msticpy.context.tiproviders.mblookup module

MalwareBazaar TI Provider.

class msticpy.context.tiproviders.mblookup.MBEntityType(value)

Bases: Enum

MBEntityType: Enum class for MalwareBazaar entity types.

CLAMAV = 'clamav'
CODESIGNISSUER = 'issuerinfo'
CODESIGNSN = 'certificate'
CODESIGNSUBJECT = 'subjectinfo'
DHASH = 'dhash'
FILETYPE = 'filetype'
GIMPHASH = 'gimphash'
HASH = 'hash'
IMPHASH = 'imphash'
SIGNATURE = 'signature'
TAG = 'tag'
TELFHASH = 'telfhash'
TLSH = 'tlsh'
YARA = 'yara'
class msticpy.context.tiproviders.mblookup.MBlookup(mb_key=None)

Bases: object

MBlookup Python Class wrapper for MalwareBazaar API.

Init function to get the API key if necessary.

download_sample(sha2: str)

Download specified sample from MB.


Query Code Signing Certificate Blocklist (CSCB).

get_recent(selector: str)

Get the recent MB additions.


selector (str) – Get the latest sample from the last 60 min.


The results of the latest addition.

Return type:


lookup_ioc(observable: str, mb_type: str, limit=10) DataFrame

Lookup for IOC in MalwareBazaar.

  • observable (str) – The observable to lookup. It can be a hash, a signature

  • mb_type (str) – The type of the observable. It can be a hash, a signature (refer to MBEntityType).

  • limit (int, optional) – The number of results to return, default is 100 or 50 in some cases, by default 10


The results of the lookup.

Return type:



KeyError – If invalid IoC type is provided.