Merge pull request #63 from alexandreborges/dev

Version 6.1.0
alexandreborges · Dec 12, 2024 · 8740e45 · 8740e45
2 parents 4e4b54c + 4fc6fd5
commit 8740e45
Show file tree

Hide file tree

Showing 22 changed files with 598 additions and 94 deletions.
diff --git a/.gitignore b/.gitignore
@@ -0,0 +1,27 @@
+# Byte-compiled / optimized / DLL files
+__pycache__/
+*.py[cod]
+*$py.class
+
+# C extensions
+*.so
+
+# Distribution / packaging
+.Python
+build/
+develop-eggs/
+dist/
+downloads/
+eggs/
+.eggs/
+lib/
+lib64/
+parts/
+sdist/
+var/
+wheels/
+share/python-wheels/
+*.egg-info/
+.installed.cfg
+*.egg
+MANIFEST
diff --git a/.malwapi.conf b/.malwapi.conf
@@ -25,3 +25,8 @@ TRIAGEAPI =
 [INQUEST]
 INQUESTAPI = 
 
+[VIRUSEXCHANGE]
+VXAPI = 
+
+[IPINFO]
+IPINFOAPI =
diff --git a/README.md b/README.md
@@ -1,6 +1,6 @@
 # Malwoverview
 
-[<img alt="GitHub release (latest by date)" src="https://img.shields.io/github/v/release/alexandreborges/malwoverview?color=red&style=for-the-badge">](https://github.com/alexandreborges/malwoverview/releases/tag/v6.0.1) [<img alt="GitHub last commit" src="https://img.shields.io/github/last-commit/alexandreborges/malwoverview?color=Yellow&style=for-the-badge">](https://github.com/alexandreborges/malwoverview/releases) [<img alt="GitHub Release Date" src="https://img.shields.io/github/release-date/alexandreborges/malwoverview?label=Release%20Date&style=for-the-badge">](https://github.com/alexandreborges/malwoverview/releases) [<img alt="GitHub" src="https://img.shields.io/github/license/alexandreborges/malwoverview?style=for-the-badge">](https://github.com/alexandreborges/malwoverview/blob/master/LICENSE) 
+[<img alt="GitHub release (latest by date)" src="https://img.shields.io/github/v/release/alexandreborges/malwoverview?color=red&style=for-the-badge">](https://github.com/alexandreborges/malwoverview/releases/tag/v6.1.0) [<img alt="GitHub last commit" src="https://img.shields.io/github/last-commit/alexandreborges/malwoverview?color=Yellow&style=for-the-badge">](https://github.com/alexandreborges/malwoverview/releases) [<img alt="GitHub Release Date" src="https://img.shields.io/github/release-date/alexandreborges/malwoverview?label=Release%20Date&style=for-the-badge">](https://github.com/alexandreborges/malwoverview/releases) [<img alt="GitHub" src="https://img.shields.io/github/license/alexandreborges/malwoverview?style=for-the-badge">](https://github.com/alexandreborges/malwoverview/blob/master/LICENSE) 
 [<img alt="GitHub stars" src="https://img.shields.io/github/stars/alexandreborges/malwoverview?logoColor=Red&style=for-the-badge">](https://github.com/alexandreborges/malwoverview/stargazers)
 [<img alt="Twitter Follow" src="https://img.shields.io/twitter/follow/ale_sp_brazil?style=for-the-badge&logo=X&color=blueviolet">](https://twitter.com/ale_sp_brazil)
 [<img alt="Downloads/Last Month" src="https://img.shields.io/pypi/dm/malwoverview?color=blue&style=for-the-badge&label=Last%20Month">](https://pypistats.org/packages/malwoverview)
@@ -56,7 +56,7 @@
 ![Alt text](pictures/picture_47.jpg?raw=true "Title")
 ![Alt text](pictures/picture_48.jpg?raw=true "Title")
 
-      Copyright (C)  2018-2024 Alexandre Borges (https://exploitreversing.com) 
+      Copyright (C)  2018-2025 Alexandre Borges (https://exploitreversing.com) 
 
       This program is free software: you can redistribute it and/or modify
       it under the terms of the GNU General Public License as published by
@@ -71,7 +71,7 @@
       See GNU Public License on <http://www.gnu.org/licenses/>.
 
 
-## Current Version: 6.0.1
+## Current Version: 6.1.0
 
      Important note:  Malwoverview does NOT submit samples to any endpoint by default, 
      so it respects possible Non-Disclosure Agreements (NDAs). There're specific options
@@ -120,14 +120,18 @@ This tool aims to :
 28. Submit large files (>= 32 MB) to Virus Total. 
 29. Malwoverview uses Virus Total API v.3, so there isn't longer any option using v.2.
 30. Retrieve different information from InQuest Labs and download samples from there. 
-
+31. Retrieve information and download malware samples from Virus Exchange (vxunderground). 
+32. Retrieve information about a given IP address from IPInfo service.
+33. Retrieve information about a given IP address from BGPView service.
+34. Retrieve combined information about a given IP address from multiple services.
+35. Offer extra option to save any downloaded file to a central location.
 
 ## CONTRIBUTORS
 
       Alexandre Borges (project owner)
+      Artur Marzano (https://github.com/Macmod)
       Corey Forman (https://github.com/digitalsleuth)
       Christian Clauss (https://github.com/cclauss)
-      Artur Marzano (https://github.com/Macmod)
 
 ## HOW TO CONTRIBUTE TO THIS PROJECT
 
@@ -214,6 +218,11 @@ has the following format:
       [INQUEST]
       INQUESTAPI =
 
+      [VIRUSEXCHANGE]
+      VXAPI =  
+
+      [IPINFO]
+      IPINFOAPI =  
 
 The APIs can be requested on the respective service websites:
 
@@ -230,7 +239,10 @@ The APIs can be requested on the respective service websites:
 09. ThreatFox: It isn't necessary an API.
 10. InQuest: https://labs.inquest.net/.
 11. Triage: https://tria.ge/signup.
-
+12. Virus Exchange: https://virus.exchange/ 
+13. IPInfo: https://ipinfo.io/ 
+14. BGPView: ihttps://bgpview.docs.apiary.io/
+
 ----------------------------------------------------
 A special note about API requests to the MALPEDIA:
 ----------------------------------------------------
@@ -334,10 +346,10 @@ should be executed:
 ## HELP
 
 usage: python malwoverview.py -c <API configuration file> -d <directory> -o <0|1> -v <1-13>
--V <virustotal arg> -a <1-15> -w <0|1> -A <filename> -l <1-7> -L <hash> -j <1-7> 
--J <URLhaus argument> -p <1-8> -P <polyswarm argument> -y <1-5> -Y <file name> -n <1-5> 
--N <argument> -m <1-8> -M <argument> -b <1-10> -B <arg> -x <1-7> -X <arg> -i <1-13> 
--I <INQUEST argument>
+-V <argument> -a <1-15> -w <0|1> -A <filename> -l <1-7> -L <hash> -j <1-7> 
+-J <argument> -p <1-8> -P <argument> -y <1-5> -Y <file name> -n <1-5> 
+-N <argument> -m <1-8> -M <argument> -b <1-10> -B <argument> -x <1-7> -X <argurment> -i <1-13> 
+-I <argument> -vx <1-2> -VX <argument> -ip <1-3> -IP <argument> -O <directory> 
 
 Malwoverview is a first response tool for threat hunting written by Alexandre Borges. 
 
@@ -574,7 +586,7 @@ Malwoverview is a first response tool for threat hunting written by Alexandre Bo
 	-x TRIAGE, --triage TRIAGE
 
 		+ Provides information from TRIAGE according to the specified value: 
-			+ <1> this option gets sample's general information by providing an 
+			+ 1: this option gets sample's general information by providing an 
 			argument with -X option in the following possible formats: 
 				- sha256:<value>
 				- sha1:<value>
@@ -586,12 +598,12 @@ Malwoverview is a first response tool for threat hunting written by Alexandre Bo
 				- wallet:<value>
 				- ip:<value>; 
 				
-			+ <2> Get a sumary report for a given Triage ID (got from option -x 1); 
-			+ <3> Submit a sample for analysis; 
-			+ <4> Submit a sample through a URL for analysis; 
-			+ <5> Download sample specified by the Triage ID; 
-			+ <6> Download pcapng file from sample associated to given Triage ID; 
-			+ <7> Get a dynamic report for the given Triage ID (got from option -x 1);
+			+ 2: Get a sumary report for a given Triage ID (got from option -x 1); 
+			+ 3: Submit a sample for analysis; 
+			+ 4: Submit a sample through a URL for analysis; 
+			+ 5: Download sample specified by the Triage ID; 
+			+ 6: Download pcapng file from sample associated to given Triage ID; 
+			+ 7: Get a dynamic report for the given Triage ID (got from option -x 1);
 
 	-X TRIAGE_ARG, --triagearg TRIAGE_ARG
 
@@ -607,20 +619,45 @@ Malwoverview is a first response tool for threat hunting written by Alexandre Bo
 			+ 4: Gets the most recent list of threats. To this option, the -I 
 			argument must be "list" (lowercase and without double quotes); 
 			+ 5: Retrives threats related to a provided domain; 
-			+ 6. Retrieves a list of samples related to the given IP address; 
-			+ 7. Retrives a list of sample related to the given e-mail address; 
-			+ 8. Retrieves a list of samples related to the given filename; 
-			+ 9. Retrieves a list of samples related to a given URL; 
-			+ 10. Retrieves information about a specified IOC; 
-			+ 11. List a list of IOCs. Note: you must pass "list" (without 
+			+ 6: Retrieves a list of samples related to the given IP address; 
+			+ 7: Retrives a list of sample related to the given e-mail address; 
+			+ 8: Retrieves a list of samples related to the given filename; 
+			+ 9: Retrieves a list of samples related to a given URL; 
+			+ 10: Retrieves information about a specified IOC; 
+			+ 11: List a list of IOCs. Note: you must pass "list" (without 
 			double quotes) as argument to -I;
-			+ 12. Check for a given keyword in the reputation database; 
-			+ 13. List artifacts in the reputation dabatabse. Note: you must 
+			+ 12: Check for a given keyword in the reputation database; 
+			+ 13: List artifacts in the reputation dabatabse. Note: you must 
 			pass "list" (without double quotes) as argument to -I.
 
 	-I INQUEST_ARG, --inquestarg INQUEST_ARG
 
-		+ Provides argument to INQUEST -i option.
+		  + Provides argument to INQUEST -i option.
+
+  -vx VXOPTION, --vx VXOPTION
+
+      + 1: Gets basic metadata for a given SHA256 hash; 
+      + 2: Downloads sample given a SHA256 provided in the -VX argument.
+
+  -VX VXARG, --VX VXARG
+
+      + Provides argument to the -vx option from VirusExchange.
+
+  -O OUTPUTDIR, --output-dir OUTPUTDIR
+
+      + Set output directory for all sample downloads.
+
+  -ip IP, --ip IP
+
+    + Get IP information from various sources. The possible values are: 
+      + 1: Get details for an IP address provided with -IP from IPInfo; 
+      + 2: Get details for an IP address provided with -IP from BGPView; 
+      + 3: Get details for an IP address provided with -IP from all 
+           available intel services (VirusTotal/Alienvault).
+
+  -IP IPARG, --iparg IPARG
+
+      + Provides argument for IP lookup operations specified by the -ip option.
 
 
 ## EXAMPLES
@@ -730,15 +767,32 @@ Malwoverview is a first response tool for threat hunting written by Alexandre Bo
     malwoverview -i 11 -I list
     malwoverview -i 12 -I rebrand.ly
     malwoverview -i 13 -I list | more
+    malwoverview -vx 1 -VX c3247ada71931ee267e975cb04160dc8ac611f3b4409f41b595177e124be7c2e
+    malwoverview -vx 2 -VX c3247ada71931ee267e975cb04160dc8ac611f3b4409f41b595177e124be7c2e
+    malwoverview -ip 1 -IP 8.8.8.8
+    malwoverview -ip 2 -IP 8.8.8.8
+    malwoverview -ip 3 -IP 8.8.8.8
+    malwoverview -vx 2 -VX <hash> -O <directory>
+    malwoverview -b 5 -B <hash> -O <directory> 
 
 
 ## HISTORY
 
+
+Version 6.1.0:
+
+      This version:
+
+            * Introduces -vx option for Virus Exchange.
+            * Introduces -ip option for IPView and BGPView.
+            * Introduces -O option to save samples in a central directory. 
+            * Fixes multiple other issues.
+
 Version 6.0.1:
 
       This version:
 
-            * Issue in Malshare's download option has been fixed..
+            * Issue in Malshare's download option has been fixed.
 
 Version 6.0.0:
 

diff --git a/malwoverview/malwoverview.py b/malwoverview/malwoverview.py
@@ -1,6 +1,6 @@
 #!/usr/bin/env python3
 
-# Copyright (C)  2018-2024 Alexandre Borges <https://exploitreversing.com>
+# Copyright (C)  2018-2025 Alexandre Borges <https://exploitreversing.com>
 #
 # This program is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
@@ -21,7 +21,7 @@
 # Christian Clauss (https://github.com/cclauss)
 # Artur Marzano (https://github.com/Macmod)
 
-# Malwoverview.py: version 6.0.1
+# Malwoverview.py: version 6.1.0
 
 import os
 import argparse
@@ -42,6 +42,10 @@
 from malwoverview.modules.triage import TriageExtractor
 from malwoverview.modules.urlhaus import URLHausExtractor
 from malwoverview.modules.virustotal import VirusTotalExtractor
+from malwoverview.modules.virusexchange import VirusExchangeExtractor 
+from malwoverview.modules.ipinfo import IPInfoExtractor
+from malwoverview.modules.bgpview import BGPViewExtractor
+from malwoverview.modules.multipleip import MultipleIPExtractor
 from malwoverview.utils.colors import printr
 from malwoverview.utils.hash import calchash
 import malwoverview.modules.configvars as cv
@@ -50,9 +54,9 @@
 # On Windows systems, it is necessary to install python-magic-bin: pip install python-magic-bin
 
 __author__ = "Alexandre Borges"
-__copyright__ = "Copyright 2018-2024, Alexandre Borges"
+__copyright__ = "Copyright 2018-2025, Alexandre Borges"
 __license__ = "GNU General Public License v3.0"
-__version__ = "6.0.1"
+__version__ = "6.1.0"
 __email__ = "reverseexploit at proton.me"
 
 def finish_hook(signum, frame):
@@ -73,7 +77,7 @@ def main():
         USER_HOME_DIR = str(Path.home()) + '/'
         cv.windows = 0
 
-    parser = argparse.ArgumentParser(prog=None, description="Malwoverview is a first response tool for threat hunting written by Alexandre Borges. This version is 6.0.1", usage="python malwoverview.py -c <API configuration file> -d <directory> -o <0|1> -v <1-13> -V <virustotal arg> -a <1-15> -w <0|1> -A <filename> -l <1-7> -L <hash> -j <1-7> -J <URLhaus argument> -p <1-8> -P <polyswarm argument> -y <1-5> -Y <file name> -n <1-5> -N <argument> -m <1-8> -M <argument> -b <1-10> -B <arg> -x <1-7> -X <arg> -i <1-13> -I <INQUEST argument>")
+    parser = argparse.ArgumentParser(prog=None, description="Malwoverview is a first response tool for threat hunting written by Alexandre Borges. This version is " + __version__, usage="usage: python malwoverview.py -c <API configuration file> -d <directory> -o <0|1> -v <1-13> -V <virustotal arg> -a <1-15> -w <0|1> -A <filename> -l <1-7> -L <hash> -j <1-7> -J <URLhaus argument> -p <1-8> -P <polyswarm argument> -y <1-5> -Y <file name> -n <1-5> -N <argument> -m <1-8> -M <argument> -b <1-10> -B <arg> -x <1-7> -X <arg> -i <1-13> -I <INQUEST argument> -vx <1-2> -VX <VirusExchange arg> -O <output directory> -ip <1-3> -IP <IP address>")
     parser.add_argument('-c', '--config', dest='config', type=str, metavar="CONFIG FILE", default=(USER_HOME_DIR + '.malwapi.conf'), help='Use a custom config file to specify API\'s.')
     parser.add_argument('-d', '--directory', dest='direct', type=str, default='', metavar="DIRECTORY", help='Specifies the directory containing malware samples to be checked against VIRUS TOTAL. Use the option -D to decide whether you are being using a public VT API or a Premium VT API.')
     parser.add_argument('-o', '--background', dest='backg', type=int, default=1, metavar="BACKGROUND", help='Adapts the output colors to a light background color terminal. The default is dark background color terminal.')
@@ -100,6 +104,11 @@ def main():
     parser.add_argument('-X', '--triagearg', dest='triagearg', type=str, default='', metavar="TRIAGE_ARG", help='Provides argument for options especified by -x option. Pay attention: the format of this argument depends on provided -x value.')
     parser.add_argument('-i', '--inquest', dest='inquest', type=int, default=0, metavar="INQUEST", help='Retrieves multiple information from INQUEST. The possible values are: 1: Downloads a sample; 2: Retrives information about a sample given a SHA256; 3: Retrieves information about a sample given a MD5 hash; 4: Gets the most recent list of threats. To this option, the -I argument must be "list" (lowercase and without double quotes) ; 5: Retrives threats related to a provided domain; 6. Retrieves a list of samples related to the given IP address; 7. Retrives a list of sample related to the given e-mail address; 8. Retrieves a list of samples related to the given filename; 9. Retrieves a list of samples related to a given URL; 10. Retrieves information about a specified IOC; 11. List a list of IOCs. Note: you must pass "list" (without double quotes) as argument to -I; 12. Check for a given keyword in the reputation database; 13. List artifacts in the reputation dabatabse. Note: you must pass "list" (without double quotes) as argument to -I.')
     parser.add_argument('-I', '--inquestarg', dest='inquestarg', type=str, metavar="INQUEST_ARG", help='Provides argument to INQUEST -i option.')
+    parser.add_argument('-vx', '--vx', dest='vxoption', type=int, default=0, help='VirusExchange operations. The possible values are: 1: Gets basic metadata for a given SHA256 hash; 2: Downloads sample given a SHA256 provided in the -VX argument.')
+    parser.add_argument('-VX', '--VX', dest='vxarg', type=str, help='Provides argument to the -vx option from VirusExchange.')
+    parser.add_argument('-O', '--output-dir', dest='output_dir', type=str, default='.', help='Set output directory for all sample downloads.')
+    parser.add_argument('-ip', '--ip', dest='ipoption', type=int, default=0, metavar="IP", help='Get IP information from various sources. The possible values are: 1: Get details for an IP address provided with -IP from IPInfo; 2: Get details for an IP address provided with -IP from BGPView; 3: Get details for an IP address provided with -IP from all available intel services (VirusTotal/Alienvault).')
+    parser.add_argument('-IP', '--iparg', dest='iparg', type=str, metavar="IP_ARG", help='Provides argument for IP lookup operations specified by the -ip option.')
 
     args = parser.parse_args()
 
@@ -115,6 +124,8 @@ def main():
     MALPEDIAAPI = config_dict.get('MALPEDIA', 'MALPEDIAAPI')
     TRIAGEAPI = config_dict.get('TRIAGE', 'TRIAGEAPI')
     INQUESTAPI = config_dict.get('INQUEST', 'INQUESTAPI')
+    VXAPI = config_dict.get('VIRUSEXCHANGE', 'VXAPI')
+    IPINFOAPI = config_dict.get('IPINFO', 'IPINFOAPI')
 
     optval = range(2)
     optval1 = range(3)
@@ -128,6 +139,7 @@ def main():
     optval9 = range(14)
     optval10 = range(16)
     repo = args.direct
+    cv.output_dir = args.output_dir
     cv.bkg = args.backg
     virustotaloptionx = args.virustotaloption
     haoptionx = args.haoption
@@ -153,6 +165,10 @@ def main():
     virustotalargx = args.virustotalarg
     inquestx = args.inquest
     inquestargx = args.inquestarg
+    vxoptionx = args.vxoption
+    vxargx = args.vxarg
+    ipoptionx = args.ipoption
+    ipargx = args.iparg
     config = args.config
 
     ffpname = ''
@@ -187,7 +203,7 @@ def main():
         haargx, mallist, args.malsharehash, args.hausoption, polyoptionx, polyargx,
         androidoptionx, androidargx, alienx, alienargsx, malpediaargx,
         malpediax, bazaarx, bazaarargx, triagex, triageargx,
-        inquestx, inquestargx
+        inquestx, inquestargx, vxoptionx, vxargx, ipoptionx, ipargx
     ]
 
     # Show the help message if:
@@ -211,6 +227,19 @@ def main():
     malshare = MalshareExtractor(MALSHAREAPI)
     haus = URLHausExtractor(HAUSSUBMITAPI)
     android = AndroidExtractor(hybrid, virustotal)
+    vx = VirusExchangeExtractor(VXAPI)
+    ipinfo = IPInfoExtractor(IPINFOAPI)
+    bgpview = BGPViewExtractor()
+    multipleip = MultipleIPExtractor(
+        {
+            #"IPInfo": ipinfo,
+            #"BGPView": bgpview,
+            "VirusTotal": virustotal,
+            "AlienVault": alien,
+            #"InQuest": inquest,
+            # "PolySwarm": polyswarm,
+        }
+    )
 
     # Special parameters for hybrid analysis module
     query = haargx
@@ -385,6 +414,22 @@ def ha_show_and_down(haargx, xx=0):
                 4: (android.sendandroidha, [androidargx]),
                 5: (android.sendandroidvt, [androidargx])
             }
+        },
+        {
+            'flag': vxoptionx,
+            'actions': {
+                1: (vx.check_hash, [vxargx]),
+                2: (vx.download_sample, [vxargx])
+#               3: (vx.upload_sample, [vxargx])
+            }
+        },
+        {
+            'flag': ipoptionx,
+            'actions': {
+                1: (ipinfo.get_ip_details, [ipargx]),
+                2: (bgpview.get_ip_details, [ipargx]),
+                3: (multipleip.get_multiple_ip_details, [ipargx])
+            }
         }
     ]