
Malware Intelligence: MWDB Integration


Module metadata


Source reference

content/modules/malware-intel-mwdb.md

Last updated

18 Mar 2026

Category

Base Modules

Content checksum

330a989901210fff

Tags

modules


Overview

Argus integrates with MWDB (Malware Database), the open-source malware repository maintained by CERT Polska, which serves as a community platform for storing, searching, and sharing malware samples and their analysis results. The integration allows Argus to ingest malware sample metadata by SHA256 hash, link samples to ongoing investigations, and cross-reference against indicator sets -- bringing structured malware intelligence into the investigation workflow without requiring direct analyst access to the MWDB interface.

Key Features

Sample Ingestion by SHA256

Submit a SHA256 hash to the ingestMwdbSample mutation, and Argus queries the connected MWDB instance via MwdbClient to retrieve associated metadata: file type, first seen date, last seen date, tags, file relationships (child/parent blobs), and associated config objects extracted by malware analysis pipelines. The sample record is persisted to PostgreSQL as the source of truth and an interop ingest audit record is written.

Config and Tag Intelligence

MWDB's unique value is its aggregation of malware configurations extracted by automated analysis. When available, sample records include extracted C2 addresses, encryption keys, mutex names, and version strings -- precisely the indicators that direct C2 blocking and hunting rules. These are surfaced directly in the Argus sample record.

Sample Export Audit

When Argus shares MWDB sample references externally (e.g., attaching them to STIX reports or MISP events), the export is logged via log_interop_export, satisfying EDF Golden Rule 15 requirements for classified intelligence data lineage.

SecrecyLevel Enforcement

Individual sample records carry secrecy_level tags enabling multi-classification malware repositories. Samples obtained from classified analysis pipelines can be tagged accordingly and filtered from lower-clearance analyst views.
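As an added illustration of the ingestion flow and the SecrecyLevel filtering described above (example code written for this page, not Argus's MwdbClient or MWDB's own code), the snippet below validates the requested SHA256, normalises an MWDB-style file object into a sample record with its extracted C2 indicators, and applies a clearance check. The file-object shape and the secrecy_level labels are assumptions.

```python
# Added illustration (not Argus or MWDB code): normalise an MWDB-style file
# object into a sample record and apply a secrecy_level filter. The JSON
# shape and the secrecy_level labels below are assumptions.
import re

SHA256_RE = re.compile(r"^[0-9a-f]{64}$")

# Assumed clearance ordering for secrecy_level tags (lowest to highest).
SECRECY_ORDER = {"public": 0, "tenant": 1, "restricted": 2, "classified": 3}

# Constructed MWDB-style file object, as a client might receive it.
SAMPLE_OBJECT = {
    "sha256": "a" * 64,
    "file_type": "PE32 executable (GUI) Intel 80386, for MS Windows",
    "upload_time": "2026-01-05T10:12:00+00:00",
    "tags": [{"tag": "family:example"}, {"tag": "secrecy_level:restricted"}],
    "parents": [{"sha256": "b" * 64}],
    "children": [],
    "latest_config": {
        "family": "example",
        "cfg": {"c2": ["203.0.113.7:8080", "198.51.100.9:443"], "mutex": "MX-01"},
    },
}


def ingest_sample(obj, requested_sha256):
    """Validate the requested hash, then build the record Argus would persist."""
    h = requested_sha256.strip().lower()
    if not SHA256_RE.match(h) or obj.get("sha256", "").lower() != h:
        raise ValueError("not a SHA256, or does not match the MWDB object")
    tags = [t["tag"] for t in obj.get("tags", [])]
    # secrecy_level travels as a tag; default to the lowest level if absent.
    level = next((t.split(":", 1)[1] for t in tags
                  if t.startswith("secrecy_level:")), "public")
    cfg = (obj.get("latest_config") or {}).get("cfg", {})
    return {
        "sha256": h,
        "file_type": obj.get("file_type"),
        "first_seen": obj.get("upload_time"),
        "tags": tags,
        "parents": [p["sha256"] for p in obj.get("parents", [])],
        "children": [c["sha256"] for c in obj.get("children", [])],
        "c2": list(cfg.get("c2", [])),  # extracted C2 indicators
        "secrecy_level": level,
    }


def visible_to(record, clearance):
    """SecrecyLevel enforcement: hide records above the analyst's clearance."""
    # Unknown levels are treated as the most restrictive, never as public.
    needed = SECRECY_ORDER.get(record["secrecy_level"], max(SECRECY_ORDER.values()))
    return needed <= SECRECY_ORDER[clearance]
```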

Statistics and Inventory

Query the sample inventory with filtering by tag, file type, or ingestion date range. The stats query returns counts by tag and file type, giving threat intelligence teams visibility into which malware families are most represented in their tenant repository.

Use Cases

  • Malware-Linked Investigation: When a MISP event references a SHA256 hash, automatically pull the MWDB sample record to enrich the indicator with file metadata and extracted config, linking it to any matching investigations.
  • C2 Infrastructure Mapping: Use extracted MWDB config data (C2 addresses, ports) to seed network-level hunting rules in Suricata and populate MISP feeds with new indicators.
  • Incident Attribution: Cross-reference malware samples observed in an incident against the MWDB family tree to identify shared code, common packers, or shared C2 infrastructure pointing to a specific threat actor.
  • CERT Collaboration: Contribute anonymised sample references to the MWDB community while maintaining tenant-level isolation for sensitive sample metadata within Argus.

Integration

Available via GraphQL with queries for sample listing and statistics, and mutations for SHA256 ingestion, tag filtering, and sample export. All operations require authentication and organisation scoping.

Compatible with MWDB REST API v2+. Works alongside MISP (for feed enrichment), CAPE Sandbox (for dynamic analysis correlation), YARA Engine (for pattern-based malware classification), and STIX/TAXII (for sharing sample intelligence).

Last Reviewed: 2026-03-18