What is MalwareBazaar?

MalwareBazaar is a free service by abuse.ch that collects, processes, and shares malware samples to assist security researchers, threat intelligence analysts, and incident responders in their work.

How can I access MalwareBazaar's data?

You can access MalwareBazaar's data through its public web interface for manual searches or via its API for automated queries and submissions.

Is an API key required to use MalwareBazaar?

An API key is required for certain advanced operations and to benefit from higher query limits. Basic public queries may not always require one.

Can I submit new malware samples to MalwareBazaar?

Yes, MalwareBazaar provides an API endpoint for submitting new malware samples, allowing users to contribute to the collective threat intelligence database.

What types of search criteria does the API support?

The API supports searching by file hashes (MD5, SHA1, SHA256), file names, YARA rules, and specific tags or malware family names.

Is MalwareBazaar free for commercial use?

Public use via the web interface and API is free. Commercial use or enterprise licensing requires explicit permission or an enterprise license through abuse.ch partners.

How does MalwareBazaar help with incident response?

It helps incident response teams quickly identify suspicious files by checking hashes against its database, providing immediate context on known malware families and behaviors.

MalwareBazaar API for Threat Intelligence & Research

Overview

MalwareBazaar, a project by abuse.ch, serves as a repository for collecting and sharing malware samples with the public. Launched in 2020, its primary goal is to support the cybersecurity community by providing access to a vast dataset of malicious software. This platform is particularly valuable for organizations and individuals engaged in malware sample research, threat intelligence analysis, security incident response, and reverse engineering efforts. By aggregating samples from various sources, MalwareBazaar enables researchers to track malware trends, identify new threats, and develop effective countermeasures.

The service offers both a web interface for manual exploration and a programmatic API for automated interactions. Users can search for malware samples based on various criteria, including file hashes (MD5, SHA1, SHA256), file names, YARA rules, and even specific tags or families. This granular search capability allows security professionals to quickly ascertain if a suspicious file has been previously identified and analyzed, providing critical context during an incident. The platform also provides details such as the file type, detection names from various antivirus engines, and often links to further analysis reports, such as those from VirusTotal's community analysis. The utility extends to submitting new samples, contributing to the collective intelligence of the cybersecurity domain.

MalwareBazaar excels in scenarios requiring rapid access to a comprehensive dataset of known malware. For instance, an incident response team investigating a breach might use the API to check the hash of a suspicious executable found on a compromised system against the MalwareBazaar database. If a match is found, the team immediately gains insights into the malware's family, common behaviors, and existing antivirus detections, accelerating the containment and eradication process. Similarly, threat intelligence analysts can monitor daily feeds for new submissions related to specific threat actors or malware strains, enhancing their situational awareness and predictive capabilities. The API's design supports integration into automated security workflows, allowing enterprises to enrich their SIEM or SOAR platforms with timely malware intelligence.

Key features

Extensive Malware Repository: Access to a continually updated database of malware samples, categorized by family and type.
Hash-Based Searching: Query samples using MD5, SHA1, and SHA256 hashes to identify known threats quickly.
File Name and YARA Rule Search: Capabilities to search for samples by file name patterns and custom YARA rules for advanced threat hunting.
Tagging and Classification: Malware samples are often tagged with relevant information, including malware family names and associated campaigns, aiding in contextual analysis.
Submission API: Programmatically submit new malware samples to the repository, contributing to the community's collective intelligence.
Daily Dumps: Access daily dumps of newly added malware for proactive threat monitoring and analysis.
API for Automated Access: A RESTful API that allows developers to integrate MalwareBazaar's data and functionalities into their security tools and workflows.
Detailed Sample Information: Retrieve metadata about each sample, including file type, size, first seen date, and links to external analysis reports.

Pricing

MalwareBazaar aims to provide accessible threat intelligence to the cybersecurity community. The pricing model, as of May 2026, reflects this commitment:

Service Tier	Availability	Description
Public Web Interface	Free	Access to the MalwareBazaar website for manual searches and browsing malware samples. Requires no registration.
Public API Access	Free	Programmatic access to the MalwareBazaar API for querying and basic operations. An API key is required for certain operations and is available upon registration.
Commercial / Enterprise Use	Contact for Pricing	For commercial applications or large-scale enterprise deployments, explicit permission or an enterprise license through abuse.ch partners is required. Pricing is determined on a case-by-case basis.

For more detailed information on usage policies and commercial licensing, refer to the MalwareBazaar API terms of service.

Common integrations

MalwareBazaar's API facilitates integration into various security tools and platforms to enhance threat intelligence capabilities:

Security Information and Event Management (SIEM) Systems: Enrich SIEM alerts with malware context by automatically querying MalwareBazaar for hashes found in logs.
Security Orchestration, Automation, and Response (SOAR) Platforms: Automate incident response playbooks to include steps for querying and submitting samples to MalwareBazaar during forensic investigations.
Threat Intelligence Platforms (TIPs): Integrate daily malware feeds into TIPs to maintain an up-to-date repository of indicators of compromise (IOCs).
Malware Analysis Sandboxes: Tools like Any.Run or Hybrid Analysis can be used in conjunction with MalwareBazaar, often providing dynamic analysis reports for samples identified through the repository.
Custom Security Scripts: Developers can build custom Python or PowerShell scripts to perform automated malware lookups, sample downloads, or submission of new threats.

Alternatives

VirusTotal: A service that analyzes suspicious files and URLs to detect types of malware and automatically shares them with the security community.
Any.Run: An interactive sandbox for malware analysis that allows security experts to research threats in a safe environment.
Hybrid Analysis: A free deep file analysis service that uses a unique harnessing technology to detect and analyze unknown threats.

Getting started

To get started with the MalwareBazaar API, you typically need to make HTTP POST requests to the API endpoint. You can query for malware information using various parameters, such as file hashes. The following Python example demonstrates how to query for a specific SHA256 hash using the requests library.


import requests
import json

# Replace with your actual API key if required for specific operations
# For basic queries, an API key might not be strictly necessary, but it's good practice.
# Check the MalwareBazaar API documentation for specifics on API key usage.
api_key = "YOUR_MALWAREBAZAAR_API_KEY" 

# The API endpoint for queries
api_url = "https://mb-api.abuse.ch/api/v1/"

# Example SHA256 hash to query
sha256_hash = "01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b"

# Prepare the request payload
payload = {
    "query": "get_info",
    "hash": sha256_hash
}

# Set headers, including the API key if available
headers = {}
if api_key:
    headers["API-Key"] = api_key

try:
    response = requests.post(api_url, data=payload, headers=headers)
    response.raise_for_status() # Raise an HTTPError for bad responses (4xx or 5xx)

    data = response.json()

    if data and data.get("query_status") == "ok":
        print(f"Successfully retrieved info for hash: {sha256_hash}")
        for result in data.get("data", []):
            print(json.dumps(result, indent=2))
    else:
        print(f"Failed to retrieve info. Status: {data.get('query_status')}")
        print(data.get("message", "No additional message provided."))

except requests.exceptions.HTTPError as http_err:
    print(f"HTTP error occurred: {http_err}") 
except requests.exceptions.ConnectionError as conn_err:
    print(f"Connection error occurred: {conn_err}")
except requests.exceptions.Timeout as timeout_err:
    print(f"Timeout error occurred: {timeout_err}")
except requests.exceptions.RequestException as req_err:
    print(f"An unexpected error occurred: {req_err}")
except json.JSONDecodeError:
    print("Failed to decode JSON response.")
    print(f"Raw response: {response.text}")

This Python script sends a POST request to the MalwareBazaar API to retrieve information about a specific malware sample identified by its SHA256 hash. It includes error handling for common network and API response issues. Remember to replace "YOUR_MALWAREBAZAAR_API_KEY" with your actual API key if your operations require it, as outlined in the official MalwareBazaar API documentation. An API key is not always mandatory for simple queries but provides higher rate limits and access to more advanced features.

MalwareBazaar API for Threat Intelligence & Research

Overview

Key features

Pricing

Common integrations

Alternatives

Getting started

# frequently asked questions

## reviews

## comments

Overview

Key features

Pricing

Common integrations

Alternatives

Getting started

# frequently asked questions

# see also

## reviews

## comments