US Cyber Command · Schema
MalwareSample
A malware sample shared by USCYBERCOM's Cyber National Mission Force (CNMF) via VirusTotal, attributed to a state-sponsored threat actor.
Cybersecurity · Federal Government · Military · Threat Intelligence · Defense
Properties
| Name | Type | Description |
|---|---|---|
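| sha256 | string | SHA-256 hash of the malware sample file (64 hexadecimal characters). Required; it is the only hash the schema requires. |
| md5 | string | MD5 hash of the malware sample file. Optional; MD5 is not collision-resistant, so use it only as a lookup aid alongside sha256. |
| sha1 | string | SHA-1 hash of the malware sample file. Optional; SHA-1 is not collision-resistant, so use it only as a lookup aid alongside sha256. |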
| file_name | string | Original filename of the malware sample, if known. |
| file_type | string | File type or format of the malware sample. |
| date_shared | string | Date CNMF shared the sample on VirusTotal, as a calendar date (YYYY-MM-DD). Required. |
| threat_actor | string | Threat actor or group to which this sample is attributed. |
| nation_state | string | Nation-state sponsor attributed to the threat actor. Required; one of Russia, Iran, North Korea, China, Other, or Unknown. |
| malware_family | string | Name of the malware family or variant. |
| malware_type | string | Classification of malware functionality. |
| virustotal_url | string | VirusTotal URL for this malware sample. |
| advisory_url | string | URL to the USCYBERCOM news release or advisory accompanying this sample. |
| iocs | array | Indicators of Compromise associated with this malware sample; each entry is an object with a required type and value. |
JSON Schema
{
"$schema": "https://json-schema.org/draft/2020-12/schema",
"$id": "https://raw.githubusercontent.com/api-evangelist/us-cyber-command/refs/heads/main/json-schema/uscybercom-malware-sample-schema.json",
"title": "MalwareSample",
"description": "A malware sample shared by USCYBERCOM's Cyber National Mission Force (CNMF) via VirusTotal, attributed to a state-sponsored threat actor.",
"type": "object",
"properties": {
"sha256": {
"type": "string",
"description": "SHA-256 hash of the malware sample file.",
"pattern": "^[0-9a-fA-F]{64}$",
"example": "a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2"
},
"md5": {
"type": "string",
"description": "MD5 hash of the malware sample file. MD5 is not collision-resistant; use it only as a lookup aid alongside sha256.",
"pattern": "^[0-9a-fA-F]{32}$"
},
"sha1": {
"type": "string",
"description": "SHA-1 hash of the malware sample file. SHA-1 is not collision-resistant; use it only as a lookup aid alongside sha256.",
"pattern": "^[0-9a-fA-F]{40}$"
},
"file_name": {
"type": "string",
"description": "Original filename of the malware sample, if known.",
"example": "update.exe"
},
"file_type": {
"type": "string",
"description": "File type or format of the malware sample.",
"example": "PE32 executable"
},
"date_shared": {
"type": "string",
"format": "date",
"description": "Date CNMF shared the sample on VirusTotal, as an RFC 3339 full-date (YYYY-MM-DD)."
},
"threat_actor": {
"type": "string",
"description": "Threat actor or group to which this sample is attributed.",
"example": "Lazarus Group"
},
"nation_state": {
"type": "string",
"description": "Nation-state sponsor attributed to the threat actor.",
"enum": [
"Russia",
"Iran",
"North Korea",
"China",
"Other",
"Unknown"
]
},
"malware_family": {
"type": "string",
"description": "Name of the malware family or variant.",
"example": "MuddyWater"
},
"malware_type": {
"type": "string",
"description": "Classification of malware functionality.",
"enum": [
"Remote Access Trojan",
"Backdoor",
"Ransomware",
"Wiper",
"Dropper",
"Loader",
"Keylogger",
"Credential Stealer",
"Destructive Malware",
"Spyware",
"Rootkit"
]
},
"virustotal_url": {
"type": "string",
"format": "uri",
"description": "VirusTotal URL for this malware sample.",
"example": "https://www.virustotal.com/gui/file/a1b2c3d4e5f6/detection"
},
"advisory_url": {
"type": "string",
"format": "uri",
"description": "URL to the USCYBERCOM news release or advisory accompanying this sample."
},
"iocs": {
"type": "array",
"description": "Indicators of Compromise associated with this malware sample.",
"items": {
"type": "object",
"properties": {
"type": {
"type": "string",
"enum": ["IP", "Domain", "URL", "File Hash", "Email", "Registry Key"],
"description": "Type of indicator."
},
"value": {
"type": "string",
"description": "Value of the indicator, interpreted according to the sibling type field (for example, a domain name when type is Domain)."
}
},
"required": ["type", "value"]
}
}
},
"required": ["sha256", "date_shared", "nation_state"]
}