# MalwareBazaar

MalwareBazaar is a platform for sharing and analyzing malware samples, fostering collaboration among cybersecurity professionals.

MalwareBazaar is a community-driven platform for sharing and analyzing malware samples. It allows users to upload, query, and comment on malware samples, facilitating collaborative threat intelligence. By integrating MalwareBazaar with Swimlane Turbine, users can automate the enrichment of threat intelligence, streamline malware analysis, and enhance their security operations. This integration empowers security teams to efficiently manage malware data, improve incident response times, and leverage community insights for proactive threat mitigation.

## Limitations

None to date.

## Supported versions

This MalwareBazaar connector uses the latest version of the MalwareBazaar API.

## Prerequisites

Before you can use the MalwareBazaar connector for Turbine, you'll need access to the MalwareBazaar API. This requires API key authentication using the following parameters:

- **URL**: the endpoint for accessing the MalwareBazaar API
- **Auth Key**: a unique key provided by MalwareBazaar for authenticating API requests

## Authentication methods

To effectively utilize the MalwareBazaar connector within Swimlane Turbine, ensure you have API key authentication with the necessary parameters:

- **URL**: the endpoint URL for the MalwareBazaar API
- **Auth Key**: your personal authentication key to access the MalwareBazaar services

## Capabilities

This MalwareBazaar connector provides the following capabilities:

- Add a Comment
- Query a Malware Sample
- Upload Malware Samples

### Add a Comment

Add a comment to a specific malware sample in MalwareBazaar using the provided data body. Click here: https://bazaar.abuse.ch/api/#commenting

### Query a Malware Sample

Check the presence of a specific malware sample in the MalwareBazaar database using the provided data body. Click here: https://bazaar.abuse.ch/api/#query_hash

### Upload Malware Samples

Upload malware samples directly to MalwareBazaar for analysis and sharing with the cybersecurity community. Click here: https://bazaar.abuse.ch/api/#upload

## Additional documentation

- MalwareBazaar connector documentation: https://docs.swimlane.com/connectors/malwarebazaar
- MalwareBazaar API documentation: https://bazaar.abuse.ch/api/#python

## Configurations

### MalwareBazaar URLhaus Authentication

Authenticates using the host URL and auth key.

Configuration parameters:

| Parameter | Description | Type | Required |
| --- | --- | --- | --- |
| `url` | A URL to the target host | string | Required |
| `auth_key` | The authentication key for accessing the API | string | Required |
| `verify_ssl` | Verify SSL certificate | boolean | Optional |
| `http_proxy` | A proxy to route requests through | string | Optional |

## Actions

### Add a Comment

Add a comment to a malware sample in MalwareBazaar using the specified data body.

- Endpoint URL: `api/v1/`
- Method: POST

Input arguments:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| `data_body` | object | Required | Response data |
| `data_body.query` | string | Required | The query type for the API |
| `data_body.sha256_hash` | string | Required | The SHA256 hash of the malware sample to which the comment is added |
| `data_body.comment` | string | Required | The comment to be added to the malware sample |

Input example:

```json
{"data_body": {"query": "add_comment", "sha256_hash": "d9b05da007d51cf86d4a6448d17183ab69a195436fe17b497185149676d0e77b", "comment": "Swiss chocolate is the best chocolate"}}
```

Output parameters:

| Parameter | Type | Description |
| --- | --- | --- |
| `status_code` | number | HTTP status code of the response |
| `reason` | string | Response reason phrase |
| `query_status` | string | Status value |

Output example (truncated):

```json
{"status_code": 200, "response_headers": {"Server": "nginx/1.22.1", "Date": "Thu, 14 Aug 2025 06:47:50 GMT", "Content-Type": "application/json", "Content-Length": "33", "Strict-Transport-Security": "max-age=15768000 ; includeSubDomains, max-age=31536000; includeSubDomains", "Permissions-Policy": "accelerometer=(), ambient-light-sensor=(), autoplay=(), camera=(), encrypted-med", "Referrer-Policy": "strict-origin-when-cross-origin", "Expect-CT": "enforce, max-age=86400", "Content-Security-Policy": "default-src 'se
```

### Query a Malware Sample

Check for a specific malware sample in the MalwareBazaar database using the provided data body.

- Endpoint URL: `api/v1/`
- Method: POST

Input arguments:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| `data_body` | object | Required | Response data |
| `data_body.query` | string | Required | The query type for the API |
| `data_body.hash` | string | Required | SHA256, MD5 or SHA1 hash of the malware sample you want to query |

Input example:

```json
{"data_body": {"query": "get_info", "hash": "094fd325049b8a9cf6d3e5ef2a6d4cc6a567d7d49c35f8bb8dd9e3c6acf3d78d"}}
```

Output parameters:

| Parameter | Type | Description |
| --- | --- | --- |
| `status_code` | number | HTTP status code of the response |
| `reason` | string | Response reason phrase |
| `query_status` | string | Status value |
| `data` | array | Response data |

Output example (truncated):

```json
{"status_code": 200, "response_headers": {"Server": "nginx/1.22.1", "Date": "Thu, 14 Aug 2025 06:44:30 GMT", "Content-Type": "application/json", "Transfer-Encoding": "chunked", "Strict-Transport-Security": "max-age=15768000 ; includeSubDomains, max-age=31536000; includeSubDomains", "Permissions-Policy": "accelerometer=(), ambient-light-sensor=(), autoplay=(), camera=(), encrypted-med", "Referrer-Policy": "strict-origin-when-cross-origin", "Expect-CT": "enforce, max-age=86400", "Content-Security-Policy": "default
```

### Upload Malware Samples

Upload malware samples to MalwareBazaar for analysis and community sharing. Requires file inputs.

- Endpoint URL: `api/v1/`
- Method: POST

Input arguments:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| `file` | object | Optional | The malware sample you want to upload |
| `file.file` | string | Optional | Parameter for Upload Malware Samples |
| `file.file_name` | string | Optional | Name of the resource |
| `anonymous` | number | Optional | If set to 1, your submission will be anonymous |
| `delivery_method` | string | Optional | Delivery method used to spread this malware sample |
| `tags` | array | Optional | List of tags. Allowed characters are `[a-zA-Z0-9_-]` |
| `references` | object | Optional | References for this malware sample |
| `references.any_run` | array | Optional | Parameter for Upload Malware Samples |
| `references.joe_sandbox` | array | Optional | Parameter for Upload Malware Samples |
| `references.malpedia` | array | Optional | Parameter for Upload Malware Samples |
| `references.twitter` | array | Optional | Parameter for Upload Malware Samples |
| `references.links` | array | Optional | Parameter for Upload Malware Samples |
| `context` | object | Optional | Context for this malware sample |
| `context.dropped_by_md5` | array | Optional | Parameter for Upload Malware Samples |
| `context.dropped_by_sha256` | array | Optional | Parameter for Upload Malware Samples |
| `context.dropped_by_malware` | array | Optional | Parameter for Upload Malware Samples |
| `context.comment` | string | Optional | Parameter for Upload Malware Samples |

Input example:

```json
{"json_body": {"anonymous": 1, "delivery_method": "email_attachment", "tags": ["exe", "test"], "references": {"any_run": ["https://app.any.run/tasks/1", "https://app.any.run/tasks/2"], "joe_sandbox": ["https://www.joesecurity.org/reports/1", "https://www.joesecurity.org/reports/2"], "malpedia": ["https://malpedia.caad.fkie.fraunhofer.de/details/win.gozi"], "twitter": ["https://twitter.com/abuse_ch/status/1224269018506330112"], "links": ["https://urlhaus.abuse.ch/url/306613/"]}, "context": {"dropped_by_md5": ["68b329da9893e34099c7d8ad5cb9c940"], "dropped_by_sha256": ["01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b", "4355a46b19d348dc2f57c046f8ef63d4538ebb936000f3c9ee954a27460dd865"], "dropped_by_malware": ["Gozi"], "comment": "This malware sample is very nasty!"}}}
```

Output parameters:

| Parameter | Type | Description |
| --- | --- | --- |
| `status_code` | number | HTTP status code of the response |
| `reason` | string | Response reason phrase |
| `query_status` | string | Status value |

Output example (truncated):

```json
{"status_code": 200, "response_headers": {"Server": "nginx/1.22.1", "Date": "Tue, 19 Aug 2025 07:46:34 GMT", "Content-Type": "application/json", "Content-Length": "34", "Strict-Transport-Security": "max-age=15768000 ; includeSubDomains, max-age=31536000; includeSubDomains", "Permissions-Policy": "accelerometer=(), ambient-light-sensor=(), autoplay=(), camera=(), encrypted-med", "Referrer-Policy": "strict-origin-when-cross-origin", "Expect-CT": "enforce, max-age=86400", "Content-Security-Policy": "default-src 'se
```

## Response headers

| Header | Description | Example |
| --- | --- | --- |
| Alt-Svc | HTTP response header Alt-Svc | `h3=":443"; ma=2592000,h3-29=":443"; ma=2592000` |
| Content-Length | The length of the response body in bytes | 34 |
| Content-Security-Policy | HTTP response header Content-Security-Policy | `default-src 'self'; style-src 'self'; script-src 'self'; img-src 'self'; object-src 'none'` |
| Content-Type | The media type of the resource | application/json |
| Cross-Origin-Embedder-Policy | HTTP response header Cross-Origin-Embedder-Policy | `require-corp; report-to="default"` |
| Cross-Origin-Opener-Policy | HTTP response header Cross-Origin-Opener-Policy | `same-origin; report-to="default"` |
| Cross-Origin-Resource-Policy | HTTP response header Cross-Origin-Resource-Policy | same-site |
| Date | The date and time at which the message was originated | Thu, 14 Aug 2025 06:44:30 GMT |
| Expect-CT | HTTP response header Expect-CT | enforce, max-age=86400 |
| Permissions-Policy | HTTP response header Permissions-Policy | `accelerometer=(), ambient-light-sensor=(), autoplay=(), camera=(), encrypted-media=(), fullscreen=(), geolocation=(), gyroscope=(), magnetometer=(), microphone=(), midi=(), payment=(), picture-in-picture=(), speaker=(), usb=(), vr=()` |
| Referrer-Policy | HTTP response header Referrer-Policy | strict-origin-when-cross-origin |
| Server | Information about the software used by the origin server | nginx/1.22.1 |
| Strict-Transport-Security | HTTP response header Strict-Transport-Security | max-age=15768000 ; includeSubDomains, max-age=31536000; includeSubDomains |
| Transfer-Encoding | HTTP response header Transfer-Encoding | chunked |
| Via | HTTP response header Via | 1.1 google |
| X-Content-Type-Options | HTTP response header X-Content-Type-Options | nosniff |
| X-Frame-Options | HTTP response header X-Frame-Options | SAMEORIGIN |
| X-XSS-Protection | HTTP response header X-XSS-Protection | 1; mode=block |