Merge pull request #68 from alexandreborges/dev
Update for Malwoverview 6.1.1
alexandreborges authored Dec 13, 2024
2 parents 5d730d5 + fbaeef3 commit d5fc570
Showing 7 changed files with 86 additions and 54 deletions.
79 changes: 47 additions & 32 deletions README.md
@@ -1,6 +1,6 @@
# Malwoverview

[<img alt="GitHub release (latest by date)" src="https://img.shields.io/github/v/release/alexandreborges/malwoverview?color=red&style=for-the-badge">](https://github.com/alexandreborges/malwoverview/releases/tag/v6.1.0) [<img alt="GitHub last commit" src="https://img.shields.io/github/last-commit/alexandreborges/malwoverview?color=Yellow&style=for-the-badge">](https://github.com/alexandreborges/malwoverview/releases) [<img alt="GitHub Release Date" src="https://img.shields.io/github/release-date/alexandreborges/malwoverview?label=Release%20Date&style=for-the-badge">](https://github.com/alexandreborges/malwoverview/releases) [<img alt="GitHub" src="https://img.shields.io/github/license/alexandreborges/malwoverview?style=for-the-badge">](https://github.com/alexandreborges/malwoverview/blob/master/LICENSE)
[<img alt="GitHub release (latest by date)" src="https://img.shields.io/github/v/release/alexandreborges/malwoverview?color=red&style=for-the-badge">](https://github.com/alexandreborges/malwoverview/releases/tag/v6.1.1) [<img alt="GitHub last commit" src="https://img.shields.io/github/last-commit/alexandreborges/malwoverview?color=Yellow&style=for-the-badge">](https://github.com/alexandreborges/malwoverview/releases) [<img alt="GitHub Release Date" src="https://img.shields.io/github/release-date/alexandreborges/malwoverview?label=Release%20Date&style=for-the-badge">](https://github.com/alexandreborges/malwoverview/releases) [<img alt="GitHub" src="https://img.shields.io/github/license/alexandreborges/malwoverview?style=for-the-badge">](https://github.com/alexandreborges/malwoverview/blob/master/LICENSE)
[<img alt="GitHub stars" src="https://img.shields.io/github/stars/alexandreborges/malwoverview?logoColor=Red&style=for-the-badge">](https://github.com/alexandreborges/malwoverview/stargazers)
[<img alt="Twitter Follow" src="https://img.shields.io/twitter/follow/ale_sp_brazil?style=for-the-badge&logo=X&color=blueviolet">](https://twitter.com/ale_sp_brazil)
[<img alt="Downloads/Last Month" src="https://img.shields.io/pypi/dm/malwoverview?color=blue&style=for-the-badge&label=Last%20Month">](https://pypistats.org/packages/malwoverview)
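Review bot: the release badge link in this hunk is updated from releases/tag/v6.1.0 to releases/tag/v6.1.1, so it has to be edited by hand on every release while the badge image itself already resolves to the latest release. Point the link at https://github.com/alexandreborges/malwoverview/releases/latest and the line never needs touching again.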
Expand Down Expand Up @@ -55,6 +55,8 @@
![Alt text](pictures/picture_46.jpg?raw=true "Title")
![Alt text](pictures/picture_47.jpg?raw=true "Title")
![Alt text](pictures/picture_48.jpg?raw=true "Title")
![Alt text](pictures/picture_49.jpg?raw=true "Title")
![Alt text](pictures/picture_50.jpg?raw=true "Title")

Copyright (C) 2018-2025 Alexandre Borges (https://exploitreversing.com)

Expand All @@ -71,7 +73,7 @@
See GNU Public License on <http://www.gnu.org/licenses/>.


## Current Version: 6.1.0
## Current Version: 6.1.1

Important note: Malwoverview does NOT submit samples to any endpoint by default,
so it respects possible Non-Disclosure Agreements (NDAs). There're specific options
Expand All @@ -87,17 +89,17 @@ from several endpoints. In few words, it works as a client to main existing sand

This tool aims to :

1. Determine similar executable malware samples (PE/PE+) according to the import table (imphash) and group
them by different colors (pay attention to the second column from output). Thus, colors matter!
2. Show hash information on Virus Total, Hybrid Analysis, Malshare, Polyswarm, URLhaus, Alien Vault,
Malpedia and ThreatCrowd engines.
3. Determining whether the malware samples contain overlay and, if you want, extract it.
4. Check suspect files on Virus Total, Hybrid Analysis and Polyswarm.
5. Check URLs on Virus Total, Malshare, Polyswarm, URLhaus engines and Alien Vault.
6. Download malware samples from Hybrid Analysis, Malshare, URLHaus, Polyswarm and Malpedia engines.
7. Submit malware samples to VirusTotal, Hybrid Analysis and Polyswarm.
8. List last suspected URLs from URLHaus.
9. List last payloads from URLHaus.
01. Determine similar executable malware samples (PE/PE+) according to the import table (imphash) and group
them by different colors (pay attention to the second column from output). Thus, colors matter!
02. Show hash information on Virus Total, Hybrid Analysis, Malshare, Polyswarm, URLhaus, Alien Vault,
Malpedia and ThreatCrowd engines.
03. Determining whether the malware samples contain overlay and, if you want, extract it.
04. Check suspect files on Virus Total, Hybrid Analysis and Polyswarm.
05. Check URLs on Virus Total, Malshare, Polyswarm, URLhaus engines and Alien Vault.
06. Download malware samples from Hybrid Analysis, Malshare, URLHaus, Polyswarm and Malpedia engines.
07. Submit malware samples to VirusTotal, Hybrid Analysis and Polyswarm.
08. List last suspected URLs from URLHaus.
09. List last payloads from URLHaus.
10. Search for specific payloads on the Malshare.
11. Search for similar payloads (PE32/PE32+) on Polyswarm engine.
12. Classify all files in a directory searching information on Virus Total and Hybrid Analysis.
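Review bot: the renumbering from "1." to "01." is cosmetic (the Markdown renderer accepts leading zeros and the list still starts at 1), but since every item is being rewritten anyway, item 03 should read "Determine whether the malware samples contain overlay" to match the imperative form of the other items.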
Expand Down Expand Up @@ -128,9 +130,9 @@ This tool aims to :

## CONTRIBUTORS

Alexandre Borges (project owner)
Artur Marzano (https://github.com/Macmod)
Corey Forman (https://github.com/digitalsleuth)
Alexandre Borges (https://github.com/alexandreborges) | project owner and main developer
Artur Marzano (https://github.com/Macmod) | co-main developer
Corey Forman (https://github.com/digitalsleuth) | responsible for REMnux integration
Christian Clauss (https://github.com/cclauss)

## HOW TO CONTRIBUTE TO THIS PROJECT
Expand Down Expand Up @@ -174,22 +176,30 @@ AFTER having installed Malwoverview:

* python-magic is NOT installed. (pip show python-magic)
* python-magic-bin IS installed. (pip show python-magic-bin)
To use Malwoverview you should insert VirusTotal, Hybrid Analysis, URLHaus, Malshare, Polyswarm,
Alien Vault, Malpedia and Triage into the .malwapi.conf configuration file
(the default one at the home directory (/home/[username] or /root) -- if the file doesn't exist,
so you should create it) or you could create a custom configuration file and indicate it by

#### Note: It is recommended to save the .malwapi.conf before any update!


## REQUIRED APIs

Malwoverview does not require to insert all APIs anymore. Therefore, professionals can
us it without having registered such APIs. Obviously, to use certain options is necessary to
add respective API into .malwapi.conf file, whose format is shown below.

To use all options of Malwoverview you must insert respective API of the following services:
VirusTotal, Hybrid Analysis, URLHaus, Malshare, Polyswarm, Alien Vault, Malpedia, Triage,
InQuest, Virus Exchange and APInfo into the .malwapi.conf configuration file, which must be present
(or created) in the home directory (/home/[username] or /root on Linux, and C:\Users\[username]
on Windows. Alternatively, users could create a custom configuration file and indicate it by
using the -c option.

Nonetheless, starting on version 4.4.2, it isn't longer necessary to insert all APIs into
.malwapi.conf file before using Malwoverview. Therefore, users can only insert few APIs
and use the respective options to these APIs.
To highlight: if the .malwapi.conf file does not exist in your home directory, so you must
create it!

* A special note about the Alien Vault: it is necessary to subscribe to pulses on Alien Vault
website before using -n 1 option.

The .malwapi.conf configuration file (from the the home directory -- /home/[username] or /root)
has the following format:
The .malwapi.conf configuration file has the following format:

[VIRUSTOTAL]
VTAPI =
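Review bot: the new REQUIRED APIs paragraph has a typo ("professionals can us it" should be "use it") and the parenthesis opened in "(or created) in the home directory (/home/[username] or /root on Linux, and C:\Users\[username] on Windows." is never closed. Throughout the section "APIs" is used where "API keys" is meant; because .malwapi.conf stores credentials, say so explicitly and add one line recommending that the file be readable only by its owner (chmod 600 on Linux and macOS) and never committed to a repository. Dropping the removed sentence "starting on version 4.4.2, it isn't longer necessary to insert all APIs" is right, since the 6.1.1 history entry in this same commit says the behaviour is new, but the replacement text should state plainly that any key may be left blank and only the options that depend on it will refuse to run.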
Expand Down Expand Up @@ -243,6 +253,7 @@ The APIs can be requested on the respective service websites:
13. IPInfo: https://ipinfo.io/
14. BGPView: ihttps://bgpview.docs.apiary.io/


----------------------------------------------------
A special note about API requests to the MALPEDIA:
----------------------------------------------------
Expand All @@ -254,7 +265,6 @@ you provided further information about you (LinkedIn account, Twitter and so on)
because it would make simpler to proof your identity, professional profile and
legitimacy, so making quicker the approval of your request.

-----------------------------------------------------

----------------------------------------------------
Additional explanation about Triage:
Expand All @@ -265,7 +275,6 @@ use the "-x 1 -X \<attribute\>:\<value\>" to search for the correct ID of the ar
so use this ID information with the remaining Triage options (-x [2-7]) for getting
further threat hunting information from Triage endpoint.

-----------------------------------------------------

----------------------------------------------------
Note about background color of the terminal:
Expand All @@ -278,8 +287,6 @@ light background.

-----------------------------------------------------

On Linux and MacOS systems, create the .malwapi.conf file within
/home/\[username\] directory (Linux home user directory -- /home/[username] or /root).

To check the installation, execute:

Expand All @@ -291,11 +298,12 @@ Further information is available on:
(Github) https://github.com/alexandreborges/malwoverview

If you want to perform the manual installation (it is not usually necessary), so few steps
should be executed:
should be executed, as shown in the next sub-section.


## MANUAL INSTALLATION (REMnux and Ubuntu)

1. Python version 3.8 or later (Only Python 3.x !!! It does NOT work using Python 2.7)
1. Python version 3.11 or later (Only Python 3.x !!! It does NOT work using Python 2.7)

$ apt-get install python3.11 (for example)

Expand Down Expand Up @@ -779,6 +787,13 @@ Malwoverview is a first response tool for threat hunting written by Alexandre Bo
## HISTORY


Version 6.1.1:

This version:

* Modifies the code to not require to registers all APIs at the first usage.
* Add a new section in the README (this file) about required APIs.

Version 6.1.0:

This version:
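Review bot: the 6.1.1 history bullet "Modifies the code to not require to registers all APIs at the first usage" should read "No longer requires all API keys to be registered before first use". The entry should also record that the IPInfo key check was removed (see the ipinfo.py hunks), since that changes behaviour for users who relied on that error message.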
38 changes: 24 additions & 14 deletions malwoverview/malwoverview.py
Expand Up @@ -21,7 +21,7 @@
# Christian Clauss (https://github.com/cclauss)
# Artur Marzano (https://github.com/Macmod)

# Malwoverview.py: version 6.1.0
# Malwoverview.py: version 6.1.1

import os
import argparse
Expand Down Expand Up @@ -56,7 +56,7 @@
__author__ = "Alexandre Borges"
__copyright__ = "Copyright 2018-2025, Alexandre Borges"
__license__ = "GNU General Public License v3.0"
__version__ = "6.1.0"
__version__ = "6.1.1"
__email__ = "reverseexploit at proton.me"

def finish_hook(signum, frame):
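Review bot: the version string now lives in four places (the README heading, the "# Malwoverview.py: version" comment, __version__, and version= in setup.py), and this commit has to touch all of them. Let setup.py read __version__ from the package, or derive the comment and README from it, so a release bumps a single line and the copies cannot drift.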
Expand Down Expand Up @@ -115,17 +115,24 @@ def main():
config_file = configparser.ConfigParser()
config_file.read(args.config)
config_dict = config_file
VTAPI = config_dict.get('VIRUSTOTAL', 'VTAPI')
HAAPI = config_dict.get('HYBRID-ANALYSIS', 'HAAPI')
MALSHAREAPI = config_dict.get('MALSHARE', 'MALSHAREAPI')
HAUSSUBMITAPI = config_dict.get('HAUSSUBMIT', 'HAUSSUBMITAPI')
POLYAPI = config_dict.get('POLYSWARM', 'POLYAPI')
ALIENAPI = config_dict.get('ALIENVAULT', 'ALIENAPI')
MALPEDIAAPI = config_dict.get('MALPEDIA', 'MALPEDIAAPI')
TRIAGEAPI = config_dict.get('TRIAGE', 'TRIAGEAPI')
INQUESTAPI = config_dict.get('INQUEST', 'INQUESTAPI')
VXAPI = config_dict.get('VIRUSEXCHANGE', 'VXAPI')
IPINFOAPI = config_dict.get('IPINFO', 'IPINFOAPI')

def getoption(section, name):
if config_dict.has_option(section,name):
return config_dict.get(section,name)
else:
return ''

VTAPI = getoption('VIRUSTOTAL', 'VTAPI')
HAAPI = getoption('HYBRID-ANALYSIS', 'HAAPI')
MALSHAREAPI = getoption('MALSHARE', 'MALSHAREAPI')
HAUSSUBMITAPI = getoption('HAUSSUBMIT', 'HAUSSUBMITAPI')
POLYAPI = getoption('POLYSWARM', 'POLYAPI')
ALIENAPI = getoption('ALIENVAULT', 'ALIENAPI')
MALPEDIAAPI = getoption('MALPEDIA', 'MALPEDIAAPI')
TRIAGEAPI = getoption('TRIAGE', 'TRIAGEAPI')
INQUESTAPI = getoption('INQUEST', 'INQUESTAPI')
VXAPI = getoption('VIRUSEXCHANGE', 'VXAPI')
IPINFOAPI = getoption('IPINFO', 'IPINFOAPI')

optval = range(2)
optval1 = range(3)
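Review bot: getoption() silently turns a missing section or key into '', which is also what an empty "VTAPI =" line yields, so callers can no longer distinguish "not configured" from "configured empty"; that is acceptable for this use, but config_file.read(args.config) likewise returns an empty list with no error when the file does not exist or is unreadable, and the user then gets '' for every key followed by a misleading per-module message later. Check the return value of read() and print one clear "could not load config file" message up front. Minor: configparser already supports this pattern as config_dict.get(section, name, fallback=''), which makes the helper unnecessary, and has_option(section,name) is missing the space after the comma.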
Expand Down Expand Up @@ -194,7 +201,10 @@ def main():
args.backg not in optval,
args.malsharelist not in optval8,
args.virustotaloption not in optval9,
args.vtpubpremium not in optval
args.vtpubpremium not in optval,
args.vxoption not in optval1,
args.ipoption not in optval4,
args.androidoption not in optval5
]

MIN_OPTIONS = [
15 changes: 9 additions & 6 deletions malwoverview/modules/ipinfo.py
@@ -1,16 +1,19 @@
import malwoverview.modules.configvars as cv
from malwoverview.utils.colors import mycolors
from malwoverview.utils.colors import mycolors, printc
import requests

class IPInfoExtractor:
def __init__(self, IPINFOAPI):
self.IPINFOAPI = IPINFOAPI

"""
IPInfo API can be used anonymously up to 1000 requests per day
def requestIPINFOAPI(self):
if self.IPINFOAPI == '':
print(mycolors.foreground.red + "\nTo use IPInfo.io services, you must create the .malwapi.conf file under your user home directory (on Linux is $HOME\\.malwapi.conf and on Windows is in C:\\Users\\[username]\\.malwapi.conf) and insert the IPInfo API key according to the format shown on the Github website." + mycolors.reset + "\n")
exit(1)

if self.IPINFOAPI == '':
print(mycolors.foreground.red + "\nTo use IPInfo.io services, you must create the .malwapi.conf file under your user home directory (on Linux is $HOME\\.malwapi.conf and on Windows is in C:\\Users\\[username]\\.malwapi.conf) and insert the IPInfo API key according to the format shown on the Github website." + mycolors.reset + "\n")
exit(1)
"""

def _raw_ip_info(self, ip_address):
url = f"https://ipinfo.io/{ip_address}?token={self.IPINFOAPI}"

Expand All @@ -21,7 +24,7 @@ def _raw_ip_info(self, ip_address):
return {'error': e}

def get_ip_details(self, ip_address):
self.requestIPINFOAPI()
# self.requestIPINFOAPI()

data = self._raw_ip_info(ip_address)

6 changes: 5 additions & 1 deletion malwoverview/modules/multipleip.py
@@ -1,11 +1,15 @@
from malwoverview.utils.colors import mycolors, printr
from malwoverview.utils.colors import mycolors, printr, printc
import malwoverview.modules.configvars as cv

class MultipleIPExtractor:
def __init__(self, extractors):
self.extractors = extractors

def get_multiple_ip_details(self, ip_address):
if ip_address is None:
printc("A valid IP address is required.", mycolors.foreground.error(cv.bkg))
return

for extractor in self.extractors:
extractor_obj = self.extractors[extractor]
if extractor == "IPInfo":
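Review bot: the None check catches a missing argument but not an empty or malformed value, and ip_address is then handed to every extractor (for IPInfo it becomes part of the request URL). Validate it up front with ipaddress.ip_address(ip_address) inside a try/except ValueError and print the same "A valid IP address is required." message on failure, which rejects strings such as "1.2.3.4/evil" before they reach any external endpoint.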
Binary file added pictures/picture_49.jpg
Binary file added pictures/picture_50.jpg
2 changes: 1 addition & 1 deletion setup.py
Expand Up @@ -11,7 +11,7 @@

setup(
name="malwoverview",
version="6.1.0",
version="6.1.1",
author="Alexandre Borges",
author_email="[email protected]",
license="GNU GPL v3.0",
