From afca13bfd0f387099e5c2e479f61843f7e2d4076 Mon Sep 17 00:00:00 2001
From: Samuel Hassine
Date: Sat, 3 Aug 2024 12:27:39 -0700
Subject: [PATCH] [reversinglabs] Fix MD5 STIX patterns
---
 .../reversinglabs-malware-presence/src/main.py | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)
diff --git a/internal-enrichment/reversinglabs-malware-presence/src/main.py b/internal-enrichment/reversinglabs-malware-presence/src/main.py
index ae7326c3a5..fa9cc2cc9b 100644
--- a/internal-enrichment/reversinglabs-malware-presence/src/main.py
+++ b/internal-enrichment/reversinglabs-malware-presence/src/main.py
@@ -701,9 +701,14 @@ def _check_file_reputation(
 if results["score"] > 50:
 # Generate indicator from observable with relationships
- indicator_pattern = (
- f"[file:hashes. '{self.hash_type}' = '{self.hash}']"
- )
+ if self.hash_type == "MD5":
+ indicator_pattern = (
+ f"[file:hashes.{self.hash_type} = '{self.hash}']"
+ )
+ else:
+ indicator_pattern = (
+ f"[file:hashes.'{self.hash_type}' = '{self.hash}']"
+ )
 main_observable_type = "File"
 indicator_name = self.hash
 self._generate_stix_indicator(
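Review bot: Both branches place `self.hash` inside the quoted literal of the STIX pattern without checking its shape, so a value containing `'` or `\` would produce a malformed or altered pattern. `self.hash` is assigned outside this hunk, so it may already be validated upstream. If it is not, a check such as `re.fullmatch(r"[0-9a-fA-F]+", self.hash)` ahead of the `if self.hash_type == "MD5":` line, skipping indicator creation on failure, would keep non-hex input out of generated indicators. The branch also relies on the exact spelling `"MD5"`; deriving the quoting from the key itself, e.g. `key = self.hash_type if self.hash_type.isalnum() else f"'{self.hash_type}'"`, would avoid a per-algorithm special case. The enclosing `_check_file_reputation` starts and ends outside the hunk.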