Skip to content

Instantly share code, notes, and snippets.

@n3l5
Created May 3, 2021 20:14
Show Gist options
  • Save n3l5/e441404e8666d65df7074204af3493c3 to your computer and use it in GitHub Desktop.
Save n3l5/e441404e8666d65df7074204af3493c3 to your computer and use it in GitHub Desktop.
PowerShell script to query AbuseCH Malware Bazaar for a give hash or file(path).
[CmdletBinding()]
param (
[Parameter(Mandatory=$False)]
[string]$FileHash,
[Parameter(Mandatory=$False)]
[String]$FilePath
)
#Set up proxy auth
$pxyauth = new-object System.Net.WebClient
$pxyauth.Headers.Add("user-agent", "PowerShell Script")
$pxyauth.Proxy.Credentials = [System.Net.CredentialCache]::DefaultNetworkCredentials
#Check for existence of HASH or PATH
if (!($FileHash -or $FilePath)) {
Write-Host ""
Write-Host -ForegroundColor Yellow 'Missing the HASH or the PATH, you must supply one.'
Write-Host ""
exit
}
#Check for existence of only one
if ($FileHash -and $FilePath) {
Write-Host ""
Write-Host -ForegroundColor Yellow 'You have both a HASH and PATH, you must supply only one.'
Write-Host ""
exit
}
#Check if Path then hash the file; SHA256 by default
if ($FilePath){
if (Test-Path $FilePath -PathType Leaf){
$fhash = Get-FileHash $FilePath | foreach {$_.hash}
}
}
#If Hash then make hash $fhash and pass
else {
$fhash = $FileHash
}
#Set up the query
$body = @{'query'='get_info'; 'hash'=$fhash}
$uri = "https://mb-api.abuse.ch/api/v1/"
#Make the query
$response = invoke-restmethod -URI $uri -Method POST -Body $body
#Check if the query found the hash.
if ($response.query_status -eq 'hash_not_found'){
Write-Host '>>>>>>>>>> The sample hash was not found on Malbazaar <<<<<<<<<<'
exit
}
#If the response was 200 (OK), continue with the data extraction
else{
Write-Host '###############<<< File Info >>>###############'
Write-Host '#################################################'
$file_name = $response.data.file_name
Write-Host ''
Write-Host "Filename:"$file_name
Write-Host ''
$file_type_mime = $response.data.file_type_mime
$file_type = $response.data.file_type
Write-Host "MIME File Type:"$file_type_mime
Write-Host " File Type:"$file_type
Write-Host ''
$first_seen = $response.data.first_seen
$last_seen = $response.data.last_seen
Write-Host "First Seen: "$first_seen
Write-Host " Last Seen: "$last_seen
Write-Host ''
$malbazaar_signature = $response.data.signature
Write-Host 'Signature: '$malbazaar_signature
Write-Host ''
$tags = $response.data.tags
Write-Host "Tags:"$tags
Write-Host ''
Write-Host ''
#yararules
$yara_rules = $response.data.yara_rules
if ($yara_rules){
Write-Host '###############<<< YARA rule information >>>###############'
Write-Host '#############################################################'
Write-Host ''
foreach ($yar in $yara_rules){
$yar_name = $yar.rule_name
$yar_desc = $yar.description
Write-Host "YARA Rule name:"$yar_name
Write-Host "YARA Rule desc:"$yar_desc
Write-Host ''
Write-Host ''
}
}
Write-Host '###############<<< File HASH information >>>###############'
Write-Host '#############################################################'
Write-Host ''
$sha256_hash = $response.data.sha256_hash
$sha1_hash = $response.data.sha1_hash
$md5_hash = $response.data.md5_hash
Write-Host " MD5 hash: "$md5_hash
Write-Host " SHA1 hash: "$sha1_hash
Write-Host "SHA256 hash: "$sha256_hash
Write-Host ''
$imphash_hash = $response.data.imphash
$ssdeep_hash = $response.data.ssdeep
Write-Host " IMPHASH: "$imphash_hash
Write-Host ''
Write-Host " SSDEEP: "$ssdeep_hash
Write-Host ''
Write-Host ''
Write-Host '###############<<< File Intelligence information >>>###############'
Write-Host '#####################################################################'
Write-Host ''
$delivery_method = $response.data.delivery_method
Write-Host "Delivery method:"$delivery_method
Write-Host ''
$intelligence = $response.data.intelligence.clamav
Write-Host 'Intelligence: ClamAV'$intelligence
Write-Host ''
Write-Host ''
#ReversingLabs = $response.data.vendor_intel.ReversingLabs
$ReversingLabs_verdict = $response.data.vendor_intel.ReversingLabs.status
$ReversingLabs_threatname = $response.data.vendor_intel.ReversingLabs.threat_name
$ReversingLabs_firstseen = $response.data.vendor_intel.ReversingLabs.first_seen
Write-Host '###############<<< REVERSINGLABS info >>>###############'
Write-Host '##########################################################'
Write-Host 'ReversingLabs verdict:'$ReversingLabs_verdict
Write-Host 'ReversingLabs threatname:'$ReversingLabs_threatname
Write-Host 'ReversingLabs firstseen:'$ReversingLabs_firstseen
Write-Host ''
Write-Host ''
#ANYRUN = $response.data.vendor_intel.ANY.RUN
$anyrun ='ANY.RUN'
$ANYRUN_verdict = $response.data.vendor_intel.$anyrun.verdict
$ANYRUN_firstseen = $response.data.vendor_intel.$anyrun.date
$ANYRUN_URL = $response.data.vendor_intel.$anyrun.analysis_url
Write-Host '###############<<< ANY.RUN info >>>###############'
Write-Host '####################################################'
Write-Host $anyrun 'verdict:'$ANYRUN_verdict
Write-Host $anyrun 'firstseen:'$ANYRUN_firstseen
Write-Host $anyrun 'Analysis URL:'$ANYRUN_URL
Write-Host ''
Write-Host ''
#HatchingTriage = $response.data.vendor_intel.Triage
Write-Host '###############<<< HatchingTriage info >>>###############'
Write-Host '###########################################################'
$HatchingTriage_verdict = $response.data.vendor_intel.Triage.score
$HatchingTriage_malwarefamily = $response.data.vendor_intel.Triage.malware_family
$HatchingTriage_tags = $response.data.vendor_intel.Triage.tags
$HatchingTriage_URL = $response.data.vendor_intel.Triage.link
Write-Host 'Hatching Triage verdict:'$HatchingTriage_verdict
Write-Host 'Hatching Triage Malware family:'$HatchingTriage_malwarefamily
Write-Host 'Hatching Triage tags:'$HatchingTriage_tags
Write-Host 'Hatching Triage Analysis URL:'$HatchingTriage_URL
Write-Host ''
Write-Host ''
#UnpacME
$unpac_me = $response.data.vendor_intel.UnpacMe
if ($unpac_me){
Write-Host '##################<<< Unpac Me info >>>##################'
Write-Host '###########################################################'
Write-Host ''
foreach ($unp in $unpac_me){
$md5 = $unp.md5_hash
$sha256 = $unp.sha256_hash
$link = $unp.Link
$det = $unp.detections
Write-Host " MD5 hash:"$md5
Write-Host "SHA256 hash:"$sha256
Write-Host "Link:"$link
Write-Host "Detections:"$det
Write-Host ''
}
}
#Malware Bazaar Page info
$url = 'https://bazaar.abuse.ch/sample/'
Write-Host '###############<<< AbuseCH Malware Bazaar info >>>###############'
Write-Host '###################################################################'
Write-Host ''
Write-Host 'AbuseCH Malware Bazaar page:'
Write-Host $url$sha256_hash
Write-Host ''
}
@Menesay
Copy link

Menesay commented Jun 4, 2024

❤️

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment