Welcome back, aspiring cyberwarriors!
In the complex realm of cybersecurity, professionals face a continuously evolving landscape of digital threats. To address this challenge, MalwareBazaar was introduced as a collaborative defense platform, revolutionizing the way cybersecurity experts analyze and combat malicious software.
Conceived by abuse.ch, a distinguished Swiss cybersecurity research organization, MalwareBazaar collects known malicious malware sample, enriches them with additional intelligence and provides them back to the community – for free. The platform was born from a critical observation: traditional methods of malware detection and analysis were fragmented, slow, and woefully inadequate against the cyber threats of the modern era.
At its core, MalwareBazaar is more than a database – it is a living ecosystem of threat intelligence. The platform creates a unified environment where security researchers, organizations, and experts can rapidly exchange crucial information about emerging cyber threats.
The Collaborative Defense Mechanism
What truly sets MalwareBazaar apart is its commitment to collaborative defense. The platform transcends traditional boundaries of organizational and geographical limitations. A malware sample discovered in one corner of the world can be rapidly analyzed, classified, and shared with security professionals globally, creating a dynamic, real-time threat intelligence network.
This approach democratizes cybersecurity intelligence. Smaller organizations, which might lack extensive resources, gain access to the same high-quality threat information as large enterprises.
Getting Started With MalwareBazzar
To begin using MalwareBazaar, simply visit https://bazaar.abuse.ch/. You can search for and download samples without the need for registration.
By navigating to the “MalwareBazaar database” page, you can search for malware samples using various criteria, including hash values (MD5, SHA256, SHA1), imphash, TLSH hash, ClamAV signature, tags, or malware family.
The search syntax for Malware Bazaar follows this format: keyword:search_term. Below is a list of accepted keywords with example search terms:
md5: md5:1b109efade90ace7d953507adb1f1563
sha256: sha256:11b16ba733f2f4f10ac58021eecaf5668551a73e2a1acfae99745c50bfccbb44
signature: signature:CobaltStrike
tag: tag:TA505
file_type: file_type:rtf
user: user:malware_traffic
clamav: clamav:SecuriteInfo.com.Artemis1FBB04F6EAF7.17086.UNOFFICIAL
yara: yara:win_asyncrat_j1
serial_number: serial_number:51CD5393514F7ACE2B407C3DBFB09D8D
issuer_cn: issuer_cn:Sectigo RSA Code Signing CA
imphash: imphash:756fdea446bc618b4804509775306c0d
tlsh: tlsh:8DD484F440EF10A2F25F852936ADBE9401B2B1C7DBDA5E08137DE5311BBDA633A0564D
telfhash: telfhash:52d0a7c198b4972c99e60578ed5c5bb29106216620070b20cf10a5d4d83b440f40db59
gimphash: gimphash:b43f35a8610180bcb184238555a0858a6c160a2d872566e7e9633221308b34fd
dhash_icon: dhash_icon:f8dcbeffbffecee8
For instance, let’s try to find samples of Conti ransomware. Conti is a malware developed by the Russia-based hacking group “Wizard Spider” in December 2019. Since its creation, it has evolved into a full-fledged ransomware-as-a-service (RaaS) operation, used by various threat actor groups to carry out ransomware attacks.
To find these samples, you can search using keywords related to Conti, such as:
signature: signature:Conti
tag: tag:Conti
file_type: file_type:exe (or other file types)
By clicking on the hash, we can access additional information such as the first time the sample was observed, vendor detection details, and more. From there, you can also download the sample for further analysis. I think it goes without saying that attackers can download these samples and use them as well.
Why MalwareBazaar?
Many IT-security researchers heavily rely on publicly available information (OSINT) to hunt down new cyber threats, and OSINT is an invaluable resource for gathering threat intelligence. However, researchers often face a simple yet significant problem: malware samples referenced in blog posts, whitepapers, or mentioned on social media platforms like Twitter are typically not easily accessible. To obtain the malware samples needed for analysis, researchers are required to register on multiple online anti-virus scanning engines, sandboxes, or malware databases. The situation is even more challenging as some of these platforms impose download restrictions (limiting the number of samples that can be downloaded per day), while others are only accessible to paying users. This becomes a major obstacle in daily work.
This was the driving force behind the creation of MalwareBazaar – a platform that enables IT-security researchers to easily share malware samples with the community, without encountering download restrictions or having to pay expensive subscription fees.
What’s The Difference Between MalwareBazaar And VirusTotal?
VirusTotal is a fantastic resource for threat intelligence and malware hunting. Unlike MalwareBazaar, VirusTotal operates as a multi-anti-virus scanner, allowing you to assess whether a specific file is malicious or benign.
However, there are a few limitations with VirusTotal:
While you can upload as many files as you’d like to VirusTotal, downloading malware samples is restricted to paying users only.
As of March 2020, only about one-third of all uploaded files are detected by at least one AV engine (according to VirusTotal statistics). This means that two-thirds of the uploaded samples are considered benign.
On the other hand, MalwareBazaar takes a different approach:
MalwareBazaar focuses solely on tracking malware samples – no adware (PUA/PUP) or benign files.
Unlike VirusTotal, MalwareBazaar is not a multi-anti-virus scanning engine.
You can upload and download as many malware samples as you want, without any restrictions.
It’s completely free!
Summary:
In an era of increasingly complex digital risks, MalwareBazaar stands as a powerful example of collective intelligence. It transforms the fragmented cybersecurity landscape into a cohesive, dynamic ecosystem where knowledge is shared and threats are rapidly identified.
