Script to chain search parameters for MalwareBazaar
This tool can be used to quickly find samples in MalwareBazaar (MB) by extending the default search syntax with -s, --search. It does this by allowing the user to supply multiple filters in one query; it then pulls the results of each filter separately and cross-references them against each other, keeping only the samples that appear in every filter's results. It can also be used to download every sample returned by a search with --download-all, or an individual sample with the --get-file switch.
The goal of this tool is for it to be fairly intuitive if the operator is familiar with MB search syntax.
No API key is required.
Download LNK files whose signature is "CobaltStrike"
python.exe .\search.py -s "file_type:lnk signature:CobaltStrike" --download-all
Download a specific sample by hash
python.exe .\search.py --get-file HASH
Known limitations:
- The yara search query does not work as expected, so it is not supported.
- The issuer_cn search query is not supported, because issuer common names often contain spaces, which breaks the filter parsing.
- Mixing an extremely common parameter with an extremely specific one can cause missed results. To validate a hit, search with the specific parameter on its own.
- For example, it is very common for a sample to carry the "exe" tag. Because the script can only retrieve the latest 1000 results for a filter, combining that tag with a very specific parameter, such as a certificate serial number, will likely (and incorrectly) return no results: the specific sample is not among the 1000 newest "exe" hits, so the cross-reference finds no overlap.
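The cross-referencing described above and the 1000-result truncation that causes the miss, as an added worked example. This is not the project's search.py: no request reaches MB, and the sample records, hash values and serial number 00D1 are constructed. The three query types in FILTER_TO_QUERY (get_taginfo, get_siginfo, get_file_type) are real MB API query types to my knowledge; treating "serial_number" as a filter on the local records, and every other name here, is an assumption of this model.

```python
"""Offline model of chaining MalwareBazaar (MB) search filters.

Constructed example, not the project's search.py: no request reaches MB
(the real endpoint is https://mb-api.abuse.ch/api/v1/), and every record
below is made up. Each filter is treated as one MB lookup that returns at
most the LATEST `limit` matches; the per-filter hash sets are then
intersected, which is the cross-referencing the README describes and the
reason a very common filter can hide a very specific one.
"""
import hashlib

# Assumed mapping of README filter keys to MB API query types. These three
# query types and parameter names exist in the MB API; "serial_number" is
# matched only against the local records here.
FILTER_TO_QUERY = {
    "tag": ("get_taginfo", "tag"),
    "signature": ("get_siginfo", "signature"),
    "file_type": ("get_file_type", "file_type"),
}
UNSUPPORTED = {"yara", "issuer_cn"}   # rejected up front, per the README
LIMIT = 1000                          # MB hands back at most the latest 1000 hits


def parse_query(query):
    """Split 'file_type:lnk signature:CobaltStrike' into [(key, value), ...]."""
    filters = []
    for token in query.split():
        key, sep, value = token.partition(":")
        if not sep or not key or not value:
            raise ValueError(f"malformed filter {token!r}, expected key:value")
        if key in UNSUPPORTED:
            raise ValueError(f"{key} is not supported by this tool")
        filters.append((key, value))
    return filters


def build_request(key, value, limit=LIMIT):
    """Form fields one filter would POST to the MB API (not sent here)."""
    query_type, param = FILTER_TO_QUERY[key]
    return {"query": query_type, param: value, "limit": str(limit)}


def fake_sha256(i):
    """Deterministic stand-in for a sample's sha256 (constructed data)."""
    return hashlib.sha256(f"sample-{i}".encode()).hexdigest()


def make_store(n_exe=1200):
    """Constructed corpus: 1200 'exe'-tagged samples plus four LNK loaders.

    first_seen is a plain counter, higher = newer. Sample 0 is the OLDEST
    exe and the only one carrying the (made-up) certificate serial 00D1.
    """
    store = [{"sha256_hash": fake_sha256(i), "first_seen": i, "file_type": "exe",
              "signature": None, "tags": ["exe"],
              "serial_number": "00D1" if i == 0 else None}
             for i in range(n_exe)]
    for j, sig in enumerate(["CobaltStrike", "CobaltStrike", "Emotet", None]):
        i = n_exe + j
        store.append({"sha256_hash": fake_sha256(i), "first_seen": i,
                      "file_type": "lnk", "signature": sig, "tags": ["lnk"],
                      "serial_number": None})
    return store


def fetch(store, key, value, limit=LIMIT):
    """One filter's lookup: matching records, newest first, capped at limit."""
    if key == "tag":
        hits = [r for r in store if value in r["tags"]]
    else:
        hits = [r for r in store if r.get(key) == value]
    hits.sort(key=lambda r: r["first_seen"], reverse=True)
    return hits[:limit]


def search(store, query, limit=LIMIT):
    """Run every filter, intersect on sha256, return the surviving hashes."""
    common = None
    for key, value in parse_query(query):
        hashes = {r["sha256_hash"] for r in fetch(store, key, value, limit)}
        common = hashes if common is None else common & hashes
    return sorted(common or ())


if __name__ == "__main__":
    store = make_store()
    print(build_request("signature", "CobaltStrike"))
    print("lnk + CobaltStrike:", search(store, "file_type:lnk signature:CobaltStrike"))
    # The README's warning: 'exe' alone yields 1200 hits, capped to the newest
    # 1000, so the oldest sample (the one with the serial) never enters the
    # intersection and the combined query comes back empty.
    print("exe + serial (capped):", search(store, "tag:exe serial_number:00D1"))
    print("serial alone:", search(store, "serial_number:00D1"))
    print("exe + serial, no cap:", search(store, "tag:exe serial_number:00D1", limit=5000))
```

Running the block shows the two LNK loaders found by the chained query, the empty result for the common tag plus serial number, and the same serial number found on its own (or when the cap is lifted), which is exactly why the README tells you to validate with the specific parameter alone.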
It is recommended to understand the MB API limits before use:
https://bazaar.abuse.ch/faq/#api-limit
My Medium post about the tool:
https://montysecurity.medium.com/hunting-cobalt-strike-lnk-loaders-f3c407a991c0