29 17:22:50.001')
        :md5 = 90189f8dffe3cbfbb1dc181647b2219b
        :mime = application/vnd.microsoft.portable-executable
        :mime:pe:imphash = f34d5f2d4577ed6d9ceec516c1f5a744
        :name = 90189f8dffe3cbfbb1dc181647b2219b
        :sha1 = 118060f3ce88ccf0b7d9d1777b5e93948d4b15fd
        :sha256 = 9daf88d6bf23e8a364ae873b6fd8e6f51cdb8d5ee57ba502a564e71f1bc00c10
        :size = 2458992
        #rep.malwarebazaar.90189f8dffe3cbfbb1dc181647b2219b
        #rep.malwarebazaar.exe

Pull in reports for samples that have a signing certificate with an Issuer common name of SSL.com EV Code Signing Intermediate CA RSA R3

> malwarebazaar.query --issuer-cn "SSL.com EV Code Signing Intermediate CA RSA R3" --size 3 --yield
WARNING: malwarebazaar.query: The --asof argument is deprecated and will be removed.
file:bytes=sha256:1e2aaed890f3a5e5657d6806bcf6756bbdef9baeca203330ad862dcf47ddf885
        .created = 2024/07/19 02:28:00.356
        .seen = ('2023/03/24 18:41:57.000', '2023/03/24 18:41:57.001')
        :md5 = d659e03354a9657001d5136308449d5c
        :mime = application/vnd.microsoft.portable-executable
        :mime:pe:imphash = 8a3f45460aa7178128f660fb37ed69e5
        :name = docs_unpaid_#367.exe
        :sha1 = 0f440e15ab54adf7f699d980fd436b3e5f03e20e
        :sha256 = 1e2aaed890f3a5e5657d6806bcf6756bbdef9baeca203330ad862dcf47ddf885
        :size = 635424
        #rep.malwarebazaar.1105_software_llc
        #rep.malwarebazaar.1883783121
        #rep.malwarebazaar.exe
        #rep.malwarebazaar.icedid
        #rep.malwarebazaar.signed
file:bytes=sha256:009381653fade0d3b94ad0fa0a109c294ac55936a5d1ced44e18fb08188aa7df
        .created = 2024/07/19 02:28:00.456
        .seen = ('2023/03/23 18:18:04.000', '2023/03/23 18:18:04.001')
        :md5 = d91dee9dfbdbf0b35593424723052a55
        :mime = application/vnd.microsoft.portable-executable
        :mime:pe:imphash = dff367c9375e1b68769b5ca3b25ac329
        :name = contract_march_23_inv#305.exe
        :sha1 = 813c274e68916cba601134f689788e938f7ef9e7
        :sha256 = 009381653fade0d3b94ad0fa0a109c294ac55936a5d1ced44e18fb08188aa7df
        :size = 400416
        #rep.malwarebazaar.1105_software_llc
        #rep.malwarebazaar.73743838
        #rep.malwarebazaar.exe
        #rep.malwarebazaar.icedid
        #rep.malwarebazaar.signed
file:bytes=sha256:fe908cbcbbdea11d0540e038a23f1a377ab0861ad5f6d013ed22dbf02b943032
        .created = 2024/07/19 02:28:00.552
        .seen = ('2023/03/21 19:48:25.000', '2023/03/21 19:48:25.001')
        :md5 = 9044436ca8ddc3ed05c5a1ab87cbdb43
        :mime = application/vnd.microsoft.portable-executable
        :mime:pe:imphash = c90c1d9ea33b38d68a9f1fc5584c8fe9
        :name = docs_03_21_inv#15.exe
        :sha1 = 997bf9e5632f17bfad671b5252016effecc27533
        :sha256 = fe908cbcbbdea11d0540e038a23f1a377ab0861ad5f6d013ed22dbf02b943032
        :size = 486944
        #rep.malwarebazaar.3581911946
        #rep.malwarebazaar.exe
        #rep.malwarebazaar.icedid
        #rep.malwarebazaar.signed

Pull in reports for samples that have a signing certificate with a Subject common name of Media Ground

> malwarebazaar.query --subject-cn "Media Ground" --size 3 --yield
WARNING: malwarebazaar.query: The --asof argument is deprecated and will be removed.
file:bytes=sha256:02a8f0962681f2cf506deb96b80e2e4cfca38bd283decfb09f0a1f1c66814a4a
        .created = 2024/07/19 02:28:00.858
        .seen = ('2023/03/23 05:20:13.000', '2023/03/23 05:20:13.001')
        :md5 = 06ed501084fee2629ec9ffa81ec35ad4
        :mime = application/vnd.microsoft.portable-executable
        :mime:pe:imphash = fe52af0d61c2219338f7536932f24ba9
        :name = apphost.exe
        :sha1 = c7dc21edf35431c194f1cc31ff1268ab5d0ca9c8
        :sha256 = 02a8f0962681f2cf506deb96b80e2e4cfca38bd283decfb09f0a1f1c66814a4a
        :size = 2062328
        #rep.malwarebazaar.exe
        #rep.malwarebazaar.signed
file:bytes=sha256:3d14b0bf0cad8d2e3653e6ab8b88d8d17ac30d327b169813e312ae2ba47ef8e8
        .created = 2024/07/19 02:28:00.956
        .seen = ('2022/07/22 11:29:53.000', '2022/07/22 12:41:04.001')
        :md5 = bb17c073fc881149d1cf8fd7542ff574
        :mime = application/vnd.microsoft.portable-executable
        :mime:pe:imphash = 1b168e61bbb4539c14414dc31a5f20f0
        :name = bb17c073fc881149d1cf8fd7542ff574
        :sha1 = 8e0095e1944b59f5589d56c900b312bfb9d2cc4c
        :sha256 = 3d14b0bf0cad8d2e3653e6ab8b88d8d17ac30d327b169813e312ae2ba47ef8e8
        :size = 2076192
        #rep.malwarebazaar.exe
        #rep.malwarebazaar.opencti_br
        #rep.malwarebazaar.sandboxed
        #rep.malwarebazaar.signed
file:bytes=sha256:ca9d181306b7607f560c039e17892ac42bd2a4675aa7d08aa6c6487bde66fc21
        .created = 2024/07/19 02:28:01.052
        .seen = ('2022/07/14 03:47:20.000', '2022/07/15 02:48:33.001')
        :md5 = 50891f2c0d78d16e6b5e6d2e5585fe1d
        :mime = application/vnd.microsoft.portable-executable
        :mime:pe:imphash = fdf4e5df6353f576a953124968747c3c
        :name = 50891f2c0d78d16e6b5e6d2e5585fe1d
        :sha1 = 4e61af453f9556eb4fec5d9cc8ecd4411a03802d
        :sha256 = ca9d181306b7607f560c039e17892ac42bd2a4675aa7d08aa6c6487bde66fc21
        :size = 2056736
        #rep.malwarebazaar.exe
        #rep.malwarebazaar.opencti_br
        #rep.malwarebazaar.sandboxed
        #rep.malwarebazaar.signed

Downloading Samples

Download a sample from MalwareBazaar and yield the results:

> hash:sha256=b25276475053e1d4abdb00ae75ac931bd554cd508d17d54733f39643c4c697cb | malwarebazaar.download --yield --size 1
fileparser parsing sha256: 9f4a58e7f1697ab821c57adfccf3a9231fa4bb1456f86f50c3fd0f87cc58d841
file:bytes=sha256:b25276475053e1d4abdb00ae75ac931bd554cd508d17d54733f39643c4c697cb
        .created = 2024/07/19 02:28:05.196
        :md5 = f86787ba86aa322039944d084648a82d
        :mime = application/vnd.microsoft.portable-executable
        :mime:pe:compiled = 2022/01/12 07:39:05.000
        :mime:pe:imphash = f28ad02a4adb6c9c9717704f5e5b34ac
        :mime:pe:pdbpath = c:/tokatoj84/jiyatilayipab-pogajagol.pdb
        :mime:pe:richhdr = fb75f988562b01c2515bc5170090d8dc7279a6156541775363de2543fb0612b6
        :mime:pe:size = 544768
        :sha1 = b0017ebba5fba650bda154a7866ca570c7bb015f
        :sha256 = b25276475053e1d4abdb00ae75ac931bd554cd508d17d54733f39643c4c697cb
        :sha512 = 220a941d78b86a9c8ce0b48419333889bb2745d6d4dc646097a0814937c4b3030920b6c8a97e20343e1f410438c76d10be3f9f9362395377102f03ca987f74c7
        :size = 435200

Download all the samples MalwareBazaar saw on a particular day:

> malwarebazaar.daily --date "2020-02-24" --yield
fileparser parsing sha256: 1a01aa4250c5c434f074ff1c6dbe91506520bd97d472d757b274ce77b1fcf796
file:bytes=sha256:1460604fef8913322d310b038f6be1c5dbd5b725296a02a4ba13ea4bb3b8329a
        .created = 2024/07/19 02:28:17.345
        :md5 = bd6c930b0a859e36f54dc02eb2b6cd34
        :mime = text/plain
        :sha1 = 509182f60b1c37f56e0eccf766ee1b15ecb15243
        :sha256 = 1460604fef8913322d310b038f6be1c5dbd5b725296a02a4ba13ea4bb3b8329a
        :sha512 = 30a9766fe09338b16726fb7dcd46a029682e389b654108378823946445ea59d8cb3ea5d943f6ce3c46fe14347bfc6752529f3612216a815cbbddc62ba183edfc
        :size = 48883
file:bytes=sha256:59fc347dac3dd1c78d62393589818b5417ca041d697d155040988b14562bc797
        .created = 2024/07/19 02:28:21.256
        :md5 = ccd0309499150e378a9fed4cd01a0935
        :mime = application/vnd.microsoft.portable-executable
        :mime:pe:imphash = e4ce1c8f63c515374ec1ef07a94a20e2
        :mime:pe:size = 135168
        :sha1 = e8ae78cf81cc2f2e29558df03996bd8ee8880987
        :sha256 = 59fc347dac3dd1c78d62393589818b5417ca041d697d155040988b14562bc797
        :sha512 = b1878fbc83a5b6ec5cc9d8be9dfef61ef096760d60428cd18972301fa0312c00d8ec24cd8ac89ec37705eb1f42dcf0b4ba00949b8ca9d04ce69179c520019f3e
        :size = 120320

Because MalwareBazaar packages all samples in encrypted ZIP archives, the archives returned by the MalwareBazaar API are sent to Synapse-FileParser to be extracted and parsed.

Ingesting the Code Signing Certificate Blocklist

Pull in the list of certificates that MalwareBazaar has flagged as being used by threat actors to sign malware:

> malwarebazaar.certs --yield --size 3
crypto:x509:cert=8948f6eebb4d58805b9c20beee092a7d
        .created = 2024/07/19 02:28:22.693
        :issuer = CN=SSL.com Code Signing Intermediate CA RSA R1
        :serial = 000000003ab74a2ebf93447adb83554b5564fe03
        :sha256 = 8ed289fcc40bbc150a52b733123f6094ccfb2c499d6e932b0d9a6001490fb7e6
        :subject = CN=IMPERIOUS TECHNOLOGIES LIMITED
        :validity:notafter = 2024/05/17 15:32:29.000
        :validity:notbefore = 2023/05/19 15:32:29.000
        #rep.malwarebazaar.redlinestealer
crypto:x509:cert=f8140eeeec77051fb6def90308728e23
        .created = 2024/07/19 02:28:22.725
        :issuer = CN=DigiCert EV Code Signing CA (SHA2)
        :serial = 0000000008d4352185317271c1cec9d05c279af7
        :sha256 = ec5200a97ca26f55a1ab0ad7923d9447fea473cc2e42dca69a70defe014624d6
        :subject = CN=Retalit LLC
        :validity:notafter = 2021/07/12 12:00:00.000
        :validity:notbefore = 2020/08/05 00:00:00.000
        #rep.malwarebazaar.buerloader
crypto:x509:cert=ec9438e253271afa4dacb7ae02ae4f43
        .created = 2024/07/19 02:28:22.756
        :issuer = CN=COMODO RSA Code Signing CA
        :serial = 0000000090212473c706f523fe84bdb9a78a01f4
        :sha256 = 6b18e9451c2e93564ed255e754b7e1cf0f817abda93015b21ae5e247c75f9d03
        :subject = CN=DEMUS, OOO
        :validity:notafter = 2018/07/17 23:59:59.000
        :validity:notbefore = 2017/07/17 00:00:00.000
        #rep.malwarebazaar.cerber

Use of meta:source nodes

Synapse-MalwareBazaar uses a meta:source node and -(seen)> light weight edges to track nodes observed from the MalwareBazaar API.

> meta:source=7d36740c97905575850895c1f05ebf74
meta:source=7d36740c97905575850895c1f05ebf74
        .created = 2024/07/19 02:27:58.833
        :name = malwarebazaar api

Storm can be used to filter nodes to include/exclude nodes which have been observed by Synapse-MalwareBazaar. The following example shows how to filter the results of a query to include only results observed by Synapse-MalwareBazaar:

> file:bytes:name="dhl express.exe" +{ <(seen)- meta:source=7d36740c97905575850895c1f05ebf74 }
file:bytes=sha256:9ec82cb81f4c7cea29eb80fc7d6e2840cc8252c9bd48ee3f10e21a272558c37f
        .created = 2024/07/19 02:28:00.074
        .seen = ('2023/03/29 17:24:59.000', '2023/03/29 17:24:59.001')
        :md5 = 398fc82f3d764c8890f09bfd3ccce7ce
        :mime = application/vnd.microsoft.portable-executable
        :mime:pe:imphash = 61259b55b8912888e90f516ca08dc514
        :name = dhl express.exe
        :sha1 = 1295e8e0ca1c240e0121c01e078f790456336fda
        :sha256 = 9ec82cb81f4c7cea29eb80fc7d6e2840cc8252c9bd48ee3f10e21a272558c37f
        :size = 659137
        #rep.malwarebazaar.dhl
        #rep.malwarebazaar.exe
        #rep.malwarebazaar.rat
        #rep.malwarebazaar.remcosrat