MalwareBazaar API Test

ID: api-malwarebazaar

Severity: info

Author: daffainfo

Tags: token-spray,malwarebazaar,intrusive

Description

Collect and share malware samples

YAML Source

id: api-malwarebazaar

info:
  name: MalwareBazaar API Test
  author: daffainfo
  severity: info
  description: Collect and share malware samples
  reference:
    - https://bazaar.abuse.ch/api/
    - https://github.com/daffainfo/all-about-apikey/tree/main/malwarebazaar
  metadata:
    max-request: 1
  tags: token-spray,malwarebazaar,intrusive

self-contained: true

http:
  - raw:
      - |
        POST https://mb-api.abuse.ch/api/v1 HTTP/1.1
        Host: mb-api.abuse.ch
        API-KEY: {{token}}
        Content-Length: 0
        Content-Type: multipart/form-data; boundary=545d0ca717a743c3bd4fa575585f74c6

        --545d0ca717a743c3bd4fa575585f74c6
        Content-Disposition: form-data; name="json_data"
        Content-Type: application/json

        {"tags": ["exe", "test"], "references": {"twitter": ["https://twitter.com/abuse_ch/status/1224269018506330112"], "malpedia": ["https://malpedia.caad.fkie.fraunhofer.de/details/win.gozi"], "joe_sandbox": ["https://www.joesecurity.org/reports/1", "https://www.joesecurity.org/reports/2"], "links": ["https://urlhaus.abuse.ch/url/306613/"], "any_run": ["https://app.any.run/tasks/1", "https://app.any.run/tasks/2"]}, "context": {"comment": "this malware sample is very nasty!", "dropped_by_md5": ["68b329da9893e34099c7d8ad5cb9c940"], "dropped_by_malware": ["Gozi"], "dropped_by_sha256": ["01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b", "4355a46b19d348dc2f57c046f8ef63d4538ebb936000f3c9ee954a27460dd865"]}, "anonymous": 1, "delivery_method": "email_attachment"}
        --545d0ca717a743c3bd4fa575585f74c6
        Content-Disposition: form-data; name="file"; filename="1.txt"

        dssd

        --545d0ca717a743c3bd4fa575585f74c6--

    matchers:
      - type: word
        part: body
        words:
          - '"query_status": "inserted"'
          - '"query_status": "file_already_known"'
        condition: or
# digest: 490a0046304402200f6b4c961f458105eedec7f471e16b86bba9424fbf4b5a4edb58e6aa78cc839f0220038d7c979addcd1202ff9afcca1a46b17c369b830d725c8cdbbbda9acd9eded4:922c64590222798bb761d5b6d8e72950

Guide to check the vulnerabilities

This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.

$ nuclei -u "URL" -t "http/token-spray/api-malwarebazaar.yaml"

View on Github