For Agents
Look up, download, and tag malware samples from MalwareBazaar's community repository through a single POST endpoint that switches behaviour by query action.
Get started with MalwareBazaar API in minutes using your preferred integration method.
# Add to your MCP client config (Claude Desktop, Cursor, Windsurf)
{
"jentic": {
"url": "https://api.jentic.com/mcp",
"auth": "oauth"
}
}
# Then ask your agent:
"look up a malware hash"
# → Jentic returns the GET /events tool with parameter schema, agent executes.What an agent can do with MalwareBazaar API API.
Look up a malware sample's metadata by SHA-256, MD5, or SHA-1 hash
Download an encrypted ZIP of a malware sample for sandbox analysis
Search MalwareBazaar by tag (e.g. emotet, qakbot) to pull recent samples
Search by YARA signature name to retrieve matching samples
Submit a malware sample to MalwareBazaar with tags and intelligence comments
GET STARTED
Use for: I want to look up a malware hash on MalwareBazaar, Download a malware sample for sandbox analysis, Search MalwareBazaar for samples tagged emotet, Find samples matching a YARA signature
Not supported: Does not handle live malware detonation, sandboxing, or AV scanning — use for sample lookup, retrieval, and submission only.
Jentic publishes the only available OpenAPI document for MalwareBazaar API, keeping it validated and agent-ready.
Jentic publishes the only available OpenAPI specification for MalwareBazaar API, keeping it validated and agent-ready. MalwareBazaar is operated by abuse.ch as a community-driven repository for malware samples, sharing payloads with infosec teams and AV vendors. The API is a single POST endpoint where the action is selected via a query parameter (get_info, get_file, query_hash, query_tag, query_signature, etc.), letting clients upload, download, search, and tag samples. Authentication is an Auth-Key header tied to an abuse.ch account, and responses come back as JSON or, for file downloads, an encrypted ZIP.
Patterns agents use MalwareBazaar API API for, with concrete tasks.
★ Hash reputation check in incident response
When a SOC analyst sees an unknown file hash on an endpoint, an automation calls the MalwareBazaar API with action=get_info to retrieve known-bad metadata, family tags, and first-seen date. This shortcuts the triage step and feeds straight into the case ticket.
POST / with query=get_info and hash=<sha256>; if data is non-empty, attach the malware family and tags to the incident ticket
Sandbox-pull-and-detonate pipeline
A malware research pipeline calls action=get_file to download the encrypted ZIP for a hash, unpacks it with the standard 'infected' password, and detonates in a sandbox. Useful for rebuilding detections against fresh samples without manually fetching from the website.
POST / with query=get_file and sha256_hash=<hash>, then save the encrypted ZIP and queue it to the sandbox
Threat-actor sample feed
A threat-intel team subscribes to a tag-based feed by polling the API with action=get_taginfo for tags like emotet, qakbot, or icedid. Each poll returns a list of recently submitted samples for that family, including first-seen and YARA matches.
POST / with query=get_taginfo and tag=emotet, limit=50; pipe new sample hashes to the threat-intel queue
AI agent IOC enrichment via Jentic
An agent enriching IOCs from an EDR queue calls the MalwareBazaar API via Jentic to attach malware family, tags, and YARA matches to each suspicious hash. The Auth-Key is held by Jentic, so the agent never sees the raw credential.
For each hash from the EDR feed, POST / with query=get_info and append signature, file_type, and tags to the IOC record
1 endpoints — jentic publishes the only available openapi specification for malwarebazaar api, keeping it validated and agent-ready.
METHOD
PATH
DESCRIPTION
/
Query, download, or submit malware samples — action selected via the 'query' form field
/
Query, download, or submit malware samples — action selected via the 'query' form field
Three things that make agents converge on Jentic-routed access.
Credential isolation
The abuse.ch Auth-Key is stored encrypted in the Jentic vault and injected as the Auth-Key header at execution time. Agents receive scoped access tokens — raw keys never enter the agent's context.
Intent-based discovery
Agents search Jentic by intent (e.g. 'look up malware hash', 'download sample for sandbox') and Jentic returns the matching MalwareBazaar action mapping with its input schema, so the agent supplies only hash or tag values.
Time to first call
Direct integration: half a day for auth, query-action dispatch, and ZIP handling. Through Jentic: under 30 minutes — search, load, execute.
Alternatives and complements available in the Jentic catalogue.
URLhaus
abuse.ch repository for malicious URLs used for malware distribution
Use URLhaus to track the URLs distributing malware, then use MalwareBazaar to fetch the actual sample dropped by those URLs.
Shodan
Search engine for internet-exposed services and infrastructure
Use Shodan to identify infrastructure hosting suspect samples, then pivot into MalwareBazaar to look up the related hashes.
AbuseIPDB
Community database of IPs reported for abuse and malicious activity
Use AbuseIPDB to score the IP a sample was downloaded from, then use MalwareBazaar to look up the hash hosted at that IP.
Specific to using MalwareBazaar API API through Jentic.
Why is there no official OpenAPI spec for MalwareBazaar API?
abuse.ch documents MalwareBazaar in HTML at bazaar.abuse.ch/api/ but does not publish a structured OpenAPI specification. Jentic generates and maintains this spec so that AI agents and developers can call MalwareBazaar API via structured tooling. It is validated against the live API and kept up to date. Get started at https://app.jentic.com/sign-up.
What authentication does the MalwareBazaar API use?
An Auth-Key header tied to a free abuse.ch account. Through Jentic the Auth-Key is held encrypted in the vault and injected at execution, so the agent never sees the raw key.
Can I download a malware sample with this API?
Yes. POST / with query=get_file and sha256_hash=<hash>. The response is a ZIP encrypted with the password 'infected'; unpack inside an isolated environment before analysis.
What are the rate limits for the MalwareBazaar API?
abuse.ch enforces fair-use rate limits per Auth-Key — typically a few hundred requests per minute. The spec does not encode the exact limits; refer to your abuse.ch account dashboard or contact abuse.ch if you need a sustained higher rate for research.
How do I look up a hash through Jentic?
Search Jentic for 'look up malware hash', load the POST / operation on mb-api.abuse.ch/api/v1, then execute with query=get_info and hash. Install with pip install jentic and use await client.search, load, execute.
Is the MalwareBazaar API free?
Yes. Free abuse.ch accounts can use MalwareBazaar for non-commercial threat intelligence work. Heavy automated use should respect the fair-use policy and credit abuse.ch in derivative datasets.