Malwarebazaar

the malwarebazaar connector allows automated interaction with the malwarebazaar database, facilitating malware sample management and threat intelligence malwarebazaar is a community driven project that collects and shares malware samples, providing security researchers and incident responders with valuable threat intelligence the malwarebazaar connector for swimlane turbine enables users to add comments to malware samples, query specific malware samples, and upload new malware samples directly from the swimlane platform this integration empowers end users to enrich their threat intelligence, contribute to the cybersecurity community, and streamline malware analysis workflows without the need for complex coding limitations none to date supported versions this malwarebazaar connector uses the latest version additional docs https //bazaar abuse ch/api/#python prerequisites to effectively utilize the malwarebazaar connector within swimlane turbine, ensure you have the following api key authentication with the necessary parameters url the endpoint url for the malwarebazaar api auth key your personal authentication key to access malwarebazaar's services authentication methods to effectively utilize the malwarebazaar connector within swimlane turbine, ensure you have the following api key authentication with the necessary parameters url the endpoint url for the malwarebazaar api auth key your personal authentication key to access the malwarebazaar services capabilities this malwarebazaar connector provides the following capabilities add a comment query a malware sample upload malware samples add a comment add a comment to a specific malware sample in malwarebazaar using the provided data body https //bazaar abuse ch/api/#commenting query a malware sample check the presence of a specific malware sample in the malwarebazaar database using the provided data body https //bazaar abuse ch/api/#query hash upload malware samples upload malware samples directly to malwarebazaar for analysis and sharing with the cybersecurity community https //bazaar abuse ch/api/#upload configurations malwarebazaar urlhaus authentication authenticates using host url and auth key to access configuration parameters parameter description type required url a url to the target host string required auth key the authentication key for accessing the api string required verify ssl verify ssl certificate boolean optional http proxy a proxy to route requests through string optional actions add a comment add a comment to a malware sample in malwarebazaar with the specified data body endpoint url api/v1/ method post input argument name type required description data body object required response data data body query string required the query type for the api data body sha256 hash string required the sha256 hash of the malware sample to which the comment is added data body comment string required the comment to be added to the malware sample input example {"data body" {"query" "add comment","sha256 hash" "d9b05da007d51cf86d4a6448d17183ab69a195436fe17b497185149676d0e77b","comment" "swiss chocolate is the best chocolate"}} output parameter type description status code number http status code of the response reason string response reason phrase query status string status value output example {"status code" 200,"response headers" {"server" "nginx/1 22 1","date" "thu, 14 aug 2025 06 47 50 gmt","content type" "application/json","content length" "33","strict transport security" "max age=15768000 ; includesubdomains, max age=31536000; includesubdomains","permissions policy" "accelerometer=(), ambient light sensor=(), autoplay=(), camera=(), encrypted med ","referrer policy" "strict origin when cross origin","expect ct" "enforce, max age=86400","content security policy" "default src 'se query a malware sample checks for a specific malware sample in the malwarebazaar database using the provided data body endpoint url api/v1/ method post input argument name type required description data body object required response data data body query string required the query type for the api data body hash string required sha256, md5 or sha1 hash of the malware sample you want to query input example {"data body" {"query" "get info","hash" "094fd325049b8a9cf6d3e5ef2a6d4cc6a567d7d49c35f8bb8dd9e3c6acf3d78d"}} output parameter type description status code number http status code of the response reason string response reason phrase query status string status value data array response data output example {"status code" 200,"response headers" {"server" "nginx/1 22 1","date" "thu, 14 aug 2025 06 44 30 gmt","content type" "application/json","transfer encoding" "chunked","strict transport security" "max age=15768000 ; includesubdomains, max age=31536000; includesubdomains","permissions policy" "accelerometer=(), ambient light sensor=(), autoplay=(), camera=(), encrypted med ","referrer policy" "strict origin when cross origin","expect ct" "enforce, max age=86400","content security policy" "default upload malware samples upload malware samples to malwarebazaar for analysis and community sharing, requiring file inputs endpoint url api/v1/ method post input argument name type required description file object optional the malware sample you want to upload file file string optional parameter for upload malware samples file file name string optional name of the resource anonymous number optional if set to 1, your submission will be anonymous delivery method string optional delivery method used to spread this malware sample tags array optional list of tags allowed characters are \[a za z0 9 ] references object optional references for this malware sample references any run array optional parameter for upload malware samples references joe sandbox array optional parameter for upload malware samples references malpedia array optional parameter for upload malware samples references twitter array optional parameter for upload malware samples references links array optional parameter for upload malware samples context object optional context for this malware sample context dropped by md5 array optional parameter for upload malware samples context dropped by sha256 array optional parameter for upload malware samples context dropped by malware array optional parameter for upload malware samples context comment string optional parameter for upload malware samples input example {"json body" {"anonymous" 1,"delivery method" "email attachment","tags" \["exe","test"],"references" {"any run" \["https //app any run/tasks/1","https //app any run/tasks/2"],"joe sandbox" \["https //www joesecurity org/reports/1","https //www joesecurity org/reports/2"],"malpedia" \["https //malpedia caad fkie fraunhofer de/details/win gozi"],"twitter" \["https //twitter com/abuse ch/status/1224269018506330112"],"links" \["https //urlhaus abuse ch/url/306613/"]},"context" {"dropped by md5" \["68b329da9893e34099c7d8ad5cb9c940"],"dropped by sha256" \["01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b","4355a46b19d348dc2f57c046f8ef63d4538ebb936000f3c9ee954a27460dd865"],"dropped by malware" \["gozi"],"comment" "this malware sample is very nasty!"}}} output parameter type description status code number http status code of the response reason string response reason phrase query status string status value output example {"status code" 200,"response headers" {"server" "nginx/1 22 1","date" "tue, 19 aug 2025 07 46 34 gmt","content type" "application/json","content length" "34","strict transport security" "max age=15768000 ; includesubdomains, max age=31536000; includesubdomains","permissions policy" "accelerometer=(), ambient light sensor=(), autoplay=(), camera=(), encrypted med ","referrer policy" "strict origin when cross origin","expect ct" "enforce, max age=86400","content security policy" "default src 'se response headers header description example alt svc http response header alt svc h3=" 443 "; ma=2592000,h3 29=" 443 "; ma=2592000 content length the length of the response body in bytes 33 content security policy http response header content security policy default src 'self'; style src 'self'; script src 'self'; img src 'self'; object src 'none' content type the media type of the resource application/json cross origin embedder policy http response header cross origin embedder policy require corp; report to="default" cross origin opener policy http response header cross origin opener policy same origin; report to="default" cross origin resource policy http response header cross origin resource policy same site date the date and time at which the message was originated thu, 14 aug 2025 06 47 50 gmt expect ct http response header expect ct enforce, max age=86400 permissions policy http response header permissions policy accelerometer=(), ambient light sensor=(), autoplay=(), camera=(), encrypted media=(), fullscreen=(), geolocation=(), gyroscope=(), magnetometer=(), microphone=(), midi=(), payment=(), picture in picture=(), speaker=(), usb=(), vr=() referrer policy http response header referrer policy strict origin when cross origin server information about the software used by the origin server nginx/1 22 1 strict transport security http response header strict transport security max age=15768000 ; includesubdomains, max age=31536000; includesubdomains transfer encoding http response header transfer encoding chunked via http response header via 1 1 google x content type options http response header x content type options nosniff x frame options http response header x frame options sameorigin x xss protection http response header x xss protection 1; mode=block