diff --git a/.malwapi.conf b/.malwapi.conf index fbf8ec8..1ad84b0 100644 --- a/.malwapi.conf +++ b/.malwapi.conf @@ -13,3 +13,8 @@ HAUSSUBMITAPI = [POLYSWARM] POLYAPI = +[ALIENVAULT] +ALIENAPI = + +[MALPEDIA] +MALPEDIAAPI = diff --git a/README.md b/README.md index e3b9804..ab5638c 100644 --- a/README.md +++ b/README.md @@ -1,6 +1,6 @@ -# Malwoverview.py +# Malwoverview -[GitHub release (latest by date)](https://github.com/alexandreborges/malwoverview/releases/tag/3.1.2) [GitHub last commit](https://github.com/alexandreborges/malwoverview/releases) [GitHub Release Date](https://github.com/alexandreborges/malwoverview/releases) [GitHub](https://github.com/alexandreborges/malwoverview/blob/master/LICENSE) +[GitHub release (latest by date)](https://github.com/alexandreborges/malwoverview/releases/tag/4.0.0) [GitHub last commit](https://github.com/alexandreborges/malwoverview/releases) [GitHub Release Date](https://github.com/alexandreborges/malwoverview/releases) [GitHub](https://github.com/alexandreborges/malwoverview/blob/master/LICENSE) [GitHub stars](https://github.com/alexandreborges/malwoverview/stargazers) [Twitter Follow](https://twitter.com/ale_sp_brazil) [PayPal](https://www.paypal.com/cgi-bin/webscr?cmd=_s-xclick&hosted_button_id=M8F458EZH8UZE&source=url) @@ -56,6 +56,28 @@ ![Alt text](pictures/picture_49.jpg?raw=true "Title") ![Alt text](pictures/picture_50.jpg?raw=true "Title") ![Alt text](pictures/picture_51.jpg?raw=true "Title") +![Alt text](pictures/picture_52.jpg?raw=true "Title") +![Alt text](pictures/picture_53.jpg?raw=true "Title") +![Alt text](pictures/picture_54.jpg?raw=true "Title") +![Alt text](pictures/picture_55.jpg?raw=true "Title") +![Alt text](pictures/picture_56.jpg?raw=true "Title") +![Alt text](pictures/picture_57.jpg?raw=true "Title") +![Alt text](pictures/picture_58.jpg?raw=true "Title") +![Alt text](pictures/picture_59.jpg?raw=true "Title") +![Alt text](pictures/picture_60.jpg?raw=true "Title") +![Alt text](pictures/picture_61.jpg?raw=true "Title") +![Alt text](pictures/picture_62.jpg?raw=true "Title") +![Alt text](pictures/picture_63.jpg?raw=true "Title") +![Alt text](pictures/picture_64.jpg?raw=true "Title") +![Alt text](pictures/picture_65.jpg?raw=true "Title") +![Alt text](pictures/picture_66.jpg?raw=true "Title") +![Alt text](pictures/picture_67.jpg?raw=true "Title") +![Alt text](pictures/picture_68.jpg?raw=true "Title") +![Alt text](pictures/picture_69.jpg?raw=true "Title") +![Alt text](pictures/picture_70.jpg?raw=true "Title") +![Alt text](pictures/picture_71.jpg?raw=true "Title") +![Alt text](pictures/picture_72.jpg?raw=true "Title") +![Alt text](pictures/picture_73.jpg?raw=true "Title") Copyright (C) 2018-2020 Alexandre Borges @@ -72,9 +94,9 @@ See GNU Public License on . -# Current Version: 3.1.2 +# Current Version: 4.0.0 -## Important note: Malwoverview does NOT submit samples to Virus Total or Hybrid Analysis by default. It submits only hashes, so respecting Non-Disclosure Agreements (NDAs). Nonetheless, if you use the "-V" (uppercase), "-A" (uppercase) or "-P" (uppercase), so Malwoverview SUBMITS your malware sample to Virus Total, Hybrid Analysis and Polyswarm, respectively. +## Important note: Malwoverview does NOT submit samples to Virus Total or Hybrid Analysis by default. It submits only hashes, so respecting Non-Disclosure Agreements (NDAs). Nonetheless, if you use the "-V" (uppercase), "-A" (uppercase) or "-P" (uppercase), so Malwoverview SUBMITS your malware sample to Virus Total, Hybrid Analysis and Polyswarm, respectively. Additionally, options "-Y" and "-T" also sent the Android package from Android device to Hybrid-Analysis and Virus Total, respectively. # ABOUT @@ -86,25 +108,31 @@ This tool aims to : 1. Determine similar executable malware samples (PE/PE+) according to the import table (imphash) and group them by different colors (pay attention to the second column from output). Thus, colors matter! -2. Show hash information on Virus Total, Hybrid Analysis, Malshare, Polyswarm and URLhaus engines. +2. Show hash information on Virus Total, Hybrid Analysis, Malshare, Polyswarm, URLhaus, Alien Vault, i + Malpedia and ThreatCrowd engines. 3. Determining whether the malware samples contain overlay and, if you want, extract it. 4. Check suspect files on Virus Total, Hybrid Analysis and Polyswarm. -5. Check URLs on Virus Total, Malshare, Polyswarm and URLhaus engines. -6. Download malware samples from Hybrid Analysis, Malshare and HausURL engines. +5. Check URLs on Virus Total, Malshare, Polyswarm, URLhaus engines and Alien Vault. +6. Download malware samples from Hybrid Analysis, Malshare, HausURL, Polyswarm and Malpedia engines. 7. Submit malware samples to VirusTotal, Hybrid Analysis and Polyswarm. 8. List last suspected URLs from URLHaus. 9. List last payloads from URLHaus. 10. Search for specific payloads on the Malshare. 11. Search for similar payloads (PE32/PE32+) on Polyswarm engine. 12. Classify all files in a directory searching information on Virus Total and Hybrid Analysis. -13. Make reports about a suspect domain. +13. Make reports about a suspect domain using different engines such as VirusTotal, Malpedia and + ThreatCrowd. 14. Check APK packages directly from Android devices against Hybrid Analysis and Virus Total. 15. Submit APK packages directly from Android devices to Hybrid Analysis and Virus Total. 16. Show URLs related to an user provided tag from URLHaus. 17. Show payloads related to a tag (signature) from URLHaus. -18. Show information about an IP address from Virus Total. +18. Show information about an IP address from Virus Total, Alien Vault, Malpedia and ThreatCrowd. 19. Show IP address, domain and URL information from Polyswarm. -20. List different types of payloads from Malshare along their Yara hits. +21. Perform meta-search on Polyswarm Network using several criterias: imphash, IPv4, domain, URL and + malware family. +22. Gather threat hunting information from AlienVault using different criteria. +23. Gather threat hunting information from Malpedia using different criteria. +24. Gather threat hunting information from ThreatCrowd using different criteria. # CONTRIBUTORS: @@ -113,7 +141,8 @@ This tool aims to : # REQUERIMENTS -This tool has been tested on Ubuntu, Kali Linux 2020, REMnux, Windows 8.1 and 10. Malwoverview can be installed by executing the following command: +This tool has been tested on Ubuntu, Kali Linux 2020, REMnux, Windows 8.1 and 10. Malwoverview +can be installed by executing the following command: pip3.8 install git+https://github.com/alexandreborges/malwoverview (preferred method) or... @@ -122,9 +151,13 @@ This tool has been tested on Ubuntu, Kali Linux 2020, REMnux, Windows 8.1 and 10 git clone https://github.com/alexandreborges/malwoverview -To use Malwoverview you should insert VirusTotal, Hybrid Analysis, URLHaus, Malshare and Polyswarm APIs into the .malwapi.conf configuration -file (the default one at the home directory -- if the file doesn't exist, so you should create it) or you could create a custom configuration file -and indicate it by using the -c option. +To use Malwoverview you should insert VirusTotal, Hybrid Analysis, URLHaus, Malshare, Polyswarm, +Alien Vault and Malpedia APIs into the .malwapi.conf configuration file (the default one at the +home directory -- if the file doesn't exist, so you should create it) or you could create a +custom configuration file and indicate it by using the -c option. + +A special note about the Alien Vault: it is necessary to subscribe to pulses on Alien Vault +website before using -n 1 option. The .malwapi.conf configuration file (from the the home directory) has the following format: @@ -143,8 +176,15 @@ The .malwapi.conf configuration file (from the the home directory) has the follo [POLYSWARM] POLYAPI = -In Windows systems, when the package is installed using pip, the suggestion is to create the .malwapi.conf in either C:\Users\ directory. -Additionally, you don't need to specify "-w 1" option while using malwoverview.py on Windows anymore. + [ALIENVAULT] + ALIENAPI = + + [MALPEDIA] + MALPEDIAAPI = + +In Windows systems, when the package is installed using pip, the suggestion is to create the +.malwapi.conf in either C:\Users\ directory. Additionally, you don't need to specify +"-w 1" option while using malwoverview.py on Windows anymore. To check the installation, execute: @@ -162,37 +202,38 @@ If you want to perform the manual steps, so few steps will be necessary: 1. Python version 3.8 or later (Only Python 3.x !!! It does NOT work using Python 2.7) $ apt-get install python3.8 (for example) - + 2. Python-magic. To install python-magic package you can execute the following command: - + $ pip3.8 install python-magic - + Or compiling it from the github repository: - + $ git clone https://github.com/ahupp/python-magic $ cd python-magic/ $ python3.8 setup.py build $ python3.8 setup.py install - - As there are serious problems about existing two versions of python-magic package, my recommendation is to install it - from github (second procedure above) and copy the magic.py file to the SAME directory of malwoverview tool. + + As there are serious problems about existing two versions of python-magic package, my + recommendation is to install it from github (second procedure above) and copy the magic.py + file to the SAME directory of malwoverview tool. 3. Install several Python packages: $ pip3.8 install -r requirements.txt - + OR - + $ pip3.8 install -U pefile $ pip3.8 install -U colorama $ pip3.8 install -U simplejson $ pip3.8 install -U python-magic - $ pip3.8 install requests==2.2.22 + $ pip3.8 install -U requests $ pip3.8 install -U validators $ pip3.8 install -U geocoder - $ pip3.8 install polyswarm-api==1.1.1 + $ pip3.8 install -U polyswarm-api $ pip3.8 install -U pathlib $ pip3.8 install -U configparser @@ -201,7 +242,7 @@ If you want to perform the manual steps, so few steps will be necessary: # apt get install adb PS: before trying Android's options, check: - + * If the adb program is listed in the PATH environment variable. * If the system has authorized access to the device by using "adb devices -l" @@ -209,44 +250,45 @@ If you want to perform the manual steps, so few steps will be necessary: 1. Install the Python version 3.8.x or later from https://www.python.org/downloads/windows/ -2. Python-magic. +2. Python-magic. To install python-magic package you can execute the following command: - + C:\> python.exe -m pip install python-magic - + Or compiling it from the github repository: - + C:\> git clone https://github.com/ahupp/python-magic C:\> cd python-magic/ C:\> python.exe setup.py build C:\> python.exe setup.py install - + 3. Install several Python packages: - + C:\> python.exe -m pip install -r requirements.txt - + OR: - - C:\> python.exe -m pip install pefile - C:\> python.exe -m pip install colorama - C:\> python.exe -m pip install simplejson - C:\> python.exe -m pip install python-magic - C:\> python.exe -m pip install requests - C:\> python.exe -m pip install validators - C:\> python.exe -m pip install geocoder - C:\> python.exe -m pip install polyswarm-api - C:\> python.exe -m pip install pathlib - C:\> python.exe -m pip install configparser - C:\> python.exe -m pip install python-magic-bin + + C:\> python.exe -m pip install -U pefile + C:\> python.exe -m pip install -U colorama + C:\> python.exe -m pip install -U simplejson + C:\> python.exe -m pip install -U python-magic + C:\> python.exe -m pip install -U requests + C:\> python.exe -m pip install -U validators + C:\> python.exe -m pip install -U geocoder + C:\> python.exe -m pip install -U polyswarm-api + C:\> python.exe -m pip install -U pathlib + C:\> python.exe -m pip install -U configparser + C:\> python.exe -m pip install -U python-magic-bin 4. To check an Android mobile you need to install the "adb" program by: - * Downloading and installing the Android Studio from: https://developer.android.com/studio#downloads (Recommended) + * Downloading and installing the Android Studio from: https://developer.android.com/ + studio#downloads (Recommended) * Downloading it from https://dl.google.com/android/repository/platform-tools-latest-windows.zip - + PS: before trying Android's options, check: - + * If the adb program is listed in the PATH environment variable. * If the system has authorized access to the device by using "adb devices -l" @@ -257,250 +299,335 @@ To use the malwoverview, execute the command as shown below: root@ubuntu19:~/malwoverview# python3.8 malwoverview.py | more - usage: python malwoverview.py -c -d -f -i <0|1> -b <0|1> -v <0|1> - -a <0|1> -p <0|1> -s <0|1> -x <0|1> -w <|1> -u -H -V -D <0|1> -e<0|1|2|3|4> - -A -g -r -t <0|1> -Q <0|1> -l <0|1> -n <1-12> -m -M <0|1> - -U -S -z -B <0|1> -K <0|1> -j -J -P -N - -R -G <0|1|2|3|4> -y <0|1> -Y -Z <0|1> - -X <0|1> -Y -T -W -k -I - + usage: python malwoverview.py -c -d -f + -b <0|1> -v <0|1|2|3> -a <0|1|2|3|4|5> -x <0|1> -w <0|1> -u -H -V + -D <0|1> -e<0|1|2|3|4> -A -g -r -t <0|1> -l <1-14> -L + -U -S -z -K <0|1|2> -j -J -P -R -G <0|1|2|3|4> -y <0|1|2|3> -Y -Y -T -W + -k -I -n <1|2|3|4|5> -N -M <1-8> -m -Q <1-5> + -q Malwoverview is a malware triage tool written by Alexandre Borges. - optional arguments: +optional arguments: - -h, --help show this help message and exit + -h, --help Show this help message and exit -c CONFIG FILE, --config CONFIG FILE Use a custom config file to specify API's -d DIRECTORY, --directory DIRECTORY - specify directory containing malware samples. + Specifies the directory containing malware samples. -f FILENAME, --filename FILENAME - Specifies a full path to a file. Shows general information about the file (any filetype) + Specifies a full path to a malware sample. It returns general information + about the file (any filetype) -b BACKGROUND, --background BACKGROUND - (optional) Adapts the output colors to a white terminal. The default is black terminal - -i IAT_EAT, --iat_eat IAT_EAT - (optional) Shows imports and exports (it is used with -f option). + Adapts the output colors to a white terminal. The default is black terminal -x OVERLAY, --overlay OVERLAY - (optional) Extracts overlay (it is used with -f option). - -s SHOW_VT_REPORT, --vtreport SHOW_VT_REPORT - Shows antivirus reports from the main players. This option is used with the -f option (any filetype). + Extracts the overlay (it is used with -f option). -v VIRUSTOTAL, --virustotal VIRUSTOTAL - Queries the Virus Total database for positives and totals.Thus, you need to edit the configmalw.py - and insert your VT API. + If using "-v 1", so it queries the Virus Total database for positives and + totals. If "v 2" (which can be used only together with -f option), so it + shows antivirus reports from the main players. If "v 3", so the binary's IAT + and EAT are also shown. Remember: you need to edit the .malwapi.conf and insert + your VT API. -a HYBRID_ANALYSIS, --hybrid HYBRID_ANALYSIS - Queries the Hybrid Analysis database for general report. Use the -e option to specify which - environment are looking for the associate report because the sample can have been submitted to a - different environment that you are looking for. Thus, you need to edit the configmalw.py i - and insert your HA API and secret. - -p USE_VT_PUB_KEY, --vtpub USE_VT_PUB_KEY - (optional) You should use this option if you have a public Virus Total API. It forces a one - minute wait every 4 malware samples, but allows obtaining a complete evaluation of the - malware repository. - -w RUN_ON_WINDOWS, --windows RUN_ON_WINDOWS - This option is used when the OS is Microsoft Windows. + Queries the Hybrid Analysis database for getting a general report. Possible + values are: 1: Windows 7 32-bit; 2: Windows 7 32-bit (HWP Support); 3: + Windows 64-bit; 4: Android; 5: Linux 64-bit. Remember: you need to edit the + .malwapi.conf and insert your HA API and secret. -u URL_VT, --vturl URL_VT - SUBMITS a URL for the Virus Total scanning. + SUBMITS a URL to the Virus Total scanning. -I IP_VT, --ipaddrvt IP_VT - This options checks an IP address on Virus Total. + This option checks an IP address on Virus Total. -r URL_DOMAIN, --urldomain URL_DOMAIN - GETS a domain's report from Virus Total. + This option gets a domain's report from Virus Total. -H FILE_HASH, --hash FILE_HASH - Specifies the hash to be checked on Virus Total and Hybrid Analysis. For the Hybrid Analysis - report you must use it together -e option. + This option specifies the hash to be checked on Virus Total and Hybrid Analysis. + For the Hybrid Analysis report you must use it with the -e option. -V FILENAME_VT, --vtsubmit FILENAME_VT - SUBMITS a FILE(up to 32MB) to Virus Total scanning and read the report. Attention: use forward - slash to specify the target file even on Windows systems. Furthermore, the minimum waiting time - is set up in 90 seconds because the Virus Total queue. If an error occurs, so wait few minutes - and try to access the report by using -f option. + Submits a file(up to 32MB) for Virus Total scanning and gets the report. Attention: + use forward slash to specify the target file even on Windows systems. Furthermore, + the minimum waiting time is set up in 90 seconds because the Virus Total waiting + queue. If an error occurs, so wait few minutes and try to access the report by + using -f option. -A SUBMIT_HA, --submitha SUBMIT_HA - SUBMITS a FILE(up to 32MB) to be scanned by Hybrid Analysis engine. Use the -e option to specify - the best environment to run the suspicious file. + Submits a file(up to 32MB) to be scanned by the Hybrid Analysis engine. Use the + -e option to specify the best environment to run the suspicious file. -g HA_STATUS, --hastatus HA_STATUS - Checks the report's status of submitted samples to Hybrid Analysis engine by providing the - job ID. Possible returned status values are: IN_QUEUE, SUCCESS, ERROR, IN_PROGRESS and - PARTIAL_SUCCESS. + Checks the report's status of submitted samples to Hybrid Analysis engine by + providing the job ID. Possible returned status values are: IN_QUEUE, SUCCESS, + ERROR, IN_PROGRESS and PARTIAL_SUCCESS. -D DOWNLOAD, --download DOWNLOAD - Downloads the sample from Hybrid Analysis. Option -H must be specified. + Downloads the sample from Hybrid Analysis, Malshare and Polyswarm. Options i + -H or -L (Hybrid Analysis and Malshare, respectively) must be specified as well + -O option for Polyswarm engine. -e HA_ENVIRONMENT, --haenv HA_ENVIRONMENT - This option specifies the used environment to be used to test the samlple on Hybrid Analysis: - <0> Windows 7 32-bits; <1> Windows 7 32-bits (with HWP Support); <2> Windows 7 64-bits; - <3> Android; <4> Linux 64-bits environment. This option is used together either -H option - or the -A option or -a option. + This option specifies the used environment to be used to test the samlple on + Hybrid Analysis: <0> Windows 7 32-bits; <1> Windows 7 32-bits (with HWP Support); + <2> Windows 7 64-bits; <3> Android; <4> Linux 64-bits environment. This option + is used together either -H option or the -A option. -t MULTITHREAD, --thread MULTITHREAD - (optional) This option is used to force multithreads on Linux whether: the -d option is specifed - AND you have a PAID Virus Total API or you are NOT checking the VT while using the -d option. - PS1: using this option causes the Imphashes not to be grouped anymore; PS2: it also works on - Windows, but there is not gain in performance. - -Q QUICK_CHECK, --quick QUICK_CHECK - This option should be used with -d option in two scenarios: 1) either including the -v option - (Virus Total -- you'll see a complete VT response whether you have the private API) for a - multithread search and reduced output; 2) or including the -a option (Hybrid Analysis) for a - multithread search and complete and amazing output. If you are using the -a option, so -e option - can also be used to adjust the output to your sample types. PS1: certainly, if you have a - directory holding many malware samples, so you will want to test this option with -a option; i - PS2: it also works on Windows, but there is not gain in performance. + (optional) This option has several different meanings according to chosen the + value. Possible values: <1>: This value is used to force multithreads on Linux + whether: the -d option is specifed AND you have a PAID Virus Total API or you + are NOT checking the VT while using the -d option. PS1: using this option causes + Imphashes not to be grouped anymore; PS2: it also works on Windows, but there is + not gain in performance; <2>: This value should be used with -d option in + two scenarios: 1) either including the "-v 1" option (Virus Total -- you'll see + a complete VT response whether you have the private API) for a multithread searching + and reduced output; 2) or including the -a option (Hybrid Analysis) for a multithread + searching to get a complete and amazing output. If you are using the -a option, so + you should pickup the right number represening the testing environment to adjust the + output to your sample types. PS1: certainly, if you have a directory holding + many malware samples, so you will want to test this option with -a option; PS2: it + also works on Windows, but there is not gain in performance; <3>: You should use + this value with -v option if you have a public Virus Total API. It forces a one + minute wait every 4 malware samples, but allows obtaining a complete evaluation of + the malware repository. -l MALSHARE_HASHES, --malsharelist MALSHARE_HASHES - Show hashes from last 24 hours from Malshare. You need to insert your Malshare API into the - configmalw.py file. - -m MALSHARE_HASH_SEARCH, --malsharehash MALSHARE_HASH_SEARCH - Searches for the provided hash on the Malshare repository. You need to insert your Malshare API - into the configmalw.py file. PS: sometimes the Malshare website is unavailable, so should check - the website availability if you get some error message. - -n FILE_TYPE, --filetype FILE_TYPE - Specifies the file type to be listed by -l option. Therefore, it must be used together i - -l option. Possible values: 1: PE32 (default) ; 2: Dalvik ; 3: ELF ; 4: HTML ; 5: ASCII ; - 6: PHP ; 7: Java ; 8: RAR ; 9: Zip ; 10: UTF-8 ; 11: MS-DOS ; 12: data ; 13: PDF ; i - 14: Composite(OLE). - -M MALSHARE_DOWNLOAD, --malsharedownload MALSHARE_DOWNLOAD - Downloads the sample from Malshare. This option must be specified with -m option. - -B URL_HAUS_BATCH, --haus_batch URL_HAUS_BATCH - Retrieves a list of recent URLs (last 3 days, limited to 1000 entries) from URLHaus website. - -K HAUS_PAYLOADS, --haus_payloadbatch HAUS_PAYLOADS - Retrieves a list of downloadable links to recent PAYLOADS (last 3 days, limited to 1000 - entries) from URLHaus website. Take care: each link take you to download a passworless zip file - containing a malware, so your AV can generate alerts! + This option shows hashes of a specific type from the last 24 hours from Malshare + repository. Possible values are: 1: PE32 (default) ; 2: Dalvik ; 3: ELF ; 4: HTML ; + 5: ASCII ; 6: PHP ; 7: Java ; 8: RAR ; 9: Zip ; 10: UTF-8 ; 11: MS-DOS ; 12: data ; + 13: PDF ; 14: Composite(OLE). You need to insert your Malshare API into the + .malwapi.conf file. + -L MALSHARE_HASH_SEARCH, --malsharehash MALSHARE_HASH_SEARCH + Searches for the provided hash on the Malshare repository. You need to insert your + Malshare API into the .malwapi.conf file. PS: sometimes the Malshare website is + unavailable, so should check the website availability if you get some error message. + -K HAUS_PAYLOAD_URL, --haus_payloadbatch HAUS_PAYLOAD_URL + THis option has few possible values: <1> Retrieves a list of downloadable links of + recent PAYLOADS (last 3 days, limited to 1000 entries) from URLHaus website; <2>: + Retrieves a list of recent URLs (last 3 days, limited to 1000 entries) from URLHaus + website. Take care: each link take you to download a passworless zip file containing + a malware, so your AV can generate alerts! -U URL_HAUS_QUERY, --haus_query URL_HAUS_QUERY Queries a URL on the URLHaus website. -j HAUS_HASH, --haus_hash HAUS_HASH - Queries a payload's hash (md5 or sha256) on the URLHaus website. + Queries information about a provided payload's hash (md5 or sha256) on the URLHaus + website. -S URL_HAUS_SUB, --haus_submission URL_HAUS_SUB - Submits a URL used to distribute malware (executable, script, document) to the URLHaus website. - Pay attention: Any other submission will be ignored/deleted from URLhaus. You have to register - your URLHaus API into the configmalw.py file. + Submits a URL used to distribute malware (executable, script, document) to the + URLHaus website. Pay attention: Any other submission will be ignored/deleted from + URLhaus. You have to register your URLHaus API into the .malwapi.conf file. -z [HAUSTAG [HAUSTAG ...]], --haustag [HAUSTAG [HAUSTAG ...]] - Associates tags (separated by spaces) to the specified URL. Please, only upper case, lower - case, '-' and '.' are allowed. This parameter is optional, which could be used with the - -S option. + Associates tags (separated by spaces) to the specified URL. Please, only upper case, + lower case, '-' and '.' are allowed. This parameter is optional, which could be used + with the -S option. -W [HAUSTAGSEARCH [HAUSTAGSEARCH ...]], --haustagsearch [HAUSTAGSEARCH [HAUSTAGSEARCH ...]] - This option is for searching malicious URLs by tag on URLhaus. Tags are case-senstive and only - upper case, lower case, '-' and '.' are allowed. + This option is for searching malicious URLs by tag on URLhaus. Tags are case-senstive + and only upper case, lower case, '-' and '.' are allowed. -k [HAUSSIGSEARCH [HAUSSIGSEARCH ...]], --haussigsearch [HAUSSIGSEARCH [HAUSSIGSEARCH ...]] - This option is for searching malicious payload by tag on URLhaus. Tags are case-sensitive and - only upper case, lower case, '-' and '.' are allowed. + This option is for searching malicious payload by tag on URLhaus. Tags are + case-sensitive and only upper case, lower case, '-' and '.' are allowed. -J HAUS_DOWNLOAD, --haus_download HAUS_DOWNLOAD - Downloads a sample (if it is available) from the URLHaus repository. It is necessary to provide - the SHA256 hash. + Downloads a malware sample (if it is available) from the URLHaus repository. It is + necessary to provide the SHA256 hash. -P POLYSWARMFILE, --polyswarm_scan POLYSWARMFILE - (Only for Linux) Performs a file scan using the Polyswarm engine. - -N POLYSWARMURL, --polyswarm_url POLYSWARMURL - (Only for Linux) Performs a URL scan using the Polyswarm engine. + (Only for Linux) Submits a sample to Polyswarm engine and performs a file scan. -O POLYSWARMHASH, --polyswarm_hash POLYSWARMHASH - (Only for Linux) Performs a hash scan using the Polyswarm engine. + (Only for Linux) Performs a hash scanning using the Polyswarm engine. Optionally, + you can specify -D option to download the sample. Take care: Polyswarm enforces a + restriction to number of downloaded samples in 20/month. -R POLYSWARMMETA, --polyswarm_meta POLYSWARMMETA - (Only for Linux) Performs a complementary search for similar PE executables through - meta-information or IP addresses using the Polyswarm engine. This parameters depends on - -G parameters, so check it, please. + (Only for Linux) Provides the argument value for searches on Polyswarm engine through + imphash (the PE file must be provided), ipv4, domain, URL and family. This argument + must be used with -G option, so check it, please. Pay attention: you should check your + metadata search limit on your Polyswarm account because once you have got the limit, + so you will got an error. -G METATYPE, --metatype METATYPE - (Only for Linux) This parameter specifies whether the -R option will gather information about - the PE executable or IP address using the Polyswarm engine. Thus, 0: PE Executable ; - 1: IP Address ; 2: Domains ; 3. URL. + (Only for Linux) This parameter specifies search type for arguments provided by + -R option (above) while searching on Polyswarm engine. Thus, the following values are + valid -- 0: PE Executable (look for samples with the same ImpHash); 1: IP Address ; + 2: Domain ; 3. URL; 4. Family -y ANDROID_HA, --androidha ANDROID_HA - Check all third-party APK packages from the USB-connected Android device against Hybrid Analysis - using multithreads. The Android device does not need be rooted and you need have adb in your - PATH environment variable. + This option has multiple options: <1>: Check all third-party APK packages from the + USB-connected Android device against Hybrid Analysis using multithreads. The Android + device does not need to be rooted and the system does need to + have the adb tool in the PATH environment variable; <2>: Check all third-party APK + packages from the USB-connected + Android device against VirusTotal using Public API (slower because of 60 seconds delay + for each 4 hashes). The Android device does not need to be rooted and the system does + need to have adb tool in the PATH environment variable; <3>: Check all third-party + APK packages from the USB-connected Android device against VirusTotal using + multithreads (only for Private Virus API). The Android device does not need to be + rooted and the system needs to have adb tool in the PATH environment variable. -Y ANDROID_SEND_HA, --androidsendha ANDROID_SEND_HA - Send an third-party APK packages from your USB-connected Android device to Hybrid Analysis. The - Android device does not need be rooted and you need have adb in your PATH environment variable. + Sends an third-party APK package from your USB-connected Android device to Hybrid + Analysis. The Android device does not need to be rooted and the system needs to have + adb tool in the PATH environment variable. -T ANDROID_SEND_VT, --androidsendvt ANDROID_SEND_VT - Send an third-party APK packages from your USB-connected Android device to Virus Total. The - Android device does not need be rooted and you need have adb in your PATH environment variable. - -Z ANDROID_VT, --androidvt ANDROID_VT - Check all third-party APK packages from the USB-connected Android device against VirusTotal - using Public API (slower because of 60 seconds delay for each 4 hashes). The Android device - does not need be rooted and you need have adb in your PATH environment variable. - -X ANDROID_VT, --androidvtt ANDROID_VT - Check all third-party APK packages from the USB-connected Android device against VirusTotal - using multithreads (only for Private Virus API). The Android device does not need be rooted and - you need have adb in your PATH environment variable. - - - Remember that public VT API only allows 4 searches per second (as shown at the image above). Therefore, - if you are willing to wait some minutes, so you can use the -p option, which forces a one minute wait - every 4 malware samples, but allows obtaining a complete evaluation of the repository. - - - * ATTENTION 1: if the directory contains many malware samples while using -d option, so malwoverview.py - could take some time. Nonetheless, you can use the new -t option (multithreading) to - speed-up things. :) + Sends an third-party APK package from your USB-connected Android device to Virus + Total. The Android device does not need be rooted and the system needis to have the + adb tool in the PATH environment variable. + -n ALIENVAULT, --alienvault ALIENVAULT + Checks multiple information from AlienVault. The possible values are: 1: Get the + subscribed pulses ; 2: Get information about an IP address; 3: Get information about + a domain; 4: Get information about a hash; 5: Get information about a URL + -N ALIENVAULT_ARGS, --alienvaultargs ALIENVAULT_ARGS + Provides argument to AlienVault -n option.The allowed values are: 1, 2, 3, 4, 5. + -M MALPEDIA, --malpedia MALPEDIA + This option is related to MALPEDIA and presents different meanings depending on the + chosen value. Thus, 1: List meta information for all families ; 2: List all actors + ID ; 3: List all available payloads organized by family from Malpedia; 4: Get meta + information from an specific actor, so it is necesary to use the -m option. Additionally, + try to confirm the correct actor ID by executing malwoverview with option -M 3; 5: + List all families IDs; 6: Get meta information from an specific family, so it is + necesary to use the -m option. Additionally, try to confirm the correct + family ID by executing malwoverview with option -M 5; 7: Get a malware sample from + malpedia (zip format -- password: infected). It is necessary to specifiy the requested + hash by using -m option; 8: Get a zip file containing Yara rules for a specific + family (get the possible families using -M 5), which must be specified by using + -m option. + -m MALPEDIAARG, --malpediarg MALPEDIAARG + This option provides an argument to the -M option, which is related to MALPEDIA. + -Q THREATCROWD, --threatcrowd THREATCROWD + Checks multiple information from ThreatCrowd. The possible values are: 1: Get + information about the provided e-mail ; + 2: Get information about an IP address; 3: Get information about a domain; 4: Get + information about a provided MD5 hash; 5: Get information about a specific malware + family. + -q THREATCROWDARG, --threatcrowdarg THREATCROWDARG + This option provides an argument to the -Q option, which is related to THREATCROWD. + + Remember that public VT API only allows 4 searches per second (as shown at the image above). Therefore, + if you are willing to wait some minutes, so you can use the -p option, which forces a one minute wait + every 4 malware samples, but allows obtaining a complete evaluation of the repository. + + + * ATTENTION 1: if the directory contains many malware samples while using -d option, so malwoverview.py + could take some time. Nonetheless, you can use the new -t option (multithreading) to + speed-up things. :) - ** ATTENTION 2: All engines enforces quota of submission and/or verification per day and/or month. - Take care! - - *** ATTENTION 3: Some options searching on Hybrid Analysis strongly depend of the "-e" option, which - specifies the environment. Therefore, to check an Android sample (for example) it is - necessary to use the right environment (-e 3 for Android). + ** ATTENTION 2: All engines enforces quota of submission and/or verification per day and/or month. + Take care! + + *** ATTENTION 3: Some options searching on Hybrid Analysis strongly depend of the "-e" option, which + specifies the environment. Therefore, to check an Android sample (for example) it is + necessary to use the right environment (-e 3 for Android). - **** ATTENTION 4: When you execute Malwoverview on Windows systems, you MUST to specify the "-w 1" option - if you've clone using git tool. + **** ATTENTION 4: When you execute Malwoverview on Windows systems, you MUST to specify the "-w 1" option + if you've clone using git tool. ## Examples: python3.8 malwoverview.py -d /root/malware/misc/ - python3.8 malwoverview.py -d /root/malware/misc/ -t 1 - python3.8 malwoverview.py -d /root/malware/misc/ -t 1 -v 1 - python3.8 malwoverview.py -d /root/malware/misc/ -v 1 -p 1 - python3.8 malwoverview.py -d /root/malware/misc/ -Q 1 -v 1 - python3.8 malwoverview.py -d /root/malware/misc/ -Q 1 -a 1 - python3.8 malwoverview.py -d /root/malware/android/ -Q 1 -a 1 -e 3 - python3.8 malwoverview.py -d /root/malware/linux/ -Q 1 -a 1 -e 4 - python3.8 malwoverview.py -f /root/malware/misc/sample1 -v 1 -s 1 - python3.8 malwoverview.py -f /root/malware/misc/sample1 -i 1 - python3.8 malwoverview.py -f /root/malware/misc/sample1 -v 1 -s 1 -x 1 - python3.8 malwoverview.py -u - python3.8 malwoverview.py -r - python3.8 malwoverview.py -H -e 2 - python3.8 malwoverview.py -H -e 1 - python3.8 malwoverview.py -V /root/malware/android/sample.apk - python3.8 malwoverview.py -A /root/malware/windows/sample1 - python3.8 malwoverview.py -A /root/malware/android/sample.apk -e 3 - python3.8 malwoverview.py -g + python3.8 malwoverview.py -d /root/malware/misc -t 1 + python3.8 malwoverview.py -d /root/malware/misc -v 1 -t 3 + python3.8 malwoverview.py -d /root/malware/misc -v 1 -t 1 + python3.8 malwoverview.py -d /root/malware/misc -a 1 -t 2 + python3.8 malwoverview.py -f /root/malware/misc/8a87a1261603af4d976faa57e49ebdd8fd8317e9dd13bd36ff25 + 99d1031f53ce -v 2 + python3.8 malwoverview.py -f /root/malware/misc/806fc33650b7ec35dd01a06be3037674ae3cc0db6ba1e3f690ee + 9ba9403c0627 -a 1 -v 1 + python3.8 malwoverview.py -f /root/malware/misc/8a87a1261603af4d976faa57e49ebdd8fd8317e9dd13bd36ff25 + 99d1031f53ce -v 3 + python3.8 malwoverview.py -f /root/malware/misc/blackstorm.php -v 2 -x + python3.8 malwoverview.py -u http://mobiletech.net/images/138907/8g7c645373370255099hf4at12buy2lgrdeqo/ + python3.8 malwoverview.py -r xurl.es + python3.8 malwoverview.py -H 9ce861b93e7ddeebec8ed052450fc136162fb3239c502aab8fa9bc8962572457 + python3.8 malwoverview.py -H 893339624602c7b3a6f481aed9509b53e4e995d6771c72d726ba5a6b319608a7 -e 1 + python3.8 malwoverview.py -d /root/malware/linux/ -a 5 + python3.8 malwoverview.py -d /root/malware/android/ -a 4 + python3.8 malwoverview.py -d /root/malware/android/ -v 1 -t 3 + python3.8 malwoverview.py -d /root/malware/android/ -a 4 -t 2 + python3.8 malwoverview.py -V /root/malware/misc/malware999 + python3.8 malwoverview.py -A /root/malware/android/NubankConvidado.apk -e 3 + python3.8 malwoverview.py -g 5f2e727f70fa896603576725 + python3.8 malwoverview.py -A /root/malware/windows/806fc33650b7ec35dd01a06be3037674ae3cc0db6ba1e3f690 + ee9ba9403c0627 python3.8 malwoverview.py -l 1 - python3.8 malwoverview.py -l 1 -n 2 - python3.8 malwoverview.py -l 1 -n 3 - python3.8 malwoverview.py -m - python3.8 malwoverview.py -m -M 1 - python3.8 malwoverview.py -B 1 - python3.8 malwoverview.py -U + python3.8 malwoverview.py -l 6 + python3.8 malwoverview.py -l 4 + python3.8 malwoverview.py -L bc9d356f8d08396d620d249b8f34a664c9397467b1a6033013c788df734f8bda python3.8 malwoverview.py -K 1 - python3.8 malwoverview.py -j - python3.8 malwoverview.py -J - python3.8 malwoverview.py -S -z SpelevoEK exe psixbot - python3.8 malwoverview.py -O - python3.8 malwoverview.py -N - python3.8 malwoverview.py -P sample1 - python3.8 malwoverview.py -R /root/malware/windows/sample1 + python3.8 malwoverview.py -K 2 + python3.8 malwoverview.py -U http://pusatppm.poltekkesbandung.com/wp-admin/report/b17892056589733xcz + cjkjvqctpr9v9sm/ + python3.8 malwoverview.py -J 9e7d263c3c9f155229a7d6fb29dfa4b62bfec31ed0d3bf4cc2dc60ffd9fd6d0e + python3.8 malwoverview.py -S http://jamogames.com/templates/JLHk/ + python3.8 malwoverview.py -S http://pusatppm.poltekkesbandung.com/wp-admin/report/b17892056589733xc + zcjkjvqctpr9v9sm/ + python3.8 malwoverview.py -P 9e7d263c3c9f155229a7d6fb29dfa4b62bfec31ed0d3bf4cc2dc60ffd9fd6d0e + python malwoverview.py -O f3ebeeeba13c82daef9731a5f3e8dbe535e963f83e531918ba1a8904b094d3b8 + python malwoverview.py -R /root/malware/windows/Scarab_Ransomware -G 0 + python./malwoverview.py -R 164.132.92.180 -G 1 + python3.8 malwoverview.py -R sndoffo79.ddns.net -G 2 + python3.8 malwoverview.py -R http://0uso87.com/bolb/jaent.php?l=liut1.cab -G 3 + python3.8 malwoverview.py -R *Trickbot* -G 4 + python3.8 malwoverview.py -R *Trojan* -G 4 + python3.8 malwoverview.py -R *Ransomware* -G 4 python3.8 malwoverview.py -y 1 - python3.8 malwoverview.py -Y skype - python3.8 malwoverview.py -Z 1 - python3.8 malwoverview.py -X 1 - python3.8 malwoverview.py -T twitter - python3.8 malwoverview.py -u https://toulousa.com/omg/159EYJSFYHMS.exe - python3.8 malwoverview.py -k Trickbot - python3.8 malwoverview.py -m e47a415662b5fad1f3049764456ba2ac33a1bde6fd3181ec2b658d382ad17d41 - python3.8 malwoverview.py -W mirai + python3.8 malwoverview.py -y 2 + python3.8 malwoverview.py -y 3 + python3.8 malwoverview.py -T icompass + python3.8 malwoverview.py -Y icompass + python3.8 malwoverview.py -k Trickbot | more + python3.8 malwoverview.py -W Quakbot python3.8 malwoverview.py -I 149.56.79.215 - python3.8 malwoverview.py -R 164.132.92.180 -G 1 - python3.8 malwoverview.py -R sndoffo79.ddns.net -G 2 - python3.8 malwoverview.py -R http://t.turconfiok.pro -G 3 - + python3.8 malwoverview.py -n 1 -N 12 + python3.8 malwoverview.py -n 2 -N 79.124.8.24 + python3.8 malwoverview.py -n 3 -N covid19tracer.ca + python3.8 malwoverview.py -n 4 -N ba42665872ea41e3d2edd8978bc38c24 + python3.8 malwoverview.py -n 5 -N http://ksahosting.net/wp-includes/utf8.php + python3.8 malwoverview.py -M 1 + python3.8 malwoverview.py -M 2 | more + python3.8 malwoverview.py -M 3 | more + python3.8 malwoverview.py -M 4 -m apt41 | mor + python3.8 malwoverview.py -M 5 | more + python3.8 malwoverview.py -M 6 -m win.locky + python3.8 malwoverview.py -M 7 -m efbdb14f38c20c55e32cd98e4b2fdf197709581581d31fac683aabbf361df5f3 + python3.8 malwoverview.py -M 8 -m win.trickbot + python3.8 malwoverview.py -Q 1 -q potrafamin44as@gmail.com + python3.8 malwoverview.py -Q 2 -q 188.40.75.132 + python3.8 malwoverview.py -Q 3 -q aoldaily.com + python3.8 malwoverview.py -Q 4 -q fa6fbd1dd2d58885772bd0b37633d5d7 + python3.8 malwoverview.py -Q 5 -q plugx # HISTORY +Version 4.0.0: + + This version: + + * Introduces new engines such as Alien Vault, Malpedia and ThreatCrowd. + * The -s option has been removed. Use -v 2 option for antivirus report. + * The -n option is not longer associated to Malshare. Use -l option with + values between 1 and 14. + * To specify the hash in Malshare use the L option instead of -m option. + * The -i option has been removed. Use the -v 3 option for IAT/EAT. + * The -a option has been changed to include the system environments in Hybrid + Analysis. However, the -e option has been kept to be used with other options. + * The -M option is not longer responsible for downloading samples in Malshare. Use + -D option for this task. + * The -B option for list URLs from URLHaus has been replaced by -K 2 option. + * The -Z and -X options (related to Android) have been replaced for -y 2 and -y 3, + respectively. + * The -D option (download a malware sample) has been extended to Polyswarm. + * The malware sample's DLL list has been introduced. + * The -R and -G options from Polyswarm have been completely fixed. Additionally, both + ones also include the polyscore in the output. + * The -N option is not longer associated to Polyswarm . + * The -G 4 option has been introduced and it makes possible to search samples by + families and types such as "*Trickbot*", "*Ransomware", "*Trojan*" and so on. + * Colors from -I option have been fixed. + * The -w option has been removed. + * Several issues in the help have been fixed. + + Version 3.1.2: This version: - + * Introduces the -c option that allows the user to specify a custom API configuration file. * The API configuration file has been changed to .malwapi.conf file. * The project structure has been changed to make easier to install it in different operating systems. * Updates for this version are a contribution from Corey Forman (https://github.com/digitalsleuth). - + Version 3.0.0: This version: - + * Includes fixes in the URL reporting (-u option) from Virus Total. * New players have have been included in the URL reporting (-u option) from Virus Total. * Fixes have been included in payload listing (-K option) from URLhaus. @@ -517,7 +644,7 @@ Version 3.0.0: Version 2.5.0: This version: - + * Introduces the following options: * -y to check all third-party APKs from an Android device against the Hybrid Analysis. @@ -534,7 +661,7 @@ Version 2.5.0: Version 2.1.9.1: This version: - + * Fixes several issues about colors in outputs. * Removes the -L option from Malshare (unfortunately, Malshare doesn't provide an URL list anymore). @@ -544,7 +671,7 @@ Version 2.1.9.1: Version 2.1: This version: - + * Fixes formatting issues related to Hybrid Analysis output (-Q 1 -a 1). * Fixes color issues. * Fixes small issues related to Polyswarm. @@ -552,7 +679,7 @@ Version 2.1: Version 2.0.8.1: This version: - + * Introduces installation using: pip3.8 install malwoverview (Linux) or python -m pip install malwoverviewwin (Windows). * Fixes small problems related to Polyswarm usage. @@ -561,14 +688,14 @@ Version 2.0.8.1: Version 2.0.1: This version: - + * Fixes a problem related to searching by hash on Malshare (-m option). * Fixes a problem related to searching by hash on Polyswarm (-O option). Version 2.0.0: This version: - + * Introduces a completely ported version of Malwoverview to Python 3.x (it does not work in Python 2.7.x anymore!) * Fixes several bugs related to IAT/EAT listing. @@ -587,14 +714,14 @@ Version 2.0.0: Version 1.7.5: This version: - + * It has been fixed a problem related to sample submission to Hybrid Analysis on Windows operating system. Additionally, file name handling has been also fixed. Version 1.7.3: This version: - + * Malwoverview has been adapted to API version 2.6.0 of Hybrid Analysis. * -A option has been fixed according to new version (2.6.0) of Hybrid Analysis. * -a option has been modified to work together with -e option. @@ -603,67 +730,67 @@ Version 1.7.3: Version 1.7.2: This version: - + * A small fix related to -g option has been included. Version 1.7.1: This version: - + * Relevant fix of a problem related to options -A and -H options. * Includes a new Hybrid Analysis environment to the -e option (Windows 7 32-bits with HWP support). * Updates the Malwoverview to support Hybrid Analysis API version 2.5.0. - + Version 1.7.0: This version: - + * Includes -A option for submitting a sample to Hybrid Analysis. * Includes -g option for checking the status a submission of a sample to Hybrid Analysis. * Includes -e option for specifying the testing environment on the Hybrid Analysis. * Includes -r option for getting a complete domain report from Virus Total. * Modifies the -H options for working together the -e option. * Modifies several functions of the tool to prepare it for version 1.8.0 - + Version 1.6.3: This version: - + * Includes creation of new functions aiming 1.7.0 version. * Includes new exception handling blocks. - + Version 1.6.2: This version: - + * Includes small fixes. * For the Hybrid Analysis API version 2.40 is not longer necessary to include the API Secret. - + Version 1.6.1: This version: - + * Includes small format fixes. - + Version 1.6.0: This version: - + * It is using the Hybrid Analysis API version 2.4.0. * Includes certificate information in the Hybrid Analysis report. * Includes MITRE information in the Hybrid Analysis report. * Includes an option to download samples from Hybrid Analysis. - + Version 1.5.1: This version: - + * Small change to fix format issue in -d option. - + Version 1.5.0: This version: - + * Includes the -u option to check URLs against Virus Total and associated engines. * Includes the -H option to find existing reports on Virus Total and Hybrid Analysis through the hash. @@ -682,11 +809,11 @@ Version 1.4.5.1: This version: * Includes one small fix. - + Version 1.4.5: This version: - + * Adds the -w option to use malwoverview in Windows systems. * Improves and fixes colors when using -b option with black window. @@ -697,13 +824,13 @@ Version 1.4: * Adds the -a option for getting the Hybrid Analysis summary report. * Adds the -i option for listing imported and exported functions. Therefore, imported/exported function report was decoupled for a separated option. - + Version 1.3: This version: * Adds the -p option for public Virus Total API. - + Version 1.2: This version includes: diff --git a/malwoverview/malwoverview.py b/malwoverview/malwoverview.py index c597414..647af35 100755 --- a/malwoverview/malwoverview.py +++ b/malwoverview/malwoverview.py @@ -19,7 +19,7 @@ # Alexandre Borges (project owner) # Corey Forman (https://github.com/digitalsleuth) -# Malwoverview.py: version 3.1.2 +# Malwoverview.py: version 4.0.0 import os import sys @@ -38,8 +38,12 @@ import socket import urllib3 import subprocess +import types +import textwrap +import base64 import configparser import platform +from operator import itemgetter from polyswarm_api.api import PolyswarmAPI from urllib.parse import urlparse from colorama import init, Fore, Back, Style @@ -52,10 +56,9 @@ # On Windows systems, it is necessary to install python-magic-bin: pip install python-magic-bin __author__ = "Alexandre Borges" -__updated_by__ = "Corey Forman (https://github.com/digitalsleuth)" __copyright__ = "Copyright 2018-2020, Alexandre Borges" __license__ = "GNU General Public License v3.0" -__version__ = "3.1.2" +__version__ = "4.0.0" __email__ = "alexandreborges at blackstormsecurity.com" haurl = 'https://www.hybrid-analysis.com/api/v2' @@ -64,7 +67,7 @@ user_agent = 'Falcon Sandbox' urlvt = 'https://www.virustotal.com/vtapi/v2/url/scan' ipvt = 'https://www.virustotal.com/vtapi/v2/ip-address/report' -urlvtreport = 'https://www.virustotal.com/vtapi/v2/url/report' +urlvtreport = 'https://www.virustotal.com/vtapi/v2/url/report' urlvtdomain = 'https://www.virustotal.com/vtapi/v2/domain/report' urlfilevtcheck = 'https://www.virustotal.com/vtapi/v2/file/scan' urlmalshare = 'https://malshare.com/api.php?api_key=' @@ -76,6 +79,9 @@ hausd = 'https://urlhaus-api.abuse.ch/v1/download/' haust = 'https://urlhaus-api.abuse.ch/v1/tag/' haussig = 'https://urlhaus-api.abuse.ch/v1/signature/' +urlalien = 'http://otx.alienvault.com/api/v1' +malpediaurl = 'https://malpedia.caad.fkie.fraunhofer.de/api' +threatcrowdurl = 'https://www.threatcrowd.org/searchApi/v2/' F = [] H = [] @@ -211,6 +217,19 @@ def listsections(fname): print("%17s" % (sect.Name).decode('utf-8'), end='') print(("\t\t%5.2f" % sect.get_entropy())) +def listdlls(fname): + + pe=pefile.PE(fname) + + if(bkg == 1): + print(mycolors.foreground.lightgreen + "\nImported DLLs: ", end='\n\n') + for x in pe.DIRECTORY_ENTRY_IMPORT: + print("\t " + mycolors.foreground.lightgreen + x.dll.decode('utf-8') + mycolors.reset) + else: + print(mycolors.foreground.purple + "\nImported DLLs: ", end='\n\n') + for x in pe.DIRECTORY_ENTRY_IMPORT: + print("\t " + mycolors.foreground.purple + x.dll.decode('utf-8') + mycolors.reset) + def impext(targetfile): @@ -605,7 +624,7 @@ def vtdomaincheck(mydomain, param): if (bkg == 0): print(mycolors.foreground.blue + "Detected Referrer Samples: ".ljust(17)) else: - print(mycolors.foreground.pink + "Detected Referrer Samples: ".ljust(17)) + print(mycolors.foreground.yellow + "Detected Referrer Samples: ".ljust(17)) if 'detected_referrer_samples' in vttext: if (bool(vttext['detected_referrer_samples'])): @@ -780,19 +799,19 @@ def vtdomaincheck(mydomain, param): pass if (bkg == 0): - print(mycolors.foreground.red + "\nUndetected URLs: ".ljust(17)) + print(mycolors.foreground.green + "\nUndetected URLs: ".ljust(17)) else: - print(mycolors.foreground.lightred + "\nUndetected URLs: ".ljust(17)) + print(mycolors.foreground.lightgreen + "\nUndetected URLs: ".ljust(17)) if 'undetected_urls' in vttext: if (bool(vttext['undetected_urls'])): try: for i in range(len(vttext['undetected_urls'])): if (bkg == 0): - print((mycolors.foreground.red + "".ljust(28)), end=' ') + print((mycolors.foreground.green + "".ljust(28)), end=' ') print(("data %s\n" % i)) else: - print((mycolors.foreground.lightred + "".ljust(28)), end=' ') + print((mycolors.foreground.lightgreen + "".ljust(28)), end=' ') print(("data %s\n" % i)) for y in range(len(vttext['undetected_urls'][i])): if (bkg == 0): @@ -869,25 +888,27 @@ def ipvtcheck(ipaddress, urlvtip): if 'country' in vttext: if (bkg == 0): - print(mycolors.foreground.red + "Country:\t" + vttext['country'] + mycolors.reset, end='\n') + print(mycolors.foreground.red + "Country:\t" + mycolors.reset + vttext['country'] + mycolors.reset, end='\n') else: - print(mycolors.foreground.orange + "Country:\t" + vttext['country'] + mycolors.reset, end='\n') + print(mycolors.foreground.orange + "Country:\t" + mycolors.reset + vttext['country'] + mycolors.reset, end='\n') else: if (bkg == 0): - print(mycolors.foreground.red + "Country:\t" + "Not specified" + mycolors.reset, end='\n') + print(mycolors.foreground.red + "Country:\t" + mycolors.reset + "Not specified" + mycolors.reset, end='\n') else: - print(mycolors.foreground.orange + "Country:\t" + "Not specified" + mycolors.reset, end='\n') + print(mycolors.foreground.red + "Country:\t" + mycolors.reset + "Not specified" + mycolors.reset, end='\n') if 'asn' in vttext: if (bkg == 0): - print(mycolors.foreground.red + "ASN:\t\t%d" % vttext['asn'] + mycolors.reset, end='\n\n') + print(mycolors.foreground.red + "ASN:\t\t", end='') + print(mycolors.reset + str(vttext['asn']) + mycolors.reset, end='\n\n') else: - print(mycolors.foreground.orange + "ASN:\t\t%d" % vttext['asn'] + mycolors.reset, end='\n\n') + print(mycolors.foreground.orange + "ASN:\t\t", end='') + print(mycolors.reset + str(vttext['asn']) + mycolors.reset, end='\n\n') else: if (bkg == 0): - print(mycolors.foreground.red + "ASN:\t\t" + "Not specified" + mycolors.reset, end='\n\n') + print(mycolors.foreground.red + "ASN:\t\t" + mycolors.reset + "Not specified" + mycolors.reset, end='\n\n') else: - print(mycolors.foreground.orange + "ASN:\t\t" + "Not specified" + mycolors.reset, end='\n\n') + print(mycolors.foreground.orange + "ASN:\t\t" + mycolors.reset + "Not specified" + mycolors.reset, end='\n\n') print(mycolors.reset + "\nResolutions") print("-" * 11) @@ -896,59 +917,83 @@ def ipvtcheck(ipaddress, urlvtip): if (vttext['resolutions']): for i in vttext['resolutions']: if (bkg == 0): - print(mycolors.foreground.green + "\nLast Resolved:\t" + i['last_resolved'] + mycolors.reset) - print(mycolors.foreground.green + "Hostname:\t" + i['hostname'] + mycolors.reset) + print(mycolors.foreground.green + "\nLast Resolved:\t" + mycolors.reset + i['last_resolved'] + mycolors.reset) + print(mycolors.foreground.green + "Hostname:\t" + mycolors.reset + i['hostname'] + mycolors.reset) else: - print(mycolors.foreground.lightgreen + "\nLast Resolved:\t" + i['last_resolved'] + mycolors.reset) - print(mycolors.foreground.lightgreen + "Hostname:\t" + i['hostname'] + mycolors.reset) + print(mycolors.foreground.lightgreen + "\nLast Resolved:\t" + mycolors.reset + i['last_resolved'] + mycolors.reset) + print(mycolors.foreground.lightgreen + "Hostname:\t" + mycolors.reset + i['hostname'] + mycolors.reset) - print(mycolors.reset + "\nDetected URLs") + print(mycolors.reset + "\n\nDetected URLs") print("-" * 13) if 'detected_urls' in vttext: for j in vttext['detected_urls']: if (bkg == 0): - print(mycolors.foreground.cyan + "\nURL:\t\t%s" % j['url'] + mycolors.reset) - print(mycolors.foreground.cyan + "Scan Date:\t%s" % j['scan_date'] + mycolors.reset) - print(mycolors.foreground.cyan + "Positives:\t%d" % j['positives'] + mycolors.reset) - print(mycolors.foreground.cyan + "Total:\t\t%d" % j['total'] + mycolors.reset) + print(mycolors.foreground.cyan + "\nURL:\t\t", end='') + print(mycolors.reset + j['url'] + mycolors.reset) + print(mycolors.foreground.cyan+ "Scan Date:\t", end='') + print(mycolors.reset + j['scan_date'] + mycolors.reset) + print(mycolors.foreground.cyan + "Positives:\t", end='') + print(mycolors.reset + str(j['positives']) + mycolors.reset) + print(mycolors.foreground.cyan + "Total:\t\t", end='') + print(mycolors.reset + str(j['total']) + mycolors.reset) else: - print(mycolors.foreground.lightred + "\nURL:\t\t%s" % j['url'] + mycolors.reset) - print(mycolors.foreground.lightred + "Scan date:\t%s" % j['scan_date'] + mycolors.reset) - print(mycolors.foreground.lightred + "Positives:\t%d" % j['positives'] + mycolors.reset) - print(mycolors.foreground.lightred + "Total:\t\t%d" % j['total'] + mycolors.reset) - - print(mycolors.reset + "\nDetected Downloaded Samples") + print(mycolors.foreground.lightred + "\nURL:\t\t", end='') + print(mycolors.reset + j['url'] + mycolors.reset) + print(mycolors.foreground.lightred + "Scan Date:\t", end='') + print(mycolors.reset + j['scan_date'] + mycolors.reset) + print(mycolors.foreground.lightred + "Positives:\t", end='') + print(mycolors.reset + str(j['positives']) + mycolors.reset) + print(mycolors.foreground.lightred + "Total:\t\t", end='') + print(mycolors.reset + str(j['total']) + mycolors.reset) + + print(mycolors.reset + "\n\nDetected Downloaded Samples") print("-" * 27) if 'detected_downloaded_samples' in vttext: for k in vttext['detected_downloaded_samples']: if (bkg == 0): - print(mycolors.foreground.red + "\nSHA256:\t\t%s" % k['sha256'] + mycolors.reset) - print(mycolors.foreground.red + "Date:\t\t%s" % k['date'] + mycolors.reset) - print(mycolors.foreground.red + "Positives:\t%d" % k['positives'] + mycolors.reset) - print(mycolors.foreground.red + "Total:\t\t%d" % k['total'] + mycolors.reset) + print(mycolors.foreground.red + "\nSHA256:\t\t" + mycolors.reset, end='') + print(mycolors.reset + k['sha256'] + mycolors.reset) + print(mycolors.foreground.red + "Date:\t\t" + mycolors.reset, end='') + print(mycolors.reset + k['date'] + mycolors.reset) + print(mycolors.foreground.red + "Positives:\t" + mycolors.reset, end='') + print(mycolors.reset + str(k['positives']) + mycolors.reset) + print(mycolors.foreground.red + "Total:\t\t" + mycolors.reset, end='') + print(mycolors.reset + str(k['total']) + mycolors.reset) else: - print(mycolors.foreground.yellow + "\nSHA256:\t\t%s" % k['sha256'] + mycolors.reset) - print(mycolors.foreground.yellow + "Date:\t\t%s" % k['date'] + mycolors.reset) - print(mycolors.foreground.yellow + "Positives:\t%d" % k['positives'] + mycolors.reset) - print(mycolors.foreground.yellow + "Total:\t\t%d" % k['total'] + mycolors.reset) - - print(mycolors.reset + "\nUndetected Downloaded Samples") + print(mycolors.foreground.yellow + "\nSHA256:\t\t" + mycolors.reset, end='') + print(mycolors.reset + k['sha256'] + mycolors.reset) + print(mycolors.foreground.yellow + "Date:\t\t" + mycolors.reset, end='') + print(mycolors.reset + k['date'] + mycolors.reset) + print(mycolors.foreground.yellow + "Positives:\t" + mycolors.reset, end='') + print(mycolors.reset + str(k['positives']) + mycolors.reset) + print(mycolors.foreground.yellow + "Total:\t\t" + mycolors.reset, end='') + print(mycolors.reset + str(k['total']) + mycolors.reset) + + print(mycolors.reset + "\n\nUndetected Downloaded Samples") print("-" * 27) if 'undetected_downloaded_samples' in vttext: for m in vttext['undetected_downloaded_samples']: if (bkg == 0): - print(mycolors.foreground.green + "\nSHA256:\t\t%s" % m['sha256'] + mycolors.reset) - print(mycolors.foreground.green + "Date:\t\t%s" % m['date'] + mycolors.reset) - print(mycolors.foreground.green + "Positives:\t%d" % m['positives'] + mycolors.reset) - print(mycolors.foreground.green + "Total:\t\t%d" % m['total'] + mycolors.reset) + print(mycolors.foreground.purple + "\nSHA256:\t\t" + mycolors.reset, end='') + print(mycolors.reset + m['sha256'] + mycolors.reset) + print(mycolors.foreground.purple + "Date:\t\t" + mycolors.reset, end='') + print(mycolors.reset + m['date'] + mycolors.reset) + print(mycolors.foreground.purple + "Positives:\t" + mycolors.reset, end='') + print(mycolors.reset + str(m['positives']) + mycolors.reset) + print(mycolors.foreground.purple + "Total:\t\t" + mycolors.reset, end='') + print(mycolors.reset + str(m['total']) + mycolors.reset) else: - print(mycolors.foreground.lightcyan + "\nSHA256:\t\t%s" % m['sha256'] + mycolors.reset) - print(mycolors.foreground.lightcyan + "Date:\t\t%s" % m['date'] + mycolors.reset) - print(mycolors.foreground.lightcyan + "Positives:\t%d" % m['positives'] + mycolors.reset) - print(mycolors.foreground.lightcyan + "Total:\t\t%d" % m['total'] + mycolors.reset) + print(mycolors.foreground.lightcyan + "\nSHA256:\t\t" + mycolors.reset, end='') + print(mycolors.reset + m['sha256'] + mycolors.reset) + print(mycolors.foreground.lightcyan + "Date:\t\t" + mycolors.reset, end='') + print(mycolors.reset + m['date'] + mycolors.reset) + print(mycolors.foreground.lightcyan + "Positives:\t" + mycolors.reset, end='') + print(mycolors.reset + str(m['positives']) + mycolors.reset) + print(mycolors.foreground.lightcyan + "Total:\t\t" + mycolors.reset, end='') + print(mycolors.reset + str(m['total']) + mycolors.reset) except ValueError: @@ -1307,9 +1352,9 @@ def hashow(filehash): print(i, end=' ') if (bkg == 1): - print((mycolors.foreground.lightcyan)) + print((mycolors.foreground.pink)) else: - print((mycolors.foreground.blue)) + print((mycolors.foreground.purple)) print("\nCertificates:\n", end=' ') for i in certificates: @@ -1390,32 +1435,35 @@ def polymetasearch(poly, metainfo): exit(1) print(mycolors.reset) - print("POLYSWARM.IO RESULTS") - print('-' * 20, end="\n\n") + print("POLYSWARM.NETWORK RESULTS") + print('-' * 25, end="\n\n") try: if (metainfo == 0): metaresults = polyswarm.search_by_metadata("pefile.imphash:" + fimph) - for meta in metaresults: - for x in meta: - if (bkg == 1): + for x in metaresults: + if (bkg == 1): + if(x.sha256): print(mycolors.reset + "\nSHA256: " + mycolors.foreground.lightred + "%s" % x.sha256, end=' ') - print(mycolors.reset + "firstseen: " + mycolors.foreground.lightgreen + "%s" % x.first_seen, end=' ') - if len(x.detections) > 0: - print(mycolors.reset + "scan: " + mycolors.foreground.yellow + "%s" % len(x.detections) + "/" + "%s malicious" % len(x.last_scan.assertions), end=' ') - else: - print(mycolors.reset + "scan: " + mycolors.foreground.pink + "not scanned yet", end=' ') - else: + else: + print(mycolors.reset + "\nSHA256: " + mycolors.foreground.lightred + "%s" + "None", end=' ') + if(x.md5): + print(mycolors.reset + "MD5: " + mycolors.foreground.lightgreen + "%s" % x.md5, end=' ') + else: + print(mycolors.reset + "MD5: " + mycolors.foreground.lightgreen + "%s" + "None", end=' ') + else: + if(x.sha256): print(mycolors.reset + "\nSHA256: " + mycolors.foreground.red + "%s" % x.sha256, end=' ') - print(mycolors.reset + "firstseen: " + mycolors.foreground.blue + "%s" % x.first_seen, end=' ') - if len(x.detections) > 0: - print(mycolors.reset + "scan: " + mycolors.foreground.green + "%s" % len(x.detections) + "/" + "%s malicious" % len(x.last_scan.assertions), end=' ') - else: - print(mycolors.reset + "scan: " + mycolors.foreground.purple + "not scanned yet", end=' ') - print(mycolors.reset) - exit(0) - + else: + print(mycolors.reset + "\nSHA256: " + mycolors.foreground.red + "%s" + "None", end=' ') + if(x.md5): + print(mycolors.reset + "MD5: " + mycolors.foreground.green + "%s" % x.md5, end=' ') + else: + print(mycolors.reset + "MD5: " + mycolors.foreground.green + "%s" + "None", end=' ') + print(mycolors.reset + "\n") + sys.exit(0) + if (metainfo == 1): metaresults = polyswarm.search_by_metadata("strings.ipv4:" + poly) if (metainfo == 2): @@ -1423,22 +1471,36 @@ def polymetasearch(poly, metainfo): if (metainfo == 3): poly = (r'"' + poly + r'"') metaresults = polyswarm.search_by_metadata("strings.urls:" + poly) - for meta in metaresults: - for y in meta: - if (bkg == 1): + if (metainfo == 4): + poly = ('scan.latest_scan.\*.metadata.malware_family:' + poly) + metaresults = polyswarm.search_by_metadata(poly) + for y in metaresults: + if (bkg == 1): + if (y.sha256): print(mycolors.reset + "\nSHA256: " + mycolors.foreground.lightgreen + "%s" % y.sha256, end=' ') - print(mycolors.reset + "firstseen: " + mycolors.foreground.lightcyan + "%s" % y.first_seen, end=' ') - if len(y.detections) > 0: - print(mycolors.reset + "scan: " + mycolors.foreground.yellow + "%s" % len(y.detections) + "/" + "%s malicious" % len(y.last_scan.assertions), end=' ') - else: - print(mycolors.reset + "scan: " + mycolors.foreground.pink + "not scanned yet", end=' ') else: + print(mycolors.reset + "Result: " + mycolors.foreground.yellow + "Sample not found!", end=' ') + exit(0) + score = next(polyswarm.search(y.sha256)) + print(mycolors.reset + "Polyscore: " + mycolors.foreground.blue + "%20s" % score.polyscore, end=' ') + if (str(y.scan.get('detections',{}).get('malicious'))) != 'None': + print(mycolors.reset + "scan: " + mycolors.foreground.yellow + "%s" % y.scan.get('detections', {}).get('malicious'), end=' ') + print("/ " + "%2s malicious" % y.scan.get('detections',{}).get('total'), end=' ') + else: + print(mycolors.reset + "scan: " + mycolors.foreground.pink + "not scanned yet", end=' ') + else: + if (y.sha256): print(mycolors.reset + "\nSHA256: " + mycolors.foreground.green + "%s" % y.sha256, end=' ') - print(mycolors.reset + "firstseen: " + mycolors.foreground.cyan + "%s" % y.first_seen, end=' ') - if len(y.detections) > 0: - print(mycolors.reset + "scan: " + mycolors.foreground.red + "%s" % len(y.detections) + "/" + "%s malicious" % len(y.last_scan.assertions), end=' ') - else: - print(mycolors.reset + "scan: " + mycolors.foreground.purple + "not scanned yet", end=' ') + else: + print(mycolors.reset + "scan: " + mycolors.foreground.purple + "Sample not found!", end=' ') + exit(0) + score = next(polyswarm.search(y.sha256)) + print(mycolors.reset + "Polyscore: " + mycolors.foreground.blue + "%20s" % score.polyscore, end=' ') + if (str(y.scan.get('detections',{}).get('malicious'))) != 'None': + print(mycolors.reset + "scan: " + mycolors.foreground.red + "%s" % y.scan.get('detections', {}).get('malicious'), end=' ') + print("/ " + "%2s malicious" % y.scan.get('detections',{}).get('total'), end=' ') + else: + print(mycolors.reset + "Result: " + mycolors.foreground.purple + "not scanned yet", end=' ') print(mycolors.reset) @@ -1450,7 +1512,7 @@ def polymetasearch(poly, metainfo): print(mycolors.reset) exit(1) - except: + except Exception: if (bkg == 1): print((mycolors.foreground.lightred + "\nAn error has ocurred while connecting to Polyswarm.\n")) else: @@ -1464,140 +1526,152 @@ def polyfile(poly): sha256 = '' filetype = '' extended = '' - m = '' firstseen = '' score = 0 - results = polyswarm.scan(poly) - myhash = sha256hash(poly) - print(mycolors.reset) - print("POLYSWARM.IO RESULTS") - print('-' * 20, end="\n\n") - for fileresults in results: - if fileresults.result: - for myfiles in fileresults.result.files: - score = myfiles.polyscore - for assertion in myfiles.assertions: - if (bkg == 1): - print(mycolors.reset + "Engine: " + mycolors.foreground.lightgreen + "%-12s" % assertion.author_name, end='') - print(mycolors.reset + "\tVerdict:" + mycolors.foreground.lightred + " ", "Malicious" if assertion.verdict else "Clean") - else: - print(mycolors.reset + "Engine: " + mycolors.foreground.green + "%-12s" % assertion.author_name, end='') - print(mycolors.reset + "\tVerdict:" + mycolors.foreground.red + " ", "Malicious" if assertion.verdict else "Clean") + try: + + myhash = sha256hash(poly) + instance = polyswarm.submit(poly) + result = polyswarm.wait_for(instance) + print(mycolors.reset) + print("POLYSWARM.NETWORK RESULTS") + print('-' * 25, end="\n\n") + for assertion in result.assertions: + if (bkg == 1): + print(mycolors.reset + "Engine: " + mycolors.foreground.lightgreen + "%-12s" % assertion.author_name, end='') + print(mycolors.reset + "\tVerdict:" + mycolors.foreground.lightred + " ", "Malicious" if assertion.verdict else "Clean") + else: + print(mycolors.reset + "Engine: " + mycolors.foreground.green + "%-12s" % assertion.author_name, end='') + print(mycolors.reset + "\tVerdict:" + mycolors.foreground.red + " ", "Malicious" if assertion.verdict else "Clean") - results = polyswarm.search(myhash) - print(mycolors.reset) - for hashresults in results: - if hashresults.result: - for myhashes in hashresults.result: + results = polyswarm.search(myhash) + print(mycolors.reset) + for myhashes in results: + if(myhashes.sha256): sha256 = myhashes.sha256 + if(myhashes.mimetype): filetype = myhashes.mimetype + if(myhashes.extended_type): extended = myhashes.extended_type + if(myhashes.first_seen): firstseen = myhashes.first_seen - filenames = myhashes.filenames - if (myhashes.countries): - countries = myhashes.countries + if(myhashes.polyscore): + score = myhashes.polyscore - if (bkg == 1): - for j in filenames: - print(mycolors.foreground.lightcyan + "\nFilenames: \t%s" % j, end=' ') - print(mycolors.foreground.lightcyan + "\nSHA256: \t%s" % sha256) - print(mycolors.foreground.lightred + "File Type: \t%s" % filetype) - print(mycolors.foreground.lightred + "Extended Info: \t%s" % extended) - print(mycolors.foreground.pink + "First seen: \t%s" % firstseen) - for m in countries: - print(mycolors.foreground.pink + "Countries: \t%s" % m, end=' ') - if (score is not None): - print(mycolors.foreground.yellow + "\nPolyscore: \t%f" % score) - else: - for j in filenames: - print(mycolors.foreground.cyan + "\nFilenames: \t%s" % j, end=' ') - print(mycolors.foreground.cyan + "\nSHA256: \t%s" % sha256) - print(mycolors.foreground.purple + "File Type: \t%s" % filetype) - print(mycolors.foreground.purple + "Extended Info: \t%s" % extended) - print(mycolors.foreground.blue + "First seen: \t%s" % firstseen) - for m in countries: - print(mycolors.foreground.blue + "Countries: \t%s" % m, end=' ') - if (score is not None): - print(mycolors.foreground.red + "\nPolyscore: \t%f" % score) - print(mycolors.reset) + if (bkg == 1): + if(sha256): + print(mycolors.foreground.lightcyan + "\nSHA256: \t%s" % sha256) + if(filetype): + print(mycolors.foreground.lightred + "File Type: \t%s" % filetype) + if(extended): + print(mycolors.foreground.lightred + "Extended Info: \t%s" % extended) + if(firstseen): + print(mycolors.foreground.pink + "First seen: \t%s" % firstseen) + if (score is not None): + print(mycolors.foreground.yellow + "\nPolyscore: \t%f" % score) + else: + if(sha256): + print(mycolors.foreground.cyan + "\nSHA256: \t%s" % sha256) + if(filetype): + print(mycolors.foreground.purple + "File Type: \t%s" % filetype) + if(extended): + print(mycolors.foreground.purple + "Extended Info: \t%s" % extended) + if(firstseen): + print(mycolors.foreground.blue + "First seen: \t%s" % firstseen) + if (score is not None): + print(mycolors.foreground.red + "\nPolyscore: \t%f" % score) + print(mycolors.reset) + except: + if (bkg == 1): + print((mycolors.foreground.lightred + "\nAn error has ocurred while connecting to Polyswarm.\n")) + else: + print((mycolors.foreground.red + "\nAn error has ocurred while connecting to Polyswarm.\n")) + print(mycolors.reset) + exit(1) -def polyurlcheck(poly): +def polyhashsearch(poly): - results = polyswarm.scan_urls(poly) - print(mycolors.reset) - print("POLYSWARM.IO RESULTS") - print('-' * 20, end="\n\n") - for urlresults in results: - if urlresults.result: - for myurls in urlresults.result.files: - for assertion in myurls.assertions: - if (bkg == 1): - print(mycolors.reset + "Engine: " + mycolors.foreground.lightblue + "%-12s" % assertion.author_name, end='') - print(mycolors.reset + "\tVerdict:" + mycolors.foreground.lightred + " ", "Malicious" if assertion.verdict else "Clean") - else: - print(mycolors.reset + "Engine: " + mycolors.foreground.blue + "%-12s" % assertion.author_name, end='') - print(mycolors.reset + "\tVerdict: " + mycolors.foreground.red + " ", "Malicious" if assertion.verdict else "Clean") - print(mycolors.reset) + sha256 = '' + filetype = '' + extended = '' + firstseen = '' + score = 0 + DOWN_DIR = '.' + try: -def polyhashsearch(poly): + results = polyswarm.search(poly) - filenames = '' - sha256 = '' - results = polyswarm.search(poly) - print(mycolors.reset) - print("POLYSWARM.IO RESULTS") - print('-' * 20, end="\n\n") - for hashresults in results: - if hashresults.result: - for myhashes in hashresults.result: - score = myhashes.last_scan.polyscore + print(mycolors.reset) + print("POLYSWARM.NETWORK RESULTS") + print('-' * 25, end="\n\n") + print(mycolors.reset) + + for myhashes in results: + if not myhashes.assertions: + if(bkg == 1): + print(mycolors.foreground.lightred + "This sample has not been scanned on Polyswarm yet!\n" + mycolors.reset) + exit(1) + else: + print(mycolors.foreground.red + "This sample has not been scanned on Polyswarmi yet!\n" + mycolors.reset) + exit(1) + if(myhashes.sha256): sha256 = myhashes.sha256 + if(myhashes.mimetype): filetype = myhashes.mimetype + if(myhashes.extended_type): extended = myhashes.extended_type + if(myhashes.first_seen): firstseen = myhashes.first_seen - filenames = myhashes.filenames - countries = myhashes.countries - results = myhashes.last_scan.assertions - for i in results: - if (bkg == 1): - print(mycolors.foreground.lightcyan + "%s" % i) - else: - print(mycolors.foreground.cyan + "%s" % i) - if (bkg == 1): - if (filenames == ''): - if (sha256 == ''): - if(bkg == 1): - print(mycolors.foreground.lightred + "This sample could not be found on Polyswarm!\n" + mycolors.reset) - exit(1) + if(myhashes.polyscore): + score = myhashes.polyscore + results = myhashes.assertions + for i in results: + if (bkg == 1): + print(mycolors.foreground.lightgreen + "%s" % i) else: - print(mycolors.foreground.red + "This sample could not be found on Polyswarm!\n" + mycolors.reset) - exit(1) - for j in filenames: - print(mycolors.foreground.lightgreen + "\nFilenames: \t%s" % j, end=' ') - print(mycolors.foreground.lightgreen + "\nSHA256: \t%s" % sha256) - print(mycolors.foreground.lightred + "File Type: \t%s" % filetype) - print(mycolors.foreground.lightred + "Extended Info: \t%s" % extended) - print(mycolors.foreground.pink + "First seen: \t%s" % firstseen) - for m in countries: - print(mycolors.foreground.pink + "Countries: \t%s" % m, end=' ') - if (score is not None): - print(mycolors.foreground.yellow + "\nPolyscore: \t%f" % score) - else: - for j in filenames: - print(mycolors.foreground.green + "\nFilenames: \t%s" % j, end=' ') - print(mycolors.foreground.green + "\nSHA256: \t%s" % sha256) - print(mycolors.foreground.purple + "File Type: \t%s" % filetype) - print(mycolors.foreground.purple + "Extended Info: \t%s" % extended) - print(mycolors.foreground.blue + "First seen: \t%s" % firstseen) - for m in countries: - print(mycolors.foreground.blue + "Countries: \t%s" % m, end=' ') - if (score is not None): - print(mycolors.foreground.red + "\nPolyscore: \t%f" % score) - print(mycolors.reset) + print(mycolors.foreground.green + "%s" % i) + + if (bkg == 1): + if(sha256): + print(mycolors.foreground.lightcyan + "\nSHA256: \t%s" % sha256) + if(filetype): + print(mycolors.foreground.lightred + "File Type: \t%s" % filetype) + if(extended): + print(mycolors.foreground.lightred + "Extended Info: \t%s" % extended) + if(firstseen): + print(mycolors.foreground.pink + "First seen: \t%s" % firstseen) + if (score is not None): + print(mycolors.foreground.yellow + "\nPolyscore: \t%f" % score) + if (down == 1): + artifact = polyswarm.download(DOWN_DIR, sha256) + print(mycolors.reset + "\n\nThe sample has been SAVED!") + else: + if(sha256): + print(mycolors.foreground.cyan + "\nSHA256: \t%s" % sha256) + if(filetype): + print(mycolors.foreground.purple + "File Type: \t%s" % filetype) + if(extended): + print(mycolors.foreground.purple + "Extended Info: \t%s" % extended) + if(firstseen): + print(mycolors.foreground.blue + "First seen: \t%s" % firstseen) + if (score is not None): + print(mycolors.foreground.red + "\nPolyscore: \t%f" % score) + if (down == 1): + artifact = polywarm.download(DOWN_DIR, sha256) + print(mycolors.reset + "\n\nThe sample has been SAVED!") + print(mycolors.reset) + + except: + if (bkg == 1): + print((mycolors.foreground.yellow + "\nThis hash couldn't be found on Polyswarm.\n")) + else: + print((mycolors.foreground.red + "\nThis hash couldn't be found Polyswarm.\n")) + print(mycolors.reset) + exit(1) def hafilecheck(filenameha): @@ -1921,6 +1995,7 @@ def filechecking(ffpname2): else: print((mycolors.foreground.green + "")) listsections(targetfile) + listdlls(targetfile) if (showreport == 1): print(mycolors.reset) print("\nMain Antivirus Reports:") @@ -2332,6 +2407,7 @@ def run(self): def dirwork(d): + x = d global n n = 90 @@ -2369,13 +2445,13 @@ def dirquick(d): if (vt == 1): print("FileName".center(70) + "VT".center(12)) print((83*'-').center(41)) - if (ha == 1): + if (ha >= 1): print("FileName".center(70) + "Found?".center(10) + "Verdict".center(14) + "AVdet".center(6) + "Sigs".center(5) + "Score".center(14) + "Procs".center(6) + "Conns".center(6)) print((130*'-').center(60)) for key,value in sorted(iter(y.items()), key=lambda k_v:(k_v[1],k_v[0])): - if (ha == 1): + if (ha >= 1): if (windows == 1): thread = quickHAThread(key) thread.start() @@ -3616,141 +3692,1953 @@ def urlhauspost(urlx, haus, mytags): print(mycolors.reset) -def quickhashowAndroid(filehash): +def alien_subscribed(url, arg1): hatext = '' haresponse = '' - final = 'Yes' - verdict = '-' - avdetect = '0' - totalsignatures = '-' - threatscore = '-' - totalprocesses = '-' - networkconnections = '-' + history = arg1 + user_agent = {'X-OTX-API-KEY': ALIENAPI} + search_params = {'limit': history} + myargs = arg1 try: - resource = filehash + resource = url requestsession = requests.Session( ) - requestsession.headers.update({'user-agent': user_agent}) - requestsession.headers.update({'api-key': HAAPI}) - requestsession.headers.update({'content-type': 'application/x-www-form-urlencoded'}) - finalurl = '/'.join([haurl,'report', 'summary']) - resource1 = resource + ":200" - datahash = { - 'hashes[0]': resource1 - } - - haresponse = requestsession.post(url=finalurl, data = datahash) + requestsession.headers.update({'Content-Type': 'application/json'}) + finalurl = '/'.join([resource,'pulses', 'subscribed']) + haresponse = requestsession.post(url=finalurl, headers=user_agent, params=search_params) hatext = json.loads(haresponse.text) - rc = str(hatext) - if 'message' in rc: - final = 'Not Found' - return (final, verdict, avdetect, totalsignatures, threatscore, totalprocesses, networkconnections) + if(bkg == 1): + if 'results' in hatext: + x = 0 + c = 1 + for d in hatext['results']: + print(mycolors.reset) + print(mycolors.foreground.lightblue + "INFORMATION: %d" % c) + print(mycolors.reset + '-' * 15 + "\n") + if d['name']: + print(mycolors.foreground.yellow + "Headline:".ljust(13) + mycolors.reset + hatext['results'][x]['name'], end='\n') + if d['description']: + print(mycolors.foreground.yellow + "Description:" + "\n".ljust(14) + mycolors.reset + ("\n".ljust(14)).join(textwrap.wrap((hatext['results'][x]['description']).ljust(14), width=90)), end='\n') + if hatext['results'][x]['references']: + for r in hatext['results'][x]['references']: + print(mycolors.foreground.yellow + "\nReferences: ".ljust(14) + mycolors.reset + ("\n".ljust(14)).join(textwrap.wrap(r,width=100)), end='') + if hatext['results'][x]['tags']: + if (hatext['results'][x]['tags']): + print(mycolors.foreground.yellow + "\nTags:".ljust(13) + mycolors.reset, end=' ') + b = 0 + for z in hatext['results'][x]['tags']: + b = b + 1 + if ((b % 5) == 0): + print(mycolors.reset + z, end='\n'.ljust(14)) + else: + print(mycolors.reset + z, end=' ') + if (b == (len(hatext['results'][x]['tags']))): + print(mycolors.reset + z, end='\n') + + if hatext['results'][x]['industries']: + print(mycolors.foreground.yellow + "\nIndustries: ".ljust(14), end='') + for r in hatext['results'][x]['industries']: + print(mycolors.reset + ("\n".ljust(14)).join(textwrap.wrap(r,width=100)), end='\n'.ljust(14)) + if hatext['results'][x]['created']: + print(mycolors.foreground.yellow + "\nCreated: ".ljust(14) + mycolors.reset + hatext['results'][x]['created'], end='') + if hatext['results'][x]['modified']: + print(mycolors.foreground.yellow + "\nModified: ".ljust(14) + mycolors.reset + hatext['results'][x]['modified'], end='') + if hatext['results'][x]['malware_families']: + print(mycolors.foreground.yellow + "\nFamily: ".ljust(14), end='') + for r in hatext['results'][x]['malware_families']: + print(mycolors.reset + r, end=' ') + if hatext['results'][x]['adversary']: + print(mycolors.foreground.yellow + "\nAdversary: ".ljust(14) + mycolors.reset + hatext['results'][x]['adversary'], end='') + if hatext['results'][x]['targeted_countries']: + print(mycolors.foreground.yellow + "\nTargets: ".ljust(14), end='') + for r in hatext['results'][x]['targeted_countries']: + print(mycolors.reset + r, end=' ') + if hatext['results'][x]['indicators']: + limit = 0 + print("\n") + for r in hatext['results'][x]['indicators']: + if r['indicator']: + print(mycolors.foreground.yellow + "Indicator: ".ljust(13) + mycolors.reset + r['indicator'].ljust(64), end='\t') + print(mycolors.foreground.yellow + "Title: " + mycolors.reset + r['title'], end='\n') + limit = limit + 1 + if (limit > 9): + break + x = x + 1 + c = c + 1 - if 'verdict' in hatext[0]: - verdict = str(hatext[0]['verdict']) else: - verdict = '' + if 'results' in hatext: + x = 0 + c = 1 + for d in hatext['results']: + print(mycolors.reset) + print(mycolors.foreground.purple + "INFORMATION: %d" % c) + print(mycolors.reset + '-' * 15 + "\n") + if d['name']: + print(mycolors.foreground.blue + "Headline:".ljust(13) + mycolors.reset + hatext['results'][x]['name'], end='\n') + if d['description']: + print(mycolors.foreground.blue + "Description:" + "\n".ljust(14) + mycolors.reset + ("\n".ljust(14)).join(textwrap.wrap((hatext['results'][x]['description']).ljust(14), width=90)), end='\n') + if hatext['results'][x]['references']: + for r in hatext['results'][x]['references']: + print(mycolors.foreground.blue + "\nReferences: ".ljust(14) + mycolors.reset + ("\n".ljust(14)).join(textwrap.wrap(r,width=100)), end='') + if hatext['results'][x]['tags']: + print(mycolors.foreground.blue + "\nTags:".ljust(13) + mycolors.reset, end=' ') + b = 0 + for z in hatext['results'][x]['tags']: + b = b + 1 + if ((b % 5) == 0): + print(mycolors.reset + z, end='\n'.ljust(14)) + else: + print(mycolors.reset + z, end=' ') + if (b == (len(hatext['results'][x]['tags']))): + print(mycolors.reset + z, end='\n') + + if hatext['results'][x]['industries']: + print(mycolors.foreground.blue + "\nIndustries: ".ljust(14), end='') + for r in hatext['results'][x]['industries']: + print(mycolors.reset + ("\n".ljust(14)).join(textwrap.wrap(r,width=100)), end='\n'.ljust(14)) + if hatext['results'][x]['created']: + print(mycolors.foreground.blue + "\nCreated: ".ljust(14) + mycolors.reset + hatext['results'][x]['created'], end='') + if hatext['results'][x]['modified']: + print(mycolors.foreground.blue + "\nModified: ".ljust(14) + mycolors.reset + hatext['results'][x]['modified'], end='') + if hatext['results'][x]['malware_families']: + print(mycolors.foreground.blue + "\nFamily: ".ljust(14), end='') + for r in hatext['results'][x]['malware_families']: + print(mycolors.reset + r, end=' ') + if hatext['results'][x]['adversary']: + print(mycolors.foreground.blue + "\nAdversary: ".ljust(14) + mycolors.reset + hatext['results'][x]['adversary'], end='') + if hatext['results'][x]['targeted_countries']: + print(mycolors.foreground.blue + "\nTargets: ".ljust(14), end='') + for r in hatext['results'][x]['targeted_countries']: + print(mycolors.reset + r, end=' ') + if hatext['results'][x]['indicators']: + limit = 0 + print("\n") + for r in hatext['results'][x]['indicators']: + if r['indicator']: + print(mycolors.foreground.blue + "Indicator: ".ljust(13) + mycolors.reset + r['indicator'].ljust(64), end='\t') + print(mycolors.foreground.blue + "Title: " + mycolors.reset + r['title'], end='\n') + limit = limit + 1 + if (limit > 9): + break + x = x + 1 + c = c + 1 - if 'threat_score' in hatext[0]: - threatscore = str(hatext[0]['threat_score']) + except ValueError as e: + print(e) + if (bkg == 1): + print((mycolors.foreground.lightred + "Error while connecting to Alien Vault!\n")) else: - threatscore = '' + print((mycolors.foreground.red + "Error while connecting to Alien Vault!\n")) + print(mycolors.reset) - if 'av_detect' in hatext[0]: - avdetect = str(hatext[0]['av_detect']) - else: - avdetect = '' - if 'total_signatures' in hatext[0]: - totalsignatures = str(hatext[0]['total_signatures']) - else: - totalsignatures = '' +def alien_ipv4(url, arg1): - if 'total_processes' in hatext[0]: - totalprocesses = str(hatext[0]['total_processes']) + hatext = '' + haresponse = '' + history = '10' + user_agent = {'X-OTX-API-KEY': ALIENAPI} + search_params = {'limit': history} + myargs = arg1 + + try: + + resource = url + requestsession = requests.Session( ) + requestsession.headers.update({'Content-Type': 'application/json'}) + finalurl = '/'.join([resource,'indicators', 'IPv4', myargs]) + haresponse = requestsession.post(url=finalurl, headers=user_agent, params=search_params) + hatext = json.loads(haresponse.text) + + if(bkg == 1): + if 'sections' in hatext: + print(mycolors.reset) + if hatext['asn']: + print(mycolors.foreground.lightgreen + "ASN:".ljust(13) + mycolors.reset + hatext['asn'], end='\n') + if hatext['city']: + print(mycolors.foreground.lightgreen + "City:".ljust(13) + mycolors.reset + hatext['city'], end='\n') + if hatext['country_name']: + print(mycolors.foreground.lightgreen + "Country:".ljust(13) + mycolors.reset + hatext['country_name'], end='\n') + if hatext['pulse_info']: + if 'count' in (hatext['pulse_info']): + if ((hatext['pulse_info']['count']) == 0): + print(mycolors.foreground.red + "\nNo further information about the provided IP address!\n" + mycolors.reset) + exit(0) + z = 0 + i = 0 + for key in hatext['pulse_info']: + if (isinstance(hatext['pulse_info'][key], list)): + while i < len(hatext['pulse_info'][key]): + if(isinstance(hatext['pulse_info'][key][i], dict)): + if 'malware_families' in hatext['pulse_info'][key][i]: + for z in hatext['pulse_info'][key][i]['malware_families']: + print(mycolors.foreground.lightgreen + "Malware:".ljust(13) + mycolors.reset + z['display_name']) + if 'tags' in hatext['pulse_info'][key][i]: + if (hatext['pulse_info'][key][i]['tags']): + print(mycolors.foreground.lightgreen + "Tags:".ljust(12) + mycolors.reset, end=' ') + b = 0 + for z in hatext['pulse_info'][key][i]['tags']: + b = b + 1 + if ((b % 5) == 0): + print(mycolors.reset + z, end='\n'.ljust(14)) + else: + print(mycolors.reset + z, end=' ') + if (b == (len(hatext['pulse_info'][key][i]['tags']))): + print(mycolors.reset + z, end='\n') + i = i + 1 + if hatext['pulse_info']: + if hatext['pulse_info']['pulses']: + i = 0 + while (i < len(hatext['pulse_info']['pulses'])): + if "modified" in (hatext['pulse_info']['pulses'][i]): + print(mycolors.foreground.lightgreen + "Modified".ljust(13) + mycolors.reset + (hatext['pulse_info']['pulses'][i]['modified']), end='') + if "name" in (hatext['pulse_info']['pulses'][i]): + print(mycolors.foreground.lightgreen + "\nNews".ljust(14) + mycolors.reset + (hatext['pulse_info']['pulses'][i]['name']), end='') + if "created" in (hatext['pulse_info']['pulses'][i]): + print(mycolors.foreground.lightgreen + "\nCreated".ljust(14) + mycolors.reset + (hatext['pulse_info']['pulses'][i]['created']), end='') + break + else: + i = i + i + + k = 0 + while (k < len(hatext['pulse_info']['pulses'])): + for key in hatext['pulse_info']['pulses'][k]: + if (key == 'description'): + if (hatext['pulse_info']['pulses'][k]['description']): + print(mycolors.foreground.lightgreen + "\nDescription:" + "\n".ljust(14) + mycolors.reset + ("\n".ljust(14)).join(textwrap.wrap(hatext['pulse_info']['pulses'][k]['description'],width=100)), end='') + break + k = k + 1 + + if hatext['pulse_info']: + if hatext['pulse_info']['references']: + print("\n") + for r in hatext['pulse_info']['references']: + print(mycolors.foreground.lightgreen + "\nReferences: ".ljust(14) + mycolors.reset + ("\n".ljust(14)).join(textwrap.wrap(r,width=100)), end='') else: - totalprocesses = '' + if 'sections' in hatext: + print(mycolors.reset + "\n\n" + "ALIEN VAULT IPv4 REPORT".center(120)) + print(mycolors.reset) + print(mycolors.reset + '-' * 120 + "\n") + if hatext['asn']: + print(mycolors.foreground.green + "ASN:".ljust(13) + mycolors.reset + hatext['asn'], end='\n') + if hatext['city']: + print(mycolors.foreground.green + "City:".ljust(13) + mycolors.reset + hatext['city'], end='\n') + if hatext['country_name']: + print(mycolors.foreground.green + "Country:".ljust(13) + mycolors.reset + hatext['country_name'], end='\n') + if hatext['pulse_info']: + if 'count' in (hatext['pulse_info']): + if ((hatext['pulse_info']['count']) == 0): + print(mycolors.foreground.red + "\nNo further information about the provided IP address!\n" + mycolors.reset) + exit(0) + z = 0 + i = 0 + for key in hatext['pulse_info']: + if (isinstance(hatext['pulse_info'][key], list)): + while i < len(hatext['pulse_info'][key]): + if(isinstance(hatext['pulse_info'][key][i], dict)): + if 'malware_families' in hatext['pulse_info'][key][i]: + for z in hatext['pulse_info'][key][i]['malware_families']: + print(mycolors.foreground.green + "Malware:".ljust(13) + mycolors.reset + z['display_name']) + if 'tags' in hatext['pulse_info'][key][i]: + print(mycolors.foreground.green + "Tags:".ljust(12) + mycolors.reset, end=' ') + b = 0 + for z in hatext['pulse_info'][key][i]['tags']: + b = b + 1 + if ((b % 5) == 0): + print(mycolors.reset + z, end='\n'.ljust(14)) + else: + print(mycolors.reset + z, end=' ') + if (b == (len(hatext['pulse_info'][key][i]['tags']))): + print(mycolors.reset + z, end='\n') + i = i + 1 + if hatext['pulse_info']: + if hatext['pulse_info']['pulses']: + i = 0 + while (i < len(hatext['pulse_info']['pulses'])): + if "modified" in (hatext['pulse_info']['pulses'][i]): + print(mycolors.foreground.green + "Modified".ljust(13) + mycolors.reset + (hatext['pulse_info']['pulses'][i]['modified']), end='') + if "name" in (hatext['pulse_info']['pulses'][i]): + print(mycolors.foreground.green + "\nNews".ljust(14) + mycolors.reset + (hatext['pulse_info']['pulses'][i]['name']), end='') + if "created" in (hatext['pulse_info']['pulses'][i]): + print(mycolors.foreground.green + "\nCreated".ljust(14) + mycolors.reset + (hatext['pulse_info']['pulses'][i]['created']), end='') + break + else: + i = i + i + + k = 0 + while (k < len(hatext['pulse_info']['pulses'])): + for key in hatext['pulse_info']['pulses'][k]: + if (key == 'description'): + if (hatext['pulse_info']['pulses'][k]['description']): + print(mycolors.foreground.green + "\nDescription:" + "\n".ljust(14) + mycolors.reset + ("\n".ljust(14)).join(textwrap.wrap(hatext['pulse_info']['pulses'][k]['description'],width=100)), end='') + break + k = k + 1 + + if hatext['pulse_info']: + if hatext['pulse_info']['references']: + print("\n") + for r in hatext['pulse_info']['references']: + print(mycolors.foreground.green + "\nReferences: ".ljust(14) + mycolors.reset + ("\n".ljust(14)).join(textwrap.wrap(r,width=100)), end='') - if 'total_network_connections' in hatext[0]: - networkconnections = str(hatext[0]['total_network_connections']) + except ValueError as e: + print(e) + if (bkg == 1): + print((mycolors.foreground.lightred + "Error while connecting to Alien Vault!\n")) else: - networkconnections = '' + print((mycolors.foreground.red + "Error while connecting to Alien Vault!\n")) + print(mycolors.reset) - return (final, verdict, avdetect, totalsignatures, threatscore, totalprocesses, networkconnections) + +def alien_domain(url, arg1): + + hatext = '' + haresponse = '' + history = '10' + user_agent = {'X-OTX-API-KEY': ALIENAPI} + search_params = {'limit': history} + myargs = arg1 + + try: + + resource = url + requestsession = requests.Session( ) + requestsession.headers.update({'Content-Type': 'application/json'}) + finalurl = '/'.join([resource,'indicators', 'domain', myargs]) + haresponse = requestsession.post(url=finalurl, headers=user_agent, params=search_params) + hatext = json.loads(haresponse.text) + + if(bkg == 1): + if 'indicator' in hatext: + print(mycolors.reset) + if hatext['alexa']: + print(mycolors.foreground.yellow + "Alexa:".ljust(13) + mycolors.reset + hatext['alexa'], end='\n') + if hatext['pulse_info']: + if 'count' in (hatext['pulse_info']): + if ((hatext['pulse_info']['count']) == 0): + print(mycolors.foreground.red + "\nNot further information about the provided DOMAIN!\n" + mycolors.reset) + exit(0) + if hatext['pulse_info']['pulses']: + i = 0 + while (i < len(hatext['pulse_info']['pulses'])): + if "tags" in (hatext['pulse_info']['pulses'][i]): + print(mycolors.foreground.yellow + "Tags:".ljust(13), end='') + for j in hatext['pulse_info']['pulses'][i]['tags']: + print(mycolors.reset + j, end=' ') + if 'malware_families' in hatext['pulse_info']['pulses'][i]: + print(mycolors.foreground.yellow + "\nMalware:".ljust(14) + mycolors.reset, end='') + for z in hatext['pulse_info']['pulses'][i]['malware_families']: + print(mycolors.reset + z['display_name'], end=' ') + if 'targeted_countries' in hatext['pulse_info']['pulses'][i]: + print(mycolors.foreground.yellow + "\nCountries:".ljust(14), end='') + for z in hatext['pulse_info']['pulses'][i]['targeted_countries']: + print(mycolors.reset + z, end=' ') + if 'name' in hatext['pulse_info']['pulses'][i]: + if hatext['pulse_info']['pulses'][i]['name']: + print(mycolors.foreground.yellow + "\nNews:".ljust(14) + mycolors.reset + hatext['pulse_info']['pulses'][i]['name'], end='') + if 'attack_ids' in hatext['pulse_info']['pulses'][i]: + if hatext['pulse_info']['pulses'][i]['attack_ids']: + for k in hatext['pulse_info']['pulses'][i]['attack_ids']: + print(mycolors.foreground.yellow + "\nAttack IDs:".ljust(14) + mycolors.reset + str(k['display_name']), end='') + break + i = i + i + + print(mycolors.foreground.yellow + "\nDescription:", end=' ') + for x in hatext['pulse_info']['pulses']: + if (isinstance(x, dict)): + for y in x: + if 'description' in y: + if (x['description']): + print("\n".ljust(13),end=' ') + print(mycolors.reset + ("\n".ljust(14)).join(textwrap.wrap(x['description'],width=100)), end='\n') + if hatext['pulse_info']: + if hatext['pulse_info']['references']: + print("\n") + for r in hatext['pulse_info']['references']: + print(mycolors.foreground.yellow + "\nReferences: ".ljust(14) + mycolors.reset + ("\n".ljust(14)).join(textwrap.wrap(r,width=100)), end='') + + else: + if 'indicator' in hatext: + print(mycolors.reset) + if hatext['alexa']: + print(mycolors.foreground.purple + "Alexa:".ljust(13) + mycolors.reset + hatext['alexa'], end='\n') + if hatext['pulse_info']: + if 'count' in (hatext['pulse_info']): + if ((hatext['pulse_info']['count']) == 0): + print(mycolors.foreground.red + "\nNo further information about the provided DOMAIN!\n" + mycolors.reset) + exit(0) + if hatext['pulse_info']['pulses']: + i = 0 + while (i < len(hatext['pulse_info']['pulses'])): + if "tags" in (hatext['pulse_info']['pulses'][i]): + print(mycolors.foreground.purple + "Tags:".ljust(13), end='') + for j in hatext['pulse_info']['pulses'][i]['tags']: + print(mycolors.reset + j, end=' ') + if 'malware_families' in hatext['pulse_info']['pulses'][i]: + print(mycolors.foreground.purple + "\nMalware:".ljust(14) + mycolors.reset, end='') + for z in hatext['pulse_info']['pulses'][i]['malware_families']: + print(mycolors.reset + z['display_name'], end=' ') + if 'targeted_countries' in hatext['pulse_info']['pulses'][i]: + print(mycolors.foreground.purple + "\nCountries:".ljust(14), end='') + for z in hatext['pulse_info']['pulses'][i]['targeted_countries']: + print(mycolors.reset + z, end=' ') + if 'name' in hatext['pulse_info']['pulses'][i]: + if hatext['pulse_info']['pulses'][i]['name']: + print(mycolors.foreground.purple + "\nNews:".ljust(14) + mycolors.reset + hatext['pulse_info']['pulses'][i]['name'], end='') + if 'attack_ids' in hatext['pulse_info']['pulses'][i]: + if hatext['pulse_info']['pulses'][i]['attack_ids']: + for k in hatext['pulse_info']['pulses'][i]['attack_ids']: + print(mycolors.foreground.purple + "\nAttack IDs:".ljust(14) + mycolors.reset + str(k['display_name']), end='') + break + i = i + i + + print(mycolors.foreground.purple + "\nDescription:", end=' ') + for x in hatext['pulse_info']['pulses']: + if (isinstance(x, dict)): + for y in x: + if 'description' in y: + if (x['description']): + print("\n".ljust(13),end=' ') + print(mycolors.reset + ("\n".ljust(14)).join(textwrap.wrap(x['description'],width=100)), end='\n') + if hatext['pulse_info']: + if hatext['pulse_info']['references']: + print("\n") + for r in hatext['pulse_info']['references']: + print(mycolors.foreground.purple + "\nReferences: ".ljust(14) + mycolors.reset + ("\n".ljust(14)).join(textwrap.wrap(r,width=100)), end='') except ValueError as e: print(e) if (bkg == 1): - print((mycolors.foreground.lightred + "Error while connecting to Hybrid-Analysis!\n")) + print((mycolors.foreground.lightred + "Error while connecting to Alien Vault!\n")) else: - print((mycolors.foreground.red + "Error while connecting to Hybrid-Analysis!\n")) + print((mycolors.foreground.red + "Error while connecting to Alien Vault!\n")) print(mycolors.reset) -class androidVTThread(threading.Thread): +def alien_hash(url, arg1): - def __init__(self, key, package): + hatext = '' + haresponse = '' + history = '10' + user_agent = {'X-OTX-API-KEY': ALIENAPI} + search_params = {'limit': history} + myargs = arg1 - threading.Thread.__init__(self) - self.key = key - self.package = package + try: - def run(self): + resource = url + requestsession = requests.Session( ) + requestsession.headers.update({'Content-Type': 'application/json'}) + finalurl = '/'.join([resource,'indicators', 'file', myargs]) + haresponse = requestsession.post(url=finalurl, headers=user_agent, params=search_params) + hatext = json.loads(haresponse.text) - key1 = self.key - package1 = self.package + if(bkg == 1): + if 'indicator' in hatext: + print(mycolors.reset) + if hatext['pulse_info']: + if 'count' in (hatext['pulse_info']): + if ((hatext['pulse_info']['count']) == 0): + print(mycolors.foreground.red + "\nNo further information about the provided HASH!\n" + mycolors.reset) + exit(0) + i = 0 + if 'pulses' in (hatext['pulse_info']): + while (i < len(hatext['pulse_info']['pulses'])): + if "tags" in (hatext['pulse_info']['pulses'][i]): + if (hatext['pulse_info']['pulses'][i]['tags']): + print(mycolors.foreground.lightcyan + "\nTags:".ljust(13), end='') + b = 0 + for j in hatext['pulse_info']['pulses'][i]['tags']: + b = b + 1 + if ((b % 5) == 0): + print(mycolors.reset + j, end='\n'.ljust(13)) + else: + print(mycolors.reset + j, end=' ') + if (b == (len(hatext['pulse_info']['pulses'][i]['tags']))): + print(mycolors.reset + j, end='\n') + + if 'malware_families' in hatext['pulse_info']['pulses'][i]: + if hatext['pulse_info']['pulses'][i]['malware_families']: + print(mycolors.foreground.lightcyan + "\nMalware:".ljust(13) + mycolors.reset, end='') + for z in hatext['pulse_info']['pulses'][i]['malware_families']: + print(mycolors.reset + z['display_name'], end=' ') + if 'created' in hatext['pulse_info']['pulses'][i]: + if hatext['pulse_info']['pulses'][i]['created']: + print(mycolors.foreground.lightcyan + "\nCreated:".ljust(13) + mycolors.reset, end='') + print(mycolors.reset + hatext['pulse_info']['pulses'][i]['created'], end=' ') + if 'modified' in hatext['pulse_info']['pulses'][i]: + if hatext['pulse_info']['pulses'][i]['modified']: + print(mycolors.foreground.lightcyan + "\nModified:".ljust(13) + mycolors.reset, end='') + print(mycolors.reset + hatext['pulse_info']['pulses'][i]['modified'], end=' ') + if 'targeted_countries' in hatext['pulse_info']['pulses'][i]: + if hatext['pulse_info']['pulses'][i]['targeted_countries']: + print(mycolors.foreground.lightcyan + "\nCountries:".ljust(13), end='') + for z in hatext['pulse_info']['pulses'][i]['targeted_countries']: + print(mycolors.reset + z, end=' ') + if 'attack_ids' in hatext['pulse_info']['pulses'][i]: + if hatext['pulse_info']['pulses'][i]['attack_ids']: + for k in hatext['pulse_info']['pulses'][i]['attack_ids']: + print(mycolors.foreground.lightcyan + "\nAttack IDs:".ljust(13) + mycolors.reset + str(k['display_name']), end='') + if 'name' in hatext['pulse_info']['pulses'][i]: + if hatext['pulse_info']['pulses'][i]['name']: + print(mycolors.foreground.lightcyan + "\nNews:".ljust(13) + mycolors.reset + hatext['pulse_info']['pulses'][i]['name'], end='') + break + i = i + 1 + + print(mycolors.foreground.lightcyan + "\nDescription:", end='') + for x in hatext['pulse_info']['pulses']: + if (isinstance(x, dict)): + for y in x: + if 'description' in y: + if (x['description']): + print("\n".ljust(13),end='') + print(mycolors.reset + ("\n".ljust(13)).join(textwrap.wrap(x['description'],width=100)), end='\n') + + if "references" in (hatext['pulse_info']): + for j in hatext['pulse_info']['references']: + print(mycolors.foreground.lightcyan + "\nReferences: ".ljust(13) + mycolors.reset + ("\n".ljust(13)).join(textwrap.wrap(j,width=100)), end='') + print("\n") + else: + if 'indicator' in hatext: + print(mycolors.reset) + if hatext['pulse_info']: + if 'count' in (hatext['pulse_info']): + if ((hatext['pulse_info']['count']) == 0): + print(mycolors.foreground.red + "\nNo further information about the provided HASH!\n" + mycolors.reset) + exit(0) + i = 0 + if 'pulses' in (hatext['pulse_info']): + while (i < len(hatext['pulse_info']['pulses'])): + if "tags" in (hatext['pulse_info']['pulses'][i]): + if (hatext['pulse_info']['pulses'][i]['tags']): + print(mycolors.foreground.cyan + "\nTags:".ljust(13), end='') + b = 0 + for j in hatext['pulse_info']['pulses'][i]['tags']: + b = b + 1 + if ((b % 5) == 0): + print(mycolors.reset + j, end='\n'.ljust(13)) + else: + print(mycolors.reset + j, end=' ') + if (b == (len(hatext['pulse_info']['pulses'][i]['tags']))): + print(mycolors.reset + j, end='\n') + if 'malware_families' in hatext['pulse_info']['pulses'][i]: + if hatext['pulse_info']['pulses'][i]['malware_families']: + print(mycolors.foreground.cyan + "\nMalware:".ljust(13) + mycolors.reset, end='') + for z in hatext['pulse_info']['pulses'][i]['malware_families']: + print(mycolors.reset + z['display_name'], end=' ') + if 'created' in hatext['pulse_info']['pulses'][i]: + if hatext['pulse_info']['pulses'][i]['created']: + print(mycolors.foreground.cyan + "\nCreated:".ljust(13) + mycolors.reset, end='') + print(mycolors.reset + hatext['pulse_info']['pulses'][i]['created'], end=' ') + if 'modified' in hatext['pulse_info']['pulses'][i]: + if hatext['pulse_info']['pulses'][i]['modified']: + print(mycolors.foreground.cyan + "\nModified:".ljust(13) + mycolors.reset, end='') + print(mycolors.reset + hatext['pulse_info']['pulses'][i]['modified'], end=' ') + if 'targeted_countries' in hatext['pulse_info']['pulses'][i]: + if hatext['pulse_info']['pulses'][i]['targeted_countries']: + print(mycolors.foreground.cyan + "\nCountries:".ljust(13), end='') + for z in hatext['pulse_info']['pulses'][i]['targeted_countries']: + print(mycolors.reset + z, end=' ') + if 'attack_ids' in hatext['pulse_info']['pulses'][i]: + if hatext['pulse_info']['pulses'][i]['attack_ids']: + for k in hatext['pulse_info']['pulses'][i]['attack_ids']: + print(mycolors.foreground.cyan + "\nAttack IDs:".ljust(13) + mycolors.reset + str(k['display_name']), end='') + if 'name' in hatext['pulse_info']['pulses'][i]: + if hatext['pulse_info']['pulses'][i]['name']: + print(mycolors.foreground.cyan + "\nNews:".ljust(13) + mycolors.reset + hatext['pulse_info']['pulses'][i]['name'], end='') + break + i = i + 1 + + print(mycolors.foreground.cyan + "\nDescription:", end='') + for x in hatext['pulse_info']['pulses']: + if (isinstance(x, dict)): + for y in x: + if 'description' in y: + if (x['description']): + print("\n".ljust(13),end='') + print(mycolors.reset + ("\n".ljust(13)).join(textwrap.wrap(x['description'],width=100)), end='\n') + + if "references" in (hatext['pulse_info']): + for j in hatext['pulse_info']['references']: + print(mycolors.foreground.cyan + "\nReferences: ".ljust(13) + mycolors.reset + ("\n".ljust(13)).join(textwrap.wrap(j,width=100)), end='') + print("\n") - myhash = key1 - vtfinal = vtcheck(myhash, url, param) - + except ValueError as e: + print(e) if (bkg == 1): - print((mycolors.foreground.orange + "%-50s" % package1), end=' ') - print((mycolors.foreground.lightcyan + "%-32s" % key1), end=' ') - print((mycolors.reset + mycolors.foreground.lightgreen + "%8s" % vtfinal + mycolors.reset)) + print((mycolors.foreground.lightred + "Error while connecting to Alien Vault!\n")) else: - print((mycolors.foreground.green + "%-08s" % package), end=' ') - print((mycolors.foreground.cyan + "%-32s" % key1), end=' ') - print((mycolors.reset + mycolors.foreground.red + "%8s" % vtfinal + mycolors.reset)) + print((mycolors.foreground.red + "Error while connecting to Alien Vault!\n")) + print(mycolors.reset) -class quickHAAndroidThread(threading.Thread): +def alien_url(urlx, arg1): - def __init__(self, key, package): + hatext = '' + haresponse = '' + history = '10' + user_agent = {'X-OTX-API-KEY': ALIENAPI} + search_params = {'limit': history} + myargs = arg1 - threading.Thread.__init__(self) - self.key = key - self.package = package + try: - def run(self): + resource = urlx + requestsession = requests.Session( ) + requestsession.headers.update({'Content-Type': 'application/json'}) + finalurl = '/'.join([resource,'indicators', 'url', myargs, 'general']) + haresponse = requestsession.post(url=finalurl, headers=user_agent, params=search_params) + hatext = json.loads(haresponse.text) - key1 = self.key - package1 = self.package + if(bkg == 1): + if 'indicator' in hatext: + print(mycolors.reset) + if hatext['pulse_info']: + i = 0 + if 'count' in (hatext['pulse_info']): + if ((hatext['pulse_info']['count']) == 0): + print(mycolors.foreground.lightred + "\nURL not found!\n" + mycolors.reset) + exit(0) + if 'pulses' in (hatext['pulse_info']): + if 'name' in hatext['pulse_info']['pulses'][i]: + if hatext['pulse_info']['pulses'][i]['name']: + print(mycolors.foreground.lightred + "\nNews:".ljust(13) + mycolors.reset + hatext['pulse_info']['pulses'][i]['name'], end='') + print(mycolors.foreground.lightred + "\nDescription:", end='') + for x in hatext['pulse_info']['pulses']: + if (isinstance(x, dict)): + for y in x: + if 'description' in y: + if (x['description']): + print("\n".ljust(13),end='') + print(mycolors.reset + ("\n".ljust(13)).join(textwrap.wrap(x['description'],width=100)), end='\n') + if "references" in (hatext['pulse_info']): + for j in hatext['pulse_info']['references']: + print(mycolors.foreground.lightred + "\nReferences:".ljust(13) + mycolors.reset + ("\n".ljust(13)).join(textwrap.wrap(j,width=100)), end='') + while (i < len(hatext['pulse_info']['pulses'])): + if "tags" in (hatext['pulse_info']['pulses'][i]): + if hatext['pulse_info']['pulses'][i]['tags']: + print(mycolors.foreground.lightred + "\nTags:".ljust(13), end='') + for j in hatext['pulse_info']['pulses'][i]['tags']: + print(mycolors.reset + j, end=' ') + if 'malware_families' in hatext['pulse_info']['pulses'][i]: + if hatext['pulse_info']['pulses'][i]['malware_families']: + print(mycolors.foreground.lightred + "\nMalware:".ljust(13) + mycolors.reset, end='') + for z in hatext['pulse_info']['pulses'][i]['malware_families']: + print(mycolors.reset + z['display_name'], end=' ') + if 'created' in hatext['pulse_info']['pulses'][i]: + if hatext['pulse_info']['pulses'][i]['created']: + print(mycolors.foreground.lightred + "\nCreated:".ljust(13) + mycolors.reset, end='') + print(mycolors.reset + hatext['pulse_info']['pulses'][i]['created'], end=' ') + if 'modified' in hatext['pulse_info']['pulses'][i]: + if hatext['pulse_info']['pulses'][i]['modified']: + print(mycolors.foreground.lightred + "\nModified:".ljust(13) + mycolors.reset, end='') + print(mycolors.reset + hatext['pulse_info']['pulses'][i]['modified'], end=' ') + if 'targeted_countries' in hatext['pulse_info']['pulses'][i]: + if hatext['pulse_info']['pulses'][i]['targeted_countries']: + print(mycolors.foreground.lightred + "\nCountries:".ljust(13), end='') + for z in hatext['pulse_info']['pulses'][i]['targeted_countries']: + print(mycolors.reset + z, end=' ') + if 'attack_ids' in hatext['pulse_info']['pulses'][i]: + if hatext['pulse_info']['pulses'][i]['attack_ids']: + for k in hatext['pulse_info']['pulses'][i]['attack_ids']: + print(mycolors.foreground.lightred + "\nAttack IDs:".ljust(13) + mycolors.reset + str(k['display_name']), end='') + break + i = i + 1 + + j = 0 + while (j < len(hatext['pulse_info']['pulses'])): + if "tags" in (hatext['pulse_info']['pulses'][i]): + if hatext['pulse_info']['pulses'][j]['tags']: + print(mycolors.foreground.lightred + "\nTags:".ljust(13), end='') + for z in hatext['pulse_info']['pulses'][j]['tags']: + print(mycolors.reset + z, end=' ') + j = j + 1 + + t = 0 + while (t < len(hatext['pulse_info']['pulses'])): + if 'malware_families' in hatext['pulse_info']['pulses'][t]: + if hatext['pulse_info']['pulses'][t]['malware_families']: + print(mycolors.foreground.lightred + "\nMalware:".ljust(13) + mycolors.reset, end='') + for w in hatext['pulse_info']['pulses'][t]['malware_families']: + print(mycolors.reset + w['display_name'], end=' ') + t = t + 1 + if hatext['alexa']: + print(mycolors.foreground.lightred + "\nAlexa:".ljust(13) + mycolors.reset + hatext['alexa'], end='') - myhash = key1 - (final, verdict, avdetect, totalsignatures, threatscore, totalprocesses, networkconnections) = quickhashowAndroid(myhash) + else: + if 'indicator' in hatext: + print(mycolors.reset) + if hatext['pulse_info']: + i = 0 + if 'count' in (hatext['pulse_info']): + if ((hatext['pulse_info']['count']) == 0): + print(mycolors.foreground.red + "\nURL not found!\n" + mycolors.reset) + exit(0) + if 'pulses' in (hatext['pulse_info']): + if 'name' in hatext['pulse_info']['pulses'][i]: + if hatext['pulse_info']['pulses'][i]['name']: + print(mycolors.foreground.red + "\nNews:".ljust(13) + mycolors.reset + hatext['pulse_info']['pulses'][i]['name'], end='') + print(mycolors.foreground.red + "\nDescription:", end='') + for x in hatext['pulse_info']['pulses']: + if (isinstance(x, dict)): + for y in x: + if 'description' in y: + if (x['description']): + print("\n".ljust(13),end='') + print(mycolors.reset + ("\n".ljust(13)).join(textwrap.wrap(x['description'],width=100)), end='\n') + if "references" in (hatext['pulse_info']): + for j in hatext['pulse_info']['references']: + print(mycolors.foreground.red + "\nReferences:".ljust(13) + mycolors.reset + ("\n".ljust(13)).join(textwrap.wrap(j,width=100)), end='') + while (i < len(hatext['pulse_info']['pulses'])): + if "tags" in (hatext['pulse_info']['pulses'][i]): + if hatext['pulse_info']['pulses'][i]['tags']: + print(mycolors.foreground.red + "\nTags:".ljust(13), end='') + for j in hatext['pulse_info']['pulses'][i]['tags']: + print(mycolors.reset + j, end=' ') + if 'malware_families' in hatext['pulse_info']['pulses'][i]: + if hatext['pulse_info']['pulses'][i]['malware_families']: + print(mycolors.foreground.red + "\nMalware:".ljust(13) + mycolors.reset, end='') + for z in hatext['pulse_info']['pulses'][i]['malware_families']: + print(mycolors.reset + z['display_name'], end=' ') + if 'created' in hatext['pulse_info']['pulses'][i]: + if hatext['pulse_info']['pulses'][i]['created']: + print(mycolors.foreground.red + "\nCreated:".ljust(13) + mycolors.reset, end='') + print(mycolors.reset + hatext['pulse_info']['pulses'][i]['created'], end=' ') + if 'modified' in hatext['pulse_info']['pulses'][i]: + if hatext['pulse_info']['pulses'][i]['modified']: + print(mycolors.foreground.red + "\nModified:".ljust(13) + mycolors.reset, end='') + print(mycolors.reset + hatext['pulse_info']['pulses'][i]['modified'], end=' ') + if 'targeted_countries' in hatext['pulse_info']['pulses'][i]: + if hatext['pulse_info']['pulses'][i]['targeted_countries']: + print(mycolors.foreground.red + "\nCountries:".ljust(13), end='') + for z in hatext['pulse_info']['pulses'][i]['targeted_countries']: + print(mycolors.reset + z, end=' ') + if 'attack_ids' in hatext['pulse_info']['pulses'][i]: + if hatext['pulse_info']['pulses'][i]['attack_ids']: + for k in hatext['pulse_info']['pulses'][i]['attack_ids']: + print(mycolors.foreground.red + "\nAttack IDs:".ljust(13) + mycolors.reset + str(k['display_name']), end='') + break + i = i + 1 + + j = 0 + while (j < len(hatext['pulse_info']['pulses'])): + if "tags" in (hatext['pulse_info']['pulses'][i]): + if hatext['pulse_info']['pulses'][j]['tags']: + print(mycolors.foreground.red + "\nTags:".ljust(13), end='') + for z in hatext['pulse_info']['pulses'][j]['tags']: + print(mycolors.reset + z, end=' ') + j = j + 1 + + t = 0 + while (t < len(hatext['pulse_info']['pulses'])): + if 'malware_families' in hatext['pulse_info']['pulses'][t]: + if hatext['pulse_info']['pulses'][t]['malware_families']: + print(mycolors.foreground.red + "\nMalware:".ljust(13) + mycolors.reset, end='') + for w in hatext['pulse_info']['pulses'][t]['malware_families']: + print(mycolors.reset + w['display_name'], end=' ') + t = t + 1 + if hatext['alexa']: + print(mycolors.foreground.red + "\nAlexa:".ljust(13) + mycolors.reset + hatext['alexa'], end='') + + except ValueError as e: + print(e) if (bkg == 1): - print((mycolors.foreground.lightgreen + "%-50s" % package1), end=' ') - print((mycolors.foreground.yellow + "%-34s" % key1), end=' ') - print((mycolors.foreground.lightcyan + "%9s" % final), end='') - if (verdict == "malicious"): - print((mycolors.foreground.lightred + "%20s" % verdict), end='') - else: - print((mycolors.foreground.yellow + "%20s" % verdict), end='') - if(avdetect == 'None'): - print((mycolors.foreground.lightcyan + "%7s" % avdetect), end='') - else: - print((mycolors.foreground.lightcyan + "%6s%%" % avdetect), end='') - print((mycolors.foreground.orange + "%7s" % totalsignatures), end='') - if(threatscore == 'None'): - print((mycolors.foreground.lightred + "%12s" % threatscore), end='') - else: - print((mycolors.foreground.lightred + "%8s/100" % threatscore), end='') - print((mycolors.foreground.lightgreen + "%6s" % totalprocesses), end='') + print((mycolors.foreground.lightred + "Error while connecting to Alien Vault!\n")) + else: + print((mycolors.foreground.red + "Error while connecting to Alien Vault!\n")) + print(mycolors.reset) + + +def malpedia_families(urlx, arg1): + + hatext = '' + haresponse = '' + myargs = arg1 + + try: + + resource = urlx + requestsession = requests.Session( ) + requestsession.headers.update({'Content-Type': 'application/json'}) + requestsession.headers.update({'Authorization': 'apitoken ' + MALPEDIAAPI }) + finalurl = '/'.join([resource, 'get', 'families']) + haresponse = requestsession.get(url=finalurl) + hatext = json.loads(haresponse.text) + + if(not '200' in str(haresponse)): + print(mycolors.foreground.red + "\nAn error has occured while accessing Malpedia.\n", mycolors.reset) + exit(1) + + if(bkg == 1): + for key,value in hatext.items(): + print(mycolors.foreground.orange + "Family:".ljust(13) + mycolors.reset + key) + print(mycolors.foreground.lightgreen + "\nUpdated:".ljust(14) + mycolors.reset + value['updated'], end=' ') + if (value['attribution']): + print(mycolors.foreground.lightgreen + "\nAttribution:".ljust(13), end=' ') + for i in value['attribution']: + print(mycolors.reset + str(i), end=' ') + if (value['alt_names']): + print(mycolors.foreground.lightgreen + "\nAliases:".ljust(13), end=' ') + for i in value['alt_names']: + print(mycolors.reset + i, end=' ') + if (value['common_name']): + print(mycolors.foreground.lightgreen + "\nCommon Name: ".ljust(13) + mycolors.reset + value['common_name'], end=' ') + if (value['description']): + print(mycolors.foreground.lightgreen + "\nDescription: ".ljust(13) + mycolors.reset + ("\n".ljust(14)).join(textwrap.wrap(value['description'],width=110)), end=' ') + + if (value['urls']): + j = 0 + for i in value['urls']: + if (j < 10): + print(mycolors.foreground.lightgreen + "\nURL_%d:".ljust(15) % j + mycolors.reset + ("\n".ljust(14)).join(textwrap.wrap(i,width=110)), end=' ') + if (j > 9 and j < 100): + print(mycolors.foreground.lightgreen + "\nURL_%d:".ljust(14) % j + mycolors.reset + ("\n".ljust(14)).join(textwrap.wrap(i,width=110)), end=' ') + if (j > 99): + print(mycolors.foreground.lightgreen + "\nURL_%d:".ljust(13) % j + mycolors.reset + ("\n".ljust(14)).join(textwrap.wrap(i,width=110)), end=' ') + j = j + 1 + + print(mycolors.reset + "\n" + "-" * 123) + + if(bkg == 0): + for key,value in hatext.items(): + print(mycolors.foreground.red + "Family:".ljust(13) + mycolors.reset + key) + print(mycolors.foreground.blue + "\nUpdated:".ljust(14) + mycolors.reset + value['updated'], end=' ') + if (value['attribution']): + print(mycolors.foreground.blue + "\nAttribution:".ljust(13), end=' ') + for i in value['attribution']: + print(mycolors.reset + str(i), end=' ') + if (value['alt_names']): + print(mycolors.foreground.blue + "\nAliases:".ljust(13), end=' ') + for i in value['alt_names']: + print(mycolors.reset + i, end=' ') + if (value['common_name']): + print(mycolors.foreground.blue + "\nCommon Name: ".ljust(13) + mycolors.reset + value['common_name'], end=' ') + if (value['description']): + print(mycolors.foreground.blue + "\nDescription: ".ljust(13) + mycolors.reset + ("\n".ljust(14)).join(textwrap.wrap(value['description'],width=110)), end=' ') + + if (value['urls']): + j = 0 + for i in value['urls']: + if (j < 10): + print(mycolors.foreground.blue + "\nURL_%d:".ljust(15) % j + mycolors.reset + ("\n".ljust(14)).join(textwrap.wrap(i,width=110)), end=' ') + if (j > 9 and j < 100): + print(mycolors.foreground.blue + "\nURL_%d:".ljust(14) % j + mycolors.reset + ("\n".ljust(14)).join(textwrap.wrap(i,width=110)), end=' ') + if (j > 99): + print(mycolors.foreground.blue + "\nURL_%d:".ljust(13) % j + mycolors.reset + ("\n".ljust(14)).join(textwrap.wrap(i,width=110)), end=' ') + j = j + 1 + + print(mycolors.reset + "\n" + "-" * 123) + + except ValueError as e: + print(e) + if (bkg == 1): + print((mycolors.foreground.lightred + "Error while connecting to Malpedia!\n")) + else: + print((mycolors.foreground.red + "Error while connecting to Malpedia!\n")) + print(mycolors.reset) + + +def malpedia_actors(urlx, arg1): + + hatext = '' + haresponse = '' + myargs = arg1 + + try: + + resource = urlx + requestsession = requests.Session( ) + requestsession.headers.update({'Content-Type': 'application/json'}) + requestsession.headers.update({'Authorization': 'apitoken ' + MALPEDIAAPI }) + finalurl = '/'.join([resource, 'list', 'actors']) + haresponse = requestsession.get(url=finalurl) + hatext = json.loads(haresponse.text) + + if(not '200' in str(haresponse)): + print(mycolors.foreground.red + "\nAn error has occured while accessing Malpedia.\n", mycolors.reset) + exit(1) + + if(bkg == 1): + print(mycolors.foreground.lightgreen + "\nActors:".ljust(13), end='\n'.ljust(11)) + j = 1 + for i in hatext: + if (j < 10): + print(mycolors.foreground.lightred + "Actor_%s: " % j + mycolors.reset + str(i), end='\n'.ljust(11)) + if ((j > 9) and (j < 100)): + print(mycolors.foreground.lightred + "Actor_%s: " % j + mycolors.reset + str(i), end='\n'.ljust(11)) + if (j > 99): + print(mycolors.foreground.lightred + "Actor_%s: " % j + mycolors.reset + str(i), end='\n'.ljust(11)) + j = j + 1 + + if(bkg == 0): + print(mycolors.foreground.green + "\nActors:".ljust(13), end='\n'.ljust(11)) + j = 1 + for i in hatext: + if (j < 10): + print(mycolors.foreground.red + "Actor_%s: " % j + mycolors.reset + str(i), end='\n'.ljust(11)) + if ((j > 9) and (j < 100)): + print(mycolors.foreground.red + "Actor_%s: " % j + mycolors.reset + str(i), end='\n'.ljust(11)) + if (j > 99): + print(mycolors.foreground.red + "Actor_%s: " % j + mycolors.reset + str(i), end='\n'.ljust(11)) + j = j + 1 + + except ValueError as e: + print(e) + if (bkg == 1): + print((mycolors.foreground.lightred + "Error while connecting to Malpedia!\n")) + else: + print((mycolors.foreground.red + "Error while connecting to Malpedia!\n")) + print(mycolors.reset) + + +def malpedia_payloads(urlx, arg1): + + hatext = '' + haresponse = '' + myargs = arg1 + + try: + + resource = urlx + requestsession = requests.Session( ) + requestsession.headers.update({'Content-Type': 'application/json'}) + requestsession.headers.update({'Authorization': 'apitoken ' + MALPEDIAAPI }) + finalurl = '/'.join([resource, 'list', 'samples']) + haresponse = requestsession.get(url=finalurl) + hatext = json.loads(haresponse.text) + + if(not '200' in str(haresponse)): + print(mycolors.foreground.red + "\nAn error has occured while accessing Malpedia.\n", mycolors.reset) + exit(1) + + if(bkg == 1): + for key,value in hatext.items(): + print(mycolors.foreground.orange + "Family:".ljust(11) + mycolors.reset + key, end=' ') + for i in value: + for j in i.items(): + for k in i.keys(): + if (k == 'status'): + if (i['status']): + print(mycolors.foreground.lightgreen + "\n\nStatus:".ljust(13) + mycolors.reset + str(i['status']), end='') + if (k == 'sha256'): + if (i['sha256']): + print(mycolors.foreground.lightgreen + "\nHash:".ljust(12) + mycolors.reset + str(i['sha256']), end='') + if (k == 'version'): + if (i['version']): + print(mycolors.foreground.lightgreen + "\nVersion:".ljust(12) + mycolors.reset + str(i['version']), end=' ') + print("\n" + '-' * 75) + + if(bkg == 0): + for key,value in hatext.items(): + print(mycolors.foreground.red + "Family:".ljust(11) + mycolors.reset + key, end=' ') + for i in value: + for j in i.items(): + for k in i.keys(): + if (k == 'status'): + if (i['status']): + print(mycolors.foreground.green + "\n\nStatus:".ljust(13) + mycolors.reset + str(i['status']), end='') + if (k == 'sha256'): + if (i['sha256']): + print(mycolors.foreground.green + "\nHash:".ljust(12) + mycolors.reset + str(i['sha256']), end='') + if (k == 'version'): + if (i['version']): + print(mycolors.foreground.green + "\nVersion:".ljust(12) + mycolors.reset + str(i['version']), end=' ') + + except ValueError as e: + print(e) + if (bkg == 1): + print((mycolors.foreground.lightred + "Error while connecting to Malpedia!\n")) + else: + print((mycolors.foreground.red + "Error while connecting to Malpedia!\n")) + print(mycolors.reset) + + +def malpedia_get_actor(urlx, arg1): + + hatext = '' + haresponse = '' + myargs = arg1 + wrapper = textwrap.TextWrapper(width=100) + + try: + + resource = urlx + requestsession = requests.Session( ) + requestsession.headers.update({'Content-Type': 'application/json'}) + requestsession.headers.update({'Authorization': 'apitoken ' + MALPEDIAAPI }) + finalurl = '/'.join([resource, 'get', 'actor', myargs]) + haresponse = requestsession.get(url=finalurl) + hatext = json.loads(haresponse.text) + + if (bkg == 1): + if('Not found.' in str(hatext)): + print(mycolors.foreground.yellow + "\nInformation about this actor couldn't be found on Malpedia.\n", mycolors.reset) + exit(1) + + if (bkg == 0): + if('Not found.' in str(hatext)): + print(mycolors.foreground.cyan + "\nInformation about this actor couldn't be found on Malpedia.\n", mycolors.reset) + exit(1) + + if(not '200' in str(haresponse)): + print(mycolors.foreground.red + "\nAn error has occured while accessing Malpedia.\n", mycolors.reset) + exit(1) + + if(bkg == 1): + if (hatext['value']): + print(mycolors.foreground.yellow + "\nActor:".ljust(11) + mycolors.reset + hatext['value'], end=' ') + if(hatext['description']): + print(mycolors.foreground.yellow + "\n\nOverview: ".ljust(11) + mycolors.reset + ("\n".ljust(11)).join(textwrap.wrap(str(hatext['description']),width=100)), end=' ') + for key,value in hatext.items(): + if(key == 'meta'): + for key2,value2 in value.items(): + if (key2 == 'country'): + if (value['country']): + print(mycolors.foreground.yellow + "\n\nCountry:".ljust(12) + mycolors.reset + str(value['country']), end='\n') + if (key2 == 'synonyms'): + if (value['synonyms']): + print(mycolors.foreground.lightgreen + "\n\nSynonyms:".ljust(11), end=' ') + for x in value['synonyms']: + print(mycolors.reset + str(x), end=' ') + if (key2 == 'refs'): + if (value['refs']): + for x in value['refs']: + print(mycolors.foreground.lightgreen + "\nREFs:".ljust(11) + mycolors.reset + ("\n".ljust(11)).join(wrapper.wrap(str(x))).ljust(11), end=" ") + if(key == 'families'): + for key3,value3 in value.items(): + print("\n" + '-' * 112, end='') + print(mycolors.foreground.yellow + "\nFamily: ".ljust(11) + mycolors.reset + key3) + if 'updated' in value3.keys(): + if(value3['updated']): + print(mycolors.foreground.lightgreen + "Updated: ".ljust(10) + mycolors.reset + value3['updated' ]) + if 'attribution' in value3.keys(): + if(len(value3['attribution']) > 0): + print(mycolors.foreground.lightgreen + "Attrib.: ".ljust(9), end=' ') + for y in value3['attribution']: + print(mycolors.reset + y, end=' ') + if 'alt_names' in value3.keys(): + if(len(value3['alt_names']) > 0): + print(mycolors.foreground.lightgreen + "\nAliases: ".ljust(10), end=' ') + for y in value3['alt_names']: + print(mycolors.reset + y, end=' ') + if 'common_name' in value3.keys(): + if(value3['common_name']): + print(mycolors.foreground.lightgreen + "\nCommon: ".ljust(11) + mycolors.reset + value3['common_name' ], end=' ') + if 'sources' in value3.keys(): + if(len(value3['sources']) > 0): + print(mycolors.foreground.lightgreen + "\nSources: ".ljust(11), end=' ') + for y in value3['sources']: + print(mycolors.reset + y, end=' ') + if 'description' in value3.keys(): + if value3['description']: + print(mycolors.foreground.lightgreen + "\nDescr.: ".ljust(11) + mycolors.reset + ("\n".ljust(11)).join(textwrap.wrap(str(value3['description']),width=100)), end=' ') + if 'urls' in value3.keys(): + if(len(value3['urls']) > 0): + for y in value3['urls']: + print(mycolors.foreground.lightgreen + "\nURLs: ".ljust(11) + mycolors.reset + ("\n".ljust(11)).join(wrapper.wrap(str(y))).ljust(11), end=" ") + + if(bkg == 0): + if (hatext['value']): + print(mycolors.foreground.red + "\nActor:".ljust(11) + mycolors.reset + hatext['value'], end=' ') + if(hatext['description']): + print(mycolors.foreground.red + "\n\nOverview: ".ljust(11) + mycolors.reset + ("\n".ljust(11)).join(textwrap.wrap(str(hatext['description']),width=100)), end=' ') + for key,value in hatext.items(): + if(key == 'meta'): + for key2,value2 in value.items(): + if (key2 == 'country'): + if (value['country']): + print(mycolors.foreground.red + "\n\nCountry:".ljust(12) + mycolors.reset + str(value['country']), end='\n') + if (key2 == 'synonyms'): + if (value['synonyms']): + print(mycolors.foreground.green + "\n\nSynonyms:".ljust(11), end=' ') + for x in value['synonyms']: + print(mycolors.reset + str(x), end=' ') + if (key2 == 'refs'): + if (value['refs']): + for x in value['refs']: + print(mycolors.foreground.green + "\nREFs:".ljust(11) + mycolors.reset + ("\n".ljust(11)).join(wrapper.wrap(str(x))).ljust(11), end=" ") + if(key == 'families'): + for key3,value3 in value.items(): + print("\n" + '-' * 112, end='') + print(mycolors.foreground.red + "\nFamily: ".ljust(11) + mycolors.reset + key3) + if 'updated' in value3.keys(): + if(value3['updated']): + print(mycolors.foreground.green + "Updated: ".ljust(10) + mycolors.reset + value3['updated' ]) + if 'attribution' in value3.keys(): + if(len(value3['attribution']) > 0): + print(mycolors.foreground.green + "Attrib.: ".ljust(9), end=' ') + for y in value3['attribution']: + print(mycolors.reset + y, end=' ') + if 'alt_names' in value3.keys(): + if(len(value3['alt_names']) > 0): + print(mycolors.foreground.green + "\nAliases: ".ljust(10), end=' ') + for y in value3['alt_names']: + print(mycolors.reset + y, end=' ') + if 'common_name' in value3.keys(): + if(value3['common_name']): + print(mycolors.foreground.green + "\nCommon: ".ljust(11) + mycolors.reset + value3['common_name' ], end=' ') + if 'sources' in value3.keys(): + if(len(value3['sources']) > 0): + print(mycolors.foreground.green + "\nSources: ".ljust(11), end=' ') + for y in value3['sources']: + print(mycolors.reset + y, end=' ') + if 'description' in value3.keys(): + if value3['description']: + print(mycolors.foreground.green + "\nDescr.: ".ljust(11) + mycolors.reset + ("\n".ljust(11)).join(textwrap.wrap(str(value3['description']),width=100)), end=' ') + if 'urls' in value3.keys(): + if(len(value3['urls']) > 0): + for y in value3['urls']: + print(mycolors.foreground.green + "\nURLs: ".ljust(11) + mycolors.reset + ("\n".ljust(11)).join(wrapper.wrap(str(y))).ljust(11), end=" ") + + except ValueError as e: + print(e) + if (bkg == 1): + print((mycolors.foreground.lightred + "Error while connecting to Malpedia!\n")) + else: + print((mycolors.foreground.red + "Error while connecting to Malpedia!\n")) + print(mycolors.reset) + + +def malpedia_families(urlx, arg1): + + hatext = '' + haresponse = '' + myargs = arg1 + wrapper = textwrap.TextWrapper(width=100) + + try: + + resource = urlx + requestsession = requests.Session( ) + requestsession.headers.update({'Content-Type': 'application/json'}) + requestsession.headers.update({'Authorization': 'apitoken ' + MALPEDIAAPI }) + finalurl = '/'.join([resource, 'list', 'families']) + haresponse = requestsession.get(url=finalurl) + hatext = json.loads(haresponse.text) + + if(not '200' in str(haresponse)): + print(mycolors.foreground.red + "\nAn error has occured while accessing Malpedia.\n", mycolors.reset) + exit(1) + + if(bkg == 1): + print(mycolors.foreground.yellow + "\nFamilies:".ljust(13), end='\n'.ljust(11)) + j = 1 + for i in hatext: + if (j < 10): + print(mycolors.foreground.lightcyan + "Family_%s: " % j + mycolors.reset + str(i), end='\n'.ljust(11)) + if ((j > 9) and (j < 100)): + print(mycolors.foreground.lightcyan + "Family_%s: " % j + mycolors.reset + str(i), end='\n'.ljust(11)) + if ((j > 99) and (j < 1000)): + print(mycolors.foreground.lightcyan + "Family_%s: " % j + mycolors.reset + str(i), end='\n'.ljust(11)) + if (j > 999): + print(mycolors.foreground.lightcyan + "Family_%s: " % j + mycolors.reset + str(i), end='\n'.ljust(11)) + j = j + 1 + + if(bkg == 0): + print(mycolors.foreground.red + "\nFamilies:".ljust(13), end='\n'.ljust(11)) + j = 1 + for i in hatext: + if (j < 10): + print(mycolors.foreground.cyan + "Family_%s: " % j + mycolors.reset + str(i), end='\n'.ljust(11)) + if ((j > 9) and (j < 100)): + print(mycolors.foreground.cyan + "Family_%s: " % j + mycolors.reset + str(i), end='\n'.ljust(11)) + if (j > 99): + print(mycolors.foreground.cyan + "Family_%s: " % j + mycolors.reset + str(i), end='\n'.ljust(11)) + if ((j > 99) and (j < 1000)): + print(mycolors.foreground.cyan + "Family_%s: " % j + mycolors.reset + str(i), end='\n'.ljust(11)) + j = j + 1 + + except ValueError as e: + print(e) + if (bkg == 1): + print((mycolors.foreground.lightred + "Error while connecting to Malpedia!\n")) + else: + print((mycolors.foreground.red + "Error while connecting to Malpedia!\n")) + print(mycolors.reset) + + +def malpedia_get_family(urlx, arg1): + + hatext = '' + haresponse = '' + myargs = arg1 + wrapper = textwrap.TextWrapper(width=100) + + try: + + resource = urlx + requestsession = requests.Session( ) + requestsession.headers.update({'Content-Type': 'application/json'}) + requestsession.headers.update({'Authorization': 'apitoken ' + MALPEDIAAPI }) + finalurl = '/'.join([resource, 'get', 'family', myargs]) + haresponse = requestsession.get(url=finalurl) + hatext = json.loads(haresponse.text) + + if (bkg == 1): + if('Not found.' in str(hatext)): + print(mycolors.foreground.yellow + "\nInformation about this family couldn't be found on Malpedia.\n", mycolors.reset) + exit(1) + + if (bkg == 0): + if('Not found.' in str(hatext)): + print(mycolors.foreground.cyan + "\nInformation about this family couldn't be found on Malpedia.\n", mycolors.reset) + exit(1) + + if(not '200' in str(haresponse)): + print(mycolors.foreground.red + "\nAn error has occured while accessing Malpedia.\n", mycolors.reset) + exit(1) + + if(bkg == 1): + print(mycolors.foreground.lightcyan + "\nFamily:".ljust(14) + mycolors.reset + myargs) + print(mycolors.foreground.yellow + "\nUpdated:".ljust(14) + mycolors.reset + hatext['updated'], end=' ') + if (hatext['attribution']): + print(mycolors.foreground.yellow + "\nAttribution:".ljust(13), end=' ') + for i in hatext['attribution']: + print(mycolors.reset + str(i), end=' ') + if (hatext['alt_names']): + print(mycolors.foreground.yellow + "\nAliases:".ljust(13), end=' ') + for i in hatext['alt_names']: + print(mycolors.reset + i, end=' ') + if (hatext['common_name']): + print(mycolors.foreground.yellow + "\nCommon Name: ".ljust(13) + mycolors.reset + hatext['common_name'], end=' ') + if (hatext['description']): + print(mycolors.foreground.yellow + "\nDescription: ".ljust(13) + mycolors.reset + ("\n".ljust(14)).join(textwrap.wrap(hatext['description'],width=110)), end='\n') + + if (hatext['urls']): + j = 0 + for i in hatext['urls']: + if (j < 10): + print(mycolors.foreground.yellow + "\nURL_%d:".ljust(15) % j + mycolors.reset + ("\n".ljust(14)).join(textwrap.wrap(i,width=110)), end=' ') + if (j > 9 and j < 100): + print(mycolors.foreground.yellow + "\nURL_%d:".ljust(14) % j + mycolors.reset + ("\n".ljust(14)).join(textwrap.wrap(i,width=110)), end=' ') + if (j > 99): + print(mycolors.foreground.yellow + "\nURL_%d:".ljust(13) % j + mycolors.reset + ("\n".ljust(14)).join(textwrap.wrap(i,width=110)), end=' ') + j = j + 1 + + if(bkg == 0): + print(mycolors.foreground.purple + "\nFamily:".ljust(14) + mycolors.reset + myargs) + print(mycolors.foreground.cyan + "\nUpdated:".ljust(14) + mycolors.reset + hatext['updated'], end=' ') + if (hatext['attribution']): + print(mycolors.foreground.cyan + "\nAttribution:".ljust(13), end=' ') + for i in hatext['attribution']: + print(mycolors.reset + str(i), end=' ') + if (hatext['alt_names']): + print(mycolors.foreground.cyan + "\nAliases:".ljust(13), end=' ') + for i in hatext['alt_names']: + print(mycolors.reset + i, end=' ') + if (hatext['common_name']): + print(mycolors.foreground.cyan + "\nCommon Name: ".ljust(13) + mycolors.reset + hatext['common_name'], end=' ') + if (hatext['description']): + print(mycolors.foreground.cyan + "\nDescription: ".ljust(13) + mycolors.reset + ("\n".ljust(14)).join(textwrap.wrap(hatext['description'],width=110)), end='\n') + + if (hatext['urls']): + j = 0 + for i in hatext['urls']: + if (j < 10): + print(mycolors.foreground.cyan + "\nURL_%d:".ljust(15) % j + mycolors.reset + ("\n".ljust(14)).join(textwrap.wrap(i,width=110)), end=' ') + if (j > 9 and j < 100): + print(mycolors.foreground.cyan + "\nURL_%d:".ljust(14) % j + mycolors.reset + ("\n".ljust(14)).join(textwrap.wrap(i,width=110)), end=' ') + if (j > 99): + print(mycolors.foreground.cyan + "\nURL_%d:".ljust(13) % j + mycolors.reset + ("\n".ljust(14)).join(textwrap.wrap(i,width=110)), end=' ') + j = j + 1 + + except ValueError as e: + print(e) + if (bkg == 1): + print((mycolors.foreground.lightred + "Error while connecting to Malpedia!\n")) + else: + print((mycolors.foreground.red + "Error while connecting to Malpedia!\n")) + print(mycolors.reset) + + +def malpedia_get_sample(urlx, arg1): + + hatext = '' + haresponse = '' + myargs = arg1 + + try: + + resource = urlx + requestsession = requests.Session( ) + requestsession.headers.update({'Content-Type': 'application/json'}) + requestsession.headers.update({'Authorization': 'apitoken ' + MALPEDIAAPI }) + finalurl = '/'.join([resource, 'get', 'sample', myargs, 'zip']) + haresponse = requestsession.get(url=finalurl) + hatext = json.loads(haresponse.text) + + if (bkg == 1): + if('Not found.' in str(hatext)): + print(mycolors.foreground.yellow + "\nThis sample couldn't be found on Malpedia.\n", mycolors.reset) + exit(1) + + if (bkg == 0): + if('Not found.' in str(hatext)): + print(mycolors.foreground.cyan + "\nThis sample couldn't be found on Malpedia.\n", mycolors.reset) + exit(1) + + if(not '200' in str(haresponse)): + print(mycolors.foreground.red + "\nAn error has occured while accessing Malpedia.\n", mycolors.reset) + exit(1) + + if('200' in str(haresponse)): + if (bkg == 1): + open(myargs+".zip", 'wb').write(base64.b64decode(hatext['zipped'])) + print(mycolors.foreground.lightgreen + "\nSample successfuly downloaded from Malpedia!\n", mycolors.reset) + else: + open(myargs+".zip", 'wb').write(base64.b64decode(hatext['zipped'])) + print(mycolors.foreground.green + "\nSample successfuly downloaded from Malpedia!\n", mycolors.reset) + exit(0) + + except ValueError as e: + print(e) + if (bkg == 1): + print((mycolors.foreground.lightred + "Error while connecting to Malpedia!\n")) + else: + print((mycolors.foreground.red + "Error while connecting to Malpedia!\n")) + print(mycolors.reset) + + +def malpedia_get_yara(urlx, arg1): + + hatext = '' + haresponse = '' + myargs = arg1 + + try: + resource = urlx + requestsession = requests.Session( ) + requestsession.headers.update({'Content-Type': 'application/json'}) + requestsession.headers.update({'Authorization': 'apitoken ' + MALPEDIAAPI }) + finalurl = '/'.join([resource, 'get', 'yara', myargs, 'zip']) + haresponse = requestsession.get(url=finalurl) + + if (bkg == 1): + if('Not found.' in str(hatext)): + print(mycolors.foreground.yellow + "\nThe Yara rule for this family couldn't be found on Malpedia.\n", mycolors.reset) + exit(1) + + if (bkg == 0): + if('Not found.' in str(hatext)): + print(mycolors.foreground.cyan + "\nThe Yara rule for this family couldn't be found on Malpedia.\n", mycolors.reset) + exit(1) + + if(not '200' in str(haresponse)): + print(mycolors.foreground.red + "\nAn error has occured while accessing Malpedia.\n", mycolors.reset) + exit(1) + + if('200' in str(haresponse)): + if (bkg == 1): + open(myargs+".zip", 'wb').write(haresponse.content) + print(mycolors.foreground.lightgreen + "\nA zip file named %s.zip containing Yara rules has been SUCCESSFULLY downloaded from Malpedia!\n" % myargs, mycolors.reset) + else: + open(myargs+".zip", 'wb').write(haresponse.content) + print(mycolors.foreground.green + "\nA zip file named %s.zip containing Yara rules has been SUCCESSFULLY downloaded from Malpedia!\n" % myargs, mycolors.reset) + exit(0) + + except ValueError as e: + print(e) + if (bkg == 1): + print((mycolors.foreground.lightred + "Error while connecting to Malpedia!\n")) + else: + print((mycolors.foreground.red + "Error while connecting to Malpedia!\n")) + print(mycolors.reset) + + +def threatcrowd_email(urlx, arg1): + + hatext = '' + haresponse = '' + myargs = arg1 + + try: + resource = urlx + requestsession = requests.Session( ) + requestsession.headers.update({'Content-Type': 'application/json'}) + finalurl = '/'.join([resource, 'email', 'report']) + haresponse = requestsession.get(url=finalurl, params={"email":myargs}) + hatext = json.loads(haresponse.text) + + if(hatext['response_code'] == '0'): + if (bkg == 1): + print(mycolors.foreground.yellow + "\nThe provided e-mail address hasn't been found on ThreatCrowd.\n", mycolors.reset) + exit(0) + if (bkg == 0): + print(mycolors.foreground.purple + "\nThe provided e-mail address hasn't been found on ThreatCrowd.\n", mycolors.reset) + exit(0) + + if(not '200' in str(haresponse)): + if (bkg == 1): + print(mycolors.foreground.lightred + "\nAn error has occured while accessing ThreatCrowd.\n", mycolors.reset) + exit(1) + if (bkg == 0): + print(mycolors.foreground.red + "\nAn error has occured while accessing ThreatCrowd.\n", mycolors.reset) + exit(1) + + if(bkg == 1): + print(mycolors.foreground.yellow + "\nEmail:".ljust(12) + mycolors.reset + myargs) + if (hatext['domains']): + print(mycolors.foreground.purple + "\nDomains:".ljust(13) + mycolors.reset, end=' ') + print(mycolors.reset + "\n".ljust(12), end='') + for i in sorted(hatext['domains']): + print(mycolors.reset + str(i).ljust(12), end='\n'.ljust(12)) + if (hatext['references']): + print(mycolors.foreground.purple + "\nReferences:".ljust(13) + mycolors.reset, end=' ') + print(mycolors.reset + "\n".ljust(12), end='') + for i in hatext['references']: + print(mycolors.reset + str(i).ljust(12), end='\n'.ljust(12)) + + if(bkg == 0): + print(mycolors.foreground.red + "\nEmail:".ljust(12) + mycolors.reset + myargs) + if (hatext['domains']): + print(mycolors.foreground.blue + "\nDomains:".ljust(13) + mycolors.reset, end=' ') + print(mycolors.reset + "\n".ljust(12), end='') + for i in sorted(hatext['domains']): + print(mycolors.reset + str(i).ljust(12), end='\n'.ljust(12)) + if (hatext['references']): + print(mycolors.foreground.blue + "\nReferences:".ljust(13) + mycolors.reset, end=' ') + print(mycolors.reset + "\n".ljust(12), end='') + for i in hatext['references']: + print(mycolors.reset + ("\n".ljust(12)).join(textwrap.wrap(str(i),width=110)).ljust(12), end="\n".ljust(12)) + + except ValueError as e: + print(e) + if (bkg == 1): + print((mycolors.foreground.lightred + "Error while connecting to ThreatCrowd!\n")) + else: + print((mycolors.foreground.red + "Error while connecting to ThreatCrowd!\n")) + print(mycolors.reset) + + +def threatcrowd_ip(urlx, arg1): + + hatext = '' + haresponse = '' + myargs = arg1 + + try: + resource = urlx + requestsession = requests.Session( ) + requestsession.headers.update({'Content-Type': 'application/json'}) + finalurl = '/'.join([resource, 'ip', 'report']) + haresponse = requestsession.get(url=finalurl, params={"ip":myargs}) + hatext = json.loads(haresponse.text) + + if(hatext['response_code'] == '0'): + if (bkg == 1): + print(mycolors.foreground.yellow + "\nThe provided IP address hasn't been found on ThreatCrowd.\n", mycolors.reset) + exit(0) + if (bkg == 0): + print(mycolors.foreground.purple + "\nThe provided IP address hasn't been found on ThreatCrowd.\n", mycolors.reset) + exit(0) + + if(not '200' in str(haresponse)): + if (bkg == 1): + print(mycolors.foreground.lightred + "\nAn error has occured while accessing ThreatCrowd.\n", mycolors.reset) + exit(1) + if (bkg == 0): + print(mycolors.foreground.red + "\nAn error has occured while accessing ThreatCrowd.\n", mycolors.reset) + exit(1) + + if(bkg == 1): + print(mycolors.foreground.yellow + "\nIP:".ljust(14) + mycolors.reset + myargs + mycolors.foreground.yellow + " City: " + mycolors.reset + (geocoder.ip(myargs)).city) + if (hatext['resolutions']): + print(mycolors.foreground.lightgreen + "\nResolutions:".ljust(14) + mycolors.reset, end=' ') + for i in sorted(hatext['resolutions'], key=itemgetter('last_resolved')): + print(mycolors.reset + "\n".ljust(14) + mycolors.foreground.pink + "Last Resolved: " + mycolors.reset + i['last_resolved'], end=' ') + print(mycolors.reset + mycolors.foreground.pink + "Domain: " + mycolors.reset + i['domain'], end="") + if (hatext['hashes']): + print(mycolors.foreground.lightgreen + "\n\nHashes:".ljust(13) + mycolors.reset, end=' ') + print(mycolors.reset + "\n".ljust(14), end='') + for i in hatext['hashes']: + print(mycolors.reset + str(i).ljust(14), end='\n'.ljust(14)) + + if(bkg == 0): + print(mycolors.foreground.red + "\nIP:".ljust(14) + mycolors.reset + myargs + mycolors.foreground.red + " City: " + mycolors.reset + (geocoder.ip(myargs)).city) + if (hatext['resolutions']): + print(mycolors.foreground.green + "\nResolutions:".ljust(14) + mycolors.reset, end=' ') + for i in sorted(hatext['resolutions'], key=itemgetter('last_resolved')): + print(mycolors.reset + "\n".ljust(14) + mycolors.foreground.purple + "Last Resolved: " + mycolors.reset + i['last_resolved'], end=' ') + print(mycolors.reset + mycolors.foreground.purple + "Domain: " + mycolors.reset + i['domain'], end="") + if (hatext['hashes']): + print(mycolors.foreground.green + "\n\nHashes:".ljust(13) + mycolors.reset, end=' ') + print(mycolors.reset + "\n".ljust(14), end='') + for i in hatext['hashes']: + print(mycolors.reset + str(i).ljust(14), end='\n'.ljust(14)) + + except ValueError as e: + print(e) + if (bkg == 1): + print((mycolors.foreground.lightred + "Error while connecting to ThreatCrowd!\n")) + else: + print((mycolors.foreground.red + "Error while connecting to ThreatCrowd!\n")) + print(mycolors.reset) + + +def threatcrowd_domain(urlx, arg1): + + hatext = '' + haresponse = '' + myargs = arg1 + + try: + resource = urlx + requestsession = requests.Session( ) + requestsession.headers.update({'Content-Type': 'application/json'}) + finalurl = '/'.join([resource, 'domain', 'report']) + haresponse = requestsession.get(url=finalurl, params={"domain":myargs}) + hatext = json.loads(haresponse.text) + + if(hatext['response_code'] == '0'): + if (bkg == 1): + print(mycolors.foreground.yellow + "\nThe provided domain hasn't been found on ThreatCrowd.\n", mycolors.reset) + exit(0) + if (bkg == 0): + print(mycolors.foreground.purple + "\nThe provided domain hasn't been found on ThreatCrowd.\n", mycolors.reset) + exit(0) + + if(not '200' in str(haresponse)): + if (bkg == 1): + print(mycolors.foreground.lightred + "\nAn error has occured while accessing ThreatCrowd.\n", mycolors.reset) + exit(1) + if (bkg == 0): + print(mycolors.foreground.red + "\nAn error has occured while accessing ThreatCrowd.\n", mycolors.reset) + exit(1) + + if(bkg == 1): + print(mycolors.foreground.yellow + "\nDomain:".ljust(14) + mycolors.reset + myargs) + if (hatext['resolutions']): + print(mycolors.foreground.lightcyan + "\nResolutions:".ljust(14) + mycolors.reset, end=' ') + for i in sorted(hatext['resolutions'], key=itemgetter('last_resolved')): + print(mycolors.reset + "\n".ljust(14) + mycolors.foreground.lightgreen + "Last Resolved: " + mycolors.reset + i['last_resolved'], end=' ') + print(mycolors.reset + mycolors.foreground.lightgreen + "IP Address: " + mycolors.reset + i['ip_address'], end="") + + if (hatext['hashes']): + print(mycolors.foreground.lightcyan + "\n\nHashes:".ljust(13) + mycolors.reset, end=' ') + print(mycolors.reset + "\n".ljust(14), end='') + for i in hatext['hashes']: + print(mycolors.reset + str(i).ljust(14), end='\n'.ljust(14)) + + if (hatext['emails']): + print(mycolors.foreground.lightcyan + "\n\nEmails:".ljust(13) + mycolors.reset, end=' ') + print(mycolors.reset + "\n".ljust(14), end='') + for i in sorted(hatext['emails']): + print(mycolors.reset + str(i).ljust(14), end='\n'.ljust(14)) + + if (hatext['subdomains']): + print(mycolors.foreground.lightcyan + "\n\nSubdomains:".ljust(13) + mycolors.reset, end=' ') + print(mycolors.reset + "\n".ljust(14), end='') + for i in sorted(hatext['subdomains']): + print(mycolors.reset + str(i).ljust(14), end='\n'.ljust(14)) + + if (hatext['references']): + print(mycolors.foreground.lightcyan + "\n\nReferences:".ljust(13) + mycolors.reset, end=' ') + print(mycolors.reset + "\n".ljust(14), end='') + for i in hatext['references']: + print(mycolors.reset + ("\n".ljust(14)).join(textwrap.wrap(str(i),width=110)).ljust(14), end="\n".ljust(14)) + + if(bkg == 0): + print(mycolors.foreground.red + "\nDomain:".ljust(14) + mycolors.reset + myargs) + if (hatext['resolutions']): + print(mycolors.foreground.cyan + "\nResolutions:".ljust(14) + mycolors.reset, end=' ') + for i in sorted(hatext['resolutions'], key=itemgetter('last_resolved')): + print(mycolors.reset + "\n".ljust(14) + mycolors.foreground.green + "Last Resolved: " + mycolors.reset + i['last_resolved'], end=' ') + print(mycolors.reset + mycolors.foreground.green + "IP Address: " + mycolors.reset + i['ip_address'], end="") + + if (hatext['hashes']): + print(mycolors.foreground.cyan + "\n\nHashes:".ljust(13) + mycolors.reset, end=' ') + print(mycolors.reset + "\n".ljust(14), end='') + for i in hatext['hashes']: + print(mycolors.reset + str(i).ljust(14), end='\n'.ljust(14)) + + if (hatext['emails']): + print(mycolors.foreground.cyan + "\n\nEmails:".ljust(13) + mycolors.reset, end=' ') + print(mycolors.reset + "\n".ljust(14), end='') + for i in sorted(hatext['emails']): + print(mycolors.reset + str(i).ljust(14), end='\n'.ljust(14)) + + if (hatext['subdomains']): + print(mycolors.foreground.cyan + "\n\nSubdomains:".ljust(13) + mycolors.reset, end=' ') + print(mycolors.reset + "\n".ljust(14), end='') + for i in sorted(hatext['subdomains']): + print(mycolors.reset + str(i).ljust(14), end='\n'.ljust(14)) + + if (hatext['references']): + print(mycolors.foreground.cyan + "\n\nReferences:".ljust(13) + mycolors.reset, end=' ') + print(mycolors.reset + "\n".ljust(14), end='') + for i in hatext['references']: + print(mycolors.reset + ("\n".ljust(14)).join(textwrap.wrap(str(i),width=110)).ljust(14), end="\n".ljust(14)) + + except ValueError as e: + print(e) + if (bkg == 1): + print((mycolors.foreground.lightred + "Error while connecting to ThreatCrowd!\n")) + else: + print((mycolors.foreground.red + "Error while connecting to ThreatCrowd!\n")) + print(mycolors.reset) + + +def threatcrowd_hash(urlx, arg1): + + hatext = '' + haresponse = '' + myargs = arg1 + + try: + resource = urlx + requestsession = requests.Session( ) + requestsession.headers.update({'Content-Type': 'application/json'}) + finalurl = '/'.join([resource, 'file', 'report']) + haresponse = requestsession.get(url=finalurl, params={"resource":myargs}) + hatext = json.loads(haresponse.text) + + if(hatext['response_code'] == '0'): + if (bkg == 1): + print(mycolors.foreground.yellow + "\nThe provided hash hasn't been found on ThreatCrowd.\n", mycolors.reset) + exit(0) + if (bkg == 0): + print(mycolors.foreground.purple + "\nThe provided hash hasn't been found on ThreatCrowd.\n", mycolors.reset) + exit(0) + + if(not '200' in str(haresponse)): + if (bkg == 1): + print(mycolors.foreground.lightred + "\nAn error has occured while accessing ThreatCrowd.\n", mycolors.reset) + exit(1) + if (bkg == 0): + print(mycolors.foreground.red + "\nAn error has occured while accessing ThreatCrowd.\n", mycolors.reset) + exit(1) + + if(bkg == 1): + print(mycolors.foreground.yellow + "\nHash:".ljust(14) + mycolors.reset + myargs) + + if (hatext['md5']): + print(mycolors.foreground.lightgreen + "\nMD5:".ljust(14) + mycolors.reset + hatext['md5'], end=' ') + + if (hatext['sha1']): + print(mycolors.foreground.lightgreen + "\nSHA1:".ljust(14) + mycolors.reset + hatext['sha1'], end=' ') + print(mycolors.foreground.lightgreen + "\nScans:".ljust(14) + mycolors.reset) + + if (hatext['scans']): + print(mycolors.foreground.lightgreen + "\nAntivirus:".ljust(14) + mycolors.reset, end=' ') + for i in sorted(hatext['scans']): + print(mycolors.reset + "\n".ljust(14) + mycolors.foreground.lightcyan + mycolors.reset + i, end=' ') + + if (hatext['ips']): + print(mycolors.foreground.lightgreen + "\nIPs:".ljust(14) + mycolors.reset, end=' ') + for i in sorted(hatext['ips']): + print(mycolors.reset + "\n".ljust(14) + mycolors.foreground.lightcyan + mycolors.reset + i, end=' ') + + if (hatext['domains']): + print(mycolors.foreground.lightgreen + "\n\nDomains:".ljust(14) + mycolors.reset, end=' ') + for i in sorted(hatext['domains']): + print(mycolors.reset + "\n".ljust(14) + mycolors.foreground.lightcyan + mycolors.reset + i, end=' ') + + if (hatext['references']): + print(mycolors.foreground.lightgreen + "\n\nReferences:".ljust(13) + mycolors.reset, end=' ') + print(mycolors.reset + "\n".ljust(14), end='') + for i in hatext['references']: + print(mycolors.reset + ("\n".ljust(14)).join(textwrap.wrap(str(i),width=110)).ljust(14), end="\n".ljust(14)) + + if(bkg == 0): + print(mycolors.foreground.yellow + "\nHash:".ljust(14) + mycolors.reset + myargs) + + if (hatext['md5']): + print(mycolors.foreground.green + "\nMD5:".ljust(14) + mycolors.reset + hatext['md5'], end=' ') + + if (hatext['sha1']): + print(mycolors.foreground.green + "\nSHA1:".ljust(14) + mycolors.reset + hatext['sha1'], end=' ') + print(mycolors.foreground.green + "\nScans:".ljust(14) + mycolors.reset) + + if (hatext['scans']): + print(mycolors.foreground.green + "\nAntivirus:".ljust(14) + mycolors.reset, end=' ') + for i in sorted(hatext['scans']): + print(mycolors.reset + "\n".ljust(14) + mycolors.foreground.cyan + mycolors.reset + i, end=' ') + + if (hatext['ips']): + print(mycolors.foreground.green + "\nIPs:".ljust(14) + mycolors.reset, end=' ') + for i in sorted(hatext['ips']): + print(mycolors.reset + "\n".ljust(14) + mycolors.foreground.cyan + mycolors.reset + i, end=' ') + + if (hatext['domains']): + print(mycolors.foreground.green + "\n\nDomains:".ljust(14) + mycolors.reset, end=' ') + for i in sorted(hatext['domains']): + print(mycolors.reset + "\n".ljust(14) + mycolors.foreground.cyan + mycolors.reset + i, end=' ') + + if (hatext['references']): + print(mycolors.foreground.green + "\n\nReferences:".ljust(13) + mycolors.reset, end=' ') + print(mycolors.reset + "\n".ljust(14), end='') + for i in hatext['references']: + print(mycolors.reset + ("\n".ljust(14)).join(textwrap.wrap(str(i),width=110)).ljust(14), end="\n".ljust(14)) + + print("\n") + + except ValueError as e: + print(e) + if (bkg == 1): + print((mycolors.foreground.lightred + "Error while connecting to ThreatCrowd!\n")) + else: + print((mycolors.foreground.red + "Error while connecting to ThreatCrowd!\n")) + print(mycolors.reset) + + +def threatcrowd_antivirus(urlx, arg1): + + hatext = '' + haresponse = '' + myargs = arg1 + + try: + resource = urlx + requestsession = requests.Session( ) + requestsession.headers.update({'Content-Type': 'application/json'}) + finalurl = '/'.join([resource, 'antivirus', 'report']) + haresponse = requestsession.get(url=finalurl, params={"antivirus":myargs}) + hatext = json.loads(haresponse.text) + + if(hatext['response_code'] == '0'): + if (bkg == 1): + print(mycolors.foreground.yellow + "\nThis name hasn't been found on ThreatCrowd.\n", mycolors.reset) + exit(0) + if (bkg == 0): + print(mycolors.foreground.purple + "\nThis name hasn't been found on ThreatCrowd.\n", mycolors.reset) + exit(0) + + if(not '200' in str(haresponse)): + if (bkg == 1): + print(mycolors.foreground.lightred + "\nAn error has occured while accessing ThreatCrowd.\n", mycolors.reset) + exit(1) + if (bkg == 0): + print(mycolors.foreground.red + "\nAn error has occured while accessing ThreatCrowd.\n", mycolors.reset) + exit(1) + + if(bkg == 1): + print(mycolors.foreground.yellow + "\nName:".ljust(14) + mycolors.reset + myargs) + + if (hatext['hashes']): + print(mycolors.foreground.lightgreen + "\nHashes:".ljust(14) + mycolors.reset, end='\n'.ljust(14)) + for k,i in enumerate(sorted(hatext['hashes']),-1): + if k % 3 == 2: + print(mycolors.reset + "\n".ljust(14) + mycolors.foreground.lightblue + f"{k+2:03}: " + mycolors.reset + i, end=' ') + else: + print(mycolors.reset + mycolors.foreground.lightblue + f"{k+2:03}: " + mycolors.reset + i, end=' ') + + if (hatext['references']): + print(mycolors.foreground.lightgreen + "\n\nReferences:".ljust(13) + mycolors.reset, end=' ') + print(mycolors.reset + "\n".ljust(14), end='') + for i in hatext['references']: + print(mycolors.reset + ("\n".ljust(14)).join(textwrap.wrap(str(i),width=110)).ljust(14), end="\n".ljust(14)) + + if(bkg == 0): + print(mycolors.foreground.red + "\nName:".ljust(14) + mycolors.reset + myargs) + + if (hatext['hashes']): + print(mycolors.foreground.green + "\nHashes:".ljust(14) + mycolors.reset, end='\n'.ljust(14)) + for k,i in enumerate(sorted(hatext['hashes']),-1): + if k % 3 == 2: + print(mycolors.reset + "\n".ljust(14) + mycolors.foreground.blue + f"{k+2:03}: " + mycolors.reset + i, end=' ') + else: + print(mycolors.reset + mycolors.foreground.blue + f"{k+2:03}: " + mycolors.reset + i, end=' ') + + if (hatext['references']): + print(mycolors.foreground.green + "\n\nReferences:".ljust(13) + mycolors.reset, end=' ') + print(mycolors.reset + "\n".ljust(14), end='') + for i in hatext['references']: + print(mycolors.reset + ("\n".ljust(14)).join(textwrap.wrap(str(i),width=110)).ljust(14), end="\n".ljust(14)) + + except ValueError as e: + print(e) + if (bkg == 1): + print((mycolors.foreground.lightred + "Error while connecting to ThreatCrowd!\n")) + else: + print((mycolors.foreground.red + "Error while connecting to ThreatCrowd!\n")) + print(mycolors.reset) + + + +def quickhashowAndroid(filehash): + + hatext = '' + haresponse = '' + final = 'Yes' + verdict = '-' + avdetect = '0' + totalsignatures = '-' + threatscore = '-' + totalprocesses = '-' + networkconnections = '-' + + try: + + resource = filehash + requestsession = requests.Session( ) + requestsession.headers.update({'user-agent': user_agent}) + requestsession.headers.update({'api-key': HAAPI}) + requestsession.headers.update({'content-type': 'application/x-www-form-urlencoded'}) + finalurl = '/'.join([haurl,'report', 'summary']) + resource1 = resource + ":200" + datahash = { + 'hashes[0]': resource1 + } + + haresponse = requestsession.post(url=finalurl, data = datahash) + hatext = json.loads(haresponse.text) + + rc = str(hatext) + + if 'message' in rc: + final = 'Not Found' + return (final, verdict, avdetect, totalsignatures, threatscore, totalprocesses, networkconnections) + + + except ValueError as e: + print(e) + if (bkg == 1): + print((mycolors.foreground.lightred + "Error while connecting to Alien Vault!\n")) + else: + print((mycolors.foreground.red + "Error while connecting to Alien Vault!\n")) + print(mycolors.reset) + + +def quickhashowAndroid(filehash): + + hatext = '' + haresponse = '' + final = 'Yes' + verdict = '-' + avdetect = '0' + totalsignatures = '-' + threatscore = '-' + totalprocesses = '-' + networkconnections = '-' + + try: + + resource = filehash + requestsession = requests.Session( ) + requestsession.headers.update({'user-agent': user_agent}) + requestsession.headers.update({'api-key': HAAPI}) + requestsession.headers.update({'content-type': 'application/x-www-form-urlencoded'}) + finalurl = '/'.join([haurl,'report', 'summary']) + resource1 = resource + ":200" + datahash = { + 'hashes[0]': resource1 + } + + haresponse = requestsession.post(url=finalurl, data = datahash) + hatext = json.loads(haresponse.text) + + rc = str(hatext) + + if 'message' in rc: + final = 'Not Found' + return (final, verdict, avdetect, totalsignatures, threatscore, totalprocesses, networkconnections) + + if 'verdict' in hatext[0]: + verdict = str(hatext[0]['verdict']) + else: + verdict = '' + + if 'threat_score' in hatext[0]: + threatscore = str(hatext[0]['threat_score']) + else: + threatscore = '' + + if 'av_detect' in hatext[0]: + avdetect = str(hatext[0]['av_detect']) + else: + avdetect = '' + + if 'total_signatures' in hatext[0]: + totalsignatures = str(hatext[0]['total_signatures']) + else: + totalsignatures = '' + + if 'total_processes' in hatext[0]: + totalprocesses = str(hatext[0]['total_processes']) + else: + totalprocesses = '' + + if 'total_network_connections' in hatext[0]: + networkconnections = str(hatext[0]['total_network_connections']) + else: + networkconnections = '' + + return (final, verdict, avdetect, totalsignatures, threatscore, totalprocesses, networkconnections) + + except ValueError as e: + print(e) + if (bkg == 1): + print((mycolors.foreground.lightred + "Error while connecting to Hybrid-Analysis!\n")) + else: + print((mycolors.foreground.red + "Error while connecting to Hybrid-Analysis!\n")) + print(mycolors.reset) + + +class androidVTThread(threading.Thread): + + def __init__(self, key, package): + + threading.Thread.__init__(self) + self.key = key + self.package = package + + def run(self): + + key1 = self.key + package1 = self.package + + myhash = key1 + vtfinal = vtcheck(myhash, url, param) + + if (bkg == 1): + print((mycolors.foreground.orange + "%-50s" % package1), end=' ') + print((mycolors.foreground.lightcyan + "%-32s" % key1), end=' ') + print((mycolors.reset + mycolors.foreground.lightgreen + "%8s" % vtfinal + mycolors.reset)) + else: + print((mycolors.foreground.green + "%-08s" % package), end=' ') + print((mycolors.foreground.cyan + "%-32s" % key1), end=' ') + print((mycolors.reset + mycolors.foreground.red + "%8s" % vtfinal + mycolors.reset)) + + +class quickHAAndroidThread(threading.Thread): + + def __init__(self, key, package): + + threading.Thread.__init__(self) + self.key = key + self.package = package + + def run(self): + + key1 = self.key + package1 = self.package + + myhash = key1 + (final, verdict, avdetect, totalsignatures, threatscore, totalprocesses, networkconnections) = quickhashowAndroid(myhash) + + if (bkg == 1): + print((mycolors.foreground.lightgreen + "%-50s" % package1), end=' ') + print((mycolors.foreground.yellow + "%-34s" % key1), end=' ') + print((mycolors.foreground.lightcyan + "%9s" % final), end='') + if (verdict == "malicious"): + print((mycolors.foreground.lightred + "%20s" % verdict), end='') + else: + print((mycolors.foreground.yellow + "%20s" % verdict), end='') + if(avdetect == 'None'): + print((mycolors.foreground.lightcyan + "%7s" % avdetect), end='') + else: + print((mycolors.foreground.lightcyan + "%6s%%" % avdetect), end='') + print((mycolors.foreground.orange + "%7s" % totalsignatures), end='') + if(threatscore == 'None'): + print((mycolors.foreground.lightred + "%12s" % threatscore), end='') + else: + print((mycolors.foreground.lightred + "%8s/100" % threatscore), end='') + print((mycolors.foreground.lightgreen + "%6s" % totalprocesses), end='') print((mycolors.foreground.lightgreen + "%6s" % networkconnections + mycolors.reset)) else: print((mycolors.foreground.lightcyan + "%-50s" % key1), end=' ') @@ -4026,17 +5914,18 @@ def dirchecking(repo2): print((mycolors.reset + "\n")) + if(Q == 1): + dirquick(d) + exit(0) print("FileName".center(65) + "ImpHash(PE32/PE32+) or Type".center(40) + "Packed?".center(9) + "Overlay?".center(10) + ".text_entropy".center(13) + "VT".center(8)) print((32*'-').center(32) + (36*'-').center(35) + (11*'-').center(10) + (10*'-').ljust(10) + (13*'-').center(13) + (42*'-').center(22)) dirwork(d) - if(Q == 1): - dirquick(d) - exit(0) - + if __name__ == "__main__": + windows = '' if platform.system() == 'Windows': USER_HOME_DIR = str(Path.home()) + '\\' @@ -4045,6 +5934,7 @@ def dirchecking(repo2): else: USER_HOME_DIR = str(Path.home()) + '/' windows == 0 + backg = 1 virustotal = 0 fprovided = 0 @@ -4070,111 +5960,117 @@ def dirchecking(repo2): fileha = '' reportha = '' multithread = 0 - quick = 0 malsharelist = 0 malsharehash = '' urlhaussubmit = '' urlhausquery = '' - urlhausbatch = 0 + hausbatch = 0 hauspayloadbatch = 0 haushash = '' hausdownloadpayload = '' - malsharetype = 1 - malsharedownload = 0 filecheckpoly = 0 polycheck = 0 polyswarmscan = '' - polyswarmurl = '' polyswarmhash = '' polyswarmmeta = '' androidha = 0 androidsendha = '' androidsendvt = '' - androidvt = 0 - androidvtt = 0 + androidvtx = 0 + androidvttx = 0 haustagsearch = '' haussigsearch = '' ipaddrvt = '' metatype = 0 - - parser = argparse.ArgumentParser(prog=None, description="Malwoverview is a malware triage tool written by Alexandre Borges. The current version is 3.1.2.", usage= "malwoverview.py -c -d -f -i <0|1> -b <0|1> -v <0|1> -a <0|1> -p <0|1> -s <0|1> -x <0|1> -w <|1> -u -H -V -D <0|1> -e<0|1|2|3|4> -A -g -r -t <0|1> -Q <0|1> -l <0|1> -n <1-12> -m -M <0|1> -U -S -z -B <0|1> -K <0|1> -j -J -P -N -R -G <0|1|2|3|4> -y <0|1> -Y -Z <0|1> -X <0|1> -Y -T -W -k -I ") + alienvault = 0 + alienvaultargs = '' + Q = 0 + T = 0 + malpedia = 0 + malpediax = 0 + malpediaarg = '' + malpediaargx = '' + threadcrowd = 0 + threatcrowdarg = 0 + + parser = argparse.ArgumentParser(prog=None, description="Malwoverview is a malware triage tool written by Alexandre Borges. The current version is 4.0.0.", usage= "python malwoverview.py -c -d -f -b <0|1> -v <0|1|2|3> -a <0|1|2|3|4|5> -x <0|1> -w <0|1> -u -H -V -D <0|1> -e<0|1|2|3|4> -A -g -r -t <0|1> -l <1-14> -L -U -S -z -K <0|1|2> -j -J -P -R -G <0|1|2|3|4> -y <0|1|2|3> -Y -Y -T -W -k -I -n <1|2|3|4|5> -N -M <1-8> -m -Q <1-5> -q ") parser.add_argument('-c', '--config', dest='config', type=str, metavar = "CONFIG FILE", default = (USER_HOME_DIR + '.malwapi.conf'), help='Use a custom config file to specify API\'s') - parser.add_argument('-d', '--directory', dest='direct',type=str, metavar = "DIRECTORY", help='specify directory containing malware samples.') - parser.add_argument('-f', '--filename', dest='fpname',type=str, metavar = "FILENAME", default = '', help='Specifies a full path to a file. Shows general information about the file (any filetype)') - parser.add_argument('-b', '--background', dest='backg', type=int, default = 1, metavar = "BACKGROUND", help='(optional) Adapts the output colors to a white terminal. The default is black terminal') - parser.add_argument('-i', '--iat_eat', dest='impsexts', type=int, default = 0, metavar = "IAT_EAT", help='(optional) Shows imports and exports (it is used with -f option).') - parser.add_argument('-x', '--overlay', dest='over', type=int, default = 0, metavar = "OVERLAY", help='(optional) Extracts overlay (it is used with -f option).') - parser.add_argument('-s', '--vtreport', dest='showvt', type=int, default = 0, metavar = "SHOW_VT_REPORT", help='Shows antivirus reports from the main players. This option is used with the -f option (any filetype).') - parser.add_argument('-v', '--virustotal', dest='virustotal', type=int, default = 0, metavar = "VIRUSTOTAL", help='Queries the Virus Total database for positives and totals. Thus, you need to edit your config file and insert your VT API.') - parser.add_argument('-a', '--hybrid', dest='hybridanalysis', type=int, default = 0, metavar = "HYBRID_ANALYSIS", help='Queries the Hybrid Analysis database for general report. Use the -e option to specify which environment are looking for the associate report because the sample can have been submitted to a different environment that you are looking for. Thus, you need to edit the configmalw.py and insert your HA API and secret.') - parser.add_argument('-p', '--vtpub', dest='pubkey', type=int, default = 0, metavar = "USE_VT_PUB_KEY", help='(optional) You should use this option if you have a public Virus Total API. It forces a one minute wait every 4 malware samples, but allows obtaining a complete evaluation of the malware repository.') - parser.add_argument('-w', '--windows', dest='win', type=int, default = 0, metavar = "RUN_ON_WINDOWS", help='This option is used when the OS is Microsoft Windows.') - parser.add_argument('-u', '--vturl', dest='urlx', type=str, metavar = "URL_VT", help='SUBMITS a URL for the Virus Total scanning.') - parser.add_argument('-I', '--ipaddrvt', dest='ipaddrvt', type=str, metavar = "IP_VT", help='This options checks an IP address on Virus Total.') - parser.add_argument('-r', '--urldomain', dest='domainx', type=str, metavar = "URL_DOMAIN", help='GETS a domain\'s report from Virus Total.') - parser.add_argument('-H', '--hash', dest='filehash', type=str, metavar = "FILE_HASH", help='Specifies the hash to be checked on Virus Total and Hybrid Analysis. For the Hybrid Analysis report you must use it together -e option.') - parser.add_argument('-V', '--vtsubmit', dest='filenamevt', type=str, metavar = "FILENAME_VT", help='SUBMITS a FILE(up to 32MB) to Virus Total scanning and read the report. Attention: use forward slash to specify the target file even on Windows systems. Furthermore, the minimum waiting time is set up in 90 seconds because the Virus Total queue. If an error occurs, so wait few minutes and try to access the report by using -f option.') - parser.add_argument('-A', '--submitha', dest='filenameha', type=str, metavar = "SUBMIT_HA", help='SUBMITS a FILE(up to 32MB) to be scanned by Hybrid Analysis engine. Use the -e option to specify the best environment to run the suspicious file.') + parser.add_argument('-d', '--directory', dest='direct',type=str, metavar = "DIRECTORY", help='Specifies the directory containing malware samples.') + parser.add_argument('-f', '--filename', dest='fpname',type=str, metavar = "FILENAME", default = '', help='Specifies a full path to a malware sample. It returns general information about the file (any filetype)') + parser.add_argument('-b', '--background', dest='backg', type=int,default = 1, metavar = "BACKGROUND", help='Adapts the output colors to a white terminal. The default is black terminal') + parser.add_argument('-x', '--overlay', dest='over', type=int,default = 0, metavar = "OVERLAY", help='Extracts the overlay (it is used with -f option).') + parser.add_argument('-v', '--virustotal', dest='virustotal', type=int,default = 0, metavar = "VIRUSTOTAL", help='If using "-v 1", so it queries the Virus Total database for positives and totals. If "v 2" (which can be used only together with -f option), so it shows antivirus reports from the main players. If "v 3", so the binary\'s IAT and EAT are also shown. Remember: you need to edit the .malwapi.conf and insert your VT API.') + parser.add_argument('-a', '--hybrid', dest='hybridanalysis', type=int,default = 0, metavar = "HYBRID_ANALYSIS", help='Queries the Hybrid Analysis database for getting a general report. Possible values are: 1: Windows 7 32-bit; 2: Windows 7 32-bit (HWP Support); 3: Windows 64-bit; 4: Android; 5: Linux 64-bit. Remember: you need to edit the .malwapi.conf and insert your HA API and secret.') + parser.add_argument('-u', '--vturl', dest='urlx', type=str, metavar = "URL_VT", help='SUBMITS a URL to the Virus Total scanning.') + parser.add_argument('-I', '--ipaddrvt', dest='ipaddrvt', type=str, metavar = "IP_VT", help='This option checks an IP address on Virus Total.') + parser.add_argument('-r', '--urldomain', dest='domainx', type=str, metavar = "URL_DOMAIN", help='This option gets a domain\'s report from Virus Total.') + parser.add_argument('-H', '--hash', dest='filehash', type=str, metavar = "FILE_HASH", help='This option specifies the hash to be checked on Virus Total and Hybrid Analysis. For the Hybrid Analysis report you must use it with the -e option.') + parser.add_argument('-V', '--vtsubmit', dest='filenamevt', type=str, metavar = "FILENAME_VT", help='Submits a file(up to 32MB) for Virus Total scanning and gets the report. Attention: use forward slash to specify the target file even on Windows systems. Furthermore, the minimum waiting time is set up in 90 seconds because the Virus Total waiting queue. If an error occurs, so wait few minutes and try to access the report by using -f option.') + parser.add_argument('-A', '--submitha', dest='filenameha', type=str, metavar = "SUBMIT_HA", help='Submits a file(up to 32MB) to be scanned by the Hybrid Analysis engine. Use the -e option to specify the best environment to run the suspicious file.') parser.add_argument('-g', '--hastatus', dest='reportha', type=str, metavar = "HA_STATUS", help='Checks the report\'s status of submitted samples to Hybrid Analysis engine by providing the job ID. Possible returned status values are: IN_QUEUE, SUCCESS, ERROR, IN_PROGRESS and PARTIAL_SUCCESS.') - parser.add_argument('-D', '--download', dest='download', type=int, default = 0, metavar = "DOWNLOAD", help='Downloads the sample from Hybrid Analysis. Option -H must be specified.') - parser.add_argument('-e', '--haenv', dest='sysenviron', type=int, default = 0, metavar = "HA_ENVIRONMENT", help='This option specifies the used environment to be used to test the samlple on Hybrid Analysis: <0> Windows 7 32-bits; <1> Windows 7 32-bits (with HWP Support); <2> Windows 7 64-bits; <3> Android; <4> Linux 64-bits environment. This option is used together either -H option or the -A option or -a option.') - parser.add_argument('-t', '--thread', dest='multithread', type=int, default = 0, metavar = "MULTITHREAD", help='(optional) This option is used to force multithreads on Linux whether: the -d option is specifed AND you have a PAID Virus Total API or you are NOT checking the VT while using the -d option. PS1: using this option causes the Imphashes not to be grouped anymore; PS2: it also works on Windows, but there is not gain in performance.') - parser.add_argument('-Q', '--quick', dest='quick', type=int, default = 0, metavar = "QUICK_CHECK", help='This option should be used with -d option in two scenarios: 1) either including the -v option (Virus Total -- you\'ll see a complete VT response whether you have the private API) for a multithread search and reduced output; 2) or including the -a option (Hybrid Analysis) for a multithread search and complete and amazing output. If you are using the -a option, so -e option can also be used to adjust the output to your sample types. PS1: certainly, if you have a directory holding many malware samples, so you will want to test this option with -a option; PS2: it also works on Windows, but there is not gain in performance.') - parser.add_argument('-l', '--malsharelist', dest='malsharelist', type=int, default = 0, metavar = "MALSHARE_HASHES", help='Show hashes from last 24 hours from Malshare. You need to insert your Malshare API into the configmalw.py file.') - parser.add_argument('-m', '--malsharehash', dest='malsharehash', type=str, metavar = "MALSHARE_HASH_SEARCH", help='Searches for the provided hash on the Malshare repository. You need to insert your Malshare API into the configmalw.py file. PS: sometimes the Malshare website is unavailable, so should check the website availability if you get some error message.') - parser.add_argument('-n', '--filetype', dest='malsharetype', type=int, metavar = "FILE_TYPE", default = 1, help='Specifies the file type to be listed by -l option. Therefore, it must be used together -l option. Possible values: 1: PE32 (default) ; 2: Dalvik ; 3: ELF ; 4: HTML ; 5: ASCII ; 6: PHP ; 7: Java ; 8: RAR ; 9: Zip ; 10: UTF-8 ; 11: MS-DOS ; 12: data ; 13: PDF ; 14: Composite(OLE).') - parser.add_argument('-M', '--malsharedownload', dest='malsharedownload', type=int, default = 0, metavar = "MALSHARE_DOWNLOAD", help='Downloads the sample from Malshare. This option must be specified with -m option.') - parser.add_argument('-B', '--haus_batch', dest='urlhausbatch', type=int, default = 0, metavar = "URL_HAUS_BATCH", help='Retrieves a list of recent URLs (last 3 days, limited to 1000 entries) from URLHaus website.') - parser.add_argument('-K', '--haus_payloadbatch', dest='hauspayloadbatch', type=int, default = 0, metavar = "HAUS_PAYLOADS", help='Retrieves a list of downloadable links to recent PAYLOADS (last 3 days, limited to 1000 entries) from URLHaus website. Take care: each link take you to download a passworless zip file containing a malware, so your AV can generate alerts!') - parser.add_argument('-U', '--haus_query', dest='urlhausquery', type=str, metavar = "URL_HAUS_QUERY", help='Queries a URL on the URLHaus website.') - parser.add_argument('-j', '--haus_hash', dest='haushash', type=str, metavar = "HAUS_HASH", help='Queries a payload\'s hash (md5 or sha256) on the URLHaus website.') - parser.add_argument('-S', '--haus_submission', dest='urlhaussubmit', type=str, metavar = "URL_HAUS_SUB", help='Submits a URL used to distribute malware (executable, script, document) to the URLHaus website. Pay attention: Any other submission will be ignored/deleted from URLhaus. You have to register your URLHaus API into the configmalw.py file.') + parser.add_argument('-D', '--download', dest='download', type=int,default = 0, metavar = "DOWNLOAD", help='Downloads the sample from Hybrid Analysis, Malshare and Polyswarm. Options -H or -L (Hybrid Analysis and Malshare, respectively) must be specified as well -O option for Polyswarm engine.') + parser.add_argument('-e', '--haenv', dest='sysenviron', type=int,default = 0, metavar = "HA_ENVIRONMENT", help='This option specifies the used environment to be used to test the samlple on Hybrid Analysis: <0> Windows 7 32-bits; <1> Windows 7 32-bits (with HWP Support); <2> Windows 7 64-bits; <3> Android; <4> Linux 64-bits environment. This option is used together either -H option or the -A option.') + parser.add_argument('-t', '--thread', dest='multithread', type=int,default = 0, metavar = "MULTITHREAD", help='(optional) This option has several different meanings according to chosen the value. Possible values: <1>: This value is used to force multithreads on Linux whether: the -d option is specifed AND you have a PAID Virus Total API or you are NOT checking the VT while using the -d option. PS1: using this option causes Imphashes not to be grouped anymore; PS2: it also works on Windows, but there is not gain in performance; <2>: This value should be used with -d option in two scenarios: 1) either including the "-v 1" option (Virus Total -- you\'ll see a complete VT response whether you have the private API) for a multithread searching and reduced output; 2) or including the -a option (Hybrid Analysis) for a multithread searching to get a complete and amazing output. If you are using the -a option, so you should pickup the right number represening the testing environment to adjust the output to your sample types. PS1: certainly, if you have a directory holding many malware samples, so you will want to test this option with -a option; PS2: it also works on Windows, but there is not gain in performance; <3>: You should use this value with -v option if you have a public Virus Total API. It forces a one minute wait every 4 malware samples, but allows obtaining a complete evaluation of the malware repository.') + parser.add_argument('-l', '--malsharelist', dest='malsharelist', type=int,default = 0, metavar = "MALSHARE_HASHES", help='This option shows hashes of a specific type from the last 24 hours from Malshare repository. Possible values are: 1: PE32 (default) ; 2: Dalvik ; 3: ELF ; 4: HTML ; 5: ASCII ; 6: PHP ; 7: Java ; 8: RAR ; 9: Zip ; 10: UTF-8 ; 11: MS-DOS ; 12: data ; 13: PDF ; 14: Composite(OLE). You need to insert your Malshare API into the .malwapi.conf file.') + parser.add_argument('-L', '--malsharehash', dest='malsharehash', type=str, metavar = "MALSHARE_HASH_SEARCH", help='Searches for the provided hash on the Malshare repository. You need to insert your Malshare API into the .malwapi.conf file. PS: sometimes the Malshare website is unavailable, so should check the website availability if you get some error message.') + parser.add_argument('-K', '--haus_payloadbatch', dest='hauspayloadbatch', type=int, default = 0, metavar = "HAUS_PAYLOAD_URL", help='THis option has few possible values: <1> Retrieves a list of downloadable links of recent PAYLOADS (last 3 days, limited to 1000 entries) from URLHaus website; <2>: Retrieves a list of recent URLs (last 3 days, limited to 1000 entries) from URLHaus website. Take care: each link take you to download a passworless zip file containing a malware, so your AV can generate alerts!') + parser.add_argument('-U', '--haus_query', dest='urlhausquery', type=str, metavar = "URL_HAUS_QUERY", help='Queries a URL on the URLHaus website.') + parser.add_argument('-j', '--haus_hash', dest='haushash', type=str, metavar = "HAUS_HASH", help='Queries information about a provided payload\'s hash (md5 or sha256) on the URLHaus website.') + parser.add_argument('-S', '--haus_submission', dest='urlhaussubmit', type=str, metavar = "URL_HAUS_SUB", help='Submits a URL used to distribute malware (executable, script, document) to the URLHaus website. Pay attention: Any other submission will be ignored/deleted from URLhaus. You have to register your URLHaus API into the .malwapi.conf file.') parser.add_argument('-z', '--haustag', dest='tag', type=str, default='', metavar = "HAUSTAG", nargs = "*", help='Associates tags (separated by spaces) to the specified URL. Please, only upper case, lower case, \'-\' and \'.\' are allowed. This parameter is optional, which could be used with the -S option.') parser.add_argument('-W', '--haustagsearch', dest='haustagsearch', type=str, default='', metavar = "HAUSTAGSEARCH", nargs = "*", help='This option is for searching malicious URLs by tag on URLhaus. Tags are case-senstive and only upper case, lower case, \'-\' and \'.\' are allowed.') parser.add_argument('-k', '--haussigsearch', dest='haussigsearch', type=str, default='', metavar = "HAUSSIGSEARCH", nargs = "*", help='This option is for searching malicious payload by tag on URLhaus. Tags are case-sensitive and only upper case, lower case, \'-\' and \'.\' are allowed.') - parser.add_argument('-J', '--haus_download', dest='hausdownloadpayload', type=str, metavar = "HAUS_DOWNLOAD", help='Downloads a sample (if it is available) from the URLHaus repository. It is necessary to provide the SHA256 hash.') - parser.add_argument('-P', '--polyswarm_scan', dest='polyswarmscan', type=str, metavar = "POLYSWARMFILE", help='(Only for Linux) Performs a file scan using the Polyswarm engine.') - parser.add_argument('-N', '--polyswarm_url', dest='polyswarmurl', type=str, metavar = "POLYSWARMURL", help='(Only for Linux) Performs a URL scan using the Polyswarm engine.') - parser.add_argument('-O', '--polyswarm_hash', dest='polyswarmhash', type=str, metavar = "POLYSWARMHASH", help='(Only for Linux) Performs a hash scan using the Polyswarm engine.') - parser.add_argument('-R', '--polyswarm_meta', dest='polyswarmmeta', type=str, metavar = "POLYSWARMMETA", help='(Only for Linux) Performs a complementary search for similar PE executables through meta-information or IP addresses using the Polyswarm engine. This parameters depends on -G parameters, so check it, please.') - parser.add_argument('-G', '--metatype', dest='metatype', type=int, default = 0, metavar = "METATYPE", help='(Only for Linux) This parameter specifies whether the -R option will gather information about the PE executable or IP address using the Polyswarm engine. Thus, 0: PE Executable ; 1: IP Address ; 2: Domains ; 3. URL.') - parser.add_argument('-y', '--androidha', dest='androidha', type=int, default = 0, metavar = "ANDROID_HA", help='Check all third-party APK packages from the USB-connected Android device against Hybrid Analysis using multithreads. The Android device does not need be rooted and you need have adb in your PATH environment variable.') - parser.add_argument('-Y', '--androidsendha', dest='androidsendha', type=str, metavar = "ANDROID_SEND_HA", help='Send an third-party APK packages from your USB-connected Android device to Hybrid Analysis. The Android device does not need be rooted and you need have adb in your PATH environment variable.') - parser.add_argument('-T', '--androidsendvt', dest='androidsendvt', type=str, metavar = "ANDROID_SEND_VT", help='Send an third-party APK packages from your USB-connected Android device to Virus Total. The Android device does not need be rooted and you need have adb in your PATH environment variable.') - parser.add_argument('-Z', '--androidvt', dest='androidvt', type=int, default = 0, metavar = "ANDROID_VT", help='Check all third-party APK packages from the USB-connected Android device against VirusTotal using Public API (slower because of 60 seconds delay for each 4 hashes). The Android device does not need be rooted and you need have adb in your PATH environment variable.') - parser.add_argument('-X', '--androidvtt', dest='androidvtt', type=int, default = 0, metavar = "ANDROID_VT", help='Check all third-party APK packages from the USB-connected Android device against VirusTotal using multithreads (only for Private Virus API). The Android device does not need be rooted and you need have adb in your PATH environment variable.') + parser.add_argument('-J', '--haus_download', dest='hausdownloadpayload', type=str, metavar = "HAUS_DOWNLOAD", help='Downloads a malware sample (if it is available) from the URLHaus repository. It is necessary to provide the SHA256 hash.') + parser.add_argument('-P', '--polyswarm_scan', dest='polyswarmscan', type=str, metavar = "POLYSWARMFILE", help='(Only for Linux) Submits a sample to Polyswarm engine and performs a file scan.') + parser.add_argument('-O', '--polyswarm_hash', dest='polyswarmhash', type=str, metavar = "POLYSWARMHASH", help='(Only for Linux) Performs a hash scanning using the Polyswarm engine. Optionally, you can specify -D option to download the sample. Take care: Polyswarm enforces a restriction to number of downloaded samples in 20/month.') + parser.add_argument('-R', '--polyswarm_meta', dest='polyswarmmeta', type=str, metavar = "POLYSWARMMETA", help='(Only for Linux) Provides the argument value for searches on Polyswarm engine through imphash (the PE file must be provided), ipv4, domain, URL and family. This argument must be used with -G option, so check it, please. Pay attention: you should check your metadata search limit on your Polyswarm account because once you have got the limit, so you will got an error.') + parser.add_argument('-G', '--metatype', dest='metatype', type=int, default = 0, metavar = "METATYPE", help='(Only for Linux) This parameter specifies search type for arguments provided by -R option (above) while searching on Polyswarm engine. Thus, the following values are valid -- 0: PE Executable (look for samples with the same ImpHash); 1: IP Address ; 2: Domain ; 3. URL; 4. Family') + parser.add_argument('-y', '--androidha', dest='androidha', type=int, default = 0, metavar = "ANDROID_HA", help='This option has multiple options: <1>: Check all third-party APK packages from the USB-connected Android device against Hybrid Analysis using multithreads. The Android device does not need to be rooted and the system does need to have the adb tool in the PATH environment variable; <2>: Check all third-party APK packages from the USB-connected Android device against VirusTotal using Public API (slower because of 60 seconds delay for each 4 hashes). The Android device does not need to be rooted and the system does need to have adb tool in the PATH environment variable; <3>: Check all third-party APK packages from the USB-connected Android device against VirusTotal using multithreads (only for Private Virus API). The Android device does not need to be rooted and the system needs to have adb tool in the PATH environment variable.') + parser.add_argument('-Y', '--androidsendha', dest='androidsendha', type=str, metavar = "ANDROID_SEND_HA", help='Sends an third-party APK package from your USB-connected Android device to Hybrid Analysis. The Android device does not need to be rooted and the system needs to have adb tool in the PATH environment variable.') + parser.add_argument('-T', '--androidsendvt', dest='androidsendvt', type=str, metavar = "ANDROID_SEND_VT", help='Sends an third-party APK package from your USB-connected Android device to Virus Total. The Android device does not need be rooted and the system needis to have the adb tool in the PATH environment variable.') + parser.add_argument('-n', '--alienvault', dest='alienvault', type=int, default = 0, metavar = "ALIENVAULT", help='Checks multiple information from AlienVault. The possible values are: 1: Get the subscribed pulses ; 2: Get information about an IP address; 3: Get information about a domain; 4: Get information about a hash; 5: Get information about a URL') + parser.add_argument('-N', '--alienvaultargs', dest='alienvaultargs', type=str, metavar = "ALIENVAULT_ARGS", help='Provides argument to AlienVault -n option.The allowed values are: 1, 2, 3, 4, 5.') + parser.add_argument('-M', '--malpedia', dest='malpedia', type=int, default = 0, metavar = "MALPEDIA", help='This option is related to MALPEDIA and presents different meanings depending on the chosen value. Thus, 1: List meta information for all families ; 2: List all actors ID ; 3: List all available payloads organized by family from Malpedia; 4: Get meta information from an specific actor, so it is necesary to use the -m option. Additionally, try to confirm the correct actor ID by executing malwoverview with option -M 3; 5: List all families IDs; 6: Get meta information from an specific family, so it is necesary to use the -m option. Additionally, try to confirm the correct family ID by executing malwoverview with option -M 5; 7: Get a malware sample from malpedia (zip format -- password: infected). It is necessary to specifiy the requested hash by using -m option; 8: Get a zip file containing Yara rules for a specific family (get the possible families using -M 5), which must be specified by using -m option.') + parser.add_argument('-m', '--malpediarg', dest='malpediaarg', type=str, metavar = "MALPEDIAARG", help='This option provides an argument to the -M option, which is related to MALPEDIA.') + parser.add_argument('-Q', '--threatcrowd', dest='threatcrowd', type=int, default = 0, metavar = "THREATCROWD", help='Checks multiple information from ThreatCrowd. The possible values are: 1: Get information about the provided e-mail ; 2: Get information about an IP address; 3: Get information about a domain; 4: Get information about a provided MD5 hash; 5: Get information about a specific malware family.') + parser.add_argument('-q', '--threatcrowdarg', dest='threatcrowdarg', type=str, metavar = "THREATCROWDARG", help='This option provides an argument to the -Q option, which is related to THREATCROWD.') - args = parser.parse_args() - config_file = configparser.ConfigParser() - config_file.read(args.config) - VTAPI = config_file['VIRUSTOTAL']['VTAPI'] - HAAPI = config_file['HYBRID-ANALYSIS']['HAAPI'] - MALSHAREAPI = config_file['MALSHARE']['MALSHAREAPI'] - HAUSSUBMITAPI = config_file['HAUSSUBMIT']['HAUSSUBMITAPI'] - POLYAPI = config_file['POLYSWARM']['POLYAPI'] + args = parser.parse_args() - if ((not VTAPI) and (not HAAPI)): - print(mycolors.foreground.lightred + "\nBefore using Malwoverview, you must add the Virus Total and Hybrid-Analysis APIs, at the very least.\nThese should be added in " + args.config + " or you can specify your own config file using the -c option to specify your own config location. \n\nIt is also recommended to register for an API on Malshare, URLhaus and Polyswarm APIs to have access to all available options.\nAdditionally, if you are running Malwoverview in Windows systems, so you should not forget to delete the magic.py file from the same Windows directory.\n" + mycolors.reset) + try: + + config_file = configparser.ConfigParser() + config_file.read(args.config) + VTAPI = config_file['VIRUSTOTAL']['VTAPI'] + HAAPI = config_file['HYBRID-ANALYSIS']['HAAPI'] + MALSHAREAPI = config_file['MALSHARE']['MALSHAREAPI'] + HAUSSUBMITAPI = config_file['HAUSSUBMIT']['HAUSSUBMITAPI'] + POLYAPI = config_file['POLYSWARM']['POLYAPI'] + ALIENAPI = config_file['ALIENVAULT']['ALIENAPI'] + MALPEDIAAPI = config_file['MALPEDIA']['MALPEDIAAPI'] + + except KeyError: + + print(mycolors.foreground.red + "\nYou must create the .malwapi.conf file in your home directory (in Linux is $HOME\\.malwapi.conf and in Windows is on Users\\=2019.4.18 python-magic>=0.4.18 colorama>=0.4.3 simplejson>=3.17.2 -requests==2.22.0 +requests>=2.22.0 validators>=0.16 geocoder>=1.38.1 -polyswarm-api==1.1.1 +polyswarm-api>=2.1.2 pathlib>=1.0.1 configparser>=5.0.0 diff --git a/setup.py b/setup.py index 75231c3..1cb8b1a 100644 --- a/setup.py +++ b/setup.py @@ -13,7 +13,7 @@ setup( name="malwoverview", - version="3.1.2", + version="4.0.0", author="Alexandre Borges", author_email="alexandreborges@blackstormsecurity.com", license="GNU GPL v3.0", @@ -32,10 +32,10 @@ "colorama", "python-magic", "simplejson", - "requests==2.22.0", + "requests", "validators", "geocoder", - "polyswarm-api==1.1.1", + "polyswarm-api", "pathlib", "configparser", "python-magic-bin; platform_system == 'Windows'"