diff --git a/analyzers/MalwareBazaar/MalwareBazaar.json b/analyzers/MalwareBazaar/MalwareBazaar.json
new file mode 100644
index 0000000..13b4329
--- /dev/null
+++ b/analyzers/MalwareBazaar/MalwareBazaar.json
@@ -0,0 +1,19 @@
+{
+ "name": "MalwareBazaar",
+ "author": "Andrea Garavaglia, Davide Arcuri - LDO-CERT",
+ "license": "AGPL-V3",
+ "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
+ "version": "1.0",
+ "baseConfig": "MalwareBazaar",
+ "description": "Search hashes on MalwareBazaar.",
+ "dataTypeList": ["domain", "fqdn", "url", "hash", "ip"],
+ "command": "MalwareBazaar/MalwareBazaar_analyzer.py",
+ "configurationItems": [ {
+ "name": "api_key",
+ "description": "MalwareBazaar api key",
+ "multi": false,
+ "required": true,
+ "type": "string"
+ }
+ ]
+}
diff --git a/analyzers/MalwareBazaar/MalwareBazaar_analyzer.py b/analyzers/MalwareBazaar/MalwareBazaar_analyzer.py
new file mode 100755
index 0000000..0744e61
--- /dev/null
+++ b/analyzers/MalwareBazaar/MalwareBazaar_analyzer.py
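Review bot: `dataTypeList` advertises `domain`, `fqdn`, `url` and `ip` in addition to `hash`, but the analyzer script added in this same commit only handles `hash` and answers `Datatype not supported.` for every other type, so Cortex would offer this analyzer on observables it can only fail on. Narrow the manifest to `"dataTypeList": ["hash"],` unless the analyzer is extended to the other types. The `description` already says it searches hashes, so the manifest would then agree with itself.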
@@ -0,0 +1,62 @@
+#!/usr/bin/env python3
+import requests
+from cortexutils.analyzer import Analyzer
+
+BASEURL = 'https://mb-api.abuse.ch/api/v1/'
+
+class MalwareBazaarnalyzer(Analyzer):
+ def __init__(self):
+ Analyzer.__init__(self)
+ self.api_key = self.get_param("config.api_key", None)
+
+ def run(self):
+ data = self.get_data()
+ if not data:
+ self.error('No observable or file given.')
+
+ results = {}
+ if self.data_type == 'hash':
+ if len(data) in [32, 40, 64]:
+ headers = { 'API-KEY': self.api_key }
+ data = {
+ 'query': 'get_info',
+ 'hash': data,
+ }
+ results = requests.post(BASEURL, data=data, timeout=15, headers=headers)
+
+ if results.status_code == 200:
+ results = results.json()
+ if results['query_status'] in ['http_post_expected', 'illegal_hash', 'no_hash_provided']:
+ self.error('MalwareBazaar returned error: %s' % results['query_status'])
+ else:
+ results['data'] = results['data'][0]
+ else:
+ self.error('Only sha256, sha1 and md5 supported by MalwareBazaar.')
+ else:
+ self.error('Datatype not supported.')
+
+ self.report(results)
+
+ def summary(self, raw):
+ taxonomies = []
+ namespace = "MalwareBazaar"
+
+ if raw['query_status'] == 'hash_not_found':
+ taxonomies.append(self.build_taxonomy(
+ 'info',
+ namespace,
+ 'Search',
+ 'No results'
+ ))
+ else:
+ taxonomies.append(self.build_taxonomy(
+ 'malicious',
+ namespace,
+ 'Signature',
+ raw['data'].get('signature', 'Unknown')
+ ))
+ return {"taxonomies": taxonomies}
+
+
+if __name__ == '__main__':
+ MalwareBazaarnalyzer().run()
diff --git a/analyzers/MalwareBazaar/requirements.txt b/analyzers/MalwareBazaar/requirements.txt
new file mode 100644
index 0000000..6aabc3c
--- /dev/null
+++ b/analyzers/MalwareBazaar/requirements.txt
@@ -0,0 +1,2 @@
+cortexutils
+requests
diff --git a/thehive-templates/MalwareBazaar_1_0/long.html b/thehive-templates/MalwareBazaar_1_0/long.html
new file mode 100644
index 0000000..5f04575
--- /dev/null
+++ b/thehive-templates/MalwareBazaar_1_0/long.html
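Review bot: In `run()`, a non-200 response has no handling branch, so `results` stays a `requests.Response` object that `self.report(results)` then tries to serialize and that `summary()` would index with `raw['query_status']`; the status check needs an error path, and the code already relies on `self.error()` not returning (see the `if not data:` guard). The same block unconditionally does `results['data'] = results['data'][0]` for every `query_status` outside the three error names, so a `hash_not_found` reply — which `summary()` explicitly expects to receive — will raise KeyError or IndexError if the API omits or empties `data` in that case; guarding on the key's presence avoids that. `requests.post` can also raise `requests.RequestException` (timeout, connection failure), which here surfaces as an uncaught traceback instead of a Cortex error report. Two smaller points: `len(data) in [32, 40, 64]` checks length only, not that the observable is hexadecimal, and the class name `MalwareBazaarnalyzer` is missing an `A`.

```python
                try:
                    results = requests.post(BASEURL, data=data, timeout=15, headers=headers)
                except requests.RequestException as e:
                    self.error('MalwareBazaar request failed: %s' % e)
                if results.status_code != 200:
                    self.error('MalwareBazaar returned HTTP status %s' % results.status_code)
                results = results.json()
                if results['query_status'] in ['http_post_expected', 'illegal_hash', 'no_hash_provided']:
                    self.error('MalwareBazaar returned error: %s' % results['query_status'])
                elif results.get('data'):
                    # collapse the single-element list so summary() and the templates can index fields directly
                    results['data'] = results['data'][0]
```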
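Review bot: Both entries in `requirements.txt` are unpinned, so the analyzer's runtime dependency set is whatever `cortexutils` and `requests` resolve to at install time; for a component that handles an API key and parses third-party responses, pinning (at least `requests==<version>` and `cortexutils==<version>`, with the versions you actually tested) makes builds reproducible and reviewable. If the repository's convention is to leave requirements unpinned, a lower bound on `requests` that guarantees `timeout=` and `RequestException` behave as the analyzer expects would still be worthwhile.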
@@ -0,0 +1,64 @@ +
+
+ MalwareBazaar search results for + {{artifact.data | fang}} +
+
+
+
+
Hashes
+
+ md5: {{content.data.md5_hash}}
+ sha256: {{content.data.sha256_hash}}
+ sha1: {{content.data.sha1_hash}}
+ imphash: {{content.data.imphash}}
+ ssdeep: {{content.data.ssdeep}} +
+
First seen (UTC)
+
{{content.data.first_seen}}
+
Last seen (UTC)
+
{{content.data.last_seen}}
+
Filename
+
{{content.data.file_name}}
+
Filetype
+
{{content.data.file_type}} {{content.data.file_type_mime}}
+
Filetype
+
{{content.data.file_type}}
+
Signature
+
{{content.data.signature}}
+
Tags
+
{{tag}}
+
+
+
+
+ + +
+
+ {{artifact.data | fang}} +
+
+
+
+ MalwareBazaar: +
+
No results
+
+
+
+ + +
+
+ {{artifact.data | fang}} +
+
+
+
+ MalwareBazaar: +
+
{{content.errorMessage}}
+
+
+
+
diff --git a/thehive-templates/MalwareBazaar_1_0/short.html b/thehive-templates/MalwareBazaar_1_0/short.html
new file mode 100644
index 0000000..3d711c2
--- /dev/null
+++ b/thehive-templates/MalwareBazaar_1_0/short.html
@@ -0,0 +1,3 @@
+
+ {{t.namespace}}:{{t.predicate}}="{{t.value}}"
+
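Review bot: The `Filetype` row is rendered twice in the results section of `long.html`; the second copy, which prints only `{{content.data.file_type}}`, is a subset of the first, which already prints `{{content.data.file_type}} {{content.data.file_type_mime}}`, so the second block should be dropped. The markup tags have been stripped from this view of the hunk, so the enclosing elements cannot be checked here. The bare `{{tag}}` binding under `Tags` presumably sits inside a repeat directive over `content.data.tags` — worth confirming, since without one it renders an empty value.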