
Malware Intelligence: MWDB Integration

Pull structured malware sample intelligence into your investigations in seconds, not minutes, by connecting Argus to a MWDB (Malware Database) instance.

Category: Modules
Last Updated: Mar 18, 2026
Tags: modules, compliance, blockchain

Overview#


A CERT analyst investigating a spearphishing campaign across three EU member states finds one of the attachment hashes referenced in a MISP event shared by a partner CSIRT. Submitting the SHA-256 to Argus takes under two seconds. The response arrives with extracted command-and-control configuration data, a malware family tag, relationship links to earlier variants from the same campaign, and automated analysis references showing the sample's processing history. The C2 addresses feed directly into Suricata rule generation. The family tag links back to previous sandbox analysis records. A thirty-minute manual enrichment task becomes a ninety-second automated pull.

Argus integrates with MWDB, the open-source malware repository maintained by CERT Polska, which serves as a community platform for storing, searching, and sharing malware samples and their analysis results. The integration ingests sample metadata by SHA-256 hash, links samples to ongoing investigations, and cross-references against indicator sets, bringing structured malware intelligence into the investigation workflow without requiring direct analyst access to the MWDB interface.

Key Features#

  • Sample ingestion by hash. Submit a SHA-256 hash to retrieve associated metadata: file type, cryptographic hashes (MD5, SHA-256, SHA-512), analyst tags, file relationships, and automated analysis references. The resulting sample record is persisted and an interoperability ingest audit entry is written immediately.
  • Extracted configuration intelligence. MWDB's primary value lies in its aggregation of malware configurations extracted by automated analysis pipelines. When available, sample records include extracted C2 addresses, encryption keys, mutex names, and version strings, precisely the indicators needed to drive C2 blocking rules and threat-hunting queries.
  • Export audit trail. Whenever Argus shares a sample reference externally, for example attaching it to a STIX report or a MISP event, the action is logged to the platform audit trail. Every piece of classified intelligence carries a complete data-lineage record from ingest to export.
  • Classification-level enforcement. Individual sample records carry classification tags enabling multi-tier malware repositories. Samples obtained from classified analysis pipelines are tagged accordingly and filtered from lower-clearance analyst views, enforcing need-to-know access at the record level.
  • Sample inventory and statistics. Browse the sample inventory with filtering by malware family and status, and retrieve aggregate counts for tenant-wide reporting. Threat intelligence teams can quickly identify which malware families are most prevalent in their repository and prioritise rule development accordingly.
  • MISP linkage tracking. The platform tracks whether each sample has been linked to a corresponding MISP event, giving analysts a clear view of which ingested samples have already been shared with partner organisations.

Use Cases#

CERT and CSIRT Teams#

When a MISP event references a SHA-256 hash, automatically pull the MWDB sample record to enrich the indicator with file metadata and extracted configuration, linking it to any matching open investigations. Share anonymised sample references back to the MWDB community while maintaining tenant-level isolation for sensitive metadata within Argus.

C2 Infrastructure Mapping#

Use extracted configuration data, including C2 addresses and ports, to seed network-level hunting rules in Suricata and populate MISP feeds with new indicators for community sharing. The automated path from hash submission to actionable rule candidate takes seconds.
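The path from extracted configuration to rule candidate, as an added example (this is not code from the page, from Argus, or from the MWDB project). The input is a constructed object whose outer shape (`family`, `config_type`, `cfg`) is assumed to resemble an MWDB config record; the family name, the C2 list and the sid range are invented. The example goes slightly beyond the text: it also drops non-routable addresses and duplicates, which an automated pipeline must do before anything reaches a sensor.

```python
"""Turn the C2 list of an extracted malware configuration into Suricata rules."""
import ipaddress
import re
from urllib.parse import urlparse

# Constructed input. The outer shape (family / config_type / cfg) is assumed to
# resemble an MWDB config record; every value below is invented for this example.
SAMPLE_CONFIG = {
    "family": "examplerat",
    "config_type": "static",
    "cfg": {
        "c2": [
            "203.0.113.10:8443",                    # ip:port
            "http://c2.example.net:8080/gate.php",  # full URL
            "198.51.100.7",                         # bare ip, no port
            "10.0.0.5:443",                         # RFC 1918: must be dropped
            "203.0.113.10:8443",                    # duplicate: emitted once
        ],
        "mutex": "Global\\examplerat_mtx",
        "version": "1.4",
    },
}

# Address space that must never become a blocking rule whatever the config
# says: a sample phoning home to 10.0.0.5 describes the analysis lab, not the
# adversary. Listed explicitly rather than via ip.is_private so that the
# documentation ranges used in this constructed sample still pass.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4",
    "::1/128", "fc00::/7", "fe80::/10",
)]

HOSTNAME_RE = re.compile(
    r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?(?:\.[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?)+"
)


def parse_c2(entry):
    """Normalise one C2 string into (host, port, kind) or None.

    Accepts "host:port", "host" and full URLs. kind is "ip" or "domain";
    port is None when the entry carries none. Returns None for anything
    unparseable or pointing at non-routable space.
    """
    entry = entry.strip()
    # urlparse only splits host/port when a scheme or a leading "//" is present
    u = urlparse(entry if "://" in entry else "//" + entry)
    try:
        host, port = u.hostname, u.port   # .port raises ValueError when out of range
    except ValueError:
        return None
    if not host:
        return None
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    if ip is not None:
        if any(ip in net for net in NON_ROUTABLE):
            return None
        return (str(ip), port, "ip")
    host = host.lower()
    if not HOSTNAME_RE.fullmatch(host):
        return None
    return (host, port, "domain")


def c2_indicators(config):
    """Deduplicated, order-preserving list of normalised C2 indicators."""
    seen, out = set(), []
    for raw in config.get("cfg", {}).get("c2", []):
        parsed = parse_c2(raw)
        if parsed is None or parsed in seen:
            continue
        seen.add(parsed)
        out.append({"host": parsed[0], "port": parsed[1], "kind": parsed[2], "raw": raw})
    return out


def suricata_rules(config, sid_base=1000000):
    """One Suricata rule per indicator; sids are allocated sequentially from sid_base."""
    family = re.sub(r"[^A-Za-z0-9_.-]", "_", config.get("family", "unknown"))
    rules = []
    for i, ind in enumerate(c2_indicators(config), start=1):
        tail = (f"classtype:trojan-activity; metadata:mwdb_family {family}; "
                f"sid:{sid_base + i}; rev:1;)")
        if ind["kind"] == "ip" and ind["port"] is not None:
            rules.append(f'alert tcp $HOME_NET any -> {ind["host"]} {ind["port"]} '
                         f'(msg:"MWDB {family} C2 {ind["host"]}:{ind["port"]}"; '
                         f"flow:to_server,established; {tail}")
        elif ind["kind"] == "ip":
            rules.append(f'alert ip $HOME_NET any -> {ind["host"]} any '
                         f'(msg:"MWDB {family} C2 {ind["host"]}"; {tail}')
        else:
            # bsize pins the buffer length so the rule matches the exact name
            # and "evilc2.example.net" does not also fire.
            rules.append(f'alert dns any any -> any any '
                         f'(msg:"MWDB {family} C2 domain {ind["host"]}"; dns.query; '
                         f'content:"{ind["host"]}"; nocase; bsize:{len(ind["host"])}; {tail}')
    return rules


if __name__ == "__main__":
    for rule in suricata_rules(SAMPLE_CONFIG):
        print(rule)
```

The three rules this produces are candidates, not a deployable ruleset: sid ranges, `$HOME_NET` and the decision whether to alert or drop belong to the sensor owner, and the exact-match DNS rule deliberately does not cover subdomains of the C2 name.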

Incident Attribution#

Cross-reference malware samples observed during an incident against the MWDB family tree to identify shared code, common packers, or shared C2 infrastructure pointing to a specific threat actor. Combine this with sandbox analysis records and MITRE ATT&CK technique tagging for a complete attribution picture.

Multi-Classification Environments#

Operate malware repositories that span multiple classification levels within a single tenant. Analysts receive only the sample records their clearance permits, while the full audit trail remains intact for compliance and oversight purposes.

Integration#

The MWDB capability is accessible via the platform's GraphQL API. Available queries allow analysts to list sample records with optional filters for malware family and status, retrieve a specific sample record by identifier, and fetch aggregate inventory statistics. A mutation allows programmatic ingestion of a new sample by SHA-256 hash, optionally specifying a classification level at ingest time. All operations require authentication and are scoped to the requesting organisation.

The integration connects to MWDB's REST API (v2 and above) using an API key supplied at query time, giving each tenant full control over which MWDB instance and credentials are used; because the key travels in the request, pass it as a GraphQL variable rather than an inline literal in the query string so it stays out of client-side query logging. Authentication to the platform API itself uses OAuth 2.0 bearer tokens (JWT). Normalised sample records follow a consistent internal model, making MWDB-sourced intelligence directly composable with indicators from MISP, CAPE sandbox results, Suricata rule pipelines, and STIX/TAXII sharing channels, all without format translation in the analyst workflow.
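What the normalisation step has to check, as an added example (not the platform's code). The input is a constructed MWDB file object; the field names used (`id`, `sha256`, `md5`, `sha1`, `sha512`, `file_name`, `file_size`, `file_type`, `tags[].tag`, `parents[].id`, `children[].id`, `latest_config`, `upload_time`) are this example's assumption about the MWDB REST response layout, and every value is invented. The record layout on the output side is likewise assumed; the point is the two checks a practitioner wants before a record is persisted: the submitted identifier really is a SHA-256, and the object that came back is the one that was asked for.

```python
"""Normalise an MWDB file object into an internal sample record, with integrity checks."""
import re
from datetime import datetime, timezone

SHA256_RE = re.compile(r"[0-9a-fA-F]{64}")

# Constructed MWDB response. Field names are assumed to follow the MWDB file
# object; all values are invented.
SHA = "a" * 64
PARENT = "b" * 64
MWDB_FILE = {
    "id": SHA,
    "sha256": SHA,
    "md5": "0" * 32,
    "sha1": "1" * 40,
    "sha512": "2" * 128,
    "file_name": "invoice_2026-03.doc.exe",
    "file_size": 348160,
    "file_type": "PE32 executable (GUI) Intel 80386, for MS Windows",
    "upload_time": "2026-03-10T09:12:44+00:00",
    "tags": [{"tag": "examplerat"}, {"tag": "feed:partner-csirt"}],
    "parents": [{"id": PARENT, "type": "file"}],
    "children": [],
    "latest_config": {
        "family": "examplerat",
        "config_type": "static",
        "cfg": {"c2": ["203.0.113.10:8443"], "version": "1.4"},
    },
}


class IngestError(ValueError):
    """Raised when the submitted hash or the returned object cannot be trusted."""


def canonical_sha256(value):
    """Lower-cased, validated SHA-256 hex digest.

    A 32- or 40-character digest (MD5, SHA-1) is rejected outright, so a
    collision-prone hash can never become the identifier a sample is stored under.
    """
    value = (value or "").strip()
    if not SHA256_RE.fullmatch(value):
        raise IngestError(f"not a SHA-256 hex digest: {value[:16]!r}")
    return value.lower()


def normalise_sample(requested_sha256, obj, classification="UNCLASSIFIED"):
    """Map one MWDB file object onto the internal record (layout assumed here).

    The object is accepted only if its sha256 and id equal the hash that was
    requested: a cache, proxy or misconfigured instance returning a different
    sample must not end up attached to the investigation.
    """
    want = canonical_sha256(requested_sha256)
    got = canonical_sha256(obj.get("sha256"))
    if got != want or canonical_sha256(obj.get("id")) != want:
        raise IngestError(f"MWDB returned {got[:12]} for requested {want[:12]}")
    tags = [t["tag"] for t in obj.get("tags", []) if isinstance(t, dict) and "tag" in t]
    cfg = obj.get("latest_config") or {}
    return {
        "sample_id": want,
        "hashes": {k: (obj.get(k) or "").lower() for k in ("md5", "sha1", "sha256", "sha512")},
        "file_name": obj.get("file_name"),
        "file_size": obj.get("file_size"),
        "file_type": obj.get("file_type"),
        "family": cfg.get("family"),
        "tags": tags,
        "extracted_config": cfg.get("cfg") or {},
        "relationships": {
            "parents": [canonical_sha256(p["id"]) for p in obj.get("parents", [])],
            "children": [canonical_sha256(c["id"]) for c in obj.get("children", [])],
        },
        "source": "mwdb",
        "classification": classification,
        "first_seen_upstream": obj.get("upload_time"),
        "ingested_at": datetime.now(timezone.utc).isoformat(),
    }


if __name__ == "__main__":
    record = normalise_sample(SHA, MWDB_FILE, classification="RESTRICTED")
    print(record["sample_id"], record["family"], record["extracted_config"])
```

Relationship hashes pass through the same validator as the requested hash, so a malformed parent or child identifier in the upstream object fails the whole ingest rather than producing a dangling link in the family tree.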

Open Standards#

  • MWDB REST API (CERT Polska), the upstream data source; Argus consumes the v2+ JSON REST interface for sample metadata and analysis results.
  • SHA-256 / SHA-512 (FIPS 180-4) and MD5 (RFC 1321), cryptographic hash algorithms used as sample identifiers. SHA-256 is the primary identifier and the only hash a sample can be ingested under; SHA-512 and MD5 are carried as secondary identifiers for cross-referencing with feeds that still publish them. MD5 collisions are practical, so it must never be used as a lookup key.
  • STIX 2.1 (OASIS), structured representation used when exporting sample intelligence to partner organisations or attaching samples to threat reports.
  • TAXII 2.1 (OASIS), transport protocol for sharing STIX bundles containing MWDB-sourced sample intelligence with external CSIRT and ISAC feeds.
  • MISP core format, native format for indicator cross-referencing and community sharing; sample records track MISP linkage status directly.
  • Suricata rules / EVE JSON, C2 addresses and network indicators extracted from MWDB configurations are output in Suricata-compatible rule format.
  • YARA, pattern-based malware classification rules complement MWDB family tags for static analysis correlation.
  • MITRE ATT&CK, technique and tactic tagging applied to malware family records to contextualise sample intelligence within the broader threat landscape.
  • OAuth 2.0 / JWT (RFC 6749 / RFC 7519), authentication and authorisation for all API access to the platform.
  • GraphQL (June 2018 specification), query and mutation interface through which all MWDB operations are exposed to API consumers.

Security & Compliance#

All ingest and export events are written to an immutable interoperability audit log, recording the acting user, organisation, classification level, source standard, and timestamp. This satisfies intelligence data-lineage requirements for classified sample handling and supports audit obligations under frameworks such as the EU NIS2 Directive.

Classification-level enforcement is applied at the record level: a user's clearance is evaluated against the sample's classification tag before any data is returned, and any attempt to access a record above the user's clearance is refused and logged. Export of sample references to external systems (STIX reports, MISP events) is likewise audit-logged, providing a complete chain of custody from the moment a hash is submitted.
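The two access decisions described here (refuse-and-log on a direct fetch, silent filtering on a listing) together with the tenant-isolation rule, as an added example that is not the platform's code. The level ordering, the record fields and the audit entry layout are assumptions of the example; the sample data is constructed.

```python
"""Record-level classification enforcement with an audit entry for every decision."""
from dataclasses import dataclass
from datetime import datetime, timezone

# Linear ordering of classification levels: an assumption of this example,
# the page does not name the platform's actual tiers.
LEVELS = {"UNCLASSIFIED": 0, "RESTRICTED": 1, "CONFIDENTIAL": 2, "SECRET": 3}


def level(name, *, fail_closed_high):
    """Numeric rank of a level name. Unknown names fail closed: an unknown
    clearance ranks below every record, an unknown classification above every user."""
    if name in LEVELS:
        return LEVELS[name]
    return len(LEVELS) if fail_closed_high else -1


@dataclass(frozen=True)
class User:
    name: str
    org: str
    clearance: str


@dataclass(frozen=True)
class Sample:
    sha256: str
    org: str
    classification: str
    family: str


AUDIT = []  # in-memory stand-in for the append-only interoperability audit log


def audit(user, sha256, outcome, classification=None):
    AUDIT.append({
        "ts": datetime.now(timezone.utc).isoformat(),
        "user": user.name, "org": user.org, "sha256": sha256,
        "classification": classification, "outcome": outcome,
    })


def get_sample(user, samples_by_id, sha256):
    """Fetch one record by hash, applying tenant isolation before clearance.

    A hash that exists only in another tenant is answered exactly like a hash
    that does not exist at all, so the response never reveals that some other
    organisation holds the sample.
    """
    sample = samples_by_id.get(sha256)
    if sample is None or sample.org != user.org:
        audit(user, sha256, "not_found")
        return None
    if level(user.clearance, fail_closed_high=False) < level(sample.classification, fail_closed_high=True):
        audit(user, sha256, "refused", sample.classification)
        raise PermissionError(f"{sample.classification} record exceeds clearance of {user.name}")
    audit(user, sha256, "granted", sample.classification)
    return sample


def list_samples(user, samples):
    """Inventory view, silently filtered to the tenant and the clearance, so an
    analyst browsing the repository is not told that higher-classified records exist."""
    mine = level(user.clearance, fail_closed_high=False)
    return [s for s in samples
            if s.org == user.org and level(s.classification, fail_closed_high=True) <= mine]


# Constructed data for a demonstration run.
SAMPLES = [
    Sample("a" * 64, "cert-a", "UNCLASSIFIED", "examplerat"),
    Sample("b" * 64, "cert-a", "SECRET", "examplerat"),
    Sample("c" * 64, "cert-b", "UNCLASSIFIED", "otherfam"),  # another tenant's record
]
BY_ID = {s.sha256: s for s in SAMPLES}
ANALYST = User("alice", "cert-a", "RESTRICTED")

if __name__ == "__main__":
    print([s.sha256[:8] for s in list_samples(ANALYST, SAMPLES)])
    try:
        get_sample(ANALYST, BY_ID, "b" * 64)
    except PermissionError as err:
        print("refused:", err)
    print(AUDIT[-1])
```

The asymmetry is deliberate: a direct fetch of a record above the caller's clearance is a refusal worth recording, while a listing simply omits what the caller may not see, since nothing was explicitly requested. The tenant check runs first so that the audit entry for a cross-tenant probe carries no classification level of the other tenant's record.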

Tenant isolation ensures that no organisation can access sample records belonging to another tenant, regardless of whether the underlying hash matches a sample held by another organisation on the same platform instance.


Last Reviewed: 2026-03-18 / Last Updated: 2026-04-14
