PolySwarm STIX / TAXII
Structured Threat Information Expression (STIX) and Trusted Automated Exchange of Intelligence Information (TAXII) are community-supported OASIS specifications analysts use to automate the sharing of threat intelligence.
PolySwarm supports these standards through TAXII v2.1-compliant services that serve STIX v2.1-formatted threat intelligence feeds. Users can consume PolySwarm intelligence with the array of software tools supporting the current STIX and TAXII standards while still receiving PolySwarm-exclusive intelligence such as the canonicalized malware family and PolyScore.
PolySwarm supports two ways of consuming STIX/TAXII: through integrations (e.g. ThreatQuotient, Cyware, Sentinel) and through the Python API.
Getting Started
A few things need to be in place before setting up the STIX/TAXII integration.
Prerequisites
- If you haven't already, create a PolySwarm account.
- You will need a client that supports TAXII 2.1 (taxii2client if using the Python API).
API Roots & Collections
TAXII servers host a hierarchy of API Roots: distinct TAXII instances accessed via different URLs, each providing its own collections of threat intelligence.
What is a collection?
PolySwarm's TAXII services are organized around collections: logical repositories of threat intelligence organized by type and purpose.
Objects in a collection may also appear in others, enabling pivots between faster feeds of compact objects and detailed representations in specialized collections.
PolySwarm's collections are designed so that new collections can be added without disrupting existing consumers. Each collection is assigned a unique identifier (UUID) that identifies it when querying PolySwarm's TAXII server.
Work with your PolySwarm sales representative to enable access to each API Root and collection you need. The currently available API Roots and collections are listed under "Configuration of TAXII Client" below and can be enumerated programmatically with the Python API.
Create a Team API Key
A Team API Key is needed to authenticate both the integration setup and the Python API configuration. It is sent as the HTTP password on every request, so store it as you would any other credential.
- Log into the PolySwarm UI https://polyswarm.network/
- Click on the account user name in the top right corner
- Click on Switch Accounts and switch to your Team Account
- Navigate to Settings in the top right corner
- Navigate to the API Keys page
- Add a new Team Account API Key
Locate Team ID (for Username)
The Team ID is used as the username for both the integration setup and the Python API configuration.
- Log into the PolySwarm UI https://polyswarm.network/
- Click on the account user name in the top right corner
- Click on Switch Accounts and switch to your Team Account
- Navigate to Settings in the top right corner
- Locate your Team ID below your Team Name, e.g. #123454212
Connecting via Integrations
Integrations that support STIX/TAXII 2.1 offer the ability to add a TAXII feed; you will need the following details:
- Username: your PolySwarm Team ID
- Password: your PolySwarm Team API Key
- API Root URL
- Collection ID
This section reviews how to find the API Root URL and Collection ID and how to configure the integration.
Configuration of TAXII Client
The API Root URL and Collection ID can be obtained from the table below.
Note: Access to collections depends on the Team account subscription plan; contact [email protected] for details. For an up-to-date list of collections, see the "Listing available collections" section under the Python API. For integrations that require a discovery URL use: https://api.polyswarm.network/v3/stix/taxii2/
Title | Description | API Root URL | Collection | Collection ID | Details |
---|---|---|---|---|---|
Ransomware | Emerging Ransomware | https://api.polyswarm.network/v3/stix/ransomware/ | Identified ransomware-family feed | 7b6bbecc-95cf-5317-a900-5bb7008eae93 | PolyScore > 0.50, Artifacts in the last 14 days that match a list of malware families. |
PolySwarm Trust Group | Guest researcher feeds | https://api.polyswarm.network/v3/stix/trustgroup/ | 14-Day Feed | 3f153afb-5bf5-5cca-bfe9-ee854d92658d | Any PolyScore, All Artifacts in the last 14 days |
You can obtain the latest list of collections with the Python API. Prefer API Root URLs taken from the discovery response over URLs copied from older examples, since the API path may change between versions.
Add the details above to your integration's configuration page. Once configured and saved, the integration will poll the collection and ingest the intelligence.
Connecting via Python API
PolySwarm's TAXII services are accessed via the standard HTTP endpoints defined by TAXII v2.1, usually through a TAXII client library such as taxii2client. This section describes how to use that Python library to read the STIX/TAXII collections.
Authentication
PolySwarm authenticates requests with HTTP Basic authentication: your Team ID (the account number shown under Settings) is the username and your Team API Key is the password. The key travels with every request, so always use the https:// discovery URL and load the credentials from an environment variable or secret store rather than committing them in code:
import taxii2client.v21
TAXII_SERVER = taxii2client.v21.Server(
'https://api.polyswarm.network/v3/stix/taxii2/',
user='${YOUR ACCOUNT NUMBER}',
password='${YOUR API KEY}'
)
Default API Root
Users of taxii2client can access their default API root through the server's default attribute:
DEFAULT_API_ROOT = TAXII_SERVER.default
Listing available collections
Customers with a PolySwarm account can programmatically obtain an up-to-date list of the titles, short descriptions and UUIDs of each API root and collection, together with whether the current user is allowed to read from or write to it, via the Python API:
def print_all_collections(server):
    from textwrap import indent

    def build_printer(prefix='', sep=''):
        # The first line printed gets `sep` (e.g. '- '); later lines get matching spaces.
        nsep = sep

        def driver(*args, **kwargs):
            nonlocal nsep
            print(indent(' '.join(args), prefix=prefix + nsep), **kwargs)
            nsep = ' ' * len(nsep)
        return driver

    p = build_printer()
    p(f'Title: "{server.title}"')
    p(f'Contact: "{server.contact}"')
    p(f'Description: "{server.description}"')
    p('Roots:')
    for root in server.api_roots:
        p = build_printer('  ', sep='- ')
        p(f'Title: "{root.title}"')
        p(f'Description: "{root.description}"')
        p(f'URL: "{root.url}"')
        p('Collections:')
        for collection in root.collections:
            p = build_printer('    ', sep='- ')
            p(f'Title: "{collection.title}"')
            p(f'Objects URL: "{collection.objects_url}"')
            if collection.description:
                p(f'Description: "{collection.description}"')
            p(f'Can Read: {collection.can_read}')
            p(f'Can Write: {collection.can_write}')

print_all_collections(TAXII_SERVER)
Title: "Polyswarm TAXII Service"
Contact: "[email protected]"
Description: "This TAXII Server contains a listing of Polyswarm's feed data"
Roots:
  - Title: "PolySwarm Trust Group"
    Description: "Guest researcher feeds"
    URL: "https://api.polyswarm.network/v2/stix/trustgroup/"
    Collections:
      - Title: "14-Day Feed"
        Objects URL: "https://api.polyswarm.network/v2/stix/trustgroup/collections/3f153afb-5bf5-5cca-bfe9-ee854d92658d/objects/"
        Can Read: True
        Can Write: False
  - Title: "Ransomware"
    Description: "Emerging Ransomware"
    URL: "https://api.polyswarm.network/v2/stix/ransomware/"
    Collections:
      - Title: "Identified ransomware-family feed"
        Objects URL: "https://api.polyswarm.network/v2/stix/ransomware/collections/7b6bbecc-95cf-5317-a900-5bb7008eae93/objects/"
        Can Read: True
        Can Write: False
  - Title: "Freemium"
    Description: "Polyswarm Basic TAXII"
    URL: "https://api.polyswarm.network/v2/stix/freemium/"
    Collections:
      - Title: "Freemium collection"
        Objects URL: "https://api.polyswarm.network/v2/stix/freemium/collections/019630e9-0cdb-5d7d-b8c1-120c793093ad/objects/"
        Can Read: True
        Can Write: False
Pagination
TAXII supports pagination of very large result sets. Each response envelope carries a "more" flag and, when more pages remain, a "next" cursor to pass back on the following request. Collections return a "feed" of STIX-formatted data sorted in ascending order by the date the objects were added to the collection:
def read_taxii_feed(collection, **kwargs):
    # Follow the TAXII 2.1 cursor: keep requesting while the envelope says more=True.
    # Any TAXII filter can be passed through kwargs, e.g. added_after=<timestamp> to
    # resume an incremental poll from where the last run stopped.
    while True:
        page = collection.get_objects(**kwargs)
        if page:
            yield page['objects']
            if page.get('more') is True:
                kwargs['next'] = page['next']
                continue
        break

iterator = read_taxii_feed(DEFAULT_API_ROOT.collections[0])
print(next(iterator))
[{'id': 'bundle--dd45c61c-ddbf-4fbb-80db-cb89fd18a656', 'objects': [{'aliases': ['Trojan.DownLoad3.28161', 'Trojan.Generic.dayyf', 'win/malicious', 'TrojanDownloader:Win32/Waski.aaca15b4', 'Trojan.Win32.Crypt', 'Trojan.ADC939420BE48D7E'], 'created': '2021-09-01T19:22:45.157824Z', 'external_references': [{'source_name': 'polyswarm-report', 'url': 'https://polyswarm.network/scan/results/file/2b898acee79ef91d036ceaf043953f234a36be79cfc92ec9f98f0c54a547144d'}], 'first_seen': '2021-09-01T19:22:45.157824Z', 'id': 'malware--de44e0eb-0e97-4fa4-80ab-e689fd18a656', 'is_family': True, 'last_seen': '2021-09-01T19:22:45.157824Z', 'malware_types': ['trojan', 'downloader'], 'modified': '2021-09-15T19:22:44.625891Z', 'name': 'Trojan.Win32.Crypt', 'spec_version': '2.1', 'type': 'malware'}, {'atime': '2021-09-01T19:22:50.000000Z', 'ctime': '2021-09-01T19:22:50.000000Z', 'hashes': {'MD5': 'fef489eed1314bcd5d545e7f65889ed8', 'SHA-1': 'ddab1051e713b9ce191382cc34820a6a6117ae7f', 'SHA-256': '2b898acee79ef91d036ceaf043953f234a36be79cfc92ec9f98f0c54a547144d', 'SHA-512': '760e9924f8b1c8f20420f2bde9abc09881b7e38062bb3275d4c50cd8856eb0a3b108746c1289d79c8cb751e0a6b01e979e43d2dc7c527e8f288b1d6864aa265b', 'SSDEEP': '768:/whRkKCCR3IAm9MOlq8bdA/bmerdkDwRGXn/+mmCfyrr7/YMy:s5Hm9dl4/tuDz/+mjfum', 'TLSH': '4413ae3c6ee95672d3bbdab6c6f655c6f931b42379029c0d40da03850c13f16eda1a2e'}, 'id': 'file--dd45c61c-ddbf-4fbb-80db-cb89fd18a656', 'mtime': '2021-09-01T19:22:50.000000Z', 'name': '2b898acee79ef91d036ceaf043953f234a36be79cfc92ec9f98f0c54a547144d', 'spec_version': '2.1', 'type': 'file'}, {'aliases': ['Trojan.DownLoad3.28161', 'win/malicious', 'TrojanDownloader:Win32/Waski.aaca15b4', 'Trojan.ADC939420BE48D7E', 'Trojan.Generic.dayyf', 'Trojan.Win32.Crypt'], 'confidence': 99, 'created': '2021-09-01T19:22:45.157824Z', 'first_seen': '2021-09-01T19:22:45.157824Z', 'id': 'malware--dd45c61c-ddbf-4fbb-80db-cb89fd18a656', 'is_family': False, 'last_seen': '2021-09-01T19:22:45.157824Z', 'modified': 
'2021-09-15T19:22:44.627754Z', 'name': 'Trojan.Win32.Crypt', 'sample_refs': ['file--dd45c61c-ddbf-4fbb-80db-cb89fd18a656'], 'spec_version': '2.1', 'type': 'malware'}, {'created': '2021-09-15T19:22:44.627966Z', 'id': 'relationship--5870ee12-8276-4110-bf58-42df4297025c', 'modified': '2021-09-15T19:22:44.627966Z', 'relationship_type': 'variant-of', 'source_ref': 'malware--dd45c61c-ddbf-4fbb-80db-cb89fd18a656', 'spec_version': '2.1', 'target_ref': 'malware--de44e0eb-0e97-4fa4-80ab-e689fd18a656', 'type': 'relationship'}, {'created': '2021-09-01T19:22:45.157824Z', 'id': 'malware-analysis--dc45ca9a-beff-4fd6-8087-5689fd18a656', 'modified': '2021-09-15T19:22:44.628133Z', 'product': 'jiangmin', 'result': 'malicious', 'result_name': 'Trojan.Generic.dayyf', 'spec_version': '2.1', 'type': 'malware-analysis'}, {'created': '2021-09-15T19:22:44.628265Z', 'id': 'relationship--376a66a3-9be9-4e55-be0f-d981e06bf156', 'modified': '2021-09-15T19:22:44.628265Z', 'relationship_type': 'av-analysis-of', 'source_ref': 'malware-analysis--dc45ca9a-beff-4fd6-8087-5689fd18a656', 'spec_version': '2.1', 'target_ref': 'malware--dd45c61c-ddbf-4fbb-80db-cb89fd18a656', 'type': 'relationship'}, {'analysis_definition_version': '69971A0908A7EC9BE1CDAA21B8EFE918, ' '2020-Nov-23 22:42:22', 'analysis_engine_version': '7.00.49.09080', 'created': '2021-09-01T19:22:45.157824Z', 'id': 'malware-analysis--dc44f2e4-46e1-4fb2-80e5-7889fd18a656', 'modified': '2021-09-15T19:22:44.628403Z', 'product': 'drweb', 'result': 'malicious', 'result_name': 'Trojan.DownLoad3.28161', 'spec_version': '2.1', 'type': 'malware-analysis'}, {'created': '2021-09-15T19:22:44.628524Z', 'id': 'relationship--4ae93d16-fa30-41db-8e17-37713f6771d7', 'modified': '2021-09-15T19:22:44.628524Z', 'relationship_type': 'av-analysis-of', 'source_ref': 'malware-analysis--dc44f2e4-46e1-4fb2-80e5-7889fd18a656', 'spec_version': '2.1', 'target_ref': 'malware--dd45c61c-ddbf-4fbb-80db-cb89fd18a656', 'type': 'relationship'}, {'analysis_engine_version': '2', 
'created': '2021-09-01T19:22:45.157824Z', 'id': 'malware-analysis--dc45bf19-ce09-4fa7-801e-3f89fd18a656', 'modified': '2021-09-15T19:22:44.628658Z', 'product': 'crowdstrike-falcon-ml', 'result': 'malicious', 'result_name': 'win/malicious', 'spec_version': '2.1', 'type': 'malware-analysis'}, {'created': '2021-09-15T19:22:44.628776Z', 'id': 'relationship--db9ee711-2a3a-451a-9fe3-70b6ae5322b9', 'modified': '2021-09-15T19:22:44.628776Z', 'relationship_type': 'av-analysis-of', 'source_ref': 'malware-analysis--dc45bf19-ce09-4fa7-801e-3f89fd18a656', 'spec_version': '2.1', 'target_ref': 'malware--dd45c61c-ddbf-4fbb-80db-cb89fd18a656', 'type': 'relationship'}, {'created': '2021-09-01T19:22:45.157824Z', 'id': 'malware-analysis--dc447f63-6ab3-4fc3-807f-7889fd18a656', 'modified': '2021-09-15T19:22:44.628910Z', 'product': 'filseclab', 'result': 'malicious', 'result_name': 'Trojan.ADC939420BE48D7E', 'spec_version': '2.1', 'type': 'malware-analysis'}, {'created': '2021-09-15T19:22:44.629048Z', 'id': 'relationship--aa86d817-54a7-479b-977e-85cdc653f0be', 'modified': '2021-09-15T19:22:44.629048Z', 'relationship_type': 'av-analysis-of', 'source_ref': 'malware-analysis--dc447f63-6ab3-4fc3-807f-7889fd18a656', 'spec_version': '2.1', 'target_ref': 'malware--dd45c61c-ddbf-4fbb-80db-cb89fd18a656', 'type': 'relationship'}, {'analysis_definition_version': '48872546c2e9031cb99dc29783b079288f18c6f8-Release.x64', 'analysis_engine_version': '4.7.0.10', 'created': '2021-09-01T19:22:45.157824Z', 'id': 'malware-analysis--dc45ee09-d9c1-4f3f-80c0-5e89fd18a656', 'modified': '2021-09-15T19:22:44.629191Z', 'product': 'sentinelone-static-ml', 'result': 'malicious', 'spec_version': '2.1', 'type': 'malware-analysis'}, {'created': '2021-09-15T19:22:44.629314Z', 'id': 'relationship--827b5c4d-e12d-454d-8ced-e361041d2695', 'modified': '2021-09-15T19:22:44.629314Z', 'relationship_type': 'av-analysis-of', 'source_ref': 'malware-analysis--dc45ee09-d9c1-4f3f-80c0-5e89fd18a656', 'spec_version': '2.1', 'target_ref': 
'malware--dd45c61c-ddbf-4fbb-80db-cb89fd18a656', 'type': 'relationship'}, {'analysis_definition_version': '6.100', 'analysis_engine_version': '5.5.1', 'created': '2021-09-01T19:22:45.157824Z', 'id': 'malware-analysis--dc44db30-d404-4fcb-80ce-6289fd18a656', 'modified': '2021-09-15T19:22:44.629455Z', 'product': 'secureage', 'result': 'malicious', 'spec_version': '2.1', 'type': 'malware-analysis'}, {'created': '2021-09-15T19:22:44.629575Z', 'id': 'relationship--fc2e7e5f-8e92-427f-a792-2bbc60cd5cfb', 'modified': '2021-09-15T19:22:44.629575Z', 'relationship_type': 'av-analysis-of', 'source_ref': 'malware-analysis--dc44db30-d404-4fcb-80ce-6289fd18a656', 'spec_version': '2.1', 'target_ref': 'malware--dd45c61c-ddbf-4fbb-80db-cb89fd18a656', 'type': 'relationship'}, {'created': '2021-09-01T19:22:45.157824Z', 'id': 'malware-analysis--dc44172e-d6a0-4f38-80ba-0189fd18a656', 'modified': '2021-09-15T19:22:44.629717Z', 'product': 'lionic', 'result': 'malicious', 'spec_version': '2.1', 'type': 'malware-analysis'}, {'created': '2021-09-15T19:22:44.629835Z', 'id': 'relationship--b64b2696-f536-4dc6-afeb-2461ec4749cd', 'modified': '2021-09-15T19:22:44.629835Z', 'relationship_type': 'av-analysis-of', 'source_ref': 'malware-analysis--dc44172e-d6a0-4f38-80ba-0189fd18a656', 'spec_version': '2.1', 'target_ref': 'malware--dd45c61c-ddbf-4fbb-80db-cb89fd18a656', 'type': 'relationship'}, {'analysis_definition_version': '01.09.2021 18:16:19 (104093)', 'analysis_engine_version': '5.6.2.0', 'created': '2021-09-01T19:22:45.157824Z', 'id': 'malware-analysis--dc44609a-145c-4f5d-80a1-e189fd18a656', 'modified': '2021-09-15T19:22:44.629969Z', 'product': 'ikarus', 'result': 'malicious', 'result_name': 'Trojan.Win32.Crypt', 'spec_version': '2.1', 'type': 'malware-analysis'}, {'created': '2021-09-15T19:22:44.630087Z', 'id': 'relationship--9e559a2e-d185-49fb-ab26-eb747e99de3c', 'modified': '2021-09-15T19:22:44.630087Z', 'relationship_type': 'av-analysis-of', 'source_ref': 
'malware-analysis--dc44609a-145c-4f5d-80a1-e189fd18a656', 'spec_version': '2.1', 'target_ref': 'malware--dd45c61c-ddbf-4fbb-80db-cb89fd18a656', 'type': 'relationship'}, {'analysis_definition_version': '2019-10-02 10:25', 'created': '2021-09-01T19:22:45.157824Z', 'id': 'malware-analysis--dc45b73b-fc99-4f74-8075-8789fd18a656', 'modified': '2021-09-15T19:22:44.630221Z', 'product': 'qihoo-360', 'result': 'benign', 'spec_version': '2.1', 'type': 'malware-analysis'}, {'created': '2021-09-15T19:22:44.630336Z', 'id': 'relationship--95f18068-1342-4021-b3fd-49e3a021b9d0', 'modified': '2021-09-15T19:22:44.630336Z', 'relationship_type': 'av-analysis-of', 'source_ref': 'malware-analysis--dc45b73b-fc99-4f74-8075-8789fd18a656', 'spec_version': '2.1', 'target_ref': 'malware--dd45c61c-ddbf-4fbb-80db-cb89fd18a656', 'type': 'relationship'}, {'created': '2021-09-01T19:22:45.157824Z', 'id': 'malware-analysis--dc458035-822d-4f07-80d4-0a89fd18a656', 'modified': '2021-09-15T19:22:44.630466Z', 'product': 'alibaba', 'result': 'malicious', 'result_name': 'TrojanDownloader:Win32/Waski.aaca15b4', 'spec_version': '2.1', 'type': 'malware-analysis'}, {'created': '2021-09-15T19:22:44.630582Z', 'id': 'relationship--3a7abb12-86fe-4940-8800-e63b2e483c98', 'modified': '2021-09-15T19:22:44.630582Z', 'relationship_type': 'av-analysis-of', 'source_ref': 'malware-analysis--dc458035-822d-4f07-80d4-0a89fd18a656', 'spec_version': '2.1', 'target_ref': 'malware--dd45c61c-ddbf-4fbb-80db-cb89fd18a656', 'type': 'relationship'}], 'type': 'bundle'}, {'id': 'bundle--dd45aeee-3a07-4f09-80dd-de89fd18a656', 'objects': [{'aliases': ['Trojan.Win64.CoinMiner', 'Trojan.BtcMine.3367', 'Trojan.MSIL.qzrf', 'Dropper.Agent!8.2F', 'Win.Coinminer.Generic-7151250-0', 'Trojan.Win32.Trick.fmmuks'], 'created': '2021-09-01T19:22:45.178976Z', 'external_references': [{'source_name': 'polyswarm-report', 'url': 'https://polyswarm.network/scan/results/file/84631ab11016280ca401d9775f0938ab31e451d228581944ee4eee3c2d538dc3'}], 'first_seen': 
'2021-09-01T19:22:45.178976Z', 'id': 'malware--de44e0eb-0e97-4fa4-80ab-f189fd18a656', 'is_family': True, 'last_seen': '2021-09-01T19:22:45.178976Z', 'malware_types': ['trojan', 'resource-exploitation', 'dropper'], 'modified': '2021-09-15T19:22:44.633865Z', 'name': 'Trojan.Win64.CoinMiner', 'spec_version': '2.1', 'type': 'malware'}, {'atime': '2021-09-01T19:22:47.000000Z', 'ctime': '2021-09-01T19:22:48.000000Z', 'hashes': {'MD5': '6e2757fa246b5bbdac38722930ec2794', 'SHA-1': '608604a72d867383a20c1f2f08ba1be61dc31b8b', 'SHA-256': '84631ab11016280ca401d9775f0938ab31e451d228581944ee4eee3c2d538dc3', 'SHA-512': '3e70dc8d82c4cba93fe79e3ab10931a5dbb4a67243a9e9b1843135223c3680ef462aa3232b4fe855b85bc8f2cb65fbc0e4d75084abde914a70cf71a10496aca2', 'SSDEEP': '49152:FGUzr9GOWh50kC1/dVFdNaeUE3LqW1T/f5iBA9R86DHVVzP7ffQmSumSDr4k:FG6r9GOWPClFdNaeUE3LqW1T/f5iBA9H', 'TLSH': 'abb57cbd728502b1d1eec476ca178d0ff7b17a524334a1eb156443ae2e236d98639f32'}, 'id': 'file--dd45aeee-3a07-4f09-80dd-de89fd18a656', 'mtime': '2021-09-01T19:22:48.000000Z', 'name': '84631ab11016280ca401d9775f0938ab31e451d228581944ee4eee3c2d538dc3', 'spec_version': '2.1', 'type': 'file'}, {'aliases': ['Trojan.Win64.CoinMiner', 'Dropper.Agent!8.2F', 'Trojan.Win32.Trick.fmmuks', 'Trojan.MSIL.qzrf', 'Trojan.BtcMine.3367', 'Win.Coinminer.Generic-7151250-0'], 'confidence': 99, 'created': '2021-09-01T19:22:45.178976Z', 'first_seen': '2021-09-01T19:22:45.178976Z', 'id': 'malware--dd45aeee-3a07-4f09-80dd-de89fd18a656', 'is_family': False, 'last_seen': '2021-09-01T19:22:45.178976Z', 'modified': '2021-09-15T19:22:44.635847Z', 'name': 'Trojan.Win64.CoinMiner', 'sample_refs': ['file--dd45aeee-3a07-4f09-80dd-de89fd18a656'], 'spec_version': '2.1', 'type': 'malware'}, {'created': '2021-09-15T19:22:44.636028Z', 'id': 'relationship--2ddd2731-d977-4d21-9f42-456a390a9641', 'modified': '2021-09-15T19:22:44.636028Z', 'relationship_type': 'variant-of', 'source_ref': 'malware--dd45aeee-3a07-4f09-80dd-de89fd18a656', 'spec_version': '2.1', 
'target_ref': 'malware--de44e0eb-0e97-4fa4-80ab-f189fd18a656', 'type': 'relationship'}, {'created': '2021-09-01T19:22:45.178976Z', 'id': 'malware-analysis--dc45ff41-2a95-4f62-8069-d189fd18a656', 'modified': '2021-09-15T19:22:44.636182Z', 'product': 'alibaba', 'result': 'benign', 'spec_version': '2.1', 'type': 'malware-analysis'}, {'created': '2021-09-15T19:22:44.636307Z', 'id': 'relationship--dfc0f440-5c7f-4a29-92ff-1a6545dd6d48', 'modified': '2021-09-15T19:22:44.636307Z', 'relationship_type': 'av-analysis-of', 'source_ref': 'malware-analysis--dc45ff41-2a95-4f62-8069-d189fd18a656', 'spec_version': '2.1', 'target_ref': 'malware--dd45aeee-3a07-4f09-80dd-de89fd18a656', 'type': 'relationship'}, {'analysis_definition_version': '69971A0908A7EC9BE1CDAA21B8EFE918, ' '2020-Nov-23 22:42:22', 'analysis_engine_version': '7.00.49.09080', 'created': '2021-09-01T19:22:45.178976Z', 'id': 'malware-analysis--dc445ec3-809e-4f9a-8052-1089fd18a656', 'modified': '2021-09-15T19:22:44.636443Z', 'product': 'drweb', 'result': 'malicious', 'result_name': 'Trojan.BtcMine.3367', 'spec_version': '2.1', 'type': 'malware-analysis'}, {'created': '2021-09-15T19:22:44.636561Z', 'id': 'relationship--e32c8ee3-1d9b-4eba-87f4-6bbb61741469', 'modified': '2021-09-15T19:22:44.636561Z', 'relationship_type': 'av-analysis-of', 'source_ref': 'malware-analysis--dc445ec3-809e-4f9a-8052-1089fd18a656', 'spec_version': '2.1', 'target_ref': 'malware--dd45aeee-3a07-4f09-80dd-de89fd18a656', 'type': 'relationship'}, {'analysis_definition_version': '48872546c2e9031cb99dc29783b079288f18c6f8-Release.x64', 'analysis_engine_version': '4.7.0.10', 'created': '2021-09-01T19:22:45.178976Z', 'id': 'malware-analysis--dc44186b-960c-4f21-8012-5589fd18a656', 'modified': '2021-09-15T19:22:44.636694Z', 'product': 'sentinelone-static-ml', 'result': 'malicious', 'spec_version': '2.1', 'type': 'malware-analysis'}, {'created': '2021-09-15T19:22:44.636812Z', 'id': 'relationship--308f92fb-ecdc-40a8-9245-b40c601ff795', 'modified': 
'2021-09-15T19:22:44.636812Z', 'relationship_type': 'av-analysis-of', 'source_ref': 'malware-analysis--dc44186b-960c-4f21-8012-5589fd18a656', 'spec_version': '2.1', 'target_ref': 'malware--dd45aeee-3a07-4f09-80dd-de89fd18a656', 'type': 'relationship'}, {'analysis_engine_version': '2', 'created': '2021-09-01T19:22:45.178976Z', 'id': 'malware-analysis--dc44dd7a-4c15-4f86-8034-1b89fd18a656', 'modified': '2021-09-15T19:22:44.636948Z', 'product': 'crowdstrike-falcon-ml', 'result': 'benign', 'spec_version': '2.1', 'type': 'malware-analysis'}, {'created': '2021-09-15T19:22:44.637101Z', 'id': 'relationship--9148f1a1-b66c-4bde-b0f6-819ad558607a', 'modified': '2021-09-15T19:22:44.637101Z', 'relationship_type': 'av-analysis-of', 'source_ref': 'malware-analysis--dc44dd7a-4c15-4f86-8034-1b89fd18a656', 'spec_version': '2.1', 'target_ref': 'malware--dd45aeee-3a07-4f09-80dd-de89fd18a656', 'type': 'relationship'}, {'analysis_engine_version': 'ClamAV 0.102.4/26281/Wed Sep 1 ' '08:21:58 2021', 'created': '2021-09-01T19:22:45.178976Z', 'id': 'malware-analysis--dc44f633-e3e2-4f0c-802b-9989fd18a656', 'modified': '2021-09-15T19:22:44.637241Z', 'product': 'clamav', 'result': 'malicious', 'result_name': 'Win.Coinminer.Generic-7151250-0', 'spec_version': '2.1', 'type': 'malware-analysis'}, {'created': '2021-09-15T19:22:44.637359Z', 'id': 'relationship--f48af396-db6d-44b8-9e71-57a713d6f47f', 'modified': '2021-09-15T19:22:44.637359Z', 'relationship_type': 'av-analysis-of', 'source_ref': 'malware-analysis--dc44f633-e3e2-4f0c-802b-9989fd18a656', 'spec_version': '2.1', 'target_ref': 'malware--dd45aeee-3a07-4f09-80dd-de89fd18a656', 'type': 'relationship'}, {'analysis_definition_version': '6.100', 'analysis_engine_version': '5.5.1', 'created': '2021-09-01T19:22:45.178976Z', 'id': 'malware-analysis--dc445857-1da9-4f82-80f3-1989fd18a656', 'modified': '2021-09-15T19:22:44.637492Z', 'product': 'secureage', 'result': 'malicious', 'spec_version': '2.1', 'type': 'malware-analysis'}, {'created': 
'2021-09-15T19:22:44.637610Z', 'id': 'relationship--23dd6ac8-5b49-4353-b54e-392bc524126e', 'modified': '2021-09-15T19:22:44.637610Z', 'relationship_type': 'av-analysis-of', 'source_ref': 'malware-analysis--dc445857-1da9-4f82-80f3-1989fd18a656', 'spec_version': '2.1', 'target_ref': 'malware--dd45aeee-3a07-4f09-80dd-de89fd18a656', 'type': 'relationship'}, {'analysis_definition_version': '0.14.35.19132', 'analysis_engine_version': '1.0.134.90676', 'created': '2021-09-01T19:22:45.178976Z', 'id': 'malware-analysis--dc45a504-0f2e-4ff6-80d4-1989fd18a656', 'modified': '2021-09-15T19:22:44.637743Z', 'product': 'nanoav', 'result': 'malicious', 'result_name': 'Trojan.Win32.Trick.fmmuks', 'spec_version': '2.1', 'type': 'malware-analysis'}, {'created': '2021-09-15T19:22:44.637861Z', 'id': 'relationship--d12b3cab-fdf5-4bbe-b48b-9ce9ffa00e11', 'modified': '2021-09-15T19:22:44.637861Z', 'relationship_type': 'av-analysis-of', 'source_ref': 'malware-analysis--dc45a504-0f2e-4ff6-80d4-1989fd18a656', 'spec_version': '2.1', 'target_ref': 'malware--dd45aeee-3a07-4f09-80dd-de89fd18a656', 'type': 'relationship'}, {'created': '2021-09-01T19:22:45.178976Z', 'id': 'malware-analysis--dc440050-76f9-4f3c-8038-9e89fd18a656', 'modified': '2021-09-15T19:22:44.637995Z', 'product': 'rising', 'result': 'malicious', 'result_name': 'Dropper.Agent!8.2F', 'spec_version': '2.1', 'type': 'malware-analysis'}, {'created': '2021-09-15T19:22:44.638121Z', 'id': 'relationship--0a1c9971-36b9-482e-b117-39ecc03c5ed5', 'modified': '2021-09-15T19:22:44.638121Z', 'relationship_type': 'av-analysis-of', 'source_ref': 'malware-analysis--dc440050-76f9-4f3c-8038-9e89fd18a656', 'spec_version': '2.1', 'target_ref': 'malware--dd45aeee-3a07-4f09-80dd-de89fd18a656', 'type': 'relationship'}, {'created': '2021-09-01T19:22:45.178976Z', 'id': 'malware-analysis--dc45f7a9-3354-4f02-80ad-bc89fd18a656', 'modified': '2021-09-15T19:22:44.638263Z', 'product': 'filseclab', 'result': 'benign', 'spec_version': '2.1', 'type': 
'malware-analysis'}, {'created': '2021-09-15T19:22:44.638383Z', 'id': 'relationship--5f2cb4a5-94d2-49f0-abc5-dd2ea9795a07', 'modified': '2021-09-15T19:22:44.638383Z', 'relationship_type': 'av-analysis-of', 'source_ref': 'malware-analysis--dc45f7a9-3354-4f02-80ad-bc89fd18a656', 'spec_version': '2.1', 'target_ref': 'malware--dd45aeee-3a07-4f09-80dd-de89fd18a656', 'type': 'relationship'}, {'analysis_definition_version': '01.09.2021 18:16:19 (104093)', 'analysis_engine_version': '5.6.2.0', 'created': '2021-09-01T19:22:45.178976Z', 'id': 'malware-analysis--dc446861-42b0-4f55-804a-0389fd18a656', 'modified': '2021-09-15T19:22:44.638518Z', 'product': 'ikarus', 'result': 'malicious', 'result_name': 'Trojan.Win64.CoinMiner', 'spec_version': '2.1', 'type': 'malware-analysis'}, {'created': '2021-09-15T19:22:44.638636Z', 'id': 'relationship--c4056dc0-23e5-4b36-8d50-4cc1dafd9958', 'modified': '2021-09-15T19:22:44.638636Z', 'relationship_type': 'av-analysis-of', 'source_ref': 'malware-analysis--dc446861-42b0-4f55-804a-0389fd18a656', 'spec_version': '2.1', 'target_ref': 'malware--dd45aeee-3a07-4f09-80dd-de89fd18a656', 'type': 'relationship'}, {'created': '2021-09-01T19:22:45.178976Z', 'id': 'malware-analysis--dc44bf82-a407-4fd6-800d-ab89fd18a656', 'modified': '2021-09-15T19:22:44.638769Z', 'product': 'lionic', 'result': 'benign', 'spec_version': '2.1', 'type': 'malware-analysis'}, {'created': '2021-09-15T19:22:44.639014Z', 'id': 'relationship--0c2bccc2-ff2c-4b56-9088-e2b93e8abf91', 'modified': '2021-09-15T19:22:44.639014Z', 'relationship_type': 'av-analysis-of', 'source_ref': 'malware-analysis--dc44bf82-a407-4fd6-800d-ab89fd18a656', 'spec_version': '2.1', 'target_ref': 'malware--dd45aeee-3a07-4f09-80dd-de89fd18a656', 'type': 'relationship'}, {'created': '2021-09-01T19:22:45.178976Z', 'id': 'malware-analysis--dc44455e-f135-4f64-809d-8d89fd18a656', 'modified': '2021-09-15T19:22:44.639160Z', 'product': 'jiangmin', 'result': 'malicious', 'result_name': 'Trojan.MSIL.qzrf', 
'spec_version': '2.1', 'type': 'malware-analysis'}, {'created': '2021-09-15T19:22:44.639281Z', 'id': 'relationship--855479ed-53f2-4368-95d3-92340d4a68fb', 'modified': '2021-09-15T19:22:44.639281Z', 'relationship_type': 'av-analysis-of', 'source_ref': 'malware-analysis--dc44455e-f135-4f64-809d-8d89fd18a656', 'spec_version': '2.1', 'target_ref': 'malware--dd45aeee-3a07-4f09-80dd-de89fd18a656', 'type': 'relationship'}], 'type': 'bundle'}, {'id': 'bundle--dd44bb23-4668-4f3b-80c3-d589fd18a656', 'objects': [{'aliases': ['Backdoor.6536F84D7F60AA9C', 'win/malicious', 'Malware:Win32/Dorpal.ali1000029', 'BackDoor.Golf.260', 'Backdoor.Generic.ztr', 'Trojan.Win32.Urelas', 'Backdoor.Plite!8.2D6', 'Win.Malware.Urelas-6840420-0'], 'created': '2021-09-01T19:22:45.194687Z', 'external_references': [{'source_name': 'polyswarm-report', 'url': 'https://polyswarm.network/scan/results/file/ce50012446934e7ad42c209a12e377a9594930f788c659b32b5344bbc7ef5fb3'}], 'first_seen': '2021-09-01T19:22:45.194687Z', 'id': 'malware--de44e0eb-0e97-4fa4-80ab-e089fd18a656', 'is_family': True, 'last_seen': '2021-09-01T19:22:45.194687Z', 'malware_types': ['backdoor', 'virus', 'trojan'], 'modified': '2021-09-15T19:22:44.642432Z', 'name': 'Urelas', 'spec_version': '2.1', 'type': 'malware'}, {'atime': '2021-09-01T19:22:50.000000Z', 'ctime': '2021-09-01T19:22:50.000000Z', 'hashes': {'MD5': 'f5b78e02928c276f22be13313d37bcb4', 'SHA-1': 'e024f5d831e101d4d7748fe3d0792e72f4762ff0', 'SHA-256': 'ce50012446934e7ad42c209a12e377a9594930f788c659b32b5344bbc7ef5fb3', 'SHA-512': '66727aa1e7c24987b515ff42704b35a89d4ea5d3c62d32649f158218628344b30adfaa8a61967124592969f7301930588e472a618b5eed0b629c509d114e3b28', 'SSDEEP': '1536:s1baYkjUIKECOmxUNKwhB+GT/4I2fm3w9Rri+pXmf8t1dn4vcj0:sjIKn1xUswhsGTgI23RGUXmUDg', 'TLSH': '22d3cf4566010894f71c0b721a02fad0889dae7c65d6fa5ff1bc7d7ab932183a97309f'}, 'id': 'file--dd44bb23-4668-4f3b-80c3-d589fd18a656', 'mtime': '2021-09-01T19:22:50.000000Z', 'name': 
'ce50012446934e7ad42c209a12e377a9594930f788c659b32b5344bbc7ef5fb3', 'spec_version': '2.1', 'type': 'file'}, {'aliases': ['Backdoor.6536F84D7F60AA9C', 'win/malicious', 'Malware:Win32/Dorpal.ali1000029', 'BackDoor.Golf.260', 'Backdoor.Generic.ztr', 'Trojan.Win32.Urelas', 'Backdoor.Plite!8.2D6', 'Win.Malware.Urelas-6840420-0'], 'confidence': 99, 'created': '2021-09-01T19:22:45.194687Z', 'first_seen': '2021-09-01T19:22:45.194687Z', 'id': 'malware--dd44bb23-4668-4f3b-80c3-d589fd18a656', 'is_family': False, 'last_seen': '2021-09-01T19:22:45.194687Z', 'modified': '2021-09-15T19:22:44.644475Z', 'name': 'Urelas', 'sample_refs': ['file--dd44bb23-4668-4f3b-80c3-d589fd18a656'], 'spec_version': '2.1', 'type': 'malware'}, {'created': '2021-09-15T19:22:44.644702Z', 'id': 'relationship--d1f3b112-02c4-4ea8-b36d-56c871f3da91', 'modified': '2021-09-15T19:22:44.644702Z', 'relationship_type': 'variant-of', 'source_ref': 'malware--dd44bb23-4668-4f3b-80c3-d589fd18a656', 'spec_version': '2.1', 'target_ref': 'malware--de44e0eb-0e97-4fa4-80ab-e089fd18a656', 'type': 'relationship'}, {'analysis_engine_version': '2', 'created': '2021-09-01T19:22:45.194687Z', 'id': 'malware-analysis--dc44ef20-ce6a-4f5a-8060-d389fd18a656', 'modified': '2021-09-15T19:22:44.644858Z', 'product': 'crowdstrike-falcon-ml', 'result': 'malicious', 'result_name': 'win/malicious', 'spec_version': '2.1', 'type': 'malware-analysis'}, {'created': '2021-09-15T19:22:44.644982Z', 'id': 'relationship--d5a07ca3-fcbe-4722-92e8-16a6ac82da9e', 'modified': '2021-09-15T19:22:44.644982Z', 'relationship_type': 'av-analysis-of', 'source_ref': 'malware-analysis--dc44ef20-ce6a-4f5a-8060-d389fd18a656', 'spec_version': '2.1', 'target_ref': 'malware--dd44bb23-4668-4f3b-80c3-d589fd18a656', 'type': 'relationship'}, {'created': '2021-09-01T19:22:45.194687Z', 'id': 'malware-analysis--dc44ff03-52a3-4f74-8059-1289fd18a656', 'modified': '2021-09-15T19:22:44.645144Z', 'product': 'jiangmin', 'result': 'malicious', 'result_name': 
'Backdoor.Generic.ztr', 'spec_version': '2.1', 'type': 'malware-analysis'}, {'created': '2021-09-15T19:22:44.645264Z', 'id': 'relationship--4b08404d-64e3-44ae-99ab-8017944749ad', 'modified': '2021-09-15T19:22:44.645264Z', 'relationship_type': 'av-analysis-of', 'source_ref': 'malware-analysis--dc44ff03-52a3-4f74-8059-1289fd18a656', 'spec_version': '2.1', 'target_ref': 'malware--dd44bb23-4668-4f3b-80c3-d589fd18a656', 'type': 'relationship'}, {'analysis_definition_version': '6.100', 'analysis_engine_version': '5.5.1', 'created': '2021-09-01T19:22:45.194687Z', 'id': 'malware-analysis--dc44f830-1712-4fcc-80e6-1089fd18a656', 'modified': '2021-09-15T19:22:44.645396Z', 'product': 'secureage', 'result': 'malicious', 'spec_version': '2.1', 'type': 'malware-analysis'}, {'created': '2021-09-15T19:22:44.645514Z', 'id': 'relationship--937a07aa-bc4f-4039-94b7-34c586f42703', 'modified': '2021-09-15T19:22:44.645514Z', 'relationship_type': 'av-analysis-of', 'source_ref': 'malware-analysis--dc44f830-1712-4fcc-80e6-1089fd18a656', 'spec_version': '2.1', 'target_ref': 'malware--dd44bb23-4668-4f3b-80c3-d589fd18a656', 'type': 'relationship'}, {'analysis_definition_version': '69971A0908A7EC9BE1CDAA21B8EFE918, ' '2020-Nov-23 22:42:22', 'analysis_engine_version': '7.00.49.09080', 'created': '2021-09-01T19:22:45.194687Z', 'id': 'malware-analysis--dc443af4-a14c-4f37-8028-7b89fd18a656', 'modified': '2021-09-15T19:22:44.645648Z', 'product': 'drweb', 'result': 'malicious', 'result_name': 'BackDoor.Golf.260', 'spec_version': '2.1', 'type': 'malware-analysis'}, {'created': '2021-09-15T19:22:44.645765Z', 'id': 'relationship--09473b27-7c9e-4c41-bacb-b507e2a59900', 'modified': '2021-09-15T19:22:44.645765Z', 'relationship_type': 'av-analysis-of', 'source_ref': 'malware-analysis--dc443af4-a14c-4f37-8028-7b89fd18a656', 'spec_version': '2.1', 'target_ref': 'malware--dd44bb23-4668-4f3b-80c3-d589fd18a656', 'type': 'relationship'}, {'created': '2021-09-01T19:22:45.194687Z', 'id': 
'malware-analysis--dc44bea2-b17e-4fb6-80e1-2c89fd18a656', 'modified': '2021-09-15T19:22:44.645898Z', 'product': 'filseclab', 'result': 'malicious', 'result_name': 'Backdoor.6536F84D7F60AA9C', 'spec_version': '2.1', 'type': 'malware-analysis'}, {'created': '2021-09-15T19:22:44.646016Z', 'id': 'relationship--c9070ece-6c17-4af8-843b-8c9506acd11a', 'modified': '2021-09-15T19:22:44.646016Z', 'relationship_type': 'av-analysis-of', 'source_ref': 'malware-analysis--dc44bea2-b17e-4fb6-80e1-2c89fd18a656', 'spec_version': '2.1', 'target_ref': 'malware--dd44bb23-4668-4f3b-80c3-d589fd18a656', 'type': 'relationship'}, {'created': '2021-09-01T19:22:45.194687Z', 'id': 'malware-analysis--dc44cd9a-0c37-4f5e-808c-4189fd18a656', 'modified': '2021-09-15T19:22:44.646147Z', 'product': 'alibaba', 'result': 'malicious', 'result_name': 'Malware:Win32/Dorpal.ali1000029', 'spec_version': '2.1', 'type': 'malware-analysis'}, {'created': '2021-09-15T19:22:44.646281Z', 'id': 'relationship--fdf11db2-f58b-4b3e-b5ac-eafd5aae5fff', 'modified': '2021-09-15T19:22:44.646281Z', 'relationship_type': 'av-analysis-of', 'source_ref': 'malware-analysis--dc44cd9a-0c37-4f5e-808c-4189fd18a656', 'spec_version': '2.1', 'target_ref': 'malware--dd44bb23-4668-4f3b-80c3-d589fd18a656', 'type': 'relationship'}, {'created': '2021-09-01T19:22:45.194687Z', 'id': 'malware-analysis--dc44ef5d-f3cf-4ff5-8048-6089fd18a656', 'modified': '2021-09-15T19:22:44.646417Z', 'product': 'lionic', 'result': 'malicious', 'spec_version': '2.1', 'type': 'malware-analysis'}, {'created': '2021-09-15T19:22:44.646531Z', 'id': 'relationship--4c9040a8-e18c-4e18-9719-bd1d0aea4b84', 'modified': '2021-09-15T19:22:44.646531Z', 'relationship_type': 'av-analysis-of', 'source_ref': 'malware-analysis--dc44ef5d-f3cf-4ff5-8048-6089fd18a656', 'spec_version': '2.1', 'target_ref': 'malware--dd44bb23-4668-4f3b-80c3-d589fd18a656', 'type': 'relationship'}, {'analysis_definition_version': '01.09.2021 18:16:19 (104093)', 'analysis_engine_version': '5.6.2.0', 
'created': '2021-09-01T19:22:45.194687Z', 'id': 'malware-analysis--dc44f324-c769-4fb0-805e-4089fd18a656', 'modified': '2021-09-15T19:22:44.646661Z', 'product': 'ikarus', 'result': 'malicious', 'result_name': 'Trojan.Win32.Urelas', 'spec_version': '2.1', 'type': 'malware-analysis'}, {'created': '2021-09-15T19:22:44.646777Z', 'id': 'relationship--6c4ae8f4-6834-463f-bd8a-7f48897802c6', 'modified': '2021-09-15T19:22:44.646777Z', 'relationship_type': 'av-analysis-of', 'source_ref': 'malware-analysis--dc44f324-c769-4fb0-805e-4089fd18a656', 'spec_version': '2.1', 'target_ref': 'malware--dd44bb23-4668-4f3b-80c3-d589fd18a656', 'type': 'relationship'}, {'analysis_definition_version': '2019-10-02 10:25', 'created': '2021-09-01T19:22:45.194687Z', 'id': 'malware-analysis--dc4461c1-5f2a-4f35-80dd-e589fd18a656', 'modified': '2021-09-15T19:22:44.646906Z', 'product': 'qihoo-360', 'result': 'benign', 'spec_version': '2.1', 'type': 'malware-analysis'}, {'created': '2021-09-15T19:22:44.647020Z', 'id': 'relationship--af73da52-3871-4627-89d9-dec1a1da70bb', 'modified': '2021-09-15T19:22:44.647020Z', 'relationship_type': 'av-analysis-of', 'source_ref': 'malware-analysis--dc4461c1-5f2a-4f35-80dd-e589fd18a656', 'spec_version': '2.1', 'target_ref': 'malware--dd44bb23-4668-4f3b-80c3-d589fd18a656', 'type': 'relationship'}, {'created': '2021-09-01T19:22:45.194687Z', 'id': 'malware-analysis--dc44b4fb-d3f9-4f32-80ef-6489fd18a656', 'modified': '2021-09-15T19:22:44.647162Z', 'product': 'rising', 'result': 'malicious', 'result_name': 'Backdoor.Plite!8.2D6', 'spec_version': '2.1', 'type': 'malware-analysis'}, {'created': '2021-09-15T19:22:44.647277Z', 'id': 'relationship--7d6c1a5b-b470-44cc-9518-deaedfe23236', 'modified': '2021-09-15T19:22:44.647277Z', 'relationship_type': 'av-analysis-of', 'source_ref': 'malware-analysis--dc44b4fb-d3f9-4f32-80ef-6489fd18a656', 'spec_version': '2.1', 'target_ref': 'malware--dd44bb23-4668-4f3b-80c3-d589fd18a656', 'type': 'relationship'}, 
{'analysis_definition_version': '48872546c2e9031cb99dc29783b079288f18c6f8-Release.x64', 'analysis_engine_version': '4.7.0.10', 'created': '2021-09-01T19:22:45.194687Z', 'id': 'malware-analysis--dc44beb6-1678-4f7b-801f-2b89fd18a656', 'modified': '2021-09-15T19:22:44.647410Z', 'product': 'sentinelone-static-ml', 'result': 'malicious', 'spec_version': '2.1', 'type': 'malware-analysis'}, {'created': '2021-09-15T19:22:44.647525Z', 'id': 'relationship--ee17c47a-9768-4f6f-8cf8-446a4a34d524', 'modified': '2021-09-15T19:22:44.647525Z', 'relationship_type': 'av-analysis-of', 'source_ref': 'malware-analysis--dc44beb6-1678-4f7b-801f-2b89fd18a656', 'spec_version': '2.1', 'target_ref': 'malware--dd44bb23-4668-4f3b-80c3-d589fd18a656', 'type': 'relationship'}, {'analysis_engine_version': 'ClamAV 0.102.4/26090/Wed Feb 24 ' '12:09:42 2021', 'created': '2021-09-01T19:22:45.194687Z', 'id': 'malware-analysis--dc446b6b-1a0d-4f7c-806c-4c89fd18a656', 'modified': '2021-09-15T19:22:44.647653Z', 'product': 'clamav', 'result': 'malicious', 'result_name': 'Win.Malware.Urelas-6840420-0', 'spec_version': '2.1', 'type': 'malware-analysis'}, {'created': '2021-09-15T19:22:44.647769Z', 'id': 'relationship--56e75fba-6af7-4cec-9482-dabcb866ea6d', 'modified': '2021-09-15T19:22:44.647769Z', 'relationship_type': 'av-analysis-of', 'source_ref': 'malware-analysis--dc446b6b-1a0d-4f7c-806c-4c89fd18a656', 'spec_version': '2.1', 'target_ref': 'malware--dd44bb23-4668-4f3b-80c3-d589fd18a656', 'type': 'relationship'}], 'type': 'bundle'}]
Filter Parameters
A TAXII client can request specific content from a TAXII server by specifying a set of filters included in the URL query parameters of the request.
Universal filter parameters
All of PolySwarm's collections support the following filter parameters:
URL Query Parameters | Description | Example |
---|---|---|
added_after | A single "T-Syntax" RFC3339 time stamp that filters objects to only include those added after the specified time stamp. If no added_after URL query parameter is provided, the server returns the oldest objects matching the request first. For example, if a server has 100 objects (0-99), the server starts at record 0 looking for a match and works its way up from oldest to newest, returning the first 50 objects (the default and maximum limit) that matched the request. | 2021-09-08T00:00:00Z |
limit | A single integer value that indicates the maximum number of objects to receive in a single response. This must be a positive integer greater than 0 and less than 51. | 25 |
next | A single opaque string value that indicates the next record or set of records in the data set that the client is requesting. This value never expires and may be used to resume pagination at a later date (if you attempt to resume pagination of objects older than that collection's defined maximum object age, you will resume pagination from that collection's initial page). | gAAAAAOSmbvF...oRY06o== |
You can supply any of these parameters as keyword arguments to `read_taxii_feed`:
`read_taxii_feed(collection, added_after='2021-09-08T00:00:00Z')`
Using `match[<field>]` for Filtering
Non-freemium collections also provide a `match[<field>]` parameter to apply filtering on a specific `<field>`. The `match` parameter can be specified any number of times, where each match instance specifies an additional filter combined as logical "AND" predicates. Individual `match` query parameters may contain multiple values separated by a comma (`,`) which are treated as a logical "OR". For instance, `?match[type]=bundle,sighting` specifies a filter for objects that are of type `bundle` OR `sighting`.
Field | Description | Example |
---|---|---|
id | The identifier of the object(s) that are being requested | bundle--dd45feca-cf0c-4f86-8026-f889 |
type | The type of the object(s) that are being requested. Only the types listed in this parameter are permitted in the response. | bundle,sighting |
You can supply any of these parameters as keyword arguments to `read_taxii_feed`:
`read_taxii_feed(collection, id='bundle--dd45feca-cf0c-4f86-8026-f889,bundle--dd445a57-7358-4ff4-8056-5d89')`
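The two filter families above (the universal added_after / limit / next parameters and the per-field match[<field>] filters) compose into one query string, and a client that wants a whole collection has to keep re-issuing the request with the returned next token until the server reports no more data. The following added example, which is not PolySwarm's code and does not call read_taxii_feed or taxii2client, shows both: build_taxii_query validates and assembles the parameters exactly as the tables document them, and fetch_all follows pagination. FakeCollection is a constructed in-memory stand-in for a TAXII collection so the loop runs offline; on a real server the next value is opaque, whereas here it is simply a record index, and the sample objects and their ids are placeholders.

```python
"""Build TAXII 2.1 filter parameters and follow pagination.

Added example, not PolySwarm's own code. build_taxii_query() produces the
URL query parameters documented above; FakeCollection is a constructed
in-memory stand-in for a TAXII collection so the loop runs offline (a real
server's `next` token is opaque; here it is simply a record index).
"""
import re

MAX_LIMIT = 50  # the page states 50 is both the default and the maximum limit
# "T-syntax" RFC3339 UTC timestamp, e.g. 2021-09-08T00:00:00Z
RFC3339_UTC = re.compile(r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(\.\d+)?Z$")


def build_taxii_query(added_after=None, limit=None, next_token=None, **match):
    """Return a dict of URL query parameters for a TAXII 2.1 objects request.

    Any extra keyword argument becomes a match[<field>] filter; a list or
    tuple value is joined with commas, which the server treats as OR.
    """
    params = {}
    if added_after is not None:
        if not RFC3339_UTC.match(added_after):
            raise ValueError("added_after must be a T-syntax RFC3339 UTC timestamp")
        params["added_after"] = added_after
    if limit is not None:
        if not isinstance(limit, int) or not 1 <= limit <= MAX_LIMIT:
            raise ValueError(f"limit must be an integer between 1 and {MAX_LIMIT}")
        params["limit"] = str(limit)
    if next_token is not None:
        params["next"] = next_token
    for field, value in match.items():
        if isinstance(value, (list, tuple)):
            value = ",".join(value)
        params[f"match[{field}]"] = value
    return params


class FakeCollection:
    """Constructed stand-in for a TAXII collection that honours the filters above."""

    def __init__(self, objects):
        # oldest first: with no added_after the server starts at the oldest record
        self._objects = sorted(objects, key=lambda o: o["date_added"])

    def get_objects(self, params):
        objs = self._objects
        if "added_after" in params:
            objs = [o for o in objs if o["date_added"] > params["added_after"]]
        for key, value in params.items():
            if key.startswith("match[") and key.endswith("]"):
                field, allowed = key[6:-1], set(value.split(","))
                objs = [o for o in objs if o.get(field) in allowed]
        start = int(params.get("next", "0"))
        limit = int(params.get("limit", MAX_LIMIT))
        page = objs[start:start + limit]
        envelope = {"objects": page, "more": start + limit < len(objs)}
        if envelope["more"]:
            envelope["next"] = str(start + limit)  # opaque on a real server
        return envelope


def fetch_all(collection, **filters):
    """Page through a collection until the envelope reports more == False."""
    token, results = None, []
    while True:
        envelope = collection.get_objects(build_taxii_query(next_token=token, **filters))
        results.extend(envelope["objects"])
        if not envelope.get("more"):
            return results
        token = envelope["next"]


# Constructed sample data (placeholder ids, not real PolySwarm objects).
SAMPLE_OBJECTS = [
    {"id": f"bundle--0000000{i}-0000-4000-8000-000000000000", "type": "bundle",
     "date_added": f"2021-09-0{i}T00:00:00Z"}
    for i in range(1, 6)
] + [
    {"id": "sighting--00000006-0000-4000-8000-000000000000", "type": "sighting",
     "date_added": "2021-09-06T00:00:00Z"},
    {"id": "indicator--00000007-0000-4000-8000-000000000000", "type": "indicator",
     "date_added": "2021-09-07T00:00:00Z"},
]

if __name__ == "__main__":
    feed = FakeCollection(SAMPLE_OBJECTS)
    for obj in fetch_all(feed, added_after="2021-09-03T00:00:00Z", limit=2,
                         type=["bundle", "sighting"]):
        print(obj["date_added"], obj["id"])
```

Persist the last next token you received along with the added_after value you started from: the page states the token never expires, so a consumer that crashes mid-pull can resume exactly where it stopped instead of re-reading the collection from its oldest object.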
STIX Field Mapping
This section provides the field mapping for the STIX objects PolySwarm produces for a file.
Field Name | Description | Sample Data |
---|---|---|
aliases | Family names from engine results | ["Backdoor.Padodor.c","Backdoor.Win32.Padodor","Backdoor.Berbew!8.115", "Trojan:Win32/Starter.ali1001008", "BackDoor.HangUp.5","Win.Trojan.Crypted-29","Proxy-Program ( 00557ea51 )","win/malicious"] |
created/first_seen | When hash was first seen in the PolySwarm Marketplace | 2021-01-20T23:30:10.665092Z |
external_references | Link to PolySwarm portal with full details | "url": "https://polyswarm.network/scan/results/file/017bcfbe29b805c010cf7c1790c17fb10a1069c7806ff65ae15fe12dd27e6645" |
malware_types | Malware functionality tags | [ "backdoor", "greyware", "Trojan" ] |
imphash | Valid only for Windows PE files | 26babd76bbb7f9c516a338b0601b4c9f |
optional_header | PE header information | "address_of_entry_point": 204800, "major_linker_version": 2, "major_os_version": 1, "major_subsystem_version": 4, "minor_linker_version": 5, "minor_os_version": 0, "minor_subsystem_version": 0, "size_of_code": 47104, "size_of_initialized_data": 18432 |
pe_type | File type | exe |
timedatestamp | Binary compile date timestamp | 2020-07-11T03:39:59Z |
hashes | MD5, SHA-1, SHA-256, SHA-512, SSDEEP, TLSH hashes of the malware | { "MD5": "ab49bfba6e83c2211bcb5e25dfd428ae", "SHA-1": "0c09e4ecdedf46f5c801a1c2267d5166afd48a48", "SHA-256": "017bcfbe29b805c010cf7c1790c17fb10a1069c7806ff65ae15fe12dd27e6645", "SHA-512": "386f20b87848fc138b14931bdec5c348e26c7c270d952ba3487a020819ac07b1449b0715082e01aea898e69a1edb1aa77c5857c87ab1c8daa0d787f75c422def", "SSDEEP": "768:/abmyOy0JJk0Zvj12BhSPbefkcjnJuv+I1CV+zClaEZIGXOjWW3RuSyRZPAv8Q5:iDCJJko4hSPbelju91ZCla7IUW5SyRQ", "TLSH": "54637cc901172d79e8d9a5f25c238aa9a407cf390752f7dc0eda4db978fa4075f28c61" } |
mime_type | Mime type of the file | application/x-dosexec |
size | File size of the sample submitted | 69632 |
confidence | PolyScore * 100 | 99 |
last_seen | When it was last scanned by the malware engines | 2021-01-20T23:30:10.584455Z |
product | Engine name providing response (repeated for every engine asserting) | clamav |
result | Benign or malicious (repeated for every engine asserting) | malicious |
result_name | Family name provided by engine (not provided by every engine) (repeated for every engine asserting) | Win.Trojan.Crypted-29 |
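The fields in this table are spread over several STIX objects rather than one record: the hashes, size and mime_type live on the file object, name, aliases and confidence on the malware object (which points at its file through sample_refs), and each engine's product / result / result_name triple is a separate malware-analysis object linked to the malware object by an av-analysis-of relationship, as in the bundle printed earlier. The following added example, which is not PolySwarm's code, resolves those references to produce one summary per sample and a simple hash blocklist thresholded on PolyScore. SAMPLE_BUNDLE is constructed to mirror those object shapes; its ids, hashes and engine names are placeholders.

```python
"""Resolve PolySwarm-style STIX 2.1 objects into a per-sample summary.

Added example, not PolySwarm's own code. SAMPLE_BUNDLE is constructed to
mirror the object shapes shown above (file, malware, malware-analysis and
the av-analysis-of relationships between them); its ids, hashes and
engine names are placeholders, not real samples or real engines.
"""
from collections import Counter

FILE_ID = "file--00000000-0000-4000-8000-0000000000aa"
MALWARE_ID = "malware--00000000-0000-4000-8000-0000000000bb"
ANALYSIS_IDS = [f"malware-analysis--00000000-0000-4000-8000-0000000000c{i}" for i in (1, 2, 3)]

SAMPLE_BUNDLE = {
    "type": "bundle",
    "id": "bundle--00000000-0000-4000-8000-000000000001",
    "objects": [
        {"type": "file", "spec_version": "2.1", "id": FILE_ID,
         "hashes": {"MD5": "0" * 32, "SHA-256": "a" * 64},
         "mime_type": "application/x-dosexec", "size": 69632},
        {"type": "malware", "spec_version": "2.1", "id": MALWARE_ID,
         "name": "ExampleFamily", "is_family": False, "confidence": 87,
         "aliases": ["Trojan.Example", "win/malicious"], "sample_refs": [FILE_ID]},
        # one engine gives a family name, one gives only a verdict, one says benign
        {"type": "malware-analysis", "spec_version": "2.1", "id": ANALYSIS_IDS[0],
         "product": "engine-a", "result": "malicious", "result_name": "Trojan.Example"},
        {"type": "malware-analysis", "spec_version": "2.1", "id": ANALYSIS_IDS[1],
         "product": "engine-b", "result": "malicious"},
        {"type": "malware-analysis", "spec_version": "2.1", "id": ANALYSIS_IDS[2],
         "product": "engine-c", "result": "benign"},
    ] + [
        {"type": "relationship", "spec_version": "2.1",
         "id": f"relationship--00000000-0000-4000-8000-0000000000d{i}",
         "relationship_type": "av-analysis-of",
         "source_ref": analysis_id, "target_ref": MALWARE_ID}
        for i, analysis_id in enumerate(ANALYSIS_IDS, start=1)
    ],
}


def index_bundle(bundle):
    """Map object id -> object so *_ref fields resolve in O(1)."""
    return {obj["id"]: obj for obj in bundle["objects"]}


def summarize_malware(bundle):
    """Return one summary dict per malware object, joining file and engine data."""
    by_id = index_bundle(bundle)
    analyses_for = {}  # malware id -> list of malware-analysis objects
    for obj in bundle["objects"]:
        if obj["type"] == "relationship" and obj.get("relationship_type") == "av-analysis-of":
            analysis = by_id.get(obj["source_ref"])
            if analysis is not None and analysis["type"] == "malware-analysis":
                analyses_for.setdefault(obj["target_ref"], []).append(analysis)

    summaries = []
    for obj in bundle["objects"]:
        if obj["type"] != "malware":
            continue
        analyses = analyses_for.get(obj["id"], [])
        verdicts = {a["product"]: a["result"] for a in analyses}
        # result_name is optional: not every engine supplies a family name
        engine_names = sorted({a["result_name"] for a in analyses if "result_name" in a})
        files = [by_id[ref] for ref in obj.get("sample_refs", [])
                 if ref in by_id and by_id[ref]["type"] == "file"]
        summaries.append({
            "family": obj["name"],
            "polyscore": obj.get("confidence", 0) / 100,  # confidence = PolyScore * 100
            "sha256": [f["hashes"].get("SHA-256") for f in files],
            "verdicts": verdicts,
            "malicious_count": Counter(verdicts.values())["malicious"],
            "engine_names": engine_names,
        })
    return summaries


def blocklist_hashes(bundle, min_polyscore=0.5):
    """SHA-256 values of samples whose PolyScore meets the threshold."""
    return sorted(h for s in summarize_malware(bundle)
                  if s["polyscore"] >= min_polyscore for h in s["sha256"] if h)


if __name__ == "__main__":
    for s in summarize_malware(SAMPLE_BUNDLE):
        print(s["family"], s["polyscore"], s["malicious_count"], "malicious engines")
    print(blocklist_hashes(SAMPLE_BUNDLE))
```

Resolving through the relationship objects rather than assuming a fixed order matters because the analyses and relationships for one sample are interleaved in the bundle, and a malware object may be referenced by any number of engines; keying on the id also makes the code robust to the same object appearing in more than one collection, which the page notes is allowed.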