LloydLabs / go-malwarebazaar

MalwareBazaar public API bindings for Go


🛒 go-malwarebazaar

A Golang wrapper around MalwareBazaar's public API. The library supports several API endpoints, including querying and downloading. You can grab an API key for this great service here.

Getting Started

Make sure that your GOPATH is set up correctly, then pull the MalwareBazaar library from this GitHub repository.

$ go get github.com/LloydLabs/go-malwarebazaar

Exported Methods

An outline of the methods exposed by this API wrapper is below.

| Method | Description |
| --- | --- |
| QueryTag | Query a tag on MalwareBazaar, with tag (string, e.g. Trickbot) as the tag to query and limit (int) as the maximum number of results to return |
| QueryRecent | Query the most recent samples that have been submitted to MalwareBazaar, with amount (int) as the maximum number of results to return |
| QueryHash | Query an MD5, SHA-1 or SHA-256 hash; returns information such as YARA hits, further IOCs, sandbox information and more |
| QueryYara | Query a MalwareBazaar-defined YARA rule, e.g. ach_Heodo_doc_20210105, with the maximum number of results under limit (int) |
| QuerySigature | Query a signature, e.g. Heodo, with amount (int) as the maximum number of results to return |
| AddComment | Add a comment to a MalwareBazaar entry, with hash (string, SHA-256) as the entry and comment (string) as the comment |
| DownloadFile | Download a file to disk from MalwareBazaar, with hash (string, SHA-256) as the entry and location (string) as the destination. The wrapper automatically decrypts and extracts the sample from the archive it is served in |

Examples

package main

import (
	"fmt"
	"log"

	// import path assumed from the client.NewBazaar call below; adjust if the package lives elsewhere
	"github.com/LloydLabs/go-malwarebazaar/client"
)

func main() {
	// settings
	const Key = "<YOUR KEY HERE>"

	// initialise our client
	b, err := client.NewBazaar(Key)
	if err != nil {
		log.Fatalf("failed to create bazaar: %s", err)
	}

	// query the TrickBot tag, returning at most 50 entries
	x, err := b.QueryTag("TrickBot", 50)
	if err != nil {
		log.Fatalf("failed to query tag: %s", err)
	}

	// print the SHA-1 and first-seen date of each returned TrickBot sample
	for _, entry := range x.Data {
		fmt.Printf("Recent TrickBot binary SHA-1: %s\nFirst seen: %s\n", entry.Sha1Hash, entry.FirstSeen)
	}

	// download a Qakbot sample, writing it to a file named after its hash
	hash := "c5481c003005773954741e3fdd9cf0cc77d31fe59851321ddde80b41fe7ef0a3"
	if err := b.DownloadFile(hash, hash); err != nil {
		log.Fatalf("failed to download sample: %s", err)
	}
}
