Created June 15, 2021 19:04
Gist peasead/5a9f846384ac2421e61f32b3bef1d80a
Download samples from Malware Bazaar based on tag.
#!/bin/bash
# Bash script to download Malware Bazaar samples based on tag
# Run this inside an isolated analysis VM: the final step extracts live malware into the working directory.

# Define tag and number of samples to download
TAG=insert-malware-bazaar-tag
DOWNLOAD_LIMIT=100

# Determine OS
OS=$(uname -s)

# Download hash values from tag, save the SHA256 hashes
# (each matching line of the JSON reply looks like  "sha256_hash": "<hash>",  so field 2 still carries the quotes and comma)
curl -XPOST -d "query=get_taginfo&tag=${TAG}&limit=${DOWNLOAD_LIMIT}" https://mb-api.abuse.ch/api/v1/ | grep sha256_hash | awk '{print $2}' > "${TAG}.raw"

# OS loop
# If macOS, clean up the download to remove "s and ,s (BSD sed needs a backup suffix with -i)
if [ "${OS}" == "Darwin" ]
then
  sed -i.bak 's/"//g' "${TAG}.raw"
  rm "${TAG}.raw.bak"
  sed -i.bak 's/,//g' "${TAG}.raw"
  rm "${TAG}.raw.bak"
# If Linux, clean up the download to remove "s and ,s (GNU sed edits in place with a bare -i; without -i the file was never changed)
elif [ "${OS}" == "Linux" ]
then
  sed -i 's/"//g' "${TAG}.raw"
  sed -i 's/,//g' "${TAG}.raw"
# Exiting OS loop
fi

# Create the hash file from the raw file
mv "${TAG}.raw" "${TAG}.hash"

# Download the samples using their hash values (each download is a zip archive protected with the password "infected")
while read -r h; do curl -XPOST -d "query=get_file&sha256_hash=${h}" -o "${h}" https://mb-api.abuse.ch/api/v1/; done < "${TAG}.hash"

# Unarchive the malware samples (-y answers any overwrite prompt so 7z does not consume the loop's stdin)
while read -r h; do 7z e -y "${h}" -p"infected"; done < "${TAG}.hash"

# Clean up by removing the hash list and the compressed archive files
while read -r h; do rm "${h}"; done < "${TAG}.hash"
rm "${TAG}.hash"
I had problems getting this script to work, but I just modified the two "sed" lines, and now it works perfectly 👍
sed -i 's/,//g' ${TAG}.raw
sed -i 's/"//g' ${TAG}.raw
If you wanted to ONLY get .bat files, you could use the file_type API endpoint instead of the tag API endpoint.
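The following is an added example, not the gist's own code or the comment author's. It covers both the hash-extraction step of the script above and the file_type variant suggested in the last comment: one helper set that builds the POST body for either selector, pulls the sha256 hashes out of the JSON reply without the grep/awk/sed chain (so pretty-printed and compact JSON both work), and validates each hash before it is used as a file name and later passed to rm. The query names (get_taginfo, get_file_type, get_file) follow the MalwareBazaar API documentation; the function names, the MB_LIVE switch and the sample reply are constructed for this example, and the live download only runs when MB_LIVE=1.

```shell
#!/usr/bin/env bash
# Added example (not part of the gist). Helpers for the MalwareBazaar API:
# build a query body, parse hashes out of a reply, validate them, then download.
set -eu

MB_API="https://mb-api.abuse.ch/api/v1/"

# Build the POST body for a tag query or a file_type query (names per the API docs).
mb_query_body() {
  local selector="$1" value="$2" limit="${3:-100}"
  case "$selector" in
    tag)       printf 'query=get_taginfo&tag=%s&limit=%s' "$value" "$limit" ;;
    file_type) printf 'query=get_file_type&file_type=%s&limit=%s' "$value" "$limit" ;;
    *)         echo "unknown selector: $selector" >&2; return 1 ;;
  esac
}

# Print every sha256_hash value found in an API reply on stdin, one per line, lower-cased.
# Matches the key/value pair directly, so whitespace and line layout of the JSON do not matter.
mb_extract_sha256() {
  grep -oE '"sha256_hash" *: *"[0-9a-fA-F]{64}"' | grep -oE '[0-9a-fA-F]{64}' | tr 'A-F' 'a-f'
}

# Accept only a 64-hex-char string: the hash becomes a file name and is later handed to rm,
# so anything else (including path fragments) must never reach those commands.
mb_is_sha256() {
  printf '%s' "$1" | grep -qE '^[0-9a-f]{64}$'
}

# Fetch and unpack the samples for a selector. Needs network access; only called when MB_LIVE=1.
mb_download() {
  local selector="$1" value="$2" limit="${3:-100}" h
  curl -fsS -X POST -d "$(mb_query_body "$selector" "$value" "$limit")" "$MB_API" \
    | mb_extract_sha256 \
    | while read -r h; do
        mb_is_sha256 "$h" || { echo "skipping malformed hash: $h" >&2; continue; }
        # Each sample arrives as a zip archive protected with the password "infected".
        curl -fsS -X POST -d "query=get_file&sha256_hash=${h}" -o "${h}.zip" "$MB_API"
        7z e -y -p"infected" "${h}.zip" > /dev/null < /dev/null
        rm -f "${h}.zip"
      done
}

# Constructed sample reply in the shape of a get_taginfo / get_file_type response (fake hashes,
# one entry malformed on purpose). Not real API output.
SAMPLE_REPLY='{"query_status":"ok","data":[
  {"sha256_hash": "0000000000000000000000000000000000000000000000000000000000000001","file_type":"bat"},
  {"sha256_hash":"0000000000000000000000000000000000000000000000000000000000000002","file_type":"bat"},
  {"sha256_hash": "not-a-hash", "file_type": "bat"}
]}'

# Number of well-formed hashes the parser recovers from the sample reply.
mb_demo_count() {
  printf '%s\n' "$SAMPLE_REPLY" | mb_extract_sha256 | grep -c .
}

if [ "${MB_LIVE:-0}" = "1" ]; then
  # Live run: only .bat samples, as suggested in the comment above.
  mb_download file_type bat 25
else
  echo "query body: $(mb_query_body file_type bat 25)"
  echo "hashes parsed from sample reply: $(mb_demo_count)"
fi
```

Run it as-is to see the query body and the parse of the sample reply; run it with MB_LIVE=1 inside an isolated VM to perform the real download. The validation step is the point: the gist's loops pass whatever is in the hash file straight to curl, 7z and rm, so a malformed line would be used as a file name without any check.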