msticpy.context.tiproviders.mblookup module
MalwareBazaar TI Provider.
- class msticpy.context.tiproviders.mblookup.MBEntityType(*values)
Bases: Enum
MBEntityType: Enum class for MalwareBazaar entity types.
- CLAMAV = 'clamav'
- CODESIGNISSUER = 'issuerinfo'
- CODESIGNSN = 'certificate'
- CODESIGNSUBJECT = 'subjectinfo'
- DHASH = 'dhash'
- FILETYPE = 'filetype'
- GIMPHASH = 'gimphash'
- HASH = 'hash'
- IMPHASH = 'imphash'
- SIGNATURE = 'signature'
- TAG = 'tag'
- TELFHASH = 'telfhash'
- TLSH = 'tlsh'
- YARA = 'yara'
- class msticpy.context.tiproviders.mblookup.MBlookup(mb_key=None)
Bases: object
MBlookup Python Class wrapper for MalwareBazaar API.
Init function to get the API key if necessary.
- Parameters:
mb_key (str | None)
- download_sample(sha2)
Download specified sample from MB.
- Parameters:
self (Self)
sha2 (str) – SHA-256 hash of the sample to download.
- Return type:
DataFrame
- get_cscb()
Query Code Signing Certificate Blocklist (CSCB).
- Parameters:
self (Self)
- Return type:
DataFrame
- get_recent(selector)
Get the recent MB additions.
- Parameters:
selector (str) – Which recent set to fetch, as defined by the MalwareBazaar API: "time" returns samples added in the last 60 minutes, "100" returns the latest 100 additions.
self (Self)
- Returns:
The results of the latest addition.
- Return type:
pd.DataFrame
- lookup_ioc(observable, mb_type, limit=10)
Look up an IoC in MalwareBazaar.
- Parameters:
observable (str) – The observable to look up: a hash, a signature (malware family) name, a tag, an imphash, a TLSH, a YARA rule name, a code-signing certificate field, and so on, matching mb_type.
mb_type (str) – The type of the observable; one of the MBEntityType values (for example "hash", "signature", "tag").
limit (int, optional) – Maximum number of results to return. The MalwareBazaar API defaults to 100 (50 for some query types); this wrapper passes 10 unless overridden.
self (Self)
- Returns:
The results of the lookup.
- Return type:
pd.DataFrame
- Raises:
KeyError – If an invalid IoC type is provided.
- mb_key: str | None
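The reference above lists the lookup_ioc signature and its KeyError behaviour but not the exchange that happens underneath. The following stand-alone script is an added example, not msticpy's implementation: it maps an entity type to a MalwareBazaar query, validates a hash before it leaves the host, sends the form POST, and unwraps the JSON envelope, distinguishing "not found" from a genuine API error. The type-to-query mapping and the "Auth-Key" header name are assumptions transcribed from the public MalwareBazaar API reference; re-check them against the current docs. The transport is injectable, so the demo at the bottom runs offline against a constructed response (fake_post, FAKE_OK and FAKE_MISS are not real MalwareBazaar data).

```python
"""Request/response flow of a MalwareBazaar lookup, written stand-alone."""
import json
import re
from typing import Any, Callable, Dict, List, Tuple

MB_API_URL = "https://mb-api.abuse.ch/api/v1/"

# Assumption: entity type -> (query name, form field, accepts "limit"),
# transcribed from the public MalwareBazaar API reference, not from msticpy.
QUERY_BY_TYPE: Dict[str, Tuple[str, str, bool]] = {
    "hash": ("get_info", "hash", False),
    "tag": ("get_taginfo", "tag", True),
    "signature": ("get_siginfo", "signature", True),
    "filetype": ("get_file_type", "file_type", True),
    "clamav": ("get_clamavinfo", "clamav", True),
    "imphash": ("get_imphash", "imphash", True),
    "dhash": ("get_dhash_icon", "dhash_icon", True),
    "yara": ("get_yarainfo", "yara_rule", True),
    "tlsh": ("get_tlsh", "tlsh", True),
    "telfhash": ("get_telfhash", "telfhash", True),
    "gimphash": ("get_gimphash", "gimphash", True),
    "issuerinfo": ("get_issuerinfo", "issuer_cn", True),
    "subjectinfo": ("get_subjectinfo", "subject_cn", True),
    "certificate": ("get_certificate", "serial_number", True),
}

# MD5, SHA-1 or SHA-256 hex digest; anything else is rejected locally.
HASH_RE = re.compile(r"^(?:[0-9a-fA-F]{32}|[0-9a-fA-F]{40}|[0-9a-fA-F]{64})$")


def build_request(observable: str, mb_type: str, limit: int = 10) -> Dict[str, str]:
    """Turn (observable, type) into the form fields for one MalwareBazaar query.

    Unknown types raise KeyError, the failure mode documented for lookup_ioc.
    """
    if mb_type not in QUERY_BY_TYPE:
        raise KeyError(f"unsupported MalwareBazaar entity type: {mb_type!r}")
    query, field, takes_limit = QUERY_BY_TYPE[mb_type]
    if mb_type == "hash" and not HASH_RE.match(observable):
        raise ValueError("hash lookups need an MD5, SHA-1 or SHA-256 hex digest")
    form = {"query": query, field: observable}
    if takes_limit:
        form["limit"] = str(limit)
    return form


def parse_response(body: str) -> List[Dict[str, Any]]:
    """Unwrap the MalwareBazaar JSON envelope into a list of sample records.

    "ok" yields the records; "no_results" or any "*_not_found" status yields an
    empty list; every other status (bad key, illegal hash, ...) is raised rather
    than silently reported as "no hits".
    """
    payload = json.loads(body)
    status = payload.get("query_status", "")
    if status == "ok":
        return list(payload.get("data") or [])
    if status == "no_results" or status.endswith("_not_found"):
        return []
    raise RuntimeError(f"MalwareBazaar query failed: {status or 'no status'}")


# Transport signature: (url, form fields, headers) -> response body.
Poster = Callable[[str, Dict[str, str], Dict[str, str]], str]


def requests_post(url: str, form: Dict[str, str], headers: Dict[str, str]) -> str:
    """Real transport; imported lazily so the module loads without requests."""
    import requests

    resp = requests.post(url, data=form, headers=headers, timeout=30)
    resp.raise_for_status()
    return resp.text


def lookup(observable: str, mb_type: str, api_key: str = None, limit: int = 10,
           post: Poster = requests_post) -> List[Dict[str, Any]]:
    """End-to-end lookup. Assumption: the API key travels in an Auth-Key header."""
    headers = {"Auth-Key": api_key} if api_key else {}
    return parse_response(post(MB_API_URL, build_request(observable, mb_type, limit), headers))


# Constructed response for the offline demo; not real MalwareBazaar data.
FAKE_SHA256 = "a" * 64
FAKE_OK = json.dumps({
    "query_status": "ok",
    "data": [{"sha256_hash": FAKE_SHA256, "file_name": "invoice.exe",
              "file_type": "exe", "signature": "AgentTesla",
              "tags": ["exe", "AgentTesla"]}],
})
FAKE_MISS = json.dumps({"query_status": "hash_not_found"})


def fake_post(url: str, form: Dict[str, str], headers: Dict[str, str]) -> str:
    """Offline stand-in for requests_post: only FAKE_SHA256 is 'known'."""
    return FAKE_OK if form.get("hash") == FAKE_SHA256 else FAKE_MISS


if __name__ == "__main__":
    hits = lookup(FAKE_SHA256, "hash", post=fake_post)
    print(hits[0]["signature"], hits[0]["tags"])
```

To run it against the live service, drop the post= argument and pass api_key=; the local hash check is there so a typo or a non-hash observable fails fast instead of spending an API call and returning an "illegal_hash" status that a caller might mistake for "no hits".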