Server.Enrichment.MalwareBazaar

Query MalwareBazaar for a hash.

To learn more about MalwareBazaar, see: https://bazaar.abuse.ch/

This artifact can be called from within another artifact to enrich the data made available by that artifact.

Ex.

`SELECT * from Artifact.Server.Enrichment.MalwareBazaar(Hash=$YourMD5OrSHA1OrSHA256)`

If querying for an alternate hash, specify the hash type, like so:

`SELECT * from Artifact.Server.Enrichment.MalwareBazaar(Hash=$YOURHASH, HashType=$YourGimphashOrImphash)`

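name: Server.Enrichment.MalwareBazaar
description: |
  Query MalwareBazaar for a hash.

  To learn more about MalwareBazaar, see: https://bazaar.abuse.ch/

  This artifact can be called from within another artifact to enrich the data made available by that artifact.

  Only the hash value itself is sent to the MalwareBazaar API; no file
  content leaves the server.

  Ex.

  `SELECT * from Artifact.Server.Enrichment.MalwareBazaar(Hash=$YourMD5OrSHA1OrSHA256)`

  If querying for an alternate hash, specify the hash type, like so:

  `SELECT * from Artifact.Server.Enrichment.MalwareBazaar(Hash=$YOURHASH, HashType=$YourGimphashOrImphash)`

# Can be CLIENT, CLIENT_EVENT, SERVER, SERVER_EVENT
type: SERVER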

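parameters:
  - name: Hash
    description: >-
      Hash to look up. MD5, SHA1 and SHA256 all use the same lookup and need
      no HashType; set HashType for other hash families.
    # Explicit empty string: a bare "default:" parses as null.
    default: ""
  - name: HashType
    description: >-
      Leave empty for MD5, SHA1 or SHA256. Gimphash, Imphash, Telfhash and
      TLSH are each routed to their own MalwareBazaar query.
    default: ""
    type: choices
    choices:
      # Empty choice is an explicit string, not a null entry.
      - ""
      - MD5
      - SHA1
      - SHA256
      - Gimphash
      - Imphash
      # Both are already mapped in the query's lookup table.
      - Telfhash
      - TLSH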

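sources:
  - query: |
      -- Lookup table: HashType -> MalwareBazaar query name and form field.
      -- Rows are kept flush with the surrounding VQL so the Type column
      -- carries no leading whitespace, whether or not parse_csv trims it.
      LET QueryTable <= SELECT * FROM parse_csv(accessor="data", filename='''
      Type,Query,SearchValue
      Gimphash,get_gimphash,gimphash
      Imphash,get_imphash,imphash
      MD5,get_info,hash
      SHA1,get_info,hash
      SHA256,get_info,hash
      Telfhash,get_telfhash,telfhash
      TLSH,get_tlsh,tlsh
      ''')

      LET MBURL <= "https://mb-api.abuse.ch/api/v1/"
      LET QueryName = SELECT Query FROM QueryTable WHERE HashType = Type
      LET SearchName = SELECT SearchValue FROM QueryTable WHERE HashType = Type

      -- Unknown or empty HashType falls back to the generic get_info/hash lookup.
      LET MBQuery = if(condition=QueryName.Query[0], then=QueryName.Query[0], else="get_info")
      LET MBField = if(condition=SearchName.SearchValue[0], then=SearchName.SearchValue[0], else="hash")

      -- The hash is embedded verbatim in the multipart body below. Every
      -- supported hash family is alphanumeric, so anything else (newlines,
      -- boundary-like text, an empty value) is rejected instead of being sent.
      LET SafeHash <= if(condition=Hash =~ "^[A-Za-z0-9]+$", then=Hash, else="")

      LET Boundary <= "-----------------------------9051914041544843365972754266"
      LET Data(Name, Value) = format(
        format='--%s\nContent-Disposition: form-data; name="%v"\n\n%s\n',
        args=[Boundary, Name, Value])
      LET END = format(format="--%s--\n", args=Boundary)

      -- QueryStatus exposes the API's own result code so callers can tell
      -- "not found" from an actual hit; the data.* columns are null when
      -- the response carries no data array.
      LET MBSubmission = SELECT
        parse_json(data=Content).query_status AS QueryStatus,
        parse_json(data=Content).data.file_name[0] AS `Filename`,
        parse_json(data=Content).data.first_seen[0] AS `First Seen`,
        parse_json(data=Content).data.last_seen[0] AS `Last Seen`,
        parse_json(data=Content).data.reporter[0] AS Reporter,
        parse_json(data=Content).data.tags[0] AS Tags,
        parse_json(data=Content).data.intelligence[0] AS Intelligence,
        parse_json(data=Content) AS _Content
      FROM http_client(
        method="POST",
        url=MBURL,
        headers=dict(`Content-Type`="multipart/form-data; boundary=" + Boundary),
        data=Data(Name="query", Value=MBQuery) + Data(Name=MBField, Value=SafeHash) + END)

      -- No request is issued at all for an empty or malformed Hash.
      SELECT * FROM if(condition=SafeHash,
        then=MBSubmission,
        else={
          SELECT log(message="Server.Enrichment.MalwareBazaar: Hash is empty or not alphanumeric; lookup skipped") AS Skipped
          FROM scope()
        })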