From b96b59c8ed162e92715d1aea73816e25e6f18457 Mon Sep 17 00:00:00 2001 From: Macmod Date: Wed, 10 Jul 2024 01:52:23 -0300 Subject: [PATCH] Fixing dev branch. --- README.md | 20 --------- malwoverview/malwoverview.py | 79 ------------------------------------ setup.py | 4 -- 3 files changed, 103 deletions(-) diff --git a/README.md b/README.md index b1d5668..6689c22 100755 --- a/README.md +++ b/README.md @@ -1,10 +1,6 @@ # Malwoverview -<<<<<<< HEAD [GitHub release (latest by date)](https://github.com/alexandreborges/malwoverview/releases/tag/6.0.0) [GitHub last commit](https://github.com/alexandreborges/malwoverview/releases) [GitHub Release Date](https://github.com/alexandreborges/malwoverview/releases) [GitHub](https://github.com/alexandreborges/malwoverview/blob/master/LICENSE) -======= -[GitHub release (latest by date)](https://github.com/alexandreborges/malwoverview/releases/tag/5.4.5) [GitHub last commit](https://github.com/alexandreborges/malwoverview/releases) [GitHub Release Date](https://github.com/alexandreborges/malwoverview/releases) [GitHub](https://github.com/alexandreborges/malwoverview/blob/master/LICENSE) ->>>>>>> master [GitHub stars](https://github.com/alexandreborges/malwoverview/stargazers) [Twitter Follow](https://twitter.com/ale_sp_brazil) [Downloads/Last Month](https://pypistats.org/packages/malwoverview) @@ -75,11 +71,7 @@ See GNU Public License on . -<<<<<<< HEAD ## Current Version: 6.0.0 -======= -# Current Version: 5.4.5 ->>>>>>> master Important note: Malwoverview does NOT submit samples to any endpoint by default, so it respects possible Non-Disclosure Agreements (NDAs). There're specific options @@ -471,18 +463,6 @@ Version 5.4.4: * Includes only small changes and updates in the README.md. -Version 5.4.5: - - This version: - - * Includes a fix related to the installation path. - -Version 5.4.4: - - This version: - - * Includes only small changes and updates in the README.md. - Version 5.4.3: This version: diff --git a/malwoverview/malwoverview.py b/malwoverview/malwoverview.py index 5ae3d72..814a7a5 100755 --- a/malwoverview/malwoverview.py +++ b/malwoverview/malwoverview.py @@ -21,11 +21,7 @@ # Christian Clauss (https://github.com/cclauss) # Artur Marzano (https://github.com/Macmod) -<<<<<<< HEAD # Malwoverview.py: version 6.0.0 -======= -# Malwoverview.py: version 5.4.5 ->>>>>>> master import os import argparse @@ -56,11 +52,7 @@ __author__ = "Alexandre Borges" __copyright__ = "Copyright 2018-2024, Alexandre Borges" __license__ = "GNU General Public License v3.0" -<<<<<<< HEAD __version__ = "6.0.0" -======= -__version__ = "5.4.5" ->>>>>>> master __email__ = "reverseexploit at proton.me" def finish_hook(signum, frame): @@ -81,7 +73,6 @@ def main(): USER_HOME_DIR = str(Path.home()) + '/' cv.windows = 0 -<<<<<<< HEAD parser = argparse.ArgumentParser(prog=None, description="Malwoverview is a first response tool for threat hunting written by Alexandre Borges. This version is 6.0.0", usage="python malwoverview.py -c -d -o <0|1> -v <1-13> -V -a <1-15> -w <0|1> -A -l <1-7> -L -j <1-7> -J -p <1-8> -P -y <1-5> -Y -n <1-5> -N -m <1-8> -M -b <1-10> -B -x <1-7> -X -i <1-13> -I ") parser.add_argument('-c', '--config', dest='config', type=str, metavar="CONFIG FILE", default=(USER_HOME_DIR + '.malwapi.conf'), help='Use a custom config file to specify API\'s.') parser.add_argument('-d', '--directory', dest='direct', type=str, default='', metavar="DIRECTORY", help='Specifies the directory containing malware samples to be checked against VIRUS TOTAL. Use the option -D to decide whether you are being using a public VT API or a Premium VT API.') @@ -104,76 +95,6 @@ def main(): parser.add_argument('-m', '--malpedia', dest='malpedia', type=int, default=0, metavar="MALPEDIA", help='This option is related to MALPEDIA and presents different meanings depending on the chosen value. Thus, 1: List meta information for all families ; 2: List all actors ID ; 3: List all available payloads organized by family from Malpedia; 4: Get meta information from an specific actor, so it is necessary to use the -M option. Additionally, try to confirm the correct actor ID by executing malwoverview with option -m 3; 5: List all families IDs; 6: Get meta information from an specific family, so it is necessary to use the -M option. Additionally, try to confirm the correct family ID by executing malwoverview with option -m 5; 7: Get a malware sample from malpedia (zip format -- password: infected). It is necessary to specify the requested hash by using -M option; 8: Get a zip file containing Yara rules for a specific family (get the possible families using -m 5), which must be specified by using -M option.') parser.add_argument('-M', '--malpediarg', dest='malpediaarg', type=str, default='', metavar="MALPEDIAARG", help='This option provides an argument to the -m option, which is related to MALPEDIA.') parser.add_argument('-b', '--bazaar', dest='bazaar', type=int, default=0, metavar="BAZAAR", help='Checks multiple information from MALWARE BAZAAR and THREATFOX. The possible values are: 1: (Bazaar) Query information about a malware hash sample ; 2: (Bazaar) Get information and a list of malware samples associated and according to a specific tag; 3: (Bazaar) Get a list of malware samples according to a given imphash; 4: (Bazaar) Query latest malware samples; 5: (Bazaar) Download a malware sample from Malware Bazaar by providing a SHA256 hash. The downloaded sample is zipped using the following password: infected; 6: (ThreatFox) Get current IOC dataset from last x days given by option -B (maximum of 7 days); 7: (ThreatFox) Search for the specified IOC on ThreatFox given by option -B; 8: (ThreatFox) Search IOCs according to the specified tag given by option -B; 9: (ThreatFox) Search IOCs according to the specified malware family provided by option -B; 10. (ThreatFox) List all available malware families.') -======= - backg = 1 - virustotal = 0 - fprovided = 0 - fpname = '' - repo = '' - ovrly = 0 - showreport = 0 - gt = 0 - ie = 0 - ha = 0 - urltemp = '' - domaintemp = '' - urlcheck = 0 - domaincheck = 0 - hashcheck = 0 - filecheck = 0 - filecheckha = 0 - hashtemp = '' - filetemp = '' - download = 0 - sysenviron = 0 - vtpubpremiumx = 0 - malsharelist = 0 - malsharehash = '' - hausoptionx = 0 - filecheckpoly = 0 - polycheck = 0 - androidoption = 0 - androidargx = '' - metatype = 0 - alienvault = 0 - alienvaultargs = '' - Q = 0 - T = 0 - malpedia = 0 - malpediax = 0 - malpediaarg = '' - malpediaargx = '' - bazaar = 0 - bazaararg = '' - triage = 0 - triagearg = '' - virustotalarg = '' - ipaddrvtx = '' - ffpname = '' - - parser = argparse.ArgumentParser(prog=None, description="Malwoverview is a first response tool for threat hunting written by Alexandre Borges. This version is 5.4.5", usage= "python malwoverview.py -c -d -o <0|1> -v <1-13> -V -a <1-15> -w <0|1> -A -l <1-7> -L -j <1-7> -J -p <1-8> -P -y <1-5> -Y -n <1-5> -N -m <1-8> -M -b <1-10> -B -x <1-7> -X -i <1-13> -I ") - parser.add_argument('-c', '--config', dest='config', type=str, metavar = "CONFIG FILE", default = (USER_HOME_DIR + '.malwapi.conf'), help='Use a custom config file to specify API\'s.') - parser.add_argument('-d', '--directory', dest='direct',type=str, metavar = "DIRECTORY", help='Specifies the directory containing malware samples to be checked against VIRUS TOTAL. Use the option -D to decide whether you are being using a public VT API or a Premium VT API.') - parser.add_argument('-o', '--background', dest='backg', type=int,default = 1, metavar = "BACKGROUND", help='Adapts the output colors to a light background color terminal. The default is dark background color terminal.') - parser.add_argument('-v', '--virustotal_option', dest='virustotaloption', type=int,default = 0, metavar = "VIRUSTOTAL", help='-v 1: given a file using -V option, it queries the VIRUS TOTAL database (API v.3) to get the report for the given file through -V option.; -v 2: it shows an antivirus report for a given file using -V option (API v.3); -v 3: equal to -v2, but the binary\'s IAT and EAT are also shown (API v.3); -v 4: it extracts the overlay; -v 5: submits an URL to VT scanning; -v 6: submits an IP address to Virus Total; -v 7: this options gets a report on the provided domain from Virus Total; -v 8: verifies a given hash against Virus Total; -v 9: submits a sample to VT (up to 32 MB). Use forward slash to specify the target file on Windows systems. Demands passing sample file with -V option; -v 10: verifies hashes from a provided file through option -V. This option uses public VT API v.3; -v 11: verifies hashes from a provided file through option -V. This option uses Premium API v.3; -v 12: it shows behaviour information of a sample given a hash through option -V. This option uses VT API v.3; -v 13: it submits LARGE files (above 32 MB) to VT using API v.3;') - parser.add_argument('-V', '--virustotal_arg', dest='virustotalarg', type=str, metavar = "VIRUSTOTAL_ARG", help='Provides arguments for -v option.') - parser.add_argument('-a', '--hybrid_option', dest='haoption', type=int,default = 0, metavar = "HYBRID_ANALYSIS", help='This parameter fetches reports from HYBRID ANALYSIS, download samples and submits samples to be analyzed. The possible values are: 1: gets a report for a given hash or sample from a Windows 7 32-bit environment; 2: gets a report for a given hash or sample from a Windows 7 32-bit environment (HWP Support); 3: gets a report for given hash or sample from a Windows 64-bit environment; 4: gets a report for a given hash or sample from an Android environment; 5: gets a report for a given hash or sample from a Linux 64-bit environment; 6: submits a sample to Windows 7 32-bit environment; 7. submits a sample to Windows 7 32-bit environment with HWP support environment; 8. submits a sample to Windows 7 64-bit environment ; 9. submits a sample to an Android environment ; 10. submits a sample to a Linux 64-bit environment; 11. downloads a sample from a Windows 7 32-bit environment; 12. downloads a sample from a Windows 7 32-bit HWP environment; 13. downloads a sample from a Windows 7 64-bit environment; 14. downloads a sample from an Android environment; 15. downloads a sample from a Linux 64-bit environment.') - parser.add_argument('-A', '--ha_arg', dest='haarg', type=str, metavar = "SUBMIT_HA", help='Provides an argument for -a option from HYBRID ANALYSIS.') - parser.add_argument('-D', '--vtpubpremium', dest='vtpubpremium', type=int,default = 0, metavar = "VT_PUBLIC_PREMIUM", help='This option must be used with -d option. Possible values: <0> it uses the Premium VT API v3 (default); <1> it uses the Public VT API v3.') - parser.add_argument('-l', '--malsharelist', dest='malsharelist', type=int,default = 0, metavar = "MALSHARE_HASHES", help='This option performs download a sample and shows hashes of a specific type from the last 24 hours from MALSHARE repository. Possible values are: 1: Download a sample; 2: PE32 (default) ; 3: ELF ; 4: Java; 5: PDF ; 6: Composite(OLE); 7: List of hashes from past 24 hours.') - parser.add_argument('-L', '--malshare_hash', dest='malsharehash', type=str, metavar = "MALSHARE_HASH_SEARCH", help='Provides a hash as argument for downloading a sample from MALSHARE repository.') - parser.add_argument('-j', '--haus_option', dest='hausoption', type=int, default = 0, metavar = "HAUS_OPTION", help='This option fetches information from URLHaus depending of the value passed as argument: 1: performs download of the given sample; 2: queries information about a provided hash ; 3: searches information about a given URL; 4: searches a malicious URL by a given tag (case sensitive); 5: searches for payloads given a tag; 6: retrives a list of downloadable links to recent payloads; 7: retrives a list of recent malicious URLs.') - parser.add_argument('-J', '--haus_arg', dest='hausarg', type=str, metavar = "HAUS_ARG", help='Provides argument to -j option from URLHaus.') - parser.add_argument('-p', '--poly_option', dest='polyoption', type=int,default = 0, metavar = "POLY_OPTION", help='(Only for Linux) This option is related to POLYSWARM operations: 1. searches information related to a given hash provided using -P option; 2. submits a sample provided by -P option to be analyzed by Polyswarm engine ; 3. Downloads a sample from Polyswarm by providing the hash throught option -P .Attention: Polyswarm enforces a maximum of 20 samples per month; 4. searches for similar samples given a sample file thought option -P; 5. searches for samples related to a provided IP address through option -P; 6. searches for samples related to a given domain provided by option -P; 7. searches for samples related to a provided URL throught option -P; 8. searches for samples related to a provided malware family given by option -P.') - parser.add_argument('-P', '--poly_arg', dest='polyarg', type=str, metavar = "POLYSWARM_ARG", help='(Only for Linux) Provides an argument for -p option from POLYSWARM.') - parser.add_argument('-y', '--android_option', dest='androidoption', type=int, default = 0, metavar = "ANDROID_OPTION", help='This ANDROID option has multiple possible values: <1>: Check all third-party APK packages from the USB-connected Android device against Hybrid Analysis using multithreads. Notes: the Android device does not need to be rooted and the system does need to have the adb tool in the PATH environment variable; <2>: Check all third-party APK packages from the USB-connected Android device against VirusTotal using Public API (slower because of 60 seconds delay for each 4 hashes). Notes: the Android device does not need to be rooted and the system does need to have adb tool in the PATH environment variable; <3>: Check all third-party APK packages from the USB-connected Android device against VirusTotal using multithreads (only for Private Virus API). Notes: the Android device does not need to be rooted and the system needs to have adb tool in the PATH environment variable; <4> Sends an third-party APK from your USB-connected Android device to Hybrid Analysis; 5. Sends an third-party APK from your USB-connected Android device to Virus-Total.') - parser.add_argument('-Y', '--android_arg', dest='androidarg', type=str, metavar = "ANDROID_ARG", help='This option provides the argument for -y from ANDROID.') - parser.add_argument('-n', '--alienvault', dest='alienvault', type=int, default = 0, metavar = "ALIENVAULT", help='Checks multiple information from ALIENVAULT. The possible values are: 1: Get the subscribed pulses ; 2: Get information about an IP address; 3: Get information about a domain; 4: Get information about a hash; 5: Get information about a URL.') - parser.add_argument('-N', '--alienvaultargs', dest='alienvaultargs', type=str, metavar = "ALIENVAULT_ARGS", help='Provides argument to ALIENVAULT -n option.') - parser.add_argument('-m', '--malpedia', dest='malpedia', type=int, default = 0, metavar = "MALPEDIA", help='This option is related to MALPEDIA and presents different meanings depending on the chosen value. Thus, 1: List meta information for all families ; 2: List all actors ID ; 3: List all available payloads organized by family from Malpedia; 4: Get meta information from an specific actor, so it is necessary to use the -M option. Additionally, try to confirm the correct actor ID by executing malwoverview with option -m 3; 5: List all families IDs; 6: Get meta information from an specific family, so it is necessary to use the -M option. Additionally, try to confirm the correct family ID by executing malwoverview with option -m 5; 7: Get a malware sample from malpedia (zip format -- password: infected). It is necessary to specify the requested hash by using -M option; 8: Get a zip file containing Yara rules for a specific family (get the possible families using -m 5), which must be specified by using -M option.') - parser.add_argument('-M', '--malpediarg', dest='malpediaarg', type=str, metavar = "MALPEDIAARG", help='This option provides an argument to the -m option, which is related to MALPEDIA.') - parser.add_argument('-b', '--bazaar', dest='bazaar', type=int, default = 0, metavar = "BAZAAR", help='Checks multiple information from MALWARE BAZAAR and THREATFOX. The possible values are: 1: (Bazaar) Query information about a malware hash sample ; 2: (Bazaar) Get information and a list of malware samples associated and according to a specific tag; 3: (Bazaar) Get a list of malware samples according to a given imphash; 4: (Bazaar) Query latest malware samples; 5: (Bazaar) Download a malware sample from Malware Bazaar by providing a SHA256 hash. The downloaded sample is zipped using the following password: infected; 6: (ThreatFox) Get current IOC dataset from last x days given by option -B (maximum of 7 days); 7: (ThreatFox) Search for the specified IOC on ThreatFox given by option -B; 8: (ThreatFox) Search IOCs according to the specified tag given by option -B; 9: (ThreatFox) Search IOCs according to the specified malware family provided by option -B; 10. (ThreatFox) List all available malware families.') ->>>>>>> master parser.add_argument('-B', '--bazaararg', dest='bazaararg', type=str, metavar = "BAZAAR_ARG", help='Provides argument to -b MALWARE BAZAAR and THREAT FOX option. If you specified "-b 1" then the -B\'s argument must be a hash and a report about the sample will be retrieved; If you specified "-b 2" then -B\'s argument must be a malware tag and last samples matching this tag will be shown; If you specified "-b 3" then the argument must be a imphash and last samples matching this impshash will be shown; If you specified "-b 4", so the argument must be "100 or time", where "100" lists last "100 samples" and "time" lists last samples added to Malware Bazaar in the last 60 minutes; If you specified "-b 5", so the sample will be downloaded and -B\'s argument must be a SHA256 hash of the sample that you want to download from Malware Bazaar; If you specified "-b 6" then a list of IOCs will be retrieved and the -B\'s value is the number of DAYS to filter such IOCs. The maximum time is 7 (days); If you used "-b 7" so the -B\'s argument is the IOC you want to search for; If you used "-b 8", so the -B\'s argument is the IOC\'s TAG that you want search for; If you used "-b 9", so the -B argument is the malware family that you want to search for IOCs;') parser.add_argument('-x', '--triage', dest='triage', type=int, default=0, metavar="TRIAGE", help='Provides information from TRIAGE according to the specified value: <1> this option gets sample\'s general information by providing an argument with -X option in the following possible formats: sha256:, sha1:, md5:, family:, score:, tag:, url:, wallet:, ip:; <2> Get a sumary report for a given Triage ID (got from option -x 1) ; <3> Submit a sample for analysis ; <4> Submit a sample through a URL for analysis ; <5> Download sample specified by the Triage ID; <6> Download pcapng file from sample associated to given Triage ID; <7> Get a dynamic report for the given Triage ID (got from option -x 1);') parser.add_argument('-X', '--triagearg', dest='triagearg', type=str, default='', metavar="TRIAGE_ARG", help='Provides argument for options especified by -x option. Pay attention: the format of this argument depends on provided -x value.') diff --git a/setup.py b/setup.py index 87dd066..cb4e239 100644 --- a/setup.py +++ b/setup.py @@ -11,11 +11,7 @@ setup( name="malwoverview", -<<<<<<< HEAD version="6.0.0", -======= - version="5.4.5", ->>>>>>> master author="Alexandre Borges", author_email="reverseexploit@proton.me", license="GNU GPL v3.0",