@peasead
Last active July 2, 2024 05:30
Download samples from Malware Bazaar based on tag.
#!/bin/bash
# Bash script to download samples from MalwareBazaar based on tag
# Define tag and number of samples to download
TAG=insert-malware-bazaar-tag
DOWNLOAD_LIMIT=100
# Determine OS
OS=$(uname -s)
# Query the tag and keep only the sha256_hash values
curl -XPOST -d "query=get_taginfo&tag=${TAG}&limit=${DOWNLOAD_LIMIT}" https://mb-api.abuse.ch/api/v1/ | grep sha256_hash | awk '{print $2}' > "${TAG}.raw"
# OS-specific cleanup: strip the surrounding "'s and the trailing ,'s from each hash
# macOS (BSD sed) requires a backup suffix with -i; remove the backup afterwards
if [ "${OS}" = "Darwin" ]
then
  sed -i.bak 's/\"//g' "${TAG}.raw"
  rm "${TAG}.raw.bak"
  sed -i.bak 's/\,//' "${TAG}.raw"
  rm "${TAG}.raw.bak"
# Linux (GNU sed) edits in place without a backup
elif [ "${OS}" = "Linux" ]
then
  sed -i 's/\"//g' "${TAG}.raw"
  sed -i 's/\,//' "${TAG}.raw"
fi
# Create the hash file from the raw file
mv "${TAG}.raw" "${TAG}.hash"
# Download the samples using their hash values (each download is a password-protected archive)
while read h; do curl -XPOST -d "query=get_file&sha256_hash=${h}" -o "${h}" https://mb-api.abuse.ch/api/v1/; done < "${TAG}.hash"
# Unarchive the malware samples (MalwareBazaar archives use the password "infected")
while read h; do 7z e "${h}" -p"infected"; done < "${TAG}.hash"
# Clean up by removing the downloaded archives and the hash list
while read h; do rm "${h}"; done < "${TAG}.hash"
rm "${TAG}.hash"
@peasead
Author

peasead commented Aug 16, 2023

If you wanted to ONLY get .bat files, you could use the file_type API endpoint instead of the tag API endpoint.

#!/bin/bash
# Bash script to download samples from MalwareBazaar based on file type

# Define file type and number of samples to download
TYPE=Bat
DOWNLOAD_LIMIT=100

# Determine OS
OS=$(uname -s)

# Query the file type and keep only the sha256_hash values
curl -XPOST -d "query=get_file_type&file_type=${TYPE}&limit=${DOWNLOAD_LIMIT}" https://mb-api.abuse.ch/api/v1/ | grep sha256_hash | awk '{print $2}' > "${TYPE}.raw"

# OS-specific cleanup: strip the surrounding "'s and the trailing ,'s from each hash
# macOS (BSD sed) requires a backup suffix with -i; remove the backup afterwards
if [ "${OS}" = "Darwin" ]
then
  sed -i.bak 's/\"//g' "${TYPE}.raw"
  rm "${TYPE}.raw.bak"
  sed -i.bak 's/\,//' "${TYPE}.raw"
  rm "${TYPE}.raw.bak"

# Linux (GNU sed) edits in place with -i and no backup
elif [ "${OS}" = "Linux" ]
then
  sed -i 's/\"//g' "${TYPE}.raw"
  sed -i 's/\,//' "${TYPE}.raw"
fi

# Create the hash file from the raw file
mv "${TYPE}.raw" "${TYPE}.hash"

# Download the samples using their hash values (each download is a password-protected archive)
while read h; do curl -XPOST -d "query=get_file&sha256_hash=${h}" -o "${h}" https://mb-api.abuse.ch/api/v1/; done < "${TYPE}.hash"

# Unarchive the malware samples (MalwareBazaar archives use the password "infected")
while read h; do 7zz e "${h}" -p"infected"; done < "${TYPE}.hash"

# Clean up by removing the downloaded archives and the hash list
while read h; do rm "${h}"; done < "${TYPE}.hash"
rm "${TYPE}.hash"
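The hash-extraction step is the fragile part of both scripts above (grep and awk on pretty-printed JSON, then an OS-specific sed -i branch to strip quotes and commas). The following is an added example, not code from the gist or from peasead's comments. It extracts the hashes with a pipeline that behaves the same under GNU and BSD tools, writes the hash file via a temporary file instead of sed -i, and keeps only well-formed 64-hex-character values so that an error response never produces a bogus file name for the download and rm loops. The JSON responses and hash values are constructed for the example, and the illegal_tag status string is an assumption about what the API returns for an unknown tag.

```shell
#!/bin/bash
# Added example (not part of peasead's gist): parse a MalwareBazaar API
# response into a clean list of SHA256 hashes without "sed -i".

# Constructed sample of the JSON that get_taginfo / get_file_type return.
# The field name sha256_hash is the API's; the hash values are made up.
SAMPLE_RESPONSE='{
  "query_status": "ok",
  "data": [
    {"sha256_hash": "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa", "file_type": "bat"},
    {"sha256_hash": "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb", "file_type": "bat"}
  ]
}'

# Constructed error response for an unknown tag (the status text is assumed).
ERROR_RESPONSE='{"query_status": "illegal_tag", "data": []}'

# extract_hashes: read an API response on stdin, print one SHA256 per line.
# grep -o isolates the sha256_hash field, sed strips the key and the quotes,
# and the final grep keeps only 64-hex-char values, so a malformed or error
# line can never become a file name handed to curl or rm.
extract_hashes() {
  grep -o '"sha256_hash": *"[^"]*"' \
    | sed 's/.*"sha256_hash": *"//; s/"$//' \
    | grep -E '^[0-9a-f]{64}$' || true
}

# count_hashes: number of valid hashes in a response string.
count_hashes() {
  printf '%s\n' "$1" | extract_hashes | wc -l | tr -d ' '
}

# write_hash_file: the gist's .raw -> .hash step without sed -i. Writing to a
# temporary file and renaming it works identically on macOS and Linux.
# Prints the number of hashes written.
write_hash_file() {
  response="$1"
  out="$2"
  printf '%s\n' "$response" | extract_hashes > "${out}.tmp"
  mv "${out}.tmp" "$out"
  wc -l < "$out" | tr -d ' '
}

# Demo on the constructed responses; TAG is a placeholder name.
TAG="example-tag"
echo "valid hashes in sample response: $(count_hashes "$SAMPLE_RESPONSE")"
echo "valid hashes in error response:  $(count_hashes "$ERROR_RESPONSE")"
# The resulting ${TAG}.hash file would feed the gist's download loop unchanged:
#   while read h; do curl -XPOST -d "query=get_file&sha256_hash=${h}" -o "${h}" https://mb-api.abuse.ch/api/v1/; done < "${TAG}.hash"
```

In a live run, the response from the curl query is piped into write_hash_file in place of the grep/awk/sed chain; the validation grep means a response with query_status other than ok simply yields an empty hash file and the download loop does nothing.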

@Kali-ki

Kali-ki commented Mar 6, 2024

I got problems getting this script to work, but I just modified the two "sed" lines, and now it works perfectly 👍

sed -i 's/,//g' ${TAG}.raw
sed -i 's/"//g' ${TAG}.raw

@peasead
Author

peasead commented Jul 2, 2024

Ah, yes. Sorry. I didn't test on Linux...just tried to do it from memory.

Yeah, -i is needed for inline replacement.

Thanks for the find, the comment, and the patience.

@peasead
Author

peasead commented Jul 2, 2024

how to download .bat files?

I would assume you could use bat when defining the tag here:

[...]
TAG=bat
[...]

This is a valid tag, is it not working?
