claudeers.

🔓 unclaimed — this page was auto-generated from GitHub. Are you the creator?

Claim this page →
// MCP Servers

Malware-Sandbox-mcp

Detonate files & URLs in cloud malware sandboxes (Hybrid Analysis, tria.ge, ANY.RUN) and enrich IOCs across MalwareBazaar, ThreatFox, URLhaus, Feodo, URLScan…

// MCP Servers[ api ][ desktop ][ web ][ claude ]#claude#anyrun#cybersecurity#dfir#fastmcp#hybrid-analysis#ioc#malware-analysis#mcp-serversMIT$open-sourceupdated 12 days ago
Actively maintained
97/100
last commit 27 days ago
last release none
releases 0
open issues 0
// install
{
  "mcpServers": {
    "Malware-Sandbox-mcp": {
      "command": "npx",
      "args": ["-y", "https://github.com/mukul975/Malware-Sandbox-mcp"]
    }
  }
}

malware-sandbox-mcp

Malware Sandbox MCP — detonate, normalize, enrich for Claude

Detonate suspicious files and URLs in cloud malware sandboxes — and pull back normalized verdicts, IOCs and MITRE ATT&CK techniques — directly from Claude.

[!WARNING] For authorized security research and defensive use only. This server submits files and URLs to third-party cloud sandboxes; on free/community tiers (tria.ge, abuse.ch, Hybrid Analysis) submissions and results may be public and non-deletable. Do not submit confidential, personal, or proprietary data. This repository contains no live malware samples. You are responsible for complying with each provider's Terms of Service and your local laws. See Safety, legal & responsible use.

The problem

Triaging one suspicious sample means juggling four browser tabs: submit to a sandbox, wait, copy the verdict, pivot the C2 into a threat-intel database, look the hash up on VirusTotal, then hand-map behaviours to ATT&CK. Every report has a different schema, and the raw JSON is hundreds of kilobytes — far too large to paste into an LLM.

The solution

One MCP server that wraps 9 backends behind 20 tools with a single normalized report schema. Claude submits a sample, polls asynchronously, and gets back a compact (~4K token) report: verdict, threat score, malware family, top signatures, extracted IOCs, and ATT&CK techniques enriched with tactic names and links — plus tools to retrieve artifacts (dropped files, PCAP, screenshots), enrich IOCs across six intel sources, pivot to related samples, compare verdicts across sandboxes, and export an ATT&CK Navigator layer.

Detonation takes 2–10 minutes, but Claude Desktop enforces a hardcoded ~60s MCP tool timeout. This server therefore uses an async submit → poll pattern: submit_sample returns a task_id in seconds, and each get_report(task_id) call performs exactly one status poll — no tool call ever blocks waiting for the sandbox.

Why this tool

  • 9 backends, 20 tools — detonation, artifacts, enrichment, pivoting, comparison, ATT&CK export.
  • Strictly BYOK — every backend uses your own API key from an environment variable; a missing key disables only that backend, and the server still starts.
  • Async, timeout-safe — submit → poll (handleId) keeps every call under the MCP timeout ceiling.
  • Normalized + token-budgeted — one schema across vendors, summarized to fit an LLM context.
  • MITRE ATT&CK enrichment — techniques resolved to tactic names, links, and Navigator layers.
  • Safe by design — binary artifacts (live malware, PCAPs, dumps) are saved to disk, never inlined; downloads require explicit acknowledgement; all sandbox strings are treated as untrusted data.

Architecture

  Claude  ──submit_sample──▶  malware-sandbox-mcp  ──▶  Detonation sandboxes
    │                              │                     Hybrid Analysis · tria.ge · ANY.RUN
    │   ◀──── task_id ────────     │
    │                              │  normalize ──▶ MITRE ATT&CK enrich ──▶ summarize (<4K tok)
    │   ──get_report(task_id)──▶   │
    │                              ├──▶  Intel sources (enrich / pivot / C2)
    │   ◀── working | report ──    │     MalwareBazaar · ThreatFox · URLhaus · Feodo · URLScan · VirusTotal
    │                              │
    │   ◀── artifacts saved to disk (PCAP, dropped files, screenshots, memory strings)

Tools

All tools degrade gracefully: if the backend they need has no API key, they return a clear "not configured" message instead of failing.

Detonation & reports

ToolDescription
submit_sampleSubmit a file or URL to a detonation sandbox (Hybrid Analysis / tria.ge / ANY.RUN). Returns a task_id immediately.
get_reportOne async poll of a submission; returns working or the final normalized + ATT&CK-enriched report.
get_analysis_stateLightweight status poll (and raw lifecycle detail) for a submission.
get_quotaAPI quota / usage limits for one backend.

Hash & sample intelligence

ToolDescription
search_hashFast static lookup of an MD5/SHA1/SHA256 across MalwareBazaar, Hybrid Analysis, tria.ge.
bulk_hash_lookupLook up many hashes at once for IOC sweeps.
compare_verdictsLook up one hash across sandboxes + VirusTotal and diff verdicts, scores and families.
download_sampleFetch the raw sample (live malware — requires explicit acknowledgement; saved to disk).

Detonation artifacts

ToolDescription
get_dropped_filesRetrieve dropped/extracted binaries from a finished analysis.
get_pcapDownload the network capture (PCAP) for an analysis.
get_screenshotsPull execution screenshots for visual triage.
get_memory_stringsExtracted strings from process memory dumps (Hybrid Analysis).
export_iocsExport a report's IOCs as STIX / MISP / OpenIOC / CSV.
export_attack_layerProduce a MITRE ATT&CK Navigator layer JSON from the report's techniques.

IOC enrichment & pivoting

ToolDescription
enrich_iocEnrich an IP / domain / URL / hash across ThreatFox, URLhaus, VirusTotal, Feodo.
check_c2_blocklistCheck whether an IP/domain is a known botnet C2 (Feodo + ThreatFox + URLhaus).
search_samplesSearch by family / tag / signature / IOC across sandboxes + ThreatFox.
pivot_iocGiven an IOC, find all related samples across HA, tria.ge, MalwareBazaar, ThreatFox.

URL analysis

ToolDescription
scan_urlSubmit a URL to URLScan.io (unlisted by default; public requires acknowledgement).
get_url_scan_resultRetrieve a URLScan result (verdict, screenshot URL, contacted infrastructure).

Installation

Requires Python 3.11+ and uv.

git clone https://github.com/mukul975/Malware-Sandbox-mcp.git
cd Malware-Sandbox-mcp
uv sync            # create the venv and install dependencies
uv run python server.py    # run over stdio (Ctrl-C to stop)

Pip fallback:

python -m venv .venv && . .venv/Scripts/activate   # Windows; use .venv/bin/activate elsewhere
pip install -e .
python server.py

Configuration (BYOK — bring your own keys)

Every backend reads your own API key from an environment variable. Set only the ones you have — anything unset is disabled, and the server still starts. Copy .env.example and fill in what you have, or set the keys directly in your MCP client config below.

BackendEnv varFree tier?Where to get the key
Hybrid Analysis (Falcon Sandbox)HA_API_KEYYes — but a one-time vetting is required to upgrade a restricted (search-only) key to full submit/download.hybrid-analysis.com → profile → API key
tria.ge (Recorded Future Sandbox)TRIAGE_API_KEYYes — public tier; submissions are public and cannot be deleted.tria.ge → Account → API access
ANY.RUNANYRUN_API_KEYNo — API needs a paid Hunter/Enterprise plan (or trial).app.any.run → API and Limits
MalwareBazaar (abuse.ch)MALWAREBAZAAR_API_KEY or ABUSECH_API_KEYYes — fair use; downloads capped at 2,000/IP/day.auth.abuse.ch
ThreatFox (abuse.ch)THREATFOX_API_KEY or ABUSECH_API_KEYYes — fair use; IOCs older than 6 months are expired.auth.abuse.ch
URLhaus (abuse.ch)URLHAUS_API_KEY or ABUSECH_API_KEYYes — fair use.auth.abuse.ch
Feodo Tracker (abuse.ch)(none)Yes — public blocklist, no key.n/a
URLScan.ioURLSCAN_API_KEYYes — rate-limited per minute/hour/day.urlscan.io → Settings → API
VirusTotalVT_API_KEY or VIRUSTOTAL_API_KEYYes — public API: 4 req/min, 500/day, non-commercial only.virustotal.com → API key

abuse.ch now issues one Auth-Key for all its services — set ABUSECH_API_KEY once and MalwareBazaar, ThreatFox and URLhaus all use it (the per-service vars override it if needed).

Optional: SANDBOX_ARTIFACTS_DIR sets where downloaded samples, PCAPs and screenshots are written (default data/artifacts/). TRIAGE_BASE_URL points tria.ge at a private cloud.

Claude Desktop / Claude Code config

Copy .mcp.json.example to .mcp.json (Claude Code, project-local), or paste the block into claude_desktop_config.json (Claude Desktop — %APPDATA%\Claude\claude_desktop_config.json on Windows):

{
  "mcpServers": {
    "malware-sandbox": {
      "command": "uv",
      "args": ["run", "--directory", "D:\\Malware-Sandbox-mcp", "python", "server.py"],
      "timeout": 600000,
      "env": {
        "HA_API_KEY": "",
        "TRIAGE_API_KEY": "",
        "ABUSECH_API_KEY": "",
        "URLSCAN_API_KEY": "",
        "VT_API_KEY": ""
      }
    }
  }
}

On Windows, if your client can't find uv on the PATH, wrap it with cmd /c:

"command": "cmd",
"args": ["/c", "uv", "run", "--directory", "D:\\Malware-Sandbox-mcp", "python", "server.py"]

timeout (Claude Code only) keeps long polling sessions and the one-time MITRE ATT&CK dataset download from being cut off. If reports get truncated, raise MAX_MCP_OUTPUT_TOKENS=50000 in the environment Claude Code runs in.

Usage examples

Natural-language prompts once the server is connected:

  • "Submit http://example.com to tria.ge and give me the verdict when it's done."
  • "Look up hash ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa everywhere and compare the verdicts."
  • "Is 8.8.8.8 a known botnet C2?"
  • "Enrich the domain example.com across all threat-intel sources."
  • "Find related samples for the AgentTesla family."
  • "Export an ATT&CK Navigator layer for task triage:240611-abc123."

See TEST_QUERIES.md for ready-to-paste arguments covering every tool.

  • Authorized & defensive use only. This is a triage tool for security researchers and SOC/DFIR analysts.
  • Third-party submission. Files and URLs are sent to external cloud sandboxes. On free/community tiers (tria.ge public, abuse.ch community, Hybrid Analysis public) the submission and its results may be public and non-deletable. submit_sample and public scan_url require an explicit acknowledgement flag. Never submit confidential, personal, or proprietary data.
  • No live malware in this repository. All tests use mocked HTTP responses (respx); no sample ever leaves a test runner.
  • Live malware handling. download_sample retrieves real malware to disk (MalwareBazaar returns a zip with password infected). It requires acknowledge_malware_download=true, saves to a quarantine directory, and never executes anything. Handle downloaded artifacts only in an isolated environment.
  • Untrusted content. Every string in a sandbox report is attacker-controlled and may contain prompt-injection text; the server passes it through strictly as data.
  • Provider Terms of Service. You must comply with each backend's ToS (e.g. Hybrid Analysis vetting/terms, abuse.ch confirmed-malware-only policy, VirusTotal's non-commercial public-API clause). Results are licensed by their providers; keep usage strictly BYOK.
  • No warranty. Provided "as is" (see LICENSE); the authors are not liable for misuse.

To report a security issue, see SECURITY.md.

Development

uv sync --extra dev
uv run pytest            # 156 tests, fully offline (respx-mocked)
uv run ruff check .      # lint
uv run ruff format .     # format

Tests never make real network calls — all sandbox/intel HTTP is intercepted by respx. See CONTRIBUTING.md.

Contributing & policies

License

MIT © Mahipal

Threat-intelligence and sandbox data are provided by Hybrid Analysis, Recorded Future (tria.ge), ANY.RUN, abuse.ch (MalwareBazaar / ThreatFox / URLhaus / Feodo Tracker), URLScan.io and VirusTotal under their respective terms. MITRE ATT&CK® is a registered trademark of The MITRE Corporation.

// compatibility

Platformsapi, desktop, web
Operating systems
AI compatibilityclaude
LicenseMIT
Pricingopen-source
LanguagePython

// faq

What is Malware-Sandbox-mcp?

Detonate files & URLs in cloud malware sandboxes (Hybrid Analysis, tria.ge, ANY.RUN) and enrich IOCs across MalwareBazaar, ThreatFox, URLhaus, Feodo, URLScan & VirusTotal — straight from Claude. BYOK, async, MITRE ATT&CK.. It is open-source on GitHub.

Is Malware-Sandbox-mcp free to use?

Malware-Sandbox-mcp is open-source under the MIT license, so it is free to use.

What category does Malware-Sandbox-mcp belong to?

Malware-Sandbox-mcp is listed under mcp-servers in the Claudeers registry of Claude-compatible tools.

0 views
13 stars
unclaimed
updated 12 days ago

// embed badge

Malware-Sandbox-mcp on Claudeers
[![Claudeers](https://claudeers.com/api/badge/malware-sandbox-mcp.svg)](https://claudeers.com/malware-sandbox-mcp)

// retro hit counter

Malware-Sandbox-mcp hit counter
[![Hits](https://claudeers.com/api/counter/malware-sandbox-mcp.svg)](https://claudeers.com/malware-sandbox-mcp)

// reviews

// guestbook

0/500

// related in MCP Servers

🔓

f.k.a. Awesome ChatGPT Prompts. Share, discover, and collect prompts from the community. Free and open source — self-host for your organization with complete…

// mcp-serversf/HTML164,687NOASSERTION[ claude ]
🔓

A cross-platform desktop All-in-One assistant for Claude Code, Codex, OpenCode, OpenClaw, Gemini CLI & Hermes Agent. Only official website: ccswitch.io

// mcp-serversfarion1231/Rust112,854MIT[ claude ]
🔓

An open-source AI agent that brings the power of Gemini directly into your terminal.

// mcp-serversgoogle-gemini/TypeScript105,729Apache-2.0[ claude ]
🔓

A collection of MCP servers.

// mcp-serverspunkpeye/90,251MIT[ claude ]
→ see how Malware-Sandbox-mcp connects across the ecosystem