Client library for the mwdb service by CERT Polska. Python 2/3.
Branch: public
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Type Name Latest commit message Commit time
Failed to load latest commit information.
.gitignore 2.2.0: mwdblib Dec 14, 2018

mwdblib API bindings for Python 2.x/3.x. Use it if you want to automate data uploading/fetching from or have some ipython-based CLI :)


Print names and tags of 25 recent files

from mwdblib import Malwarecage
from itertools import islice

mwdb = Malwarecage()
mwdb.login("admin", "password123")

# recent_files is generator, do not execute list(recent_files) without islice!
files = list(islice(mwdb.recent_files(), 25))
print [(f.file_name, f.tags) for f in files]

Find all Netwire configs

configs ="")

print [c.cfg for c in configs]

Download file with hash

h = "3629344675705286607dd0f680c66c19f7e310a1"
file = mwdb.query_file(h)

with open(h, "wb") as f:

Download first file with size less than 1000 bytes and VBS extension

dropper ='file.size:[0 TO 1000] AND"*.vbs"')[0]

with open(dropper.file_name, "wb") as f:
print "Downloaded {}".format(dropper.file_name)

Get list of all files dropped by 3629344675705286607dd0f680c66c19f7e310a1

from mwdblib.file import MalwarecageFile

file = mwdb.query_file("3629344675705286607dd0f680c66c19f7e310a1")
print [(child.file_name, child.sha256, child.tags) for child in file.children if isinstance(child, MalwarecageFile)]

Print all comments which contains "malware"

files ='file.comment:"*malware*"')
for f in files:
    for cm in f.comments:
        if "malware" in cm.comment:
            print "{}: {}".format(, cm.comment)

Get upload time of last sample commented "malware"


Get metakey cuckoo_id for file e46e4aadc462cd9b70e44610afd6b549 (if used with Malwarecage)

file = mwdb.query_file("e46e4aadc462cd9b70e44610afd6b549")
print "Cuckoo IDs is {}".format(file.metakeys.get("cuckoo_id"))

Use local Malwarecage 2 instance with pregenerated token

from mwdblib.api import MalwarecageAPI
from mwdblib import Malwarecage

api = MalwarecageAPI("http://localhost:8080", "tokentokentoken")
mwdb = Malwarecage(api)

Use local Malwarecage 2 instance in testing enviroment

import mwdblib

api = mwdblib.MalwarecageAPI("http://localhost:5000")
m = mwdblib.Malwarecage(api)
m.login("admin", "admin")