Searching
The primary method of searching for malware samples is to use the built-in Malware Analysis Center Query Language (MACQL). This query language provides a simple, powerful, and easy-to-use interface to find malware samples that meet specific criteria.
Example
name contains "emotet" and positives > 20
Definitions
- Field: a property of a sample (e.g. SHA1).
-
Operator: a function that acts on a left and right input and will always return a boolean value. There are two kinds of operators: Comparison and Logical.
- Comparison Operator: a method of comparing a field with a value (e.g. >).
- Logical Operator: a method of comparing two boolean values (e.g. and/or).
-
Value: something that can be compared to a field (e.g. 17, 7.2, and "xagent").
- String: a set of Unicode characters surrounded by quotes. Backslash is the escape character (e.g. "mydoom").
- Integer: a 32-bit whole number (e.g. 42).
- Float: a 32-bit decimal number (e.g. 3.14).
Fields
| Field | Description | Operators | Type | Example | |
|---|---|---|---|---|---|
| name | This field will match on any positive AV detection result where the comparison returns true. The comparison performed is case-insensitive. | contains | string | "dridex" | |
| total | The total number of AV engines that scanned this particular file. | >, >=, <, <=, and = | integer | 42 | |
| positives | The number of positive AV engine detections. | >, >=, <, <=, and = | integer | 25 | |
| md5 | The MD5 hash of the file. The search is case-insensitive. | = | string | 02cfa3e6fdb4301528e5152de76b2abf | |
| sha1 | The SHA1 hash of the file. The search is case-insensitive. | = | string | ed205f958fc9a60f3396384d9e1c75feb5b76a91 | |
| sha256 | The SHA256 hash of the file. The search is case-insensitive. | = | string | 7bcb0abcfbea20ecfe31d8dd65146b8b1ffd0d81479d11dc329b2f99e263bd78 | |
| list | Either Whitelist, Blacklist, Greylist, or Unknown. | = | string | Blacklist | |
| filetype | The extension of the file type. | = | string | exe | |
| submitted | The date the file was submitted to the Malware Analysis Center. | >, >=, <, <=, and = | string | "1 May 2019" | |
| rulename | The name of the a Yara rule contained within a Yara ruleset. This field will match on all files where the specified rulename fired. | contains | string | Win_Trojan_Dridex_24 | |
| rulesetname | The name of the a Yara rule set. This field will match on all files where any rule in the specified ruleset fired. | contains | string | ClamAV - Windows Trojans |