Malwoverview.py is a first-response tool for threat hunting that performs an initial, quick triage of malware samples, URLs, IP addresses, domains, malware families, IOCs and hashes.
This tool aims to:
•Find similar executable malware samples (PE/PE+) by import table hash (imphash) and group them by color (pay attention to the second column of the output). Thus, colors matter!
•Show hash information from the Virus Total, Hybrid Analysis, Malshare, Polyswarm, URLhaus, Alien Vault, Malpedia and ThreatCrowd engines.
•Determine whether malware samples contain an overlay and, if you want, extract it.
•Check suspect files on Virus Total, Hybrid Analysis and Polyswarm.
•Check URLs on the Virus Total, Malshare, Polyswarm, URLhaus and Alien Vault engines.
•Download malware samples from the Hybrid Analysis, Malshare, URLHaus, Polyswarm and Malpedia engines.
•Submit malware samples to VirusTotal, Hybrid Analysis and Polyswarm.
•List the latest suspected URLs from URLHaus.
•List the latest payloads from URLHaus.
•Search for specific payloads on Malshare.
•Search for similar payloads (PE32/PE32+) on the Polyswarm engine.
•Classify all files in a directory by looking them up on Virus Total and Hybrid Analysis.
•Produce reports about a suspect domain using different engines such as VirusTotal, Malpedia and ThreatCrowd.
•Check APK packages directly from Android devices against Hybrid Analysis and Virus Total.
•Submit APK packages directly from Android devices to Hybrid Analysis and Virus Total.
•Show URLs related to a user-provided tag from URLHaus.
•Show payloads related to a tag (signature) from URLHaus.
•Show information about an IP address from Virus Total, Alien Vault, Malpedia and ThreatCrowd.
•Show IP address, domain and URL information from Polyswarm.
•Perform meta-search on Polyswarm Network using several criteria: imphash, IPv4, domain, URL and malware family.
•Gather threat hunting information from AlienVault using different criteria.
•Gather threat hunting information from Malpedia using different criteria.
•Gather threat hunting information from ThreatCrowd using different criteria.
•Provide Yara rules and associated information from Valhalla.
•Gather threat hunting information from Malware Bazaar using different criteria.
•Gather IOC information from ThreatFox using different criteria.
•Gather threat hunting information from Triage using different criteria.
INSTALLATION
This tool has been tested on Ubuntu, Kali Linux 2021, REMnux, Windows 8.1 and 10. Malwoverview can be installed by executing the following command:
pip3.9 install git+https://github.com/alexandreborges/malwoverview (preferred method)
or...
python -m pip install -U malwoverview
or...
git clone https://github.com/alexandreborges/malwoverview
To use Malwoverview you must put your VirusTotal, Hybrid Analysis, URLHaus, Malshare, Polyswarm, Alien Vault and Malpedia API keys into the .malwapi.conf configuration file. By default this file lives in the home directory (/home/[username] or /root); if it doesn't exist, create it. Alternatively, create a custom configuration file and point to it with the -c option.
A special note about Alien Vault: you must subscribe to pulses on the Alien Vault website before using the -n 1 option.
The .malwapi.conf configuration file (in the home directory -- /home/[username] or /root) has the following format:
[VIRUSTOTAL]
VTAPI =
[HYBRID-ANALYSIS]
HAAPI =
[MALSHARE]
MALSHAREAPI =
[HAUSSUBMIT]
HAUSSUBMITAPI =
[POLYSWARM]
POLYAPI =
[ALIENVAULT]
ALIENAPI =
[MALPEDIA]
MALPEDIAAPI =
[VALHALLA]
VALHALLAAPI =
[TRIAGE]
TRIAGEAPI =
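Because .malwapi.conf holds live API keys, it is worth checking it before the first run: which services are actually configured, which are still empty, and whether other local users can read the file. The script below is an added example and not part of the Malwoverview project; the section and option names copy the layout above, while the function names, the permission policy (warn when group or world can read the file) and the dummy sample config are this example's own assumptions. The optional path argument plays the role of the tool's -c option; without it the default ~/.malwapi.conf is used.

```python
"""Check a Malwoverview-style .malwapi.conf before running the tool.

Added example (not part of the Malwoverview project): the section and key
names mirror the .malwapi.conf layout shown above; the function names, the
permission policy and the sample config text are this example's own assumptions.
"""
import configparser
import os
import stat
import sys
from pathlib import Path

# Sections and option names exactly as in the .malwapi.conf layout above.
EXPECTED_KEYS = {
    "VIRUSTOTAL": "VTAPI",
    "HYBRID-ANALYSIS": "HAAPI",
    "MALSHARE": "MALSHAREAPI",
    "HAUSSUBMIT": "HAUSSUBMITAPI",
    "POLYSWARM": "POLYAPI",
    "ALIENVAULT": "ALIENAPI",
    "MALPEDIA": "MALPEDIAAPI",
    "VALHALLA": "VALHALLAAPI",
    "TRIAGE": "TRIAGEAPI",
}

# Constructed sample: two keys filled in (dummy values), the others left empty.
SAMPLE_CONF = """\
[VIRUSTOTAL]
VTAPI = 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
[HYBRID-ANALYSIS]
HAAPI =
[MALSHARE]
MALSHAREAPI =
[HAUSSUBMIT]
HAUSSUBMITAPI =
[POLYSWARM]
POLYAPI =
[ALIENVAULT]
ALIENAPI =
[MALPEDIA]
MALPEDIAAPI =
[VALHALLA]
VALHALLAAPI = 1111111111111111111111111111111111111111111111111111111111111111
[TRIAGE]
TRIAGEAPI =
"""


def default_conf_path() -> Path:
    """Default location used by the tool: ~/.malwapi.conf (Linux: /home/[user] or /root; Windows: C:\\Users\\[user])."""
    return Path.home() / ".malwapi.conf"


def parse_api_conf(text: str) -> dict:
    """Map every expected section to its key value; a missing section or empty key yields ''."""
    # interpolation=None so a '%' inside an API key is not treated as a format directive
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(text)
    return {
        section: parser.get(section, option, fallback="").strip()
        for section, option in EXPECTED_KEYS.items()
    }


def configured_services(keys: dict) -> list:
    """Sections whose key is filled in, in .malwapi.conf order."""
    return [section for section, value in keys.items() if value]


def missing_services(keys: dict) -> list:
    """Sections that still need a key (the tool's options for those services will fail)."""
    return [section for section, value in keys.items() if not value]


def readable_by_others(path: Path) -> bool:
    """True when group or world can read the file (POSIX mode bits only; not checked on Windows)."""
    if os.name != "posix":
        return False
    mode = stat.S_IMODE(path.stat().st_mode)
    return bool(mode & (stat.S_IRGRP | stat.S_IROTH))


def check_conf(path: Path) -> dict:
    """Summarize a config file; raises FileNotFoundError if it does not exist."""
    keys = parse_api_conf(path.read_text(encoding="utf-8"))
    return {
        "configured": configured_services(keys),
        "missing": missing_services(keys),
        "readable_by_others": readable_by_others(path),
    }


if __name__ == "__main__":
    # Usage: python check_malwapi.py [path]; the optional path plays the role of the tool's -c option.
    target = Path(sys.argv[1]) if len(sys.argv) > 1 else default_conf_path()
    if not target.is_file():
        sys.exit(f"{target} not found: create it using the layout above")
    report = check_conf(target)
    print("configured:", ", ".join(report["configured"]) or "none")
    print("missing:   ", ", ".join(report["missing"]) or "none")
    if report["readable_by_others"]:
        print(f"warning: {target} holds API keys but is readable by other users (chmod 600 {target})")
```

A missing section and an empty key are reported the same way, because both leave the corresponding Malwoverview options without credentials. The permission check only looks at POSIX mode bits; on Windows, rely on the NTFS ACL of C:\Users\[username] instead.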
API keys can be requested from the respective service websites:
Virus Total (community and paid API): https://www.virustotal.com/gui/join-us
Hybrid Analysis: https://www.hybrid-analysis.com/signup
Malshare: https://malshare.com/doc.php
URLHaus: https://urlhaus.abuse.ch/api/#account
Polyswarm: https://docs.polyswarm.io/consumers
Alien Vault: https://otx.alienvault.com/api
Malpedia: it doesn't offer open registration, but you can request a user account directly via Twitter (DM) or the feedback e-mail. The Malpedia Twitter handle is @malpedia.
Valhalla: you can use the demo API key or contract the Valhalla service for a private key. The Valhalla demo API key is: 1111111111111111111111111111111111111111111111111111111111111111.
ThreatCrowd: no API key is needed.
Malware Bazaar: no API key is needed.
ThreatFox: no API key is needed.
Triage: https://tria.ge/signup.
A special note about API requests to Malpedia:
Access is granted based on community vetting. Thus, it's recommended that you send the API request from your business e-mail address and NOT from a public/free one (Gmail, Outlook and so on). Additionally, providing further information about yourself (LinkedIn account, Twitter and so on) makes it easier to verify your identity, professional profile and legitimacy, which speeds up approval of your request.
Additional explanation about Triage:
Every Triage operation is keyed on the Triage ID of an artifact, so first use "-x 1 -X <attribute>:<value>" to look up the correct ID of the artifact, then pass that ID to the remaining Triage options (-x [2-7]) to retrieve further threat hunting information from the Triage endpoint.
On Windows systems, create the .malwapi.conf file in the C:\Users\[username] directory (the Windows user home directory). On Linux systems, create the .malwapi.conf file in the home directory (/home/[username] or /root).
Additionally, you no longer need to specify the "-w 1" option when using malwoverview.py on Windows.
To check the installation, execute:
malwoverview.py --help
Further information is available on:
(PYPI.org repository) https://pypi.org/project/malwoverview/
(Github) https://github.com/alexandreborges/malwoverview
If you want to perform the manual steps (usually not necessary), a few steps are required:
Kali Linux (manual steps)
Python version 3.8 or later (Python 3.x only! It does NOT work with Python 2.7)
$ apt-get install python3.9 (for example)
Python-magic.
To install the python-magic package, execute the following command:
$ pip3.9 install python-magic
Or build it from the github repository:
$ git clone https://github.com/ahupp/python-magic
$ cd python-magic/
$ python3.9 setup.py build
$ python3.9 setup.py install
Because having two versions of the python-magic package installed causes serious problems, my recommendation is to install it from github (the second procedure above) and copy the magic.py file into the SAME directory as the malwoverview tool.
Install the remaining Python packages:
$ pip3.9 install -r requirements.txt
OR
$ pip3.9 install -U pefile
$ pip3.9 install -U colorama
$ pip3.9 install -U simplejson
$ pip3.9 install -U python-magic
$ pip3.9 install -U requests
$ pip3.9 install -U validators
$ pip3.9 install -U geocoder
$ pip3.9 install -U polyswarm-api
$ pip3.9 install -U pathlib
$ pip3.9 install -U configparser
$ pip3.9 install -U valhallaAPI
To check an Android device you need to install the "adb" program by executing the following command:
# apt-get install adb
PS: before trying the Android options, check:
* that the adb program is in the PATH environment variable.
* that the device has authorized this system for USB debugging, using "adb devices -l" (the device must show the state "device", not "unauthorized").
Finally, install Malwoverview using one of the following methods:
pip3.9 install git+https://github.com/alexandreborges/malwoverview (preferred method)
or...
python -m pip install -U malwoverview
or...
git clone https://github.com/alexandreborges/malwoverview
Windows (manual steps)
Install Python 3.8.x or later from https://www.python.org/downloads/windows/
Python-magic.
To install the python-magic package, execute the following command:
C:\> python.exe -m pip install python-magic
Or build it from the github repository:
C:\> git clone https://github.com/ahupp/python-magic
C:\> cd python-magic/
C:\> python.exe setup.py build
C:\> python.exe setup.py install
Install the remaining Python packages:
C:\> python.exe -m pip install -r requirements.txt
OR:
C:\> python.exe -m pip install -U pefile
C:\> python.exe -m pip install -U colorama
C:\> python.exe -m pip install -U simplejson
C:\> python.exe -m pip install -U python-magic
C:\> python.exe -m pip install -U requests
C:\> python.exe -m pip install -U validators
C:\> python.exe -m pip install -U geocoder
C:\> python.exe -m pip install -U polyswarm-api
C:\> python.exe -m pip install -U pathlib
C:\> python.exe -m pip install -U configparser
C:\> python.exe -m pip install -U python-magic-bin
C:\> python.exe -m pip install -U valhallaAPI
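After a manual install (the Kali Linux list above or the Windows list just shown), a quick pre-flight saves a confusing first run: is the interpreter 3.8 or newer, which of the packages are still missing, and which of the two packages that both install a module called magic did you actually end up with. The script below is an added example, not project code; the package list is the one from the manual steps, while the mapping from pip distribution to import name, the python-magic flavour test and the function names are this example's own assumptions.

```python
"""Pre-flight for a manual install: Python version, required packages, and which
"magic" module you actually ended up with.

Added example, not project code. The package list is the one from the manual
steps above; the mapping from pip distribution to import name, the python-magic
flavour test and the function names are this example's own assumptions.
"""
import importlib
import importlib.util
import sys

MIN_PYTHON = (3, 8)

# pip distribution -> module name it is imported as (assumed mapping).
# pathlib and configparser are part of the Python 3 standard library, so the pip
# packages of the same name in the list above are backports that 3.8+ does not need.
REQUIRED = {
    "pefile": "pefile",
    "colorama": "colorama",
    "simplejson": "simplejson",
    "python-magic": "magic",
    "requests": "requests",
    "validators": "validators",
    "geocoder": "geocoder",
    "polyswarm-api": "polyswarm_api",
    "configparser": "configparser",
    "valhallaAPI": "valhallaAPI",
}


def python_ok(version=tuple(sys.version_info[:2])) -> bool:
    """Python 3.8+ only; Python 2.7 (and 3.7 or older) fail here."""
    return tuple(version[:2]) >= MIN_PYTHON


def missing_modules(required=REQUIRED) -> list:
    """Distributions whose module cannot be located (find_spec locates without importing)."""
    return [dist for dist, module in required.items()
            if importlib.util.find_spec(module) is None]


def magic_flavour():
    """Distinguish the two packages that both install a module called 'magic':
    ahupp's python-magic exposes from_file(); libmagic's own binding (file-magic)
    exposes open()/detect_from_filename() but no from_file(). None if neither is present."""
    if importlib.util.find_spec("magic") is None:
        return None
    try:
        magic = importlib.import_module("magic")
    except ImportError:
        # ahupp's python-magic raises ImportError when the libmagic C library is missing
        return "broken"
    if hasattr(magic, "from_file"):
        return "python-magic"
    if hasattr(magic, "open"):
        return "file-magic"
    return "unknown"


def preflight() -> dict:
    """Collect all checks in one report."""
    return {
        "python_ok": python_ok(),
        "missing": missing_modules(),
        "magic": magic_flavour(),
    }


if __name__ == "__main__":
    report = preflight()
    print("python version ok:", report["python_ok"], sys.version.split()[0])
    print("missing packages: ", ", ".join(report["missing"]) or "none")
    print("magic module:     ", report["magic"])
    if report["magic"] == "file-magic":
        print("warning: this is libmagic's own binding, not ahupp/python-magic; "
              "see the note above about conflicting python-magic packages")
    if report["magic"] == "broken":
        print("warning: python-magic is installed but libmagic is missing "
              "(on Windows install python-magic-bin, as in the list above)")
```

The magic check reads the module's attributes rather than the pip metadata because the conflict described above is precisely about two distributions shadowing each other under one module name; only the module that actually imports tells you which one wins.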
To check an Android device you need to install the "adb" program by:
* Downloading and installing Android Studio from: https://developer.android.com/studio#downloads (Recommended)
* Downloading the platform tools from:
https://dl.google.com/android/repository/platform-tools-latest-windows.zip
PS: before trying the Android options, check:
* that the adb program is in the PATH environment variable.
* that the device has authorized this system for USB debugging, using "adb devices -l" (the device must show the state "device", not "unauthorized").
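Both Android pre-checks above (the Kali Linux one and this Windows one) come down to the same two questions: is adb on PATH, and does "adb devices -l" list a device in the "device" state rather than "unauthorized", "offline" or "no permissions". The script below is an added example, not part of the Malwoverview project; it parses the output layout of adb devices -l (a "List of devices attached" header, then one line per device with serial, state and key:value fields). The function names and the sample output embedded in it are this example's own, constructed for illustration.

```python
"""Pre-flight for the Android (APK) options: is adb on PATH, and which attached
devices have actually authorized this computer?

Added example, not part of the Malwoverview project. It parses the output
layout of `adb devices -l` (a "List of devices attached" header, then one line
per device: serial, state, key:value fields); the function names and the sample
output below are this example's own, constructed for illustration.
"""
import shutil
import subprocess

# Constructed sample of `adb devices -l` output covering the states met in practice.
SAMPLE_OUTPUT = """\
* daemon not running; starting now at tcp:5037
* daemon started successfully
List of devices attached
emulator-5554          device product:sdk_gphone_x86 model:sdk_gphone_x86 device:generic_x86 transport_id:1
R58M12ABCDE            unauthorized usb:1-1 transport_id:2
0123456789ABCDEF       offline transport_id:3
AB12CD34               no permissions (missing udev rules? user is in the plugdev group); see [http://developer.android.com/tools/device.html] usb:1-2 transport_id:4

"""

KNOWN_STATES = ("device", "unauthorized", "offline", "no permissions")


def adb_on_path():
    """Full path of the adb binary, or None when it is not in PATH."""
    return shutil.which("adb")


def parse_devices(output: str) -> list:
    """Turn `adb devices -l` output into [{'serial': ..., 'state': ..., <key>: <value>, ...}]."""
    devices = []
    for raw in output.splitlines():
        line = raw.strip()
        # skip the header, blank lines and daemon start-up chatter ("* daemon ...")
        if not line or line.startswith("List of devices") or line.startswith("*"):
            continue
        parts = line.split()
        if len(parts) < 2:
            continue
        entry = {"serial": parts[0], "state": parts[1]}
        rest = parts[2:]
        # Linux prints "no permissions <explanation>" when udev rules are missing; normalize it
        if entry["state"] == "no" and rest and rest[0].startswith("permissions"):
            entry["state"] = "no permissions"
            rest = rest[1:]
        for field in rest:
            key, sep, value = field.partition(":")
            # keep only real key:value fields (usb:, product:, model:, transport_id:, ...)
            if sep and key.replace("_", "").isalnum():
                entry[key] = value
        devices.append(entry)
    return devices


def authorized_devices(devices: list) -> list:
    """Only state 'device' accepts shell/pull/install; 'unauthorized' means the USB
    debugging prompt on the phone was not accepted yet, 'offline' that the transport is unusable."""
    return [d for d in devices if d["state"] == "device"]


def preflight(output: str = None) -> dict:
    """Run the checks; pass captured output to skip invoking adb (used offline)."""
    adb = adb_on_path()
    if output is None:
        if adb is None:
            return {"adb": None, "devices": [], "ready": []}
        output = subprocess.run([adb, "devices", "-l"], capture_output=True,
                                text=True, timeout=30, check=True).stdout
    devices = parse_devices(output)
    return {"adb": adb, "devices": devices, "ready": authorized_devices(devices)}


if __name__ == "__main__":
    report = preflight()
    if report["adb"] is None:
        print("adb not found in PATH; install platform-tools and add them to PATH")
    for d in report["devices"]:
        print(f"{d['serial']:<24} {d['state']:<15} {d.get('model', '')}")
    if not report["ready"]:
        print("no authorized device: accept the USB debugging prompt on the phone and re-run")
```

Run it with no arguments to query the real adb; the test-style call preflight(SAMPLE_OUTPUT) exercises the parser offline. The "no permissions" branch matters on Linux hosts where adb runs as an unprivileged user without udev rules: the device is visible but every command fails until the rules are fixed.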
Finally, install Malwoverview using one of the following methods:
pip3.9 install git+https://github.com/alexandreborges/malwoverview (preferred method)
or...
python -m pip install -U malwoverview
or...
git clone https://github.com/alexa