Welcome to the MalwareConfig API

The following examples use the Python requests library. I hope to write a more descriptive intro soon.

API Authentication

The API requires authentication in order to make queries. The public key currently has no restrictions other than a limit of 10 hashes per query. This may change in the future.

There is a public API Key provided to allow you access.

You can use 0020a316219e895e86dd66a233ec13ec in your code.

To query the API you need to set an HTTP POST field named 'apikey' that contains a valid key. An example using Python requests is shown below.

import requests
values = {'apikey':'0020a316219e895e86dd66a233ec13ec'}
r = requests.post("https://malwareconfig.com/api/test/", data=values)

Your resulting output should look like:
{
  "message": "Public Key",
  "response": "200"
}

View Config - POST https://malwareconfig.com/api/file/config/

You can request the details for up to 10 files in a single API request. You can submit any combination of MD5 and SHA256 hashes.

Hashes should be passed, comma-separated, as a POST variable named 'hashes', not forgetting to include the API key.

import requests
# Two hashes (one SHA256, one MD5) joined with a comma; adjacent string literals are concatenated.
values = {'hashes': '8e3f8b2c06edb8654bcae72ad9ec8289bafcdb9b65574d1ee8cf95c430ad1550,'
                    'e3d80f11724d52e68edba43e51cf0229',
          'apikey': '0020a316219e895e86dd66a233ec13ec'}

r = requests.post("https://malwareconfig.com/api/file/config/", data=values)

The resulting output should look like this:
{
  "count": 2,
  "items": {
    "8e3f8b2c06edb8654bcae72ad9ec8289bafcdb9b65574d1ee8cf95c430ad1550": {
      "Config": {
        "RequestElevation": "00",
        "BypassUAC": "00",
        "RestartDelay": "5000",
        "Group": "Default",
        "RunOnStartup": "01",
        "PreventSystemSleep": "01",
        "UseCustomDNS": "01",
        "PrimaryDNSServer": "8.8.8.8",
        "ConnectDelay": "4000",
        "EnableDebugMode": "00",
        "Version": "\u000f666.666",
        "Mutex": "30240b8d6c2c0244a895319db2176665",
        "SetCriticalProcess": "00",
        "Domain2": "remyhartiel12.no-ip.biz",
        "Domain1": "remyhartiel12.no-ip.biz",
        "Port": "53896",
        "ClearAccessControl": "00",
        "ClearZoneIdentifier": "01"
      },
      "Details": {
        "SHA256": "8e3f8b2c06edb8654bcae72ad9ec8289bafcdb9b65574d1ee8cf95c430ad1550",
        "SubmitDate": "2015-09-24T21:38:37Z",
        "Family": "NanoCore",
        "MD5": "2ae571431cb4baa458a467100d071f25"
      },
      "VirusTotal": {
        "Detected": 27,
        "Total": 57,
        "PermaLink": "https://www.virustotal.com/file/8e3f8b2c06edb8654bcae72ad9ec8289bafcdb9b65574d1ee8cf95c430ad1550/analysis/1442824207/"
      }
    },
    "e3d80f11724d52e68edba43e51cf0229": {
      "Config": {
        "BIND": "1",
        "MSGICON": "16",
        "FTPUSER": "",
        "FTPHOST": "",
        "MSGCORE": "783130302E646C206973206D697373696E6721",
        "FTPUPLOADK": "",
        "SID": "Guest16",
        "FTPPORT": "",
        "FAKEMSG": "1",
        "FWB": "0",
        "FTPSIZE": "",
        "FTPROOT": "",
        "PWD": "Robbie01!",
        "MUTEX": "DC_MUTEX-0LT08Q4",
        "NETDATA": "floam123.no-ip.biz:1604",
        "MSGTITLE": "Error!",
        "OFFLINEK": "1",
        "FTPPASS": "",
        "GENCODE": "3byfmz3Zuywj"
      },
      "Details": {
        "SHA256": "ffc0197d4a425547a42d125bfa2811d9ef3a410da37d014e7815c57835d9706e",
        "SubmitDate": "2015-09-24T21:54:38Z",
        "Family": "DarkComet",
        "MD5": "e3d80f11724d52e68edba43e51cf0229"
      },
      "VirusTotal": {
        "Detected": 48,
        "Total": 56,
        "PermaLink": "https://www.virustotal.com/file/ffc0197d4a425547a42d125bfa2811d9ef3a410da37d014e7815c57835d9706e/analysis/1443038510/"
      }
    }
  },
  "response": "200"
}
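An added example (not code from this page or from MalwareConfig): a small client that validates MD5/SHA256 digests, splits a hash list into batches of 10 to stay within the public key's per-query limit, and pulls C2 host/port pairs out of a /api/file/config/ response (NanoCore's Domain1/Domain2 plus Port, DarkComet's NETDATA host:port) so they can be fed to a blocklist or detection rule. SAMPLE is constructed from the page's example response, trimmed to the C2 fields; query_configs assumes the requests library is installed and is only needed for live lookups.

```python
import json
import re

API_KEY = "0020a316219e895e86dd66a233ec13ec"   # the public key given on this page
HASH_RE = re.compile(r"^(?:[0-9a-f]{32}|[0-9a-f]{64})$")   # MD5 or SHA256 hex digest

def batch_hashes(hashes: list[str], size: int = 10):
    """Validate digests and yield comma-joined batches of at most `size` (10 per query)."""
    clean = []
    for h in hashes:
        h = h.strip().lower()
        if not HASH_RE.match(h):
            raise ValueError(f"not an MD5/SHA256 hex digest: {h!r}")
        clean.append(h)
    for i in range(0, len(clean), size):
        yield ",".join(clean[i:i + size])

def extract_c2(response: dict) -> list[tuple[str, str, str]]:
    """Return sorted (family, host, port) tuples from a /api/file/config/ response.
    NanoCore keeps Domain1/Domain2 plus Port; DarkComet keeps NETDATA as host:port."""
    found = set()
    for item in response.get("items", {}).values():
        cfg = item.get("Config", {})
        family = item.get("Details", {}).get("Family", "unknown")
        for key in ("Domain1", "Domain2"):
            if cfg.get(key):
                found.add((family, cfg[key], cfg.get("Port", "")))
        if cfg.get("NETDATA"):
            host, _, port = cfg["NETDATA"].partition(":")
            found.add((family, host, port))
    return sorted(found)

def query_configs(hashes: list[str]) -> dict:
    """Query the API one batch at a time and merge the returned items."""
    import requests  # imported here so the offline helpers above need no network
    items = {}
    for batch in batch_hashes(hashes):
        r = requests.post("https://malwareconfig.com/api/file/config/",
                          data={"apikey": API_KEY, "hashes": batch})
        r.raise_for_status()
        items.update(r.json().get("items", {}))
    return items

# Constructed sample: the page's two example items, trimmed to their C2 fields.
SAMPLE = json.loads('''{"count": 2, "items": {
  "8e3f8b2c06edb8654bcae72ad9ec8289bafcdb9b65574d1ee8cf95c430ad1550": {
    "Config": {"Domain1": "remyhartiel12.no-ip.biz", "Domain2": "remyhartiel12.no-ip.biz",
               "Port": "53896"}, "Details": {"Family": "NanoCore"}},
  "e3d80f11724d52e68edba43e51cf0229": {"Config": {"NETDATA": "floam123.no-ip.biz:1604"}, "Details": {"Family": "DarkComet"}}},
  "response": "200"}''')
```

Running extract_c2(SAMPLE) yields one DarkComet and one NanoCore entry; the duplicate Domain1/Domain2 value collapses to a single indicator.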

Search Config - POST http://malwareconfig.com/api/search/<type>/

You can search the database for keywords. All domain and config searches support partial terms; there are no wildcards yet.

Set the type to any of the following in order to select your search type.

  • md5
  • sha256
  • domain
  • ip
  • config

The search term should be passed as a POST variable named 'search_word', not forgetting to include the API key.

import requests
values = {'apikey':'0020a316219e895e86dd66a233ec13ec',
             'search_word':'ichieakokwa.ddns.net'
            }

r = requests.post("https://malwareconfig.com/api/file/domain/", data=values)
The resulting output should look like this:

{
  "count": 2,
  "items": {
    "eb2b9cf7e090b894a3a63de94093b23c": {
      "SHA256": "0c1ec1fa43fafbe11d45459af7ee5fef862e7fd249c6f7e4940f25c2f17b801a",
      "SubmitDate": "2015-08-24T14:39:37Z",
      "Family": "LuminosityLink",
      "MD5": "eb2b9cf7e090b894a3a63de94093b23c"
    },
    "b1f6334c5163b67ca8cff21f193f59ad": {
      "SHA256": "07938b75fbb2e4bc586abeae2fdc27cab81b59b8b47693631ddf61e64b2bd3c0",
      "SubmitDate": "2015-08-24T13:33:00Z",
      "Family": "LuminosityLink",
      "MD5": "b1f6334c5163b67ca8cff21f193f59ad"
    }
  },
  "response": "200"
}

Upload File

You can upload single files via the API. The response, if successful, contains the config for the uploaded file.

import requests
values = {'apikey':'0020a316219e895e86dd66a233ec13ec'}
files = {'file_submit': open('file.exe','rb')}
r = requests.post("https://malwareconfig.com/api/upload/", data=values, files=files)
The resulting output should look like this:
{
  "count": 2,
  "items": {
    "8e3f8b2c06edb8654bcae72ad9ec8289bafcdb9b65574d1ee8cf95c430ad1550": {
      "Config": {
        "RequestElevation": "00",
        "BypassUAC": "00",
        "RestartDelay": "5000",
        "Group": "Default",
        "RunOnStartup": "01",
        "PreventSystemSleep": "01",
        "UseCustomDNS": "01",
        "PrimaryDNSServer": "8.8.8.8",
        "ConnectDelay": "4000",
        "EnableDebugMode": "00",
        "Version": "\u000f666.666",
        "Mutex": "30240b8d6c2c0244a895319db2176665",
        "SetCriticalProcess": "00",
        "Domain2": "remyhartiel12.no-ip.biz",
        "Domain1": "remyhartiel12.no-ip.biz",
        "Port": "53896",
        "ClearAccessControl": "00",
        "ClearZoneIdentifier": "01"
      },
      "Details": {
        "SHA256": "8e3f8b2c06edb8654bcae72ad9ec8289bafcdb9b65574d1ee8cf95c430ad1550",
        "SubmitDate": "2015-09-24T21:38:37Z",
        "Family": "NanoCore",
        "MD5": "2ae571431cb4baa458a467100d071f25"
      },
      "VirusTotal": {
        "Detected": 27,
        "Total": 57,
        "PermaLink": "https://www.virustotal.com/file/8e3f8b2c06edb8654bcae72ad9ec8289bafcdb9b65574d1ee8cf95c430ad1550/analysis/1442824207/"
      }
    }
  },
  "response": "200"
}

All Domains

A CSV file containing all domains and IPs stored within the database can be retrieved without the need for an API key.

The domain and IP lists are not live: the dataset is generated at 00:01 UTC every day.

All C2 domains / IPs in the database: GET https://malwareconfig.com/static/C2_All.csv

All C2 domains / IPs observed in the last 24 hours (00:00 UTC to 00:00 UTC): GET https://malwareconfig.com/static/C2_24.csv