msticpy.context.tiproviders.mblookup module

MalwareBazaar TI Provider.

class msticpy.context.tiproviders.mblookup.MBEntityType(value)

Bases: Enum

MBEntityType: Enum class for MalwareBazaar entity types.

CLAMAV = 'clamav'
CODESIGNISSUER = 'issuerinfo'
CODESIGNSN = 'certificate'
CODESIGNSUBJECT = 'subjectinfo'
DHASH = 'dhash'
FILETYPE = 'filetype'
GIMPHASH = 'gimphash'
HASH = 'hash'
IMPHASH = 'imphash'
SIGNATURE = 'signature'
TAG = 'tag'
TELFHASH = 'telfhash'
TLSH = 'tlsh'
YARA = 'yara'
class msticpy.context.tiproviders.mblookup.MBlookup(mb_key: str | None = None)

Bases: object

MBlookup Python Class wrapper for MalwareBazaar API.

Init function to get the API key if necessary.

download_sample(sha2: str) DataFrame

Download specified sample from MB.

get_cscb() DataFrame

Query Code Signing Certificate Blocklist (CSCB).

get_recent(selector: str) DataFrame

Get the recent MB additions.

Parameters:

selector (str) – Get the latest sample from the last 60 min.

Returns:

The results of the latest addition.

Return type:

pd.DataFrame

lookup_ioc(observable: str, mb_type: str, limit: int = 10) DataFrame

Lookup for IOC in MalwareBazaar.

Parameters:
  • observable (str) – The observable to lookup. It can be a hash, a signature

  • mb_type (str) – The type of the observable. It can be a hash, a signature (refer to MBEntityType).

  • limit (int, optional) – The number of results to return, default is 100 or 50 in some cases, by default 10

Returns:

The results of the lookup.

Return type:

pd.DataFrame

Raises:

KeyError – If invalid IoC type is provided.