msticpy.context.tiproviders.mblookup module

MalwareBazaar TI Provider.

class msticpy.context.tiproviders.mblookup.MBEntityType(value)

Bases: Enum

MBEntityType: Enum class for MalwareBazaar entity types.

CLAMAV = 'clamav'
CODESIGNISSUER = 'issuerinfo'
CODESIGNSN = 'certificate'
CODESIGNSUBJECT = 'subjectinfo'
DHASH = 'dhash'
FILETYPE = 'filetype'
GIMPHASH = 'gimphash'
HASH = 'hash'
IMPHASH = 'imphash'
SIGNATURE = 'signature'
TAG = 'tag'
TELFHASH = 'telfhash'
TLSH = 'tlsh'
YARA = 'yara'

class msticpy.context.tiproviders.mblookup.MBlookup(mb_key=None)

Bases: object

MBlookup Python Class wrapper for MalwareBazaar API.

Init function to obtain the API key if one is needed.

download_sample(sha2: str)

Download the specified sample from MB.

get_cscb()

Query Code Signing Certificate Blocklist (CSCB).

get_recent(selector: str)

Get the recent MB additions.

Parameters:

selector (str) – Selects which recent additions to fetch: the latest samples from the last 60 min.

Returns:

The results of the latest addition.

Return type:

pd.DataFrame

lookup_ioc(observable: str, mb_type: str, limit=10) → DataFrame

Look up an IoC in MalwareBazaar.

Parameters:
  • observable (str) – The observable to look up. It can be a hash, a signature

  • mb_type (str) – The type of the observable. It can be a hash, a signature (refer to MBEntityType).

  • limit (int, optional) – The number of results to return, by default 10 (the API returns at most 100, or 50 for some query types).

Returns:

The results of the lookup.

Return type:

pd.DataFrame

Raises:

KeyError – If an invalid IoC type is provided.
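As an added example (not msticpy's own code and not a substitute for the real MBlookup class), the following stand-alone Python reproduces the lookup_ioc contract described above: mb_type is validated against the MBEntityType values and an unknown type raises KeyError, the result set is bounded by limit, and a miss comes back as an empty result so a triage loop over many hashes keeps running. The API endpoint, the query verb and form field per type, the Auth-Key header and the query_status values are assumptions taken from the public MalwareBazaar API documentation rather than from this page; the HTTP transport is swapped for an offline stand-in fed with constructed records, so the example runs with no network access and no API key.

```python
"""Added example, not msticpy's code: the lookup_ioc contract (KeyError on a bad
type, bounded results, empty result on a miss) with an offline transport."""
import json
import urllib.parse
import urllib.request
from typing import Callable, Dict, List

MB_API_URL = "https://mb-api.abuse.ch/api/v1/"  # assumed public endpoint

# mb_type (the MBEntityType values on the page) -> (API query verb, form field).
# Verbs and field names are assumptions from the public API docs.
_QUERY_FOR: Dict[str, tuple] = {
    "hash": ("get_info", "hash"),
    "signature": ("get_siginfo", "signature"),
    "tag": ("get_taginfo", "tag"),
    "imphash": ("get_imphash", "imphash"),
    "tlsh": ("get_tlsh", "tlsh"),
    "telfhash": ("get_telfhash", "telfhash"),
    "gimphash": ("get_gimphash", "gimphash"),
    "dhash": ("get_dhash_icon", "dhash_icon"),
    "clamav": ("get_clamavinfo", "clamav"),
    "yara": ("get_yarainfo", "yara_rule"),
    "filetype": ("get_file_type", "file_type"),
    "issuerinfo": ("get_issuerinfo", "issuer_cn"),
    "subjectinfo": ("get_subjectinfo", "subject_cn"),
    "certificate": ("get_certificate", "serial_number"),
}
_KEEP = ("sha256_hash", "file_name", "file_type", "signature", "tags", "first_seen")


def build_query(observable: str, mb_type: str, limit: int = 10) -> Dict[str, str]:
    """Form fields for one lookup. Raises KeyError on an unknown mb_type,
    matching the behaviour documented for MBlookup.lookup_ioc."""
    try:
        verb, field = _QUERY_FOR[mb_type]
    except KeyError:
        raise KeyError(
            f"invalid IoC type {mb_type!r}; expected one of {sorted(_QUERY_FOR)}"
        ) from None
    data = {"query": verb, field: observable}
    if verb != "get_info":  # a single-hash lookup returns at most one record
        data["limit"] = str(limit)
    return data


def http_post(data: Dict[str, str], api_key: str = "") -> dict:
    """Real transport (never called by the offline demo): form-POST to the API."""
    body = urllib.parse.urlencode(data).encode()
    req = urllib.request.Request(MB_API_URL, data=body, method="POST")
    if api_key:
        req.add_header("Auth-Key", api_key)  # header name is an assumption
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


# Constructed records in the shape of MalwareBazaar reply rows (not real samples).
_CONSTRUCTED_RECORDS = [
    {"sha256_hash": "00" * 32, "file_name": "dropper.exe", "file_type": "exe",
     "signature": "ExampleFamily", "tags": ["exe", "example"],
     "first_seen": "2024-01-01 00:00:00"},
    {"sha256_hash": "11" * 32, "file_name": "stage2.dll", "file_type": "dll",
     "signature": "ExampleFamily", "tags": ["dll", "example"],
     "first_seen": "2024-01-02 00:00:00"},
]


def constructed_transport(data: Dict[str, str], api_key: str = "") -> dict:
    """Offline stand-in for http_post: answers from the constructed records with
    the query_status values (assumed) the real API uses for hits and misses."""
    verb = data["query"]
    if verb == "get_info":
        hits = [r for r in _CONSTRUCTED_RECORDS if r["sha256_hash"] == data["hash"]]
        if not hits:
            return {"query_status": "hash_not_found"}
        return {"query_status": "ok", "data": hits}
    if verb == "get_siginfo":
        hits = [r for r in _CONSTRUCTED_RECORDS if r["signature"] == data["signature"]]
    else:
        hits = list(_CONSTRUCTED_RECORDS)
    if not hits:
        return {"query_status": "no_results"}
    return {"query_status": "ok", "data": hits[: int(data["limit"])]}


def lookup_ioc(observable: str, mb_type: str, limit: int = 10,
               transport: Callable[..., dict] = constructed_transport,
               api_key: str = "") -> List[Dict]:
    """Look up one observable; returns a list of row dicts (msticpy returns a
    pd.DataFrame). A miss is an empty list, not an exception, so a triage
    loop over many observables keeps running; only a bad mb_type raises."""
    reply = transport(build_query(observable, mb_type, limit), api_key)
    if reply.get("query_status") != "ok":
        return []
    return [{k: row.get(k) for k in _KEEP} for row in reply.get("data", [])[:limit]]


if __name__ == "__main__":
    print(lookup_ioc("00" * 32, "hash"))
    print(lookup_ioc("ExampleFamily", "signature", limit=1))
```

To go live, pass transport=http_post and an api_key; the KeyError surfaces before any request is sent, so a typo in mb_type never costs an API call.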