├── .gitignore ├── .malwapi.conf ├── LICENSE ├── README.md ├── malwoverview ├── __init__.py ├── malwoverview.py ├── modules │ ├── __init__.py │ ├── alienvault.py │ ├── android.py │ ├── bazaar.py │ ├── bgpview.py │ ├── configvars.py │ ├── hybrid.py │ ├── inquest.py │ ├── ipinfo.py │ ├── malpedia.py │ ├── malshare.py │ ├── multipleip.py │ ├── polyswarm.py │ ├── threatfox.py │ ├── triage.py │ ├── urlhaus.py │ ├── virusexchange.py │ └── virustotal.py └── utils │ ├── __init__.py │ ├── colors.py │ ├── hash.py │ ├── peinfo.py │ └── utils.py ├── pictures ├── picture_1.jpg ├── picture_10.jpg ├── picture_11.jpg ├── picture_12.jpg ├── picture_13.jpg ├── picture_14.jpg ├── picture_15.jpg ├── picture_16.jpg ├── picture_17.jpg ├── picture_18.jpg ├── picture_19.jpg ├── picture_2.jpg ├── picture_20.jpg ├── picture_21.jpg ├── picture_22.jpg ├── picture_23.jpg ├── picture_24.jpg ├── picture_25.jpg ├── picture_26.jpg ├── picture_27.jpg ├── picture_28.jpg ├── picture_29.jpg ├── picture_3.jpg ├── picture_30.jpg ├── picture_31.jpg ├── picture_32.jpg ├── picture_33.jpg ├── picture_34.jpg ├── picture_35.jpg ├── picture_36.jpg ├── picture_37.jpg ├── picture_38.jpg ├── picture_39.jpg ├── picture_4.jpg ├── picture_40.jpg ├── picture_41.jpg ├── picture_42.jpg ├── picture_43.jpg ├── picture_44.jpg ├── picture_45.jpg ├── picture_46.jpg ├── picture_47.jpg ├── picture_48.jpg ├── picture_49.jpg ├── picture_5.jpg ├── picture_50.jpg ├── picture_6.jpg ├── picture_7.jpg ├── picture_8.jpg └── picture_9.jpg ├── requirements.txt └── setup.py /.gitignore: -------------------------------------------------------------------------------- 1 | # Byte-compiled / optimized / DLL files 2 | __pycache__/ 3 | *.py[cod] 4 | *$py.class 5 | 6 | # C extensions 7 | *.so 8 | 9 | # Distribution / packaging 10 | .Python 11 | build/ 12 | develop-eggs/ 13 | dist/ 14 | downloads/ 15 | eggs/ 16 | .eggs/ 17 | lib/ 18 | lib64/ 19 | parts/ 20 | sdist/ 21 | var/ 22 | wheels/ 23 | share/python-wheels/ 24 | *.egg-info/ 25 | .installed.cfg 26 | *.egg 27 | MANIFEST -------------------------------------------------------------------------------- /.malwapi.conf: -------------------------------------------------------------------------------- 1 | [VIRUSTOTAL] 2 | VTAPI = 3 | 4 | [HYBRID-ANALYSIS] 5 | HAAPI = 6 | 7 | [MALSHARE] 8 | MALSHAREAPI = 9 | 10 | [HAUSSUBMIT] 11 | HAUSSUBMITAPI = 12 | 13 | [POLYSWARM] 14 | POLYAPI = 15 | 16 | [ALIENVAULT] 17 | ALIENAPI = 18 | 19 | [MALPEDIA] 20 | MALPEDIAAPI = 21 | 22 | [TRIAGE] 23 | TRIAGEAPI = 24 | 25 | [INQUEST] 26 | INQUESTAPI = 27 | 28 | [VIRUSEXCHANGE] 29 | VXAPI = 30 | 31 | [IPINFO] 32 | IPINFOAPI = -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | GNU GENERAL PUBLIC LICENSE 2 | Version 3, 29 June 2007 3 | 4 | Copyright (C) 2007 Free Software Foundation, Inc. 5 | Everyone is permitted to copy and distribute verbatim copies 6 | of this license document, but changing it is not allowed. 7 | 8 | Preamble 9 | 10 | The GNU General Public License is a free, copyleft license for 11 | software and other kinds of works. 12 | 13 | The licenses for most software and other practical works are designed 14 | to take away your freedom to share and change the works. By contrast, 15 | the GNU General Public License is intended to guarantee your freedom to 16 | share and change all versions of a program--to make sure it remains free 17 | software for all its users. We, the Free Software Foundation, use the 18 | GNU General Public License for most of our software; it applies also to 19 | any other work released this way by its authors. You can apply it to 20 | your programs, too. 21 | 22 | When we speak of free software, we are referring to freedom, not 23 | price. Our General Public Licenses are designed to make sure that you 24 | have the freedom to distribute copies of free software (and charge for 25 | them if you wish), that you receive source code or can get it if you 26 | want it, that you can change the software or use pieces of it in new 27 | free programs, and that you know you can do these things. 28 | 29 | To protect your rights, we need to prevent others from denying you 30 | these rights or asking you to surrender the rights. Therefore, you have 31 | certain responsibilities if you distribute copies of the software, or if 32 | you modify it: responsibilities to respect the freedom of others. 33 | 34 | For example, if you distribute copies of such a program, whether 35 | gratis or for a fee, you must pass on to the recipients the same 36 | freedoms that you received. You must make sure that they, too, receive 37 | or can get the source code. And you must show them these terms so they 38 | know their rights. 39 | 40 | Developers that use the GNU GPL protect your rights with two steps: 41 | (1) assert copyright on the software, and (2) offer you this License 42 | giving you legal permission to copy, distribute and/or modify it. 43 | 44 | For the developers' and authors' protection, the GPL clearly explains 45 | that there is no warranty for this free software. For both users' and 46 | authors' sake, the GPL requires that modified versions be marked as 47 | changed, so that their problems will not be attributed erroneously to 48 | authors of previous versions. 49 | 50 | Some devices are designed to deny users access to install or run 51 | modified versions of the software inside them, although the manufacturer 52 | can do so. This is fundamentally incompatible with the aim of 53 | protecting users' freedom to change the software. The systematic 54 | pattern of such abuse occurs in the area of products for individuals to 55 | use, which is precisely where it is most unacceptable. Therefore, we 56 | have designed this version of the GPL to prohibit the practice for those 57 | products. If such problems arise substantially in other domains, we 58 | stand ready to extend this provision to those domains in future versions 59 | of the GPL, as needed to protect the freedom of users. 60 | 61 | Finally, every program is threatened constantly by software patents. 62 | States should not allow patents to restrict development and use of 63 | software on general-purpose computers, but in those that do, we wish to 64 | avoid the special danger that patents applied to a free program could 65 | make it effectively proprietary. To prevent this, the GPL assures that 66 | patents cannot be used to render the program non-free. 67 | 68 | The precise terms and conditions for copying, distribution and 69 | modification follow. 70 | 71 | TERMS AND CONDITIONS 72 | 73 | 0. Definitions. 74 | 75 | "This License" refers to version 3 of the GNU General Public License. 76 | 77 | "Copyright" also means copyright-like laws that apply to other kinds of 78 | works, such as semiconductor masks. 79 | 80 | "The Program" refers to any copyrightable work licensed under this 81 | License. Each licensee is addressed as "you". "Licensees" and 82 | "recipients" may be individuals or organizations. 83 | 84 | To "modify" a work means to copy from or adapt all or part of the work 85 | in a fashion requiring copyright permission, other than the making of an 86 | exact copy. The resulting work is called a "modified version" of the 87 | earlier work or a work "based on" the earlier work. 88 | 89 | A "covered work" means either the unmodified Program or a work based 90 | on the Program. 91 | 92 | To "propagate" a work means to do anything with it that, without 93 | permission, would make you directly or secondarily liable for 94 | infringement under applicable copyright law, except executing it on a 95 | computer or modifying a private copy. Propagation includes copying, 96 | distribution (with or without modification), making available to the 97 | public, and in some countries other activities as well. 98 | 99 | To "convey" a work means any kind of propagation that enables other 100 | parties to make or receive copies. Mere interaction with a user through 101 | a computer network, with no transfer of a copy, is not conveying. 102 | 103 | An interactive user interface displays "Appropriate Legal Notices" 104 | to the extent that it includes a convenient and prominently visible 105 | feature that (1) displays an appropriate copyright notice, and (2) 106 | tells the user that there is no warranty for the work (except to the 107 | extent that warranties are provided), that licensees may convey the 108 | work under this License, and how to view a copy of this License. If 109 | the interface presents a list of user commands or options, such as a 110 | menu, a prominent item in the list meets this criterion. 111 | 112 | 1. Source Code. 113 | 114 | The "source code" for a work means the preferred form of the work 115 | for making modifications to it. "Object code" means any non-source 116 | form of a work. 117 | 118 | A "Standard Interface" means an interface that either is an official 119 | standard defined by a recognized standards body, or, in the case of 120 | interfaces specified for a particular programming language, one that 121 | is widely used among developers working in that language. 122 | 123 | The "System Libraries" of an executable work include anything, other 124 | than the work as a whole, that (a) is included in the normal form of 125 | packaging a Major Component, but which is not part of that Major 126 | Component, and (b) serves only to enable use of the work with that 127 | Major Component, or to implement a Standard Interface for which an 128 | implementation is available to the public in source code form. A 129 | "Major Component", in this context, means a major essential component 130 | (kernel, window system, and so on) of the specific operating system 131 | (if any) on which the executable work runs, or a compiler used to 132 | produce the work, or an object code interpreter used to run it. 133 | 134 | The "Corresponding Source" for a work in object code form means all 135 | the source code needed to generate, install, and (for an executable 136 | work) run the object code and to modify the work, including scripts to 137 | control those activities. However, it does not include the work's 138 | System Libraries, or general-purpose tools or generally available free 139 | programs which are used unmodified in performing those activities but 140 | which are not part of the work. For example, Corresponding Source 141 | includes interface definition files associated with source files for 142 | the work, and the source code for shared libraries and dynamically 143 | linked subprograms that the work is specifically designed to require, 144 | such as by intimate data communication or control flow between those 145 | subprograms and other parts of the work. 146 | 147 | The Corresponding Source need not include anything that users 148 | can regenerate automatically from other parts of the Corresponding 149 | Source. 150 | 151 | The Corresponding Source for a work in source code form is that 152 | same work. 153 | 154 | 2. Basic Permissions. 155 | 156 | All rights granted under this License are granted for the term of 157 | copyright on the Program, and are irrevocable provided the stated 158 | conditions are met. This License explicitly affirms your unlimited 159 | permission to run the unmodified Program. The output from running a 160 | covered work is covered by this License only if the output, given its 161 | content, constitutes a covered work. This License acknowledges your 162 | rights of fair use or other equivalent, as provided by copyright law. 163 | 164 | You may make, run and propagate covered works that you do not 165 | convey, without conditions so long as your license otherwise remains 166 | in force. You may convey covered works to others for the sole purpose 167 | of having them make modifications exclusively for you, or provide you 168 | with facilities for running those works, provided that you comply with 169 | the terms of this License in conveying all material for which you do 170 | not control copyright. Those thus making or running the covered works 171 | for you must do so exclusively on your behalf, under your direction 172 | and control, on terms that prohibit them from making any copies of 173 | your copyrighted material outside their relationship with you. 174 | 175 | Conveying under any other circumstances is permitted solely under 176 | the conditions stated below. Sublicensing is not allowed; section 10 177 | makes it unnecessary. 178 | 179 | 3. Protecting Users' Legal Rights From Anti-Circumvention Law. 180 | 181 | No covered work shall be deemed part of an effective technological 182 | measure under any applicable law fulfilling obligations under article 183 | 11 of the WIPO copyright treaty adopted on 20 December 1996, or 184 | similar laws prohibiting or restricting circumvention of such 185 | measures. 186 | 187 | When you convey a covered work, you waive any legal power to forbid 188 | circumvention of technological measures to the extent such circumvention 189 | is effected by exercising rights under this License with respect to 190 | the covered work, and you disclaim any intention to limit operation or 191 | modification of the work as a means of enforcing, against the work's 192 | users, your or third parties' legal rights to forbid circumvention of 193 | technological measures. 194 | 195 | 4. Conveying Verbatim Copies. 196 | 197 | You may convey verbatim copies of the Program's source code as you 198 | receive it, in any medium, provided that you conspicuously and 199 | appropriately publish on each copy an appropriate copyright notice; 200 | keep intact all notices stating that this License and any 201 | non-permissive terms added in accord with section 7 apply to the code; 202 | keep intact all notices of the absence of any warranty; and give all 203 | recipients a copy of this License along with the Program. 204 | 205 | You may charge any price or no price for each copy that you convey, 206 | and you may offer support or warranty protection for a fee. 207 | 208 | 5. Conveying Modified Source Versions. 209 | 210 | You may convey a work based on the Program, or the modifications to 211 | produce it from the Program, in the form of source code under the 212 | terms of section 4, provided that you also meet all of these conditions: 213 | 214 | a) The work must carry prominent notices stating that you modified 215 | it, and giving a relevant date. 216 | 217 | b) The work must carry prominent notices stating that it is 218 | released under this License and any conditions added under section 219 | 7. This requirement modifies the requirement in section 4 to 220 | "keep intact all notices". 221 | 222 | c) You must license the entire work, as a whole, under this 223 | License to anyone who comes into possession of a copy. This 224 | License will therefore apply, along with any applicable section 7 225 | additional terms, to the whole of the work, and all its parts, 226 | regardless of how they are packaged. This License gives no 227 | permission to license the work in any other way, but it does not 228 | invalidate such permission if you have separately received it. 229 | 230 | d) If the work has interactive user interfaces, each must display 231 | Appropriate Legal Notices; however, if the Program has interactive 232 | interfaces that do not display Appropriate Legal Notices, your 233 | work need not make them do so. 234 | 235 | A compilation of a covered work with other separate and independent 236 | works, which are not by their nature extensions of the covered work, 237 | and which are not combined with it such as to form a larger program, 238 | in or on a volume of a storage or distribution medium, is called an 239 | "aggregate" if the compilation and its resulting copyright are not 240 | used to limit the access or legal rights of the compilation's users 241 | beyond what the individual works permit. Inclusion of a covered work 242 | in an aggregate does not cause this License to apply to the other 243 | parts of the aggregate. 244 | 245 | 6. Conveying Non-Source Forms. 246 | 247 | You may convey a covered work in object code form under the terms 248 | of sections 4 and 5, provided that you also convey the 249 | machine-readable Corresponding Source under the terms of this License, 250 | in one of these ways: 251 | 252 | a) Convey the object code in, or embodied in, a physical product 253 | (including a physical distribution medium), accompanied by the 254 | Corresponding Source fixed on a durable physical medium 255 | customarily used for software interchange. 256 | 257 | b) Convey the object code in, or embodied in, a physical product 258 | (including a physical distribution medium), accompanied by a 259 | written offer, valid for at least three years and valid for as 260 | long as you offer spare parts or customer support for that product 261 | model, to give anyone who possesses the object code either (1) a 262 | copy of the Corresponding Source for all the software in the 263 | product that is covered by this License, on a durable physical 264 | medium customarily used for software interchange, for a price no 265 | more than your reasonable cost of physically performing this 266 | conveying of source, or (2) access to copy the 267 | Corresponding Source from a network server at no charge. 268 | 269 | c) Convey individual copies of the object code with a copy of the 270 | written offer to provide the Corresponding Source. This 271 | alternative is allowed only occasionally and noncommercially, and 272 | only if you received the object code with such an offer, in accord 273 | with subsection 6b. 274 | 275 | d) Convey the object code by offering access from a designated 276 | place (gratis or for a charge), and offer equivalent access to the 277 | Corresponding Source in the same way through the same place at no 278 | further charge. You need not require recipients to copy the 279 | Corresponding Source along with the object code. If the place to 280 | copy the object code is a network server, the Corresponding Source 281 | may be on a different server (operated by you or a third party) 282 | that supports equivalent copying facilities, provided you maintain 283 | clear directions next to the object code saying where to find the 284 | Corresponding Source. Regardless of what server hosts the 285 | Corresponding Source, you remain obligated to ensure that it is 286 | available for as long as needed to satisfy these requirements. 287 | 288 | e) Convey the object code using peer-to-peer transmission, provided 289 | you inform other peers where the object code and Corresponding 290 | Source of the work are being offered to the general public at no 291 | charge under subsection 6d. 292 | 293 | A separable portion of the object code, whose source code is excluded 294 | from the Corresponding Source as a System Library, need not be 295 | included in conveying the object code work. 296 | 297 | A "User Product" is either (1) a "consumer product", which means any 298 | tangible personal property which is normally used for personal, family, 299 | or household purposes, or (2) anything designed or sold for incorporation 300 | into a dwelling. In determining whether a product is a consumer product, 301 | doubtful cases shall be resolved in favor of coverage. For a particular 302 | product received by a particular user, "normally used" refers to a 303 | typical or common use of that class of product, regardless of the status 304 | of the particular user or of the way in which the particular user 305 | actually uses, or expects or is expected to use, the product. A product 306 | is a consumer product regardless of whether the product has substantial 307 | commercial, industrial or non-consumer uses, unless such uses represent 308 | the only significant mode of use of the product. 309 | 310 | "Installation Information" for a User Product means any methods, 311 | procedures, authorization keys, or other information required to install 312 | and execute modified versions of a covered work in that User Product from 313 | a modified version of its Corresponding Source. The information must 314 | suffice to ensure that the continued functioning of the modified object 315 | code is in no case prevented or interfered with solely because 316 | modification has been made. 317 | 318 | If you convey an object code work under this section in, or with, or 319 | specifically for use in, a User Product, and the conveying occurs as 320 | part of a transaction in which the right of possession and use of the 321 | User Product is transferred to the recipient in perpetuity or for a 322 | fixed term (regardless of how the transaction is characterized), the 323 | Corresponding Source conveyed under this section must be accompanied 324 | by the Installation Information. But this requirement does not apply 325 | if neither you nor any third party retains the ability to install 326 | modified object code on the User Product (for example, the work has 327 | been installed in ROM). 328 | 329 | The requirement to provide Installation Information does not include a 330 | requirement to continue to provide support service, warranty, or updates 331 | for a work that has been modified or installed by the recipient, or for 332 | the User Product in which it has been modified or installed. Access to a 333 | network may be denied when the modification itself materially and 334 | adversely affects the operation of the network or violates the rules and 335 | protocols for communication across the network. 336 | 337 | Corresponding Source conveyed, and Installation Information provided, 338 | in accord with this section must be in a format that is publicly 339 | documented (and with an implementation available to the public in 340 | source code form), and must require no special password or key for 341 | unpacking, reading or copying. 342 | 343 | 7. Additional Terms. 344 | 345 | "Additional permissions" are terms that supplement the terms of this 346 | License by making exceptions from one or more of its conditions. 347 | Additional permissions that are applicable to the entire Program shall 348 | be treated as though they were included in this License, to the extent 349 | that they are valid under applicable law. If additional permissions 350 | apply only to part of the Program, that part may be used separately 351 | under those permissions, but the entire Program remains governed by 352 | this License without regard to the additional permissions. 353 | 354 | When you convey a copy of a covered work, you may at your option 355 | remove any additional permissions from that copy, or from any part of 356 | it. (Additional permissions may be written to require their own 357 | removal in certain cases when you modify the work.) You may place 358 | additional permissions on material, added by you to a covered work, 359 | for which you have or can give appropriate copyright permission. 360 | 361 | Notwithstanding any other provision of this License, for material you 362 | add to a covered work, you may (if authorized by the copyright holders of 363 | that material) supplement the terms of this License with terms: 364 | 365 | a) Disclaiming warranty or limiting liability differently from the 366 | terms of sections 15 and 16 of this License; or 367 | 368 | b) Requiring preservation of specified reasonable legal notices or 369 | author attributions in that material or in the Appropriate Legal 370 | Notices displayed by works containing it; or 371 | 372 | c) Prohibiting misrepresentation of the origin of that material, or 373 | requiring that modified versions of such material be marked in 374 | reasonable ways as different from the original version; or 375 | 376 | d) Limiting the use for publicity purposes of names of licensors or 377 | authors of the material; or 378 | 379 | e) Declining to grant rights under trademark law for use of some 380 | trade names, trademarks, or service marks; or 381 | 382 | f) Requiring indemnification of licensors and authors of that 383 | material by anyone who conveys the material (or modified versions of 384 | it) with contractual assumptions of liability to the recipient, for 385 | any liability that these contractual assumptions directly impose on 386 | those licensors and authors. 387 | 388 | All other non-permissive additional terms are considered "further 389 | restrictions" within the meaning of section 10. If the Program as you 390 | received it, or any part of it, contains a notice stating that it is 391 | governed by this License along with a term that is a further 392 | restriction, you may remove that term. If a license document contains 393 | a further restriction but permits relicensing or conveying under this 394 | License, you may add to a covered work material governed by the terms 395 | of that license document, provided that the further restriction does 396 | not survive such relicensing or conveying. 397 | 398 | If you add terms to a covered work in accord with this section, you 399 | must place, in the relevant source files, a statement of the 400 | additional terms that apply to those files, or a notice indicating 401 | where to find the applicable terms. 402 | 403 | Additional terms, permissive or non-permissive, may be stated in the 404 | form of a separately written license, or stated as exceptions; 405 | the above requirements apply either way. 406 | 407 | 8. Termination. 408 | 409 | You may not propagate or modify a covered work except as expressly 410 | provided under this License. Any attempt otherwise to propagate or 411 | modify it is void, and will automatically terminate your rights under 412 | this License (including any patent licenses granted under the third 413 | paragraph of section 11). 414 | 415 | However, if you cease all violation of this License, then your 416 | license from a particular copyright holder is reinstated (a) 417 | provisionally, unless and until the copyright holder explicitly and 418 | finally terminates your license, and (b) permanently, if the copyright 419 | holder fails to notify you of the violation by some reasonable means 420 | prior to 60 days after the cessation. 421 | 422 | Moreover, your license from a particular copyright holder is 423 | reinstated permanently if the copyright holder notifies you of the 424 | violation by some reasonable means, this is the first time you have 425 | received notice of violation of this License (for any work) from that 426 | copyright holder, and you cure the violation prior to 30 days after 427 | your receipt of the notice. 428 | 429 | Termination of your rights under this section does not terminate the 430 | licenses of parties who have received copies or rights from you under 431 | this License. If your rights have been terminated and not permanently 432 | reinstated, you do not qualify to receive new licenses for the same 433 | material under section 10. 434 | 435 | 9. Acceptance Not Required for Having Copies. 436 | 437 | You are not required to accept this License in order to receive or 438 | run a copy of the Program. Ancillary propagation of a covered work 439 | occurring solely as a consequence of using peer-to-peer transmission 440 | to receive a copy likewise does not require acceptance. However, 441 | nothing other than this License grants you permission to propagate or 442 | modify any covered work. These actions infringe copyright if you do 443 | not accept this License. Therefore, by modifying or propagating a 444 | covered work, you indicate your acceptance of this License to do so. 445 | 446 | 10. Automatic Licensing of Downstream Recipients. 447 | 448 | Each time you convey a covered work, the recipient automatically 449 | receives a license from the original licensors, to run, modify and 450 | propagate that work, subject to this License. You are not responsible 451 | for enforcing compliance by third parties with this License. 452 | 453 | An "entity transaction" is a transaction transferring control of an 454 | organization, or substantially all assets of one, or subdividing an 455 | organization, or merging organizations. If propagation of a covered 456 | work results from an entity transaction, each party to that 457 | transaction who receives a copy of the work also receives whatever 458 | licenses to the work the party's predecessor in interest had or could 459 | give under the previous paragraph, plus a right to possession of the 460 | Corresponding Source of the work from the predecessor in interest, if 461 | the predecessor has it or can get it with reasonable efforts. 462 | 463 | You may not impose any further restrictions on the exercise of the 464 | rights granted or affirmed under this License. For example, you may 465 | not impose a license fee, royalty, or other charge for exercise of 466 | rights granted under this License, and you may not initiate litigation 467 | (including a cross-claim or counterclaim in a lawsuit) alleging that 468 | any patent claim is infringed by making, using, selling, offering for 469 | sale, or importing the Program or any portion of it. 470 | 471 | 11. Patents. 472 | 473 | A "contributor" is a copyright holder who authorizes use under this 474 | License of the Program or a work on which the Program is based. The 475 | work thus licensed is called the contributor's "contributor version". 476 | 477 | A contributor's "essential patent claims" are all patent claims 478 | owned or controlled by the contributor, whether already acquired or 479 | hereafter acquired, that would be infringed by some manner, permitted 480 | by this License, of making, using, or selling its contributor version, 481 | but do not include claims that would be infringed only as a 482 | consequence of further modification of the contributor version. For 483 | purposes of this definition, "control" includes the right to grant 484 | patent sublicenses in a manner consistent with the requirements of 485 | this License. 486 | 487 | Each contributor grants you a non-exclusive, worldwide, royalty-free 488 | patent license under the contributor's essential patent claims, to 489 | make, use, sell, offer for sale, import and otherwise run, modify and 490 | propagate the contents of its contributor version. 491 | 492 | In the following three paragraphs, a "patent license" is any express 493 | agreement or commitment, however denominated, not to enforce a patent 494 | (such as an express permission to practice a patent or covenant not to 495 | sue for patent infringement). To "grant" such a patent license to a 496 | party means to make such an agreement or commitment not to enforce a 497 | patent against the party. 498 | 499 | If you convey a covered work, knowingly relying on a patent license, 500 | and the Corresponding Source of the work is not available for anyone 501 | to copy, free of charge and under the terms of this License, through a 502 | publicly available network server or other readily accessible means, 503 | then you must either (1) cause the Corresponding Source to be so 504 | available, or (2) arrange to deprive yourself of the benefit of the 505 | patent license for this particular work, or (3) arrange, in a manner 506 | consistent with the requirements of this License, to extend the patent 507 | license to downstream recipients. "Knowingly relying" means you have 508 | actual knowledge that, but for the patent license, your conveying the 509 | covered work in a country, or your recipient's use of the covered work 510 | in a country, would infringe one or more identifiable patents in that 511 | country that you have reason to believe are valid. 512 | 513 | If, pursuant to or in connection with a single transaction or 514 | arrangement, you convey, or propagate by procuring conveyance of, a 515 | covered work, and grant a patent license to some of the parties 516 | receiving the covered work authorizing them to use, propagate, modify 517 | or convey a specific copy of the covered work, then the patent license 518 | you grant is automatically extended to all recipients of the covered 519 | work and works based on it. 520 | 521 | A patent license is "discriminatory" if it does not include within 522 | the scope of its coverage, prohibits the exercise of, or is 523 | conditioned on the non-exercise of one or more of the rights that are 524 | specifically granted under this License. You may not convey a covered 525 | work if you are a party to an arrangement with a third party that is 526 | in the business of distributing software, under which you make payment 527 | to the third party based on the extent of your activity of conveying 528 | the work, and under which the third party grants, to any of the 529 | parties who would receive the covered work from you, a discriminatory 530 | patent license (a) in connection with copies of the covered work 531 | conveyed by you (or copies made from those copies), or (b) primarily 532 | for and in connection with specific products or compilations that 533 | contain the covered work, unless you entered into that arrangement, 534 | or that patent license was granted, prior to 28 March 2007. 535 | 536 | Nothing in this License shall be construed as excluding or limiting 537 | any implied license or other defenses to infringement that may 538 | otherwise be available to you under applicable patent law. 539 | 540 | 12. No Surrender of Others' Freedom. 541 | 542 | If conditions are imposed on you (whether by court order, agreement or 543 | otherwise) that contradict the conditions of this License, they do not 544 | excuse you from the conditions of this License. If you cannot convey a 545 | covered work so as to satisfy simultaneously your obligations under this 546 | License and any other pertinent obligations, then as a consequence you may 547 | not convey it at all. For example, if you agree to terms that obligate you 548 | to collect a royalty for further conveying from those to whom you convey 549 | the Program, the only way you could satisfy both those terms and this 550 | License would be to refrain entirely from conveying the Program. 551 | 552 | 13. Use with the GNU Affero General Public License. 553 | 554 | Notwithstanding any other provision of this License, you have 555 | permission to link or combine any covered work with a work licensed 556 | under version 3 of the GNU Affero General Public License into a single 557 | combined work, and to convey the resulting work. The terms of this 558 | License will continue to apply to the part which is the covered work, 559 | but the special requirements of the GNU Affero General Public License, 560 | section 13, concerning interaction through a network will apply to the 561 | combination as such. 562 | 563 | 14. Revised Versions of this License. 564 | 565 | The Free Software Foundation may publish revised and/or new versions of 566 | the GNU General Public License from time to time. Such new versions will 567 | be similar in spirit to the present version, but may differ in detail to 568 | address new problems or concerns. 569 | 570 | Each version is given a distinguishing version number. If the 571 | Program specifies that a certain numbered version of the GNU General 572 | Public License "or any later version" applies to it, you have the 573 | option of following the terms and conditions either of that numbered 574 | version or of any later version published by the Free Software 575 | Foundation. If the Program does not specify a version number of the 576 | GNU General Public License, you may choose any version ever published 577 | by the Free Software Foundation. 578 | 579 | If the Program specifies that a proxy can decide which future 580 | versions of the GNU General Public License can be used, that proxy's 581 | public statement of acceptance of a version permanently authorizes you 582 | to choose that version for the Program. 583 | 584 | Later license versions may give you additional or different 585 | permissions. However, no additional obligations are imposed on any 586 | author or copyright holder as a result of your choosing to follow a 587 | later version. 588 | 589 | 15. Disclaimer of Warranty. 590 | 591 | THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY 592 | APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT 593 | HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY 594 | OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, 595 | THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 596 | PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM 597 | IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF 598 | ALL NECESSARY SERVICING, REPAIR OR CORRECTION. 599 | 600 | 16. Limitation of Liability. 601 | 602 | IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING 603 | WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR CONVEYS 604 | THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY 605 | GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE 606 | USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF 607 | DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD 608 | PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), 609 | EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF 610 | SUCH DAMAGES. 611 | 612 | 17. Interpretation of Sections 15 and 16. 613 | 614 | If the disclaimer of warranty and limitation of liability provided 615 | above cannot be given local legal effect according to their terms, 616 | reviewing courts shall apply local law that most closely approximates 617 | an absolute waiver of all civil liability in connection with the 618 | Program, unless a warranty or assumption of liability accompanies a 619 | copy of the Program in return for a fee. 620 | 621 | END OF TERMS AND CONDITIONS 622 | 623 | How to Apply These Terms to Your New Programs 624 | 625 | If you develop a new program, and you want it to be of the greatest 626 | possible use to the public, the best way to achieve this is to make it 627 | free software which everyone can redistribute and change under these terms. 628 | 629 | To do so, attach the following notices to the program. It is safest 630 | to attach them to the start of each source file to most effectively 631 | state the exclusion of warranty; and each file should have at least 632 | the "copyright" line and a pointer to where the full notice is found. 633 | 634 | 635 | Copyright (C) 636 | 637 | This program is free software: you can redistribute it and/or modify 638 | it under the terms of the GNU General Public License as published by 639 | the Free Software Foundation, either version 3 of the License, or 640 | (at your option) any later version. 641 | 642 | This program is distributed in the hope that it will be useful, 643 | but WITHOUT ANY WARRANTY; without even the implied warranty of 644 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 645 | GNU General Public License for more details. 646 | 647 | You should have received a copy of the GNU General Public License 648 | along with this program. If not, see . 649 | 650 | Also add information on how to contact you by electronic and paper mail. 651 | 652 | If the program does terminal interaction, make it output a short 653 | notice like this when it starts in an interactive mode: 654 | 655 | Copyright (C) 656 | This program comes with ABSOLUTELY NO WARRANTY; for details type `show w'. 657 | This is free software, and you are welcome to redistribute it 658 | under certain conditions; type `show c' for details. 659 | 660 | The hypothetical commands `show w' and `show c' should show the appropriate 661 | parts of the General Public License. Of course, your program's commands 662 | might be different; for a GUI interface, you would use an "about box". 663 | 664 | You should also get your employer (if you work as a programmer) or school, 665 | if any, to sign a "copyright disclaimer" for the program, if necessary. 666 | For more information on this, and how to apply and follow the GNU GPL, see 667 | . 668 | 669 | The GNU General Public License does not permit incorporating your program 670 | into proprietary programs. If your program is a subroutine library, you 671 | may consider it more useful to permit linking proprietary applications with 672 | the library. If this is what you want to do, use the GNU Lesser General 673 | Public License instead of this License. But first, please read 674 | . 675 | -------------------------------------------------------------------------------- /malwoverview/__init__.py: -------------------------------------------------------------------------------- 1 | 2 | -------------------------------------------------------------------------------- /malwoverview/malwoverview.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | 3 | # Copyright (C) 2018-2025 Alexandre Borges 4 | # 5 | # This program is free software: you can redistribute it and/or modify 6 | # it under the terms of the GNU General Public License as published by 7 | # the Free Software Foundation, either version 3 of the License, or 8 | # (at your option) any later version. 9 | # 10 | # This program is distributed in the hope that it will be useful, 11 | # but WITHOUT ANY WARRANTY; without even the implied warranty of 12 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 13 | # GNU General Public License for more details. 14 | # 15 | # See GNU Public License on . 16 | 17 | # CONTRIBUTORS 18 | 19 | # Alexandre Borges (project owner) 20 | # Corey Forman (https://github.com/digitalsleuth) 21 | # Christian Clauss (https://github.com/cclauss) 22 | # Artur Marzano (https://github.com/Macmod) 23 | 24 | # Malwoverview.py: version 6.1.1 25 | 26 | import os 27 | import argparse 28 | import configparser 29 | import platform 30 | import signal 31 | from colorama import init 32 | from pathlib import Path 33 | from malwoverview.modules.alienvault import AlienVaultExtractor 34 | from malwoverview.modules.android import AndroidExtractor 35 | from malwoverview.modules.bazaar import BazaarExtractor 36 | from malwoverview.modules.hybrid import HybridAnalysisExtractor 37 | from malwoverview.modules.inquest import InQuestExtractor 38 | from malwoverview.modules.malpedia import MalpediaExtractor 39 | from malwoverview.modules.malshare import MalshareExtractor 40 | from malwoverview.modules.polyswarm import PolyswarmExtractor 41 | from malwoverview.modules.threatfox import ThreatFoxExtractor 42 | from malwoverview.modules.triage import TriageExtractor 43 | from malwoverview.modules.urlhaus import URLHausExtractor 44 | from malwoverview.modules.virustotal import VirusTotalExtractor 45 | from malwoverview.modules.virusexchange import VirusExchangeExtractor 46 | from malwoverview.modules.ipinfo import IPInfoExtractor 47 | from malwoverview.modules.bgpview import BGPViewExtractor 48 | from malwoverview.modules.multipleip import MultipleIPExtractor 49 | from malwoverview.utils.colors import printr 50 | from malwoverview.utils.hash import calchash 51 | import malwoverview.modules.configvars as cv 52 | 53 | 54 | # On Windows systems, it is necessary to install python-magic-bin: pip install python-magic-bin 55 | 56 | __author__ = "Alexandre Borges" 57 | __copyright__ = "Copyright 2018-2025, Alexandre Borges" 58 | __license__ = "GNU General Public License v3.0" 59 | __version__ = "6.1.1" 60 | __email__ = "reverseexploit at proton.me" 61 | 62 | def finish_hook(signum, frame): 63 | printr() 64 | exit(1) 65 | 66 | def main(): 67 | FINISH_SIGNALS = [signal.SIGINT, signal.SIGTERM] 68 | for signal_to_hook in FINISH_SIGNALS: 69 | signal.signal(signal_to_hook, finish_hook) 70 | 71 | cv.windows = '' 72 | if platform.system() == 'Windows': 73 | USER_HOME_DIR = str(Path.home()) + '\\' 74 | init(convert=True) 75 | cv.windows = 1 76 | else: 77 | USER_HOME_DIR = str(Path.home()) + '/' 78 | cv.windows = 0 79 | 80 | parser = argparse.ArgumentParser(prog=None, description="Malwoverview is a first response tool for threat hunting written by Alexandre Borges. This version is " + __version__, usage="usage: python malwoverview.py -c -d -o <0|1> -v <1-13> -V -a <1-15> -w <0|1> -A -l <1-7> -L -j <1-7> -J -p <1-8> -P -y <1-5> -Y -n <1-5> -N -m <1-8> -M -b <1-10> -B -x <1-7> -X -i <1-13> -I -vx <1-2> -VX -O -ip <1-3> -IP ") 81 | parser.add_argument('-c', '--config', dest='config', type=str, metavar="CONFIG FILE", default=(USER_HOME_DIR + '.malwapi.conf'), help='Use a custom config file to specify API\'s.') 82 | parser.add_argument('-d', '--directory', dest='direct', type=str, default='', metavar="DIRECTORY", help='Specifies the directory containing malware samples to be checked against VIRUS TOTAL. Use the option -D to decide whether you are being using a public VT API or a Premium VT API.') 83 | parser.add_argument('-o', '--background', dest='backg', type=int, default=1, metavar="BACKGROUND", help='Adapts the output colors to a light background color terminal. The default is dark background color terminal.') 84 | parser.add_argument('-v', '--virustotal_option', dest='virustotaloption', type=int, default=0, metavar="VIRUSTOTAL", help='-v 1: given a file using -V option, it queries the VIRUS TOTAL database (API v.3) to get the report for the given file through -V option.; -v 2: it shows an antivirus report for a given file using -V option (API v.3); -v 3: equal to -v2, but the binary\'s IAT and EAT are also shown (API v.3); -v 4: it extracts the overlay; -v 5: submits an URL to VT scanning; -v 6: submits an IP address to Virus Total; -v 7: this options gets a report on the provided domain from Virus Total; -v 8: verifies a given hash against Virus Total; -v 9: submits a sample to VT (up to 32 MB). Use forward slash to specify the target file on Windows systems. Demands passing sample file with -V option; -v 10: verifies hashes from a provided file through option -V. This option uses public VT API v.3; -v 11: verifies hashes from a provided file through option -V. This option uses Premium API v.3; -v 12: it shows behaviour information of a sample given a hash through option -V. This option uses VT API v.3; -v 13: it submits LARGE files (above 32 MB) to VT using API v.3;') 85 | parser.add_argument('-V', '--virustotal_arg', dest='virustotalarg', type=str, default='', metavar="VIRUSTOTAL_ARG", help='Provides arguments for -v option.') 86 | parser.add_argument('-a', '--hybrid_option', dest='haoption', type=int, default=0, metavar="HYBRID_ANALYSIS", help='This parameter fetches reports from HYBRID ANALYSIS, download samples and submits samples to be analyzed. The possible values are: 1: gets a report for a given hash or sample from a Windows 7 32-bit environment; 2: gets a report for a given hash or sample from a Windows 7 32-bit environment (HWP Support); 3: gets a report for given hash or sample from a Windows 64-bit environment; 4: gets a report for a given hash or sample from an Android environment; 5: gets a report for a given hash or sample from a Linux 64-bit environment; 6: submits a sample to Windows 7 32-bit environment; 7. submits a sample to Windows 7 32-bit environment with HWP support environment; 8. submits a sample to Windows 7 64-bit environment ; 9. submits a sample to an Android environment ; 10. submits a sample to a Linux 64-bit environment; 11. downloads a sample from a Windows 7 32-bit environment; 12. downloads a sample from a Windows 7 32-bit HWP environment; 13. downloads a sample from a Windows 7 64-bit environment; 14. downloads a sample from an Android environment; 15. downloads a sample from a Linux 64-bit environment.') 87 | parser.add_argument('-A', '--ha_arg', dest='haarg', type=str, metavar="SUBMIT_HA", help='Provides an argument for -a option from HYBRID ANALYSIS.') 88 | parser.add_argument('-D', '--vtpubpremium', dest='vtpubpremium', type=int, default=0, metavar="VT_PUBLIC_PREMIUM", help='This option must be used with -d option. Possible values: <0> it uses the Premium VT API v3 (default); <1> it uses the Public VT API v3.') 89 | parser.add_argument('-l', '--malsharelist', dest='malsharelist', type=int, default=0, metavar="MALSHARE_HASHES", help='This option performs download a sample and shows hashes of a specific type from the last 24 hours from MALSHARE repository. Possible values are: 1: Download a sample; 2: PE32 (default) ; 3: ELF ; 4: Java; 5: PDF ; 6: Composite(OLE); 7: List of hashes from past 24 hours.') 90 | parser.add_argument('-L', '--malshare_hash', dest='malsharehash', type=str, metavar="MALSHARE_HASH_SEARCH", help='Provides a hash as argument for downloading a sample from MALSHARE repository.') 91 | parser.add_argument('-j', '--haus_option', dest='hausoption', type=int, default=0, metavar="HAUS_OPTION", help='This option fetches information from URLHaus depending of the value passed as argument: 1: performs download of the given sample; 2: queries information about a provided hash ; 3: searches information about a given URL; 4: searches a malicious URL by a given tag (case sensitive); 5: searches for payloads given a tag; 6: retrives a list of downloadable links to recent payloads; 7: retrives a list of recent malicious URLs.') 92 | parser.add_argument('-J', '--haus_arg', dest='hausarg', type=str, metavar="HAUS_ARG", help='Provides argument to -j option from URLHaus.') 93 | parser.add_argument('-p', '--poly_option', dest='polyoption', type=int, default=0, metavar="POLY_OPTION", help='(Only for Linux) This option is related to POLYSWARM operations: 1. searches information related to a given hash provided using -P option; 2. submits a sample provided by -P option to be analyzed by Polyswarm engine ; 3. Downloads a sample from Polyswarm by providing the hash throught option -P .Attention: Polyswarm enforces a maximum of 20 samples per month; 4. searches for similar samples given a sample file thought option -P; 5. searches for samples related to a provided IP address through option -P; 6. searches for samples related to a given domain provided by option -P; 7. searches for samples related to a provided URL throught option -P; 8. searches for samples related to a provided malware family given by option -P.') 94 | parser.add_argument('-P', '--poly_arg', dest='polyarg', type=str, metavar="POLYSWARM_ARG", help='(Only for Linux) Provides an argument for -p option from POLYSWARM.') 95 | parser.add_argument('-y', '--android_option', dest='androidoption', type=int, default=0, metavar="ANDROID_OPTION", help='This ANDROID option has multiple possible values: <1>: Check all third-party APK packages from the USB-connected Android device against Hybrid Analysis using multithreads. Notes: the Android device does not need to be rooted and the system does need to have the adb tool in the PATH environment variable; <2>: Check all third-party APK packages from the USB-connected Android device against VirusTotal using Public API (slower because of 60 seconds delay for each 4 hashes). Notes: the Android device does not need to be rooted and the system does need to have adb tool in the PATH environment variable; <3>: Check all third-party APK packages from the USB-connected Android device against VirusTotal using multithreads (only for Private Virus API). Notes: the Android device does not need to be rooted and the system needs to have adb tool in the PATH environment variable; <4> Sends an third-party APK from your USB-connected Android device to Hybrid Analysis; 5. Sends an third-party APK from your USB-connected Android device to Virus-Total.') 96 | parser.add_argument('-Y', '--android_arg', dest='androidarg', type=str, default='', metavar="ANDROID_ARG", help='This option provides the argument for -y from ANDROID.') 97 | parser.add_argument('-n', '--alienvault', dest='alienvault', type=int, default=0, metavar="ALIENVAULT", help='Checks multiple information from ALIENVAULT. The possible values are: 1: Get the subscribed pulses ; 2: Get information about an IP address; 3: Get information about a domain; 4: Get information about a hash; 5: Get information about a URL.') 98 | parser.add_argument('-N', '--alienvaultargs', dest='alienvaultargs', type=str, default='', metavar="ALIENVAULT_ARGS", help='Provides argument to ALIENVAULT -n option.') 99 | parser.add_argument('-m', '--malpedia', dest='malpedia', type=int, default=0, metavar="MALPEDIA", help='This option is related to MALPEDIA and presents different meanings depending on the chosen value. Thus, 1: List meta information for all families ; 2: List all actors ID ; 3: List all available payloads organized by family from Malpedia; 4: Get meta information from an specific actor, so it is necessary to use the -M option. Additionally, try to confirm the correct actor ID by executing malwoverview with option -m 3; 5: List all families IDs; 6: Get meta information from an specific family, so it is necessary to use the -M option. Additionally, try to confirm the correct family ID by executing malwoverview with option -m 5; 7: Get a malware sample from malpedia (zip format -- password: infected). It is necessary to specify the requested hash by using -M option; 8: Get a zip file containing Yara rules for a specific family (get the possible families using -m 5), which must be specified by using -M option.') 100 | parser.add_argument('-M', '--malpediarg', dest='malpediaarg', type=str, default='', metavar="MALPEDIAARG", help='This option provides an argument to the -m option, which is related to MALPEDIA.') 101 | parser.add_argument('-b', '--bazaar', dest='bazaar', type=int, default=0, metavar="BAZAAR", help='Checks multiple information from MALWARE BAZAAR and THREATFOX. The possible values are: 1: (Bazaar) Query information about a malware hash sample ; 2: (Bazaar) Get information and a list of malware samples associated and according to a specific tag; 3: (Bazaar) Get a list of malware samples according to a given imphash; 4: (Bazaar) Query latest malware samples; 5: (Bazaar) Download a malware sample from Malware Bazaar by providing a SHA256 hash. The downloaded sample is zipped using the following password: infected; 6: (ThreatFox) Get current IOC dataset from last x days given by option -B (maximum of 7 days); 7: (ThreatFox) Search for the specified IOC on ThreatFox given by option -B; 8: (ThreatFox) Search IOCs according to the specified tag given by option -B; 9: (ThreatFox) Search IOCs according to the specified malware family provided by option -B; 10. (ThreatFox) List all available malware families.') 102 | parser.add_argument('-B', '--bazaararg', dest='bazaararg', type=str, metavar = "BAZAAR_ARG", help='Provides argument to -b MALWARE BAZAAR and THREAT FOX option. If you specified "-b 1" then the -B\'s argument must be a hash and a report about the sample will be retrieved; If you specified "-b 2" then -B\'s argument must be a malware tag and last samples matching this tag will be shown; If you specified "-b 3" then the argument must be a imphash and last samples matching this impshash will be shown; If you specified "-b 4", so the argument must be "100 or time", where "100" lists last "100 samples" and "time" lists last samples added to Malware Bazaar in the last 60 minutes; If you specified "-b 5", so the sample will be downloaded and -B\'s argument must be a SHA256 hash of the sample that you want to download from Malware Bazaar; If you specified "-b 6" then a list of IOCs will be retrieved and the -B\'s value is the number of DAYS to filter such IOCs. The maximum time is 7 (days); If you used "-b 7" so the -B\'s argument is the IOC you want to search for; If you used "-b 8", so the -B\'s argument is the IOC\'s TAG that you want search for; If you used "-b 9", so the -B argument is the malware family that you want to search for IOCs;') 103 | parser.add_argument('-x', '--triage', dest='triage', type=int, default=0, metavar="TRIAGE", help='Provides information from TRIAGE according to the specified value: <1> this option gets sample\'s general information by providing an argument with -X option in the following possible formats: sha256:, sha1:, md5:, family:, score:, tag:, url:, wallet:, ip:; <2> Get a sumary report for a given Triage ID (got from option -x 1) ; <3> Submit a sample for analysis ; <4> Submit a sample through a URL for analysis ; <5> Download sample specified by the Triage ID; <6> Download pcapng file from sample associated to given Triage ID; <7> Get a dynamic report for the given Triage ID (got from option -x 1);') 104 | parser.add_argument('-X', '--triagearg', dest='triagearg', type=str, default='', metavar="TRIAGE_ARG", help='Provides argument for options especified by -x option. Pay attention: the format of this argument depends on provided -x value.') 105 | parser.add_argument('-i', '--inquest', dest='inquest', type=int, default=0, metavar="INQUEST", help='Retrieves multiple information from INQUEST. The possible values are: 1: Downloads a sample; 2: Retrives information about a sample given a SHA256; 3: Retrieves information about a sample given a MD5 hash; 4: Gets the most recent list of threats. To this option, the -I argument must be "list" (lowercase and without double quotes) ; 5: Retrives threats related to a provided domain; 6. Retrieves a list of samples related to the given IP address; 7. Retrives a list of sample related to the given e-mail address; 8. Retrieves a list of samples related to the given filename; 9. Retrieves a list of samples related to a given URL; 10. Retrieves information about a specified IOC; 11. List a list of IOCs. Note: you must pass "list" (without double quotes) as argument to -I; 12. Check for a given keyword in the reputation database; 13. List artifacts in the reputation dabatabse. Note: you must pass "list" (without double quotes) as argument to -I.') 106 | parser.add_argument('-I', '--inquestarg', dest='inquestarg', type=str, metavar="INQUEST_ARG", help='Provides argument to INQUEST -i option.') 107 | parser.add_argument('-vx', '--vx', dest='vxoption', type=int, default=0, help='VirusExchange operations. The possible values are: 1: Gets basic metadata for a given SHA256 hash; 2: Downloads sample given a SHA256 provided in the -VX argument.') 108 | parser.add_argument('-VX', '--VX', dest='vxarg', type=str, help='Provides argument to the -vx option from VirusExchange.') 109 | parser.add_argument('-O', '--output-dir', dest='output_dir', type=str, default='.', help='Set output directory for all sample downloads.') 110 | parser.add_argument('-ip', '--ip', dest='ipoption', type=int, default=0, metavar="IP", help='Get IP information from various sources. The possible values are: 1: Get details for an IP address provided with -IP from IPInfo; 2: Get details for an IP address provided with -IP from BGPView; 3: Get details for an IP address provided with -IP from all available intel services (VirusTotal/Alienvault).') 111 | parser.add_argument('-IP', '--iparg', dest='iparg', type=str, metavar="IP_ARG", help='Provides argument for IP lookup operations specified by the -ip option.') 112 | 113 | args = parser.parse_args() 114 | 115 | config_file = configparser.ConfigParser() 116 | config_file.read(args.config) 117 | config_dict = config_file 118 | 119 | def getoption(section, name): 120 | if config_dict.has_option(section,name): 121 | return config_dict.get(section,name) 122 | else: 123 | return '' 124 | 125 | VTAPI = getoption('VIRUSTOTAL', 'VTAPI') 126 | HAAPI = getoption('HYBRID-ANALYSIS', 'HAAPI') 127 | MALSHAREAPI = getoption('MALSHARE', 'MALSHAREAPI') 128 | HAUSSUBMITAPI = getoption('HAUSSUBMIT', 'HAUSSUBMITAPI') 129 | POLYAPI = getoption('POLYSWARM', 'POLYAPI') 130 | ALIENAPI = getoption('ALIENVAULT', 'ALIENAPI') 131 | MALPEDIAAPI = getoption('MALPEDIA', 'MALPEDIAAPI') 132 | TRIAGEAPI = getoption('TRIAGE', 'TRIAGEAPI') 133 | INQUESTAPI = getoption('INQUEST', 'INQUESTAPI') 134 | VXAPI = getoption('VIRUSEXCHANGE', 'VXAPI') 135 | IPINFOAPI = getoption('IPINFO', 'IPINFOAPI') 136 | 137 | optval = range(2) 138 | optval1 = range(3) 139 | optval2 = range(5) 140 | optval3 = range(7) 141 | optval4 = range(4) 142 | optval5 = range(6) 143 | optval6 = range(9) 144 | optval7 = range(11) 145 | optval8 = range(8) 146 | optval9 = range(14) 147 | optval10 = range(16) 148 | repo = args.direct 149 | cv.output_dir = args.output_dir 150 | cv.bkg = args.backg 151 | virustotaloptionx = args.virustotaloption 152 | haoptionx = args.haoption 153 | haargx = args.haarg 154 | vtpubpremiumx = args.vtpubpremium 155 | mallist = args.malsharelist 156 | maltype = args.malsharelist 157 | malhash = args.malsharehash 158 | hausoptionx = args.hausoption 159 | hausargx = args.hausarg 160 | polyoptionx = args.polyoption 161 | polyargx = args.polyarg 162 | androidoptionx = args.androidoption 163 | androidargx = args.androidarg 164 | alienx = args.alienvault 165 | alienargsx = args.alienvaultargs 166 | malpediax = args.malpedia 167 | malpediaargx = args.malpediaarg 168 | bazaarx = args.bazaar 169 | bazaarargx = args.bazaararg 170 | triagex = args.triage 171 | triageargx = args.triagearg 172 | virustotalargx = args.virustotalarg 173 | inquestx = args.inquest 174 | inquestargx = args.inquestarg 175 | vxoptionx = args.vxoption 176 | vxargx = args.vxarg 177 | ipoptionx = args.ipoption 178 | ipargx = args.iparg 179 | config = args.config 180 | 181 | ffpname = '' 182 | if (virustotaloptionx in range(1, 5)): 183 | ffpname = virustotalargx 184 | if (haoptionx in range(1, 6)): 185 | ffpname = haargx 186 | 187 | fprovided = 0 188 | if (os.path.isfile(ffpname)): 189 | fprovided = 1 190 | 191 | INVALID_ARG_CONDITIONS = [ 192 | # (virustotaloptionx in range(1, 5) or haoptionx in range(1, 6)) and fprovided == 0, 193 | args.haoption not in optval10, 194 | args.alienvault not in optval5, 195 | args.hausoption not in optval8, 196 | args.polyoption not in optval6, 197 | args.bazaar not in optval7, 198 | args.malpedia not in optval6, 199 | args.triage not in optval8, 200 | args.inquest not in optval9, 201 | args.backg not in optval, 202 | args.malsharelist not in optval8, 203 | args.virustotaloption not in optval9, 204 | args.vtpubpremium not in optval, 205 | args.vxoption not in optval1, 206 | args.ipoption not in optval4, 207 | args.androidoption not in optval5 208 | ] 209 | 210 | MIN_OPTIONS = [ 211 | virustotaloptionx in range(5, 10) and virustotalargx, 212 | virustotalargx, virustotaloptionx, args.direct, fprovided, 213 | haargx, mallist, args.malsharehash, args.hausoption, polyoptionx, polyargx, 214 | androidoptionx, androidargx, alienx, alienargsx, malpediaargx, 215 | malpediax, bazaarx, bazaarargx, triagex, triageargx, 216 | inquestx, inquestargx, vxoptionx, vxargx, ipoptionx, ipargx 217 | ] 218 | 219 | # Show the help message if: 220 | # 1 - User uses invalid arg values 221 | # 2 - User does not specify any of the minimum options required 222 | if any(INVALID_ARG_CONDITIONS) or not any(MIN_OPTIONS): 223 | parser.print_help() 224 | printr() 225 | exit(0) 226 | 227 | # Module objects 228 | polyswarm = PolyswarmExtractor(POLYAPI) 229 | alien = AlienVaultExtractor(ALIENAPI) 230 | bazaar = BazaarExtractor() 231 | threatfox = ThreatFoxExtractor() 232 | triage = TriageExtractor(TRIAGEAPI) 233 | inquest = InQuestExtractor(INQUESTAPI) 234 | malpedia = MalpediaExtractor(MALPEDIAAPI) 235 | virustotal = VirusTotalExtractor(VTAPI) 236 | hybrid = HybridAnalysisExtractor(HAAPI) 237 | malshare = MalshareExtractor(MALSHAREAPI) 238 | haus = URLHausExtractor(HAUSSUBMITAPI) 239 | android = AndroidExtractor(hybrid, virustotal) 240 | vx = VirusExchangeExtractor(VXAPI) 241 | ipinfo = IPInfoExtractor(IPINFOAPI) 242 | bgpview = BGPViewExtractor() 243 | multipleip = MultipleIPExtractor( 244 | { 245 | #"IPInfo": ipinfo, 246 | #"BGPView": bgpview, 247 | "VirusTotal": virustotal, 248 | "AlienVault": alien, 249 | #"InQuest": inquest, 250 | # "PolySwarm": polyswarm, 251 | } 252 | ) 253 | 254 | # Special parameters for hybrid analysis module 255 | query = haargx 256 | if haoptionx in range(6) and haargx and os.path.isfile(haargx): 257 | query = calchash(haargx) 258 | 259 | def ha_show_and_down(haargx, xx=0): 260 | # hybrid.hashow(haargx, xx=xx) 261 | hybrid.downhash(haargx) 262 | 263 | # Map from flags to actions that they specify 264 | # and parameters to be used with each method call 265 | OPTIONS_MAPS = [ 266 | { 267 | 'flag': polyoptionx, 268 | 'actions': { 269 | 1: (polyswarm.polyhashsearch, [polyargx, 0]), 270 | 2: (polyswarm.polyfile, [polyargx]), 271 | 3: (polyswarm.polyhashsearch, [polyargx, 1]), 272 | 4: (polyswarm.polymetasearch, [polyargx, polyoptionx]), 273 | 5: (polyswarm.polymetasearch, [polyargx, polyoptionx]), 274 | 6: (polyswarm.polymetasearch, [polyargx, polyoptionx]), 275 | 7: (polyswarm.polymetasearch, [polyargx, polyoptionx]), 276 | 8: (polyswarm.polymetasearch, [polyargx, polyoptionx]) 277 | }, 278 | }, 279 | { 280 | 'flag': alienx, 281 | 'actions': { 282 | 1: (alien.alien_subscribed, [alienargsx]), 283 | 2: (alien.alien_ipv4, [alienargsx]), 284 | 3: (alien.alien_domain, [alienargsx]), 285 | 4: (alien.alien_hash, [alienargsx]), 286 | 5: (alien.alien_url, [alienargsx]) 287 | } 288 | }, 289 | { 290 | 'flag': bazaarx, 291 | 'actions': { 292 | 1: (bazaar.bazaar_hash, [bazaarargx]), 293 | 2: (bazaar.bazaar_tag, [bazaarargx]), 294 | 3: (bazaar.bazaar_imphash, [bazaarargx]), 295 | 4: (bazaar.bazaar_lastsamples, [bazaarargx]), 296 | 5: (bazaar.bazaar_download, [bazaarargx]) 297 | } 298 | }, 299 | { 300 | 'flag': bazaarx, 301 | 'actions': { 302 | 6: (threatfox.threatfox_listiocs, [bazaarargx]), 303 | 7: (threatfox.threatfox_searchiocs, [bazaarargx]), 304 | 8: (threatfox.threatfox_searchtags, [bazaarargx]), 305 | 9: (threatfox.threatfox_searchmalware, [bazaarargx]), 306 | 10: (threatfox.threatfox_listmalware, []) 307 | } 308 | }, 309 | { 310 | 'flag': triagex, 311 | 'actions': { 312 | 1: (triage.triage_search, [triageargx]), 313 | 2: (triage.triage_summary, [triageargx]), 314 | 3: (triage.triage_sample_submit, [triageargx]), 315 | 4: (triage.triage_url_sample_submit, [triageargx]), 316 | 5: (triage.triage_download, [triageargx]), 317 | 6: (triage.triage_download_pcap, [triageargx]), 318 | 7: (triage.triage_dynamic, [triageargx]) 319 | } 320 | }, 321 | { 322 | 'flag': inquestx, 323 | 'actions': { 324 | 1: (inquest.inquest_download, [inquestargx]), 325 | 2: (inquest.inquest_hash, [inquestargx]), 326 | 3: (inquest.inquest_hash_md5, [inquestargx]), 327 | 4: (inquest.inquest_list, [inquestargx]), 328 | 5: (inquest.inquest_domain, [inquestargx]), 329 | 6: (inquest.inquest_ip, [inquestargx]), 330 | 7: (inquest.inquest_email, [inquestargx]), 331 | 8: (inquest.inquest_filename, [inquestargx]), 332 | 9: (inquest.inquest_url, [inquestargx]), 333 | 10: (inquest.inquest_ioc_search, [inquestargx]), 334 | 11: (inquest.inquest_ioc_list, [inquestargx]), 335 | 12: (inquest.inquest_rep_search, [inquestargx]), 336 | 13: (inquest.inquest_rep_list, [inquestargx]) 337 | } 338 | }, 339 | { 340 | 'flag': malpediax, 341 | 'actions': { 342 | 1: (malpedia.malpedia_families, []), 343 | 2: (malpedia.malpedia_actors, []), 344 | 3: (malpedia.malpedia_payloads, []), 345 | 4: (malpedia.malpedia_get_actor, [malpediaargx]), 346 | 5: (malpedia.malpedia_families, []), 347 | 6: (malpedia.malpedia_get_family, [malpediaargx]), 348 | 7: (malpedia.malpedia_get_sample, [malpediaargx]), 349 | 8: (malpedia.malpedia_get_yara, [malpediaargx]) 350 | } 351 | }, 352 | { 353 | 'flag': virustotaloptionx, 354 | 'actions': { 355 | 1: (virustotal.filechecking_v3, [virustotalargx, 0, 0, 0]), 356 | 2: (virustotal.filechecking_v3, [virustotalargx, 1, 0, 0]), 357 | 3: (virustotal.filechecking_v3, [virustotalargx, 1, 1, 0]), 358 | 4: (virustotal.filechecking_v3, [virustotalargx, 1, 0, 1]), 359 | 5: (virustotal.vturlwork, [virustotalargx]), 360 | 6: (virustotal.vtipwork, [virustotalargx]), 361 | 7: (virustotal.vtdomainwork, [virustotalargx]), 362 | 8: (virustotal.vthashwork, [virustotalargx, 1]), 363 | 9: (virustotal.vtuploadfile, [virustotalargx]), 364 | 10: (virustotal.vtbatchcheck, [virustotalargx, 1]), 365 | 11: (virustotal.vtbatchcheck, [virustotalargx, 0]), 366 | 12: (virustotal.vtbehavior, [virustotalargx]), 367 | 13: (virustotal.vtlargefile, [virustotalargx]) 368 | } 369 | }, 370 | { 371 | 'flag': repo, 372 | 'actions': (virustotal.vtdirchecking, [repo, vtpubpremiumx]) 373 | }, 374 | { 375 | 'flag': haoptionx, 376 | 'actions': { 377 | 1: (hybrid.hashow, [query], {'xx': 0}), 378 | 2: (hybrid.hashow, [query], {'xx': 1}), 379 | 3: (hybrid.hashow, [query], {'xx': 2}), 380 | 4: (hybrid.hashow, [query], {'xx': 3}), 381 | 5: (hybrid.hashow, [query], {'xx': 4}), 382 | 6: (hybrid.hafilecheck, [haargx], {'xx': 0}), 383 | 7: (hybrid.hafilecheck, [haargx], {'xx': 1}), 384 | 8: (hybrid.hafilecheck, [haargx], {'xx': 2}), 385 | 9: (hybrid.hafilecheck, [haargx], {'xx': 3}), 386 | 10: (hybrid.hafilecheck, [haargx], {'xx': 4}), 387 | 11: (ha_show_and_down, [haargx], {'xx': 0}), 388 | 12: (ha_show_and_down, [haargx], {'xx': 1}), 389 | 13: (ha_show_and_down, [haargx], {'xx': 2}), 390 | 14: (ha_show_and_down, [haargx], {'xx': 3}), 391 | 15: (ha_show_and_down, [haargx], {'xx': 4}) 392 | } 393 | }, 394 | { 395 | 'flag': mallist, 396 | 'actions': { 397 | 1: (malshare.malsharedown, [malhash]), 398 | 2: (malshare.malsharelastlist, [maltype]), 399 | 3: (malshare.malsharelastlist, [maltype]), 400 | 4: (malshare.malsharelastlist, [maltype]), 401 | 5: (malshare.malsharelastlist, [maltype]), 402 | 6: (malshare.malsharelastlist, [maltype]), 403 | 7: (malshare.malsharelastlist, [maltype]) 404 | } 405 | }, 406 | { 407 | 'flag': hausoptionx, 408 | 'actions': { 409 | 1: (haus.haussample, [hausargx]), 410 | 2: (haus.haushashsearch, [hausargx]), 411 | 3: (haus.urlhauscheck, [hausargx]), 412 | 4: (haus.haustagsearchroutine, [hausargx]), 413 | 5: (haus.haussigsearchroutine, [hausargx]), 414 | 6: (haus.hauspayloadslist, []), 415 | 7: (haus.hausgetbatch, []) 416 | } 417 | }, 418 | { 419 | 'flag': androidoptionx, 420 | 'actions': { 421 | 1: (android.checkandroid, [1]), 422 | 2: (android.checkandroid, [2]), 423 | 3: (android.checkandroid, [3]), 424 | 4: (android.sendandroidha, [androidargx]), 425 | 5: (android.sendandroidvt, [androidargx]) 426 | } 427 | }, 428 | { 429 | 'flag': vxoptionx, 430 | 'actions': { 431 | 1: (vx.check_hash, [vxargx]), 432 | 2: (vx.download_sample, [vxargx]) 433 | # 3: (vx.upload_sample, [vxargx]) 434 | } 435 | }, 436 | { 437 | 'flag': ipoptionx, 438 | 'actions': { 439 | 1: (ipinfo.get_ip_details, [ipargx]), 440 | 2: (bgpview.get_ip_details, [ipargx]), 441 | 3: (multipleip.get_multiple_ip_details, [ipargx]) 442 | } 443 | } 444 | ] 445 | 446 | # Dispatch the first selected action with the specified parameters 447 | for option_map in OPTIONS_MAPS: 448 | flag = option_map['flag'] 449 | actions = option_map['actions'] 450 | 451 | if isinstance(actions, dict) and flag in actions: 452 | action_obj = actions[flag] 453 | elif isinstance(actions, tuple) and flag: 454 | action_obj = actions 455 | else: 456 | continue 457 | 458 | # If flag conditions are met, then call the appropriate function with its parameters 459 | if len(action_obj) == 3: 460 | action, action_args, action_kwargs = action_obj 461 | result = action(*action_args, **action_kwargs) 462 | elif len(action_obj) == 2: 463 | action, action_args = action_obj 464 | result = action(*action_args) 465 | elif len(action_obj) == 1: 466 | action = action_obj[0] 467 | result = action() 468 | else: 469 | continue 470 | 471 | printr() 472 | status = 0 473 | if result is False: 474 | status = 1 475 | 476 | exit(status) 477 | 478 | if __name__ == "__main__": 479 | main() 480 | -------------------------------------------------------------------------------- /malwoverview/modules/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/alexandreborges/malwoverview/d5fc570750951dfcf1608525282b6cb01a753a41/malwoverview/modules/__init__.py -------------------------------------------------------------------------------- /malwoverview/modules/android.py: -------------------------------------------------------------------------------- 1 | import malwoverview.modules.configvars as cv 2 | from malwoverview.utils.colors import mycolors, printr 3 | from malwoverview.utils.hash import sha256hash 4 | from malwoverview.modules.hybrid import HybridAnalysisExtractor 5 | import requests 6 | import subprocess 7 | import threading 8 | import json 9 | import time 10 | import os 11 | 12 | # threadLimiter = threading.BoundedSemaphore(10) 13 | 14 | 15 | class androidVTThread(threading.Thread): 16 | def __init__(self, key, package, extractor): 17 | threading.Thread.__init__(self) 18 | self.key = key 19 | self.package = package 20 | self.extractor = extractor 21 | 22 | def run(self): 23 | # threadLimiter.acquire() 24 | # try: 25 | key1 = self.key 26 | package1 = self.package 27 | 28 | myhash = key1 29 | vtfinal = self.extractor.virustotal.vtcheck(myhash, 0) 30 | 31 | if (cv.bkg == 1): 32 | print((mycolors.foreground.yellow + "%-70s" % package1), end=' ') 33 | print((mycolors.foreground.lightcyan + "%-32s" % key1), end=' ') 34 | print((mycolors.reset + mycolors.foreground.lightcyan + "%8s" % vtfinal + mycolors.reset)) 35 | else: 36 | print((mycolors.foreground.green + "%-70s" % package1), end=' ') 37 | print((mycolors.foreground.cyan + "%-32s" % key1), end=' ') 38 | print((mycolors.reset + mycolors.foreground.red + "%8s" % vtfinal + mycolors.reset)) 39 | # finally: 40 | # threadLimiter.release() 41 | 42 | 43 | class quickHAAndroidThread(threading.Thread): 44 | def __init__(self, key, package, extractor): 45 | threading.Thread.__init__(self) 46 | self.key = key 47 | self.package = package 48 | self.extractor = extractor 49 | 50 | def run(self): 51 | # threadLimiter.acquire() 52 | # try: 53 | key1 = self.key 54 | package1 = self.package 55 | 56 | myhash = key1 57 | result = self.extractor.quickhashowAndroid(myhash) 58 | 59 | (final, verdict, avdetect, totalsignatures, threatscore, totalprocesses, networkconnections) = result 60 | 61 | if (cv.bkg == 1): 62 | print((mycolors.foreground.lightcyan + "%-70s" % package1), end=' ') 63 | print((mycolors.foreground.yellow + "%-34s" % key1), end=' ') 64 | print((mycolors.foreground.lightcyan + "%9s" % final), end='') 65 | if (avdetect == 'None'): 66 | print((mycolors.foreground.lightcyan + "%7s" % avdetect), end='') 67 | else: 68 | print((mycolors.foreground.lightcyan + "%6s%%" % avdetect), end='') 69 | print((mycolors.foreground.yellow + "%7s" % totalsignatures), end='') 70 | if (threatscore == 'None'): 71 | print((mycolors.foreground.lightred + "%12s" % threatscore), end='') 72 | else: 73 | print((mycolors.foreground.lightred + "%8s/100" % threatscore), end='') 74 | if (verdict == "malicious"): 75 | print((mycolors.foreground.lightred + "%20s" % verdict), end='\n') 76 | elif (verdict == "suspicious"): 77 | print((mycolors.foreground.yellow + "%20s" % verdict), end='\n') 78 | elif (verdict == "no specific threat"): 79 | print((mycolors.foreground.lightcyan + "%20s" % verdict), end='\n') 80 | else: 81 | verdict = 'not analyzed yet' 82 | print((mycolors.reset + "%20s" % verdict), end='\n') 83 | else: 84 | print((mycolors.foreground.cyan + "%-70s" % package1), end=' ') 85 | print((mycolors.foreground.green + "%-34s" % key1), end=' ') 86 | print((mycolors.foreground.cyan + "%9s" % final), end='') 87 | if (avdetect == 'None'): 88 | print((mycolors.foreground.purple + "%7s" % avdetect), end='') 89 | else: 90 | print((mycolors.foreground.purple + "%6s%%" % avdetect), end='') 91 | print((mycolors.foreground.green + "%7s" % totalsignatures), end='') 92 | if (threatscore == 'None'): 93 | print((mycolors.foreground.red + "%12s" % threatscore), end='') 94 | else: 95 | print((mycolors.foreground.red + "%8s/100" % threatscore), end='') 96 | if (verdict == "malicious"): 97 | print((mycolors.foreground.red + "%20s" % verdict), end='\n') 98 | elif (verdict == "suspicious"): 99 | print((mycolors.foreground.cyan + "%20s" % verdict), end='\n') 100 | elif (verdict == "no specific threat"): 101 | print((mycolors.foreground.green + "%20s" % verdict), end='\n') 102 | else: 103 | verdict = 'not analyzed yet' 104 | print((mycolors.reset + "%20s" % verdict), end='\n') 105 | # finally: 106 | # threadLimiter.release() 107 | 108 | 109 | class AndroidExtractor(): 110 | def __init__(self, hybrid, virustotal): 111 | self.hybrid = hybrid 112 | self.virustotal = virustotal 113 | 114 | def quickhashowAndroid(self, filehash, user_agent='Falcon Sandbox'): 115 | haurl = HybridAnalysisExtractor.haurl 116 | 117 | hatext = '' 118 | haresponse = '' 119 | final = 'Yes' 120 | verdict = '-' 121 | avdetect = '0' 122 | totalsignatures = '-' 123 | threatscore = '-' 124 | totalprocesses = '-' 125 | networkconnections = '-' 126 | 127 | self.hybrid.requestHAAPI() 128 | 129 | try: 130 | resource = filehash 131 | requestsession = requests.Session() 132 | requestsession.headers.update({'user-agent': user_agent}) 133 | requestsession.headers.update({'api-key': self.hybrid.HAAPI}) 134 | requestsession.headers.update({'content-type': 'application/x-www-form-urlencoded'}) 135 | finalurl = '/'.join([haurl, 'report', 'summary']) 136 | resource1 = resource + ":200" 137 | datahash = { 138 | 'hashes[0]': resource1 139 | } 140 | 141 | haresponse = requestsession.post(url=finalurl, data=datahash) 142 | hatext = json.loads(haresponse.text) 143 | 144 | rc = str(hatext) 145 | 146 | if 'message' in rc: 147 | final = 'Not Found' 148 | return (final, verdict, avdetect, totalsignatures, threatscore, totalprocesses, networkconnections) 149 | 150 | if 'verdict' in hatext[0]: 151 | verdict = str(hatext[0]['verdict']) 152 | else: 153 | verdict = '' 154 | 155 | if 'threat_score' in hatext[0]: 156 | threatscore = str(hatext[0]['threat_score']) 157 | else: 158 | threatscore = '' 159 | 160 | if 'av_detect' in hatext[0]: 161 | avdetect = str(hatext[0]['av_detect']) 162 | else: 163 | avdetect = '' 164 | 165 | if 'total_signatures' in hatext[0]: 166 | totalsignatures = str(hatext[0]['total_signatures']) 167 | else: 168 | totalsignatures = '' 169 | 170 | if 'total_processes' in hatext[0]: 171 | totalprocesses = str(hatext[0]['total_processes']) 172 | else: 173 | totalprocesses = '' 174 | 175 | if 'total_network_connections' in hatext[0]: 176 | networkconnections = str(hatext[0]['total_network_connections']) 177 | else: 178 | networkconnections = '' 179 | 180 | return (final, verdict, avdetect, totalsignatures, threatscore, totalprocesses, networkconnections) 181 | 182 | except ValueError as e: 183 | print(e) 184 | if (cv.bkg == 1): 185 | print((mycolors.foreground.lightred + "Error while connecting to Hybrid-Analysis!\n")) 186 | else: 187 | print((mycolors.foreground.red + "Error while connecting to Hybrid-Analysis!\n")) 188 | printr() 189 | 190 | def checkandroidha(self, key, package): 191 | if len(key) == 0 or len(package) == 0: 192 | return 193 | 194 | if cv.windows: 195 | thread = quickHAAndroidThread(key, package, self) 196 | thread.start() 197 | thread.join() 198 | else: 199 | thread = quickHAAndroidThread(key, package, self) 200 | thread.start() 201 | 202 | def checkandroidvt(self, key, package): 203 | if len(key) == 0 or len(package) == 0: 204 | return 205 | 206 | key1 = key 207 | vtfinal = self.virustotal.vtcheck(key1, 0) 208 | if (cv.bkg == 1): 209 | print((mycolors.foreground.yellow + "%-70s" % package), end=' ') 210 | print((mycolors.foreground.lightcyan + "%-32s" % key1), end=' ') 211 | print((mycolors.foreground.lightred + "%8s" % vtfinal + mycolors.reset)) 212 | else: 213 | print((mycolors.foreground.green + "%-70s" % package), end=' ') 214 | print((mycolors.foreground.cyan + "%-32s" % key1), end=' ') 215 | print((mycolors.reset + mycolors.foreground.red + "%8s" % vtfinal + mycolors.reset)) 216 | 217 | def checkandroidvtx(self, key, package): 218 | if len(key) == 0 or len(package) == 0: 219 | return 220 | 221 | if (cv.windows == 1): 222 | thread = androidVTThread(key, package, self) 223 | thread.start() 224 | thread.join() 225 | else: 226 | thread = androidVTThread(key, package, self) 227 | thread.start() 228 | 229 | def checkandroid(self, engine): 230 | adb_comm = "adb" 231 | results = list() 232 | results2 = list() 233 | final1 = list() 234 | final2 = list() 235 | 236 | tm1 = 0 237 | 238 | myconn = subprocess.run([adb_comm, "shell", "pm", "list", "packages", "-f", "-3"], capture_output=True) 239 | myconn2 = myconn.stdout.decode() 240 | 241 | try: 242 | for i in myconn2.split('\n'): 243 | for j in i.split("base.apk"): 244 | if 'package' in j: 245 | key, value = j.split('package:') 246 | _, value2 = value.split('/data/app/') 247 | results.append(value2[:-3]) 248 | valuetmp = value + "base.apk" 249 | results2.append(valuetmp) 250 | except AttributeError: 251 | pass 252 | 253 | try: 254 | for h in results2: 255 | myconn3 = subprocess.run([adb_comm, "shell", "md5sum", h], text=True, capture_output=True) 256 | x = myconn3.stdout.split(" ")[0] 257 | final1.append(x) 258 | 259 | except AttributeError: 260 | pass 261 | 262 | try: 263 | for n in results: 264 | final2.append(n) 265 | except AttributeError: 266 | pass 267 | 268 | zipAndroid = zip(final2, final1) 269 | dictAndroid = dict(zipAndroid) 270 | 271 | if (engine == 1): 272 | print(mycolors.reset + "\n") 273 | print("Package".center(70) + "Hash".center(34) + "Found?".center(12) + "AVdet".center(10) + "Sigs".center(5) + "Score".center(14) + "Verdict".center(14)) 274 | print((162 * '-').center(81)) 275 | for key, value in dictAndroid.items(): 276 | try: 277 | key1a = (key.split("==/", 1)[1]) 278 | except IndexError: 279 | key1a = key 280 | try: 281 | key1b = (key1a.split("-", 1)[0]) 282 | except IndexError: 283 | key1b = key1a 284 | 285 | self.checkandroidha(value, key1b) 286 | 287 | if (engine == 2): 288 | print(mycolors.reset + "\n") 289 | print("Package".center(70) + "Hash".center(36) + "Virus Total".center(12)) 290 | print((118 * '-').center(59)) 291 | for key, value in dictAndroid.items(): 292 | try: 293 | key1a = (key.split("==/", 1)[1]) 294 | except IndexError: 295 | key1a = key 296 | try: 297 | key1b = (key1a.split("-", 1)[0]) 298 | except IndexError: 299 | key1b = key1a 300 | tm1 = tm1 + 1 301 | if tm1 % 4 == 0: 302 | time.sleep(61) 303 | self.checkandroidvt(value, key1b) 304 | 305 | if (engine == 3): 306 | print(mycolors.reset + "\n") 307 | print("Package".center(70) + "Hash".center(36) + "Virus Total".center(12)) 308 | print((118 * '-').center(59)) 309 | for key, value in dictAndroid.items(): 310 | try: 311 | key1a = (key.split("==/", 1)[1]) 312 | except IndexError: 313 | key1a = key 314 | try: 315 | key1b = (key1a.split("-", 1)[0]) 316 | except IndexError: 317 | key1b = key1a 318 | self.checkandroidvtx(value, key1b) 319 | 320 | def sendandroidha(self, package, xx=3): 321 | adb_comm = "adb" 322 | results = list() 323 | results2 = list() 324 | newname = '' 325 | 326 | myconn = subprocess.run([adb_comm, "shell", "pm", "list", "packages", "-f", "-3"], capture_output=True) 327 | myconn2 = myconn.stdout.decode() 328 | 329 | try: 330 | for i in myconn2.split('\n'): 331 | for j in i.split('base.apk'): 332 | if 'package' in j: 333 | _, value = j.split('package:') 334 | _, value2 = value.split('/data/app/') 335 | results.append(value2) 336 | valuetmp = value + "base.apk" 337 | results2.append(valuetmp) 338 | 339 | except AttributeError: 340 | pass 341 | 342 | try: 343 | for j in results2: 344 | if (package in j): 345 | subprocess.run([adb_comm, "pull", j], capture_output=True) 346 | newname = j[10:] 347 | 348 | except AttributeError: 349 | pass 350 | 351 | try: 352 | targetfile1 = newname.split('==/', 1)[1] 353 | targetfile = targetfile1.split('-', 1)[0] 354 | os.rename('base.apk', targetfile) 355 | self.hybrid.hafilecheck(targetfile, xx=xx) 356 | except FileNotFoundError: 357 | if (cv.bkg == 1): 358 | print((mycolors.foreground.lightred + "\nFile not found on device!\n")) 359 | else: 360 | print((mycolors.foreground.lightred + "\nFile not found on device!\n")) 361 | exit(1) 362 | finally: 363 | if (targetfile != ".apk"): 364 | os.remove(targetfile) 365 | 366 | def sendandroidvt(self, package): 367 | adb_comm = "adb" 368 | results = list() 369 | results2 = list() 370 | newname = '' 371 | 372 | myconn = subprocess.run([adb_comm, "shell", "pm", "list", "packages", "-f", "-3"], capture_output=True) 373 | myconn2 = myconn.stdout.decode() 374 | 375 | try: 376 | for i in myconn2.split('\n'): 377 | for j in i.split('base.apk='): 378 | if 'package' in j: 379 | _, value = j.split('package:') 380 | _, value2 = value.split('/data/app/') 381 | results.append(value2) 382 | valuetmp = value + "base.apk" 383 | results2.append(valuetmp) 384 | 385 | except AttributeError: 386 | pass 387 | 388 | try: 389 | for j in results2: 390 | if (package in j): 391 | subprocess.run([adb_comm, "pull", j], capture_output=True) 392 | newname = j[10:] 393 | 394 | except AttributeError: 395 | pass 396 | 397 | try: 398 | targetfile1 = newname.split('==/', 1)[1] 399 | targetfile = targetfile1.split('-', 1)[0] 400 | os.rename(r'base.apk', targetfile) 401 | myhash = sha256hash(targetfile) 402 | self.virustotal.vtuploadfile(targetfile) 403 | if (cv.bkg == 1): 404 | print(mycolors.foreground.yellow + "\tWaiting for 120 seconds...\n") 405 | if (cv.bkg == 0): 406 | print(mycolors.foreground.purple + "\tWaiting for 120 seconds...\n") 407 | time.sleep(120) 408 | self.virustotal.vthashwork(myhash, 1) 409 | 410 | except FileNotFoundError: 411 | if (cv.bkg == 1): 412 | print((mycolors.foreground.lightred + "\nFile not found on device!\n")) 413 | else: 414 | print((mycolors.foreground.lightred + "\nFile not found on device!\n")) 415 | printr() 416 | exit(1) 417 | 418 | finally: 419 | if (targetfile != ".apk"): 420 | os.remove(targetfile) 421 | -------------------------------------------------------------------------------- /malwoverview/modules/bgpview.py: -------------------------------------------------------------------------------- 1 | import requests 2 | import malwoverview.modules.configvars as cv 3 | from malwoverview.utils.colors import mycolors 4 | 5 | class BGPViewExtractor: 6 | urlbgpview = "https://api.bgpview.io/ip/" 7 | 8 | def _raw_ip_info(self, ip_address): 9 | url = f"{BGPViewExtractor.urlbgpview}{ip_address}" 10 | 11 | try: 12 | response = requests.get(url) 13 | data = response.json() 14 | return data.get('data', {}) if data.get('status') == 'ok' else {} 15 | except: 16 | return {} 17 | 18 | def get_ip_details(self, ip_address): 19 | data = self._raw_ip_info(ip_address) 20 | 21 | try: 22 | print() 23 | print((mycolors.reset + "BGPVIEW.IO REPORT".center(100)), end='') 24 | print((mycolors.reset + "".center(28)), end='') 25 | print("\n" + (100 * '-').center(50)) 26 | 27 | if not data: 28 | print(mycolors.foreground.error(cv.bkg) + "\nNo information available\n" + mycolors.reset) 29 | return 30 | 31 | prefixes = data.get('prefixes', [{}]) 32 | if len(prefixes) == 0: 33 | prefixes = [{}] 34 | 35 | fields = { 36 | 'IP Address': data.get('ip'), 37 | 'PTR Record': data.get('ptr_record'), 38 | 'Prefix': prefixes[0].get('prefix'), 39 | 'ASN': prefixes[0].get('asn', {}).get('asn'), 40 | 'AS Name': prefixes[0].get('asn', {}).get('name'), 41 | 'AS Description': prefixes[0].get('asn', {}).get('description'), 42 | 'Country Code': prefixes[0].get('asn', {}).get('country_code') 43 | } 44 | 45 | COLSIZE = max(len(field) for field in fields.keys()) + 3 46 | 47 | for field, value in fields.items(): 48 | print(mycolors.foreground.info(cv.bkg) + f"{field}: ".ljust(COLSIZE) + mycolors.reset + str(value)) 49 | 50 | except Exception as e: 51 | print(mycolors.foreground.error(cv.bkg) + f"\nError: {str(e)}" + mycolors.reset) 52 | -------------------------------------------------------------------------------- /malwoverview/modules/configvars.py: -------------------------------------------------------------------------------- 1 | bkg = 0 2 | windows = 0 3 | output_dir = '.' -------------------------------------------------------------------------------- /malwoverview/modules/hybrid.py: -------------------------------------------------------------------------------- 1 | import malwoverview.modules.configvars as cv 2 | import requests 3 | from colorama import Fore 4 | import geocoder 5 | from malwoverview.utils.colors import mycolors, printr 6 | from malwoverview.utils.hash import sha256hash 7 | import json 8 | import os 9 | 10 | 11 | class HybridAnalysisExtractor(): 12 | haurl = 'https://www.hybrid-analysis.com/api/v2' 13 | 14 | def __init__(self, HAAPI): 15 | self.HAAPI = HAAPI 16 | 17 | def requestHAAPI(self): 18 | if (self.HAAPI == ''): 19 | print(mycolors.foreground.red + "\nTo be able to get/submit information from/to Hybrid Analysis, you must create the .malwapi.conf file under your user home directory (on Linux is $HOME\\.malwapi.conf and on Windows is in C:\\Users\\[username]\\.malwapi.conf) and insert the Hybrid Analysis API according to the format shown on the Github website." + mycolors.reset + "\n") 20 | exit(1) 21 | 22 | def downhash(self, filehash, user_agent='Falcon Sandbox'): 23 | haurl = HybridAnalysisExtractor.haurl 24 | 25 | hatext = '' 26 | haresponse = '' 27 | final = '' 28 | 29 | self.requestHAAPI() 30 | 31 | try: 32 | 33 | resource = filehash 34 | requestsession = requests.Session() 35 | requestsession.headers.update({'user-agent': user_agent}) 36 | requestsession.headers.update({'api-key': self.HAAPI}) 37 | requestsession.headers.update({'accept': 'application/gzip'}) 38 | 39 | finalurl = '/'.join([haurl, 'overview', resource, 'sample']) 40 | 41 | haresponse = requestsession.get(url=finalurl, allow_redirects=True) 42 | 43 | try: 44 | 45 | hatext = haresponse.text 46 | 47 | rc = str(hatext) 48 | if 'message' in rc: 49 | final = 'Malware sample is not available to download.' 50 | if (cv.bkg == 1): 51 | print((mycolors.foreground.lightred + "\n" + final + "\n")) 52 | else: 53 | print((mycolors.foreground.red + "\n" + final + "\n")) 54 | print((mycolors.reset)) 55 | return final 56 | 57 | outputpath = os.path.join(cv.output_dir, f'{resource}.gz') 58 | open(outputpath, 'wb').write(haresponse.content) 59 | final = f'Sample downloaded to: {outputpath}' 60 | 61 | print((mycolors.reset)) 62 | print((final + "\n")) 63 | return final 64 | 65 | except ValueError as e: 66 | print(e) 67 | if (cv.bkg == 1): 68 | print((mycolors.foreground.lightred + "Error while downloading Hybrid-Analysis!\n")) 69 | else: 70 | print((mycolors.foreground.red + "Error while downloading Hybrid-Analysis!\n")) 71 | printr() 72 | 73 | except ValueError as e: 74 | print(e) 75 | if (cv.bkg == 1): 76 | print((mycolors.foreground.lightred + "Error while connecting to Hybrid-Analysis!\n")) 77 | else: 78 | print((mycolors.foreground.red + "Error while connecting to Hybrid-Analysis!\n")) 79 | printr() 80 | 81 | def hashow(self, filehash, xx=0, user_agent='Falcon Sandbox'): 82 | haurl = HybridAnalysisExtractor.haurl 83 | 84 | hatext = '' 85 | haresponse = '' 86 | final = '' 87 | 88 | self.requestHAAPI() 89 | 90 | try: 91 | resource = filehash 92 | requestsession = requests.Session() 93 | requestsession.headers.update({'user-agent': user_agent}) 94 | requestsession.headers.update({'api-key': self.HAAPI}) 95 | requestsession.headers.update({'content-type': 'application/json'}) 96 | 97 | if (xx == 0): 98 | finalurl = '/'.join([haurl, 'report', resource + ':100', 'summary']) 99 | elif (xx == 1): 100 | finalurl = '/'.join([haurl, 'report', resource + ':110', 'summary']) 101 | elif (xx == 2): 102 | finalurl = '/'.join([haurl, 'report', resource + ':120', 'summary']) 103 | elif (xx == 3): 104 | finalurl = '/'.join([haurl, 'report', resource + ':200', 'summary']) 105 | else: 106 | finalurl = '/'.join([haurl, 'report', resource + ':300', 'summary']) 107 | 108 | haresponse = requestsession.get(url=finalurl) 109 | hatext = json.loads(haresponse.text) 110 | 111 | rc = str(hatext) 112 | if 'Failed' in rc: 113 | final = 'Malware sample was not found in Hybrid-Analysis repository.' 114 | if (cv.bkg == 1): 115 | print((mycolors.foreground.lightred + "\n" + final + "\n")) 116 | else: 117 | print((mycolors.foreground.red + "\n" + final + "\n")) 118 | return final 119 | 120 | if 'environment_description' in hatext: 121 | envdesc = str(hatext['environment_description']) 122 | else: 123 | envdesc = '' 124 | 125 | if 'type' in hatext: 126 | maltype = str(hatext['type']) 127 | else: 128 | maltype = '' 129 | 130 | if 'verdict' in hatext: 131 | verdict = str(hatext['verdict']) 132 | else: 133 | verdict = '' 134 | 135 | if 'threat_level' in hatext: 136 | threatlevel = str(hatext['threat_level']) 137 | else: 138 | threatlevel = '' 139 | 140 | if 'threat_score' in hatext: 141 | threatscore = str(hatext['threat_score']) 142 | else: 143 | threatscore = '' 144 | 145 | if 'av_detect' in hatext: 146 | avdetect = str(hatext['av_detect']) 147 | else: 148 | avdetect = '' 149 | 150 | if 'total_signatures' in hatext: 151 | totalsignatures = str(hatext['total_signatures']) 152 | else: 153 | totalsignatures = '' 154 | 155 | if 'submit_name' in hatext: 156 | submitname = str(hatext['submit_name']) 157 | else: 158 | submitname = '' 159 | 160 | if 'analysis_start_time' in hatext: 161 | analysistime = str(hatext['analysis_start_time']) 162 | else: 163 | analysistime = '' 164 | 165 | if 'size' in hatext: 166 | malsize = str(hatext['size']) 167 | else: 168 | malsize = '' 169 | 170 | if 'total_processes' in hatext: 171 | totalprocesses = str(hatext['total_processes']) 172 | else: 173 | totalprocesses = '' 174 | 175 | if 'total_network_connections' in hatext: 176 | networkconnections = str(hatext['total_network_connections']) 177 | else: 178 | networkconnections = '' 179 | 180 | if 'domains' in hatext: 181 | domains = (hatext['domains']) 182 | else: 183 | domains = '' 184 | 185 | if 'hosts' in hatext: 186 | hosts = (hatext['hosts']) 187 | else: 188 | hosts = '' 189 | 190 | if 'compromised_hosts' in hatext: 191 | compromised_hosts = (hatext['compromised_hosts']) 192 | else: 193 | compromised_hosts = '' 194 | 195 | if 'vx_family' in hatext: 196 | vxfamily = str(hatext['vx_family']) 197 | else: 198 | vxfamily = '' 199 | 200 | if 'type_short' in (hatext): 201 | typeshort = (hatext['type_short']) 202 | else: 203 | typeshort = '' 204 | 205 | if 'tags' in hatext: 206 | classification = (hatext['tags']) 207 | else: 208 | classification = '' 209 | 210 | if 'certificates' in hatext: 211 | certificates = hatext['certificates'] 212 | else: 213 | certificates = '' 214 | 215 | if 'mitre_attcks' in hatext: 216 | mitre = hatext['mitre_attcks'] 217 | else: 218 | mitre = '' 219 | 220 | printr() 221 | print("\nHybrid-Analysis Summary Report:") 222 | print((70 * '-').ljust(70)) 223 | if (cv.bkg == 1): 224 | print((mycolors.foreground.lightcyan)) 225 | else: 226 | print((mycolors.foreground.red)) 227 | print("Environment:".ljust(20), envdesc) 228 | print("File Type:".ljust(20), maltype) 229 | print("Verdict:".ljust(20), verdict) 230 | print("Threat Level:".ljust(20), threatlevel) 231 | print("Threat Score:".ljust(20), threatscore + '/100') 232 | print("AV Detect".ljust(20), avdetect + '%') 233 | print("Total Signatures:".ljust(20), totalsignatures) 234 | if (cv.bkg == 1): 235 | print((mycolors.foreground.yellow)) 236 | else: 237 | print((mycolors.foreground.cyan)) 238 | print("Submit Name:".ljust(20), submitname) 239 | print("Analysis Time:".ljust(20), analysistime) 240 | print("File Size:".ljust(20), malsize) 241 | print("Total Processes:".ljust(20), totalprocesses) 242 | print("Network Connections:".ljust(20), networkconnections) 243 | 244 | print("\nDomains:") 245 | for i in domains: 246 | print("".ljust(20), i) 247 | 248 | print("\nHosts:") 249 | for i in hosts: 250 | print("".ljust(20), i, "\t", "city: " + (geocoder.ip(i).city)) 251 | 252 | print("\nCompromised Hosts:") 253 | for i in compromised_hosts: 254 | print("".ljust(20), i, "\t", "city: " + (geocoder.ip(i).city)) 255 | 256 | if (cv.bkg == 1): 257 | print((mycolors.foreground.lightred)) 258 | else: 259 | print((mycolors.foreground.cyan)) 260 | 261 | print("Vx Family:".ljust(20), vxfamily) 262 | print("File Type Short: ", end=' ') 263 | for i in typeshort: 264 | print(i, end=' ') 265 | 266 | print("\nClassification Tags:".ljust(20), end=' ') 267 | for i in classification: 268 | print(i, end=' ') 269 | 270 | if (cv.bkg == 1): 271 | print((mycolors.foreground.lightcyan)) 272 | else: 273 | print((mycolors.foreground.purple)) 274 | 275 | print("\nCertificates:\n", end='\n') 276 | for i in certificates: 277 | print("".ljust(20), end=' ') 278 | print(("owner: %s" % i['owner'])) 279 | print("".ljust(20), end=' ') 280 | print(("issuer: %s" % i['issuer'])) 281 | print("".ljust(20), end=' ') 282 | print(("valid_from: %s" % i['valid_from'])) 283 | print("".ljust(20), end=' ') 284 | print(("valid_until: %s\n" % i['valid_until'])) 285 | 286 | if (cv.bkg == 1): 287 | print(mycolors.foreground.lightcyan) 288 | else: 289 | print(mycolors.foreground.purple) 290 | 291 | print("\nMITRE Attacks:\n") 292 | for i in mitre: 293 | print("".ljust(20), end=' ') 294 | print(("tactic: %s" % i['tactic'])) 295 | print("".ljust(20), end=' ') 296 | print(("technique: %s" % i['technique'])) 297 | print("".ljust(20), end=' ') 298 | print(("attck_id: %s" % i['attck_id'])) 299 | print("".ljust(20), end=' ') 300 | print(("attck_id_wiki: %s\n" % i['attck_id_wiki'])) 301 | 302 | rc = (hatext) 303 | if (rc == 0): 304 | final = 'Not Found' 305 | printr() 306 | return final 307 | 308 | except ValueError as e: 309 | print(e) 310 | if (cv.bkg == 1): 311 | print((mycolors.foreground.lightred + "Error while connecting to Hybrid-Analysis!\n")) 312 | else: 313 | print((mycolors.foreground.red + "Error while connecting to Hybrid-Analysis!\n")) 314 | printr() 315 | 316 | def hafilecheck(self, filenameha, xx=0, user_agent='Falcon Sandbox'): 317 | if not os.path.isfile(filenameha): 318 | if (cv.bkg == 1): 319 | print(mycolors.foreground.lightred + "\nYou didn't provide a valid file!\n") 320 | else: 321 | print(mycolors.foreground.red + "\nYou didn't provide a valid file!\n") 322 | return False 323 | 324 | haurl = HybridAnalysisExtractor.haurl 325 | 326 | hatext = '' 327 | haresponse = '' 328 | resource = '' 329 | haenv = '100' 330 | job_id = '' 331 | 332 | self.requestHAAPI() 333 | 334 | try: 335 | if (xx == 0): 336 | haenv = '100' 337 | elif (xx == 1): 338 | haenv = '110' 339 | elif (xx == 2): 340 | haenv = '120' 341 | elif (xx == 3): 342 | haenv = '200' 343 | else: 344 | haenv = '300' 345 | 346 | resource = {'file': (os.path.basename(filenameha), open(filenameha, 'rb')), 'environment_id': (None, haenv)} 347 | 348 | mysha256hash = sha256hash(filenameha) 349 | 350 | if (cv.bkg == 1): 351 | print((mycolors.foreground.lightcyan + "\nSubmitted file: %s".ljust(20) % filenameha)) 352 | print(("Submitted hash: %s".ljust(20) % mysha256hash)) 353 | print(("Environment ID: %3s" % haenv)) 354 | print((Fore.WHITE)) 355 | else: 356 | print((mycolors.foreground.purple + "\nSubmitted file: %s".ljust(20) % filenameha)) 357 | print(("Submitted hash: %s".ljust(20) % mysha256hash)) 358 | print(("Environment ID: %3s" % haenv)) 359 | print((Fore.BLACK)) 360 | 361 | requestsession = requests.Session() 362 | requestsession.headers.update({'user-agent': user_agent}) 363 | requestsession.headers.update({'api-key': self.HAAPI}) 364 | requestsession.headers.update({'accept': 'application/json'}) 365 | 366 | finalurl = '/'.join([haurl, 'submit', 'file']) 367 | 368 | haresponse = requestsession.post(url=finalurl, files=resource) 369 | 370 | hatext = json.loads(haresponse.text) 371 | 372 | rc = str(hatext) 373 | 374 | job_id = str(hatext['job_id']) 375 | hash_received = str(hatext['sha256']) 376 | environment_id = str(hatext['environment_id']) 377 | 378 | if (job_id) in rc: 379 | if (cv.bkg == 1): 380 | print((mycolors.foreground.yellow + "The suspicious file has been successfully submitted to Hybrid Analysis.")) 381 | print(("\nThe job ID is: ").ljust(31), end=' ') 382 | print(("%s" % job_id)) 383 | print(("The environment ID is: ").ljust(30), end=' ') 384 | print(("%s" % environment_id)) 385 | print(("The received sha256 hash is: ").ljust(30), end=' ') 386 | print(("%s" % hash_received)) 387 | print((mycolors.reset + "\n")) 388 | else: 389 | print((mycolors.foreground.green + "The suspicious file has been successfully submitted to Hybrid Analysis.")) 390 | print(("\nThe job ID is: ").ljust(31), end=' ') 391 | print(("%s" % job_id)) 392 | print(("The environment ID is: ").ljust(30), end=' ') 393 | print(("%s" % environment_id)) 394 | print(("The received sha256 hash is: ").ljust(30), end=' ') 395 | print(("%s" % hash_received)) 396 | print((mycolors.reset + "\n")) 397 | else: 398 | if (cv.bkg == 1): 399 | print((mycolors.foreground.lightred + "\nAn error occured while sending the file!")) 400 | print((mycolors.reset + "\n")) 401 | else: 402 | print((mycolors.foreground.red + "\nAn error occured while sending the file!")) 403 | print((mycolors.reset + "\n")) 404 | except ValueError as e: 405 | print(e) 406 | if (cv.bkg == 1): 407 | print((mycolors.foreground.lightred + "Error while connecting to Hybrid-Analysis!\n")) 408 | else: 409 | print((mycolors.foreground.red + "Error while connecting to Hybrid-Analysis!\n")) 410 | print((mycolors.reset)) 411 | 412 | def quickhashow(self, filehash, xx=0, user_agent='Falcon Sandbox'): 413 | haurl = HybridAnalysisExtractor.haurl 414 | 415 | hatext = '' 416 | haresponse = '' 417 | final = 'Yes' 418 | verdict = '-' 419 | avdetect = '0' 420 | totalsignatures = '-' 421 | threatscore = '-' 422 | totalprocesses = '-' 423 | networkconnections = '-' 424 | 425 | self.requestHAAPI() 426 | 427 | try: 428 | 429 | resource = filehash 430 | requestsession = requests.Session() 431 | requestsession.headers.update({'user-agent': user_agent}) 432 | requestsession.headers.update({'api-key': self.HAAPI}) 433 | requestsession.headers.update({'content-type': 'application/json'}) 434 | 435 | if (xx == 0): 436 | finalurl = '/'.join([haurl, 'report', resource + ':100', 'summary']) 437 | elif (xx == 1): 438 | finalurl = '/'.join([haurl, 'report', resource + ':110', 'summary']) 439 | elif (xx == 2): 440 | finalurl = '/'.join([haurl, 'report', resource + ':120', 'summary']) 441 | elif (xx == 3): 442 | finalurl = '/'.join([haurl, 'report', resource + ':200', 'summary']) 443 | else: 444 | finalurl = '/'.join([haurl, 'report', resource + ':300', 'summary']) 445 | 446 | haresponse = requestsession.get(url=finalurl) 447 | hatext = json.loads(haresponse.text) 448 | 449 | rc = str(hatext) 450 | if 'message' in rc: 451 | final = 'Not Found' 452 | return (final, verdict, avdetect, totalsignatures, threatscore, totalprocesses, networkconnections) 453 | 454 | rc2 = (hatext) 455 | if (rc2 == 0): 456 | final = 'Not Found' 457 | return (final, verdict, avdetect, totalsignatures, threatscore, totalprocesses, networkconnections) 458 | 459 | if 'verdict' in hatext: 460 | verdict = str(hatext['verdict']) 461 | else: 462 | verdict = '' 463 | 464 | if 'threat_score' in hatext: 465 | threatscore = str(hatext['threat_score']) 466 | else: 467 | threatscore = '' 468 | 469 | if 'av_detect' in hatext: 470 | avdetect = str(hatext['av_detect']) 471 | else: 472 | avdetect = '' 473 | 474 | if 'total_signatures' in hatext: 475 | totalsignatures = str(hatext['total_signatures']) 476 | else: 477 | totalsignatures = '' 478 | 479 | if 'total_processes' in hatext: 480 | totalprocesses = str(hatext['total_processes']) 481 | else: 482 | totalprocesses = '' 483 | 484 | if 'total_network_connections' in hatext: 485 | networkconnections = str(hatext['total_network_connections']) 486 | else: 487 | networkconnections = '' 488 | 489 | return (final, verdict, avdetect, totalsignatures, threatscore, totalprocesses, networkconnections) 490 | 491 | except ValueError as e: 492 | print(e) 493 | if (cv.bkg == 1): 494 | print((mycolors.foreground.lightred + "Error while connecting to Hybrid-Analysis!\n")) 495 | else: 496 | print((mycolors.foreground.red + "Error while connecting to Hybrid-Analysis!\n")) 497 | printr() 498 | 499 | 500 | """ 501 | class quickHAThread(threading.Thread): 502 | def __init__(self, key): 503 | threading.Thread.__init__(self) 504 | self.key = key 505 | 506 | def run(self): 507 | key1 = self.key 508 | 509 | myhashdir = sha256hash(key1) 510 | (final, verdict, avdetect, totalsignatures, threatscore, totalprocesses, networkconnections) = self.hybrid.quickhashow(myhashdir) 511 | 512 | if (cv.bkg == 1): 513 | print((mycolors.foreground.yellow + "%-70s" % key1), end=' ') 514 | print((mycolors.foreground.lightcyan + "%9s" % final), end='') 515 | print((mycolors.foreground.lightred + "%11s" % verdict), end='') 516 | if(avdetect == 'None'): 517 | print((mycolors.foreground.pink + "%7s" % avdetect), end='') 518 | else: 519 | print((mycolors.foreground.pink + "%6s%%" % avdetect), end='') 520 | print((mycolors.foreground.yellow + "%7s" % totalsignatures), end='') 521 | if(threatscore == 'None'): 522 | print((mycolors.foreground.lightred + "%12s" % threatscore), end='') 523 | else: 524 | print((mycolors.foreground.lightred + "%8s/100" % threatscore), end='') 525 | print((mycolors.foreground.lightcyan + "%6s" % totalprocesses), end='') 526 | print((mycolors.foreground.lightcyan + "%6s" % networkconnections + mycolors.reset)) 527 | else: 528 | print((mycolors.foreground.cyan + "%-70s" % key1), end=' ') 529 | print((mycolors.foreground.cyan + "%9s" % final), end='') 530 | print((mycolors.foreground.red + "%11s" % verdict), end='') 531 | if (avdetect == 'None'): 532 | print((mycolors.foreground.purple + "%7s" % avdetect), end='') 533 | else: 534 | print((mycolors.foreground.purple + "%6s%%" % avdetect), end='') 535 | print((mycolors.foreground.green + "%7s" % totalsignatures), end='') 536 | if(threatscore == 'None'): 537 | print((mycolors.foreground.red + "%12s" % threatscore), end='') 538 | else: 539 | print((mycolors.foreground.red + "%8s/100" % threatscore), end='') 540 | print((mycolors.foreground.blue + "%6s" % totalprocesses), end='') 541 | print((mycolors.foreground.blue + "%6s" % networkconnections + mycolors.reset)) 542 | """ 543 | -------------------------------------------------------------------------------- /malwoverview/modules/ipinfo.py: -------------------------------------------------------------------------------- 1 | import malwoverview.modules.configvars as cv 2 | from malwoverview.utils.colors import mycolors, printc 3 | import requests 4 | 5 | class IPInfoExtractor: 6 | def __init__(self, IPINFOAPI): 7 | self.IPINFOAPI = IPINFOAPI 8 | 9 | """ 10 | IPInfo API can be used anonymously up to 1000 requests per day 11 | def requestIPINFOAPI(self): 12 | if self.IPINFOAPI == '': 13 | print(mycolors.foreground.red + "\nTo use IPInfo.io services, you must create the .malwapi.conf file under your user home directory (on Linux is $HOME\\.malwapi.conf and on Windows is in C:\\Users\\[username]\\.malwapi.conf) and insert the IPInfo API key according to the format shown on the Github website." + mycolors.reset + "\n") 14 | exit(1) 15 | """ 16 | 17 | def _raw_ip_info(self, ip_address): 18 | url = f"https://ipinfo.io/{ip_address}?token={self.IPINFOAPI}" 19 | 20 | try: 21 | response = requests.get(url) 22 | return response.json() 23 | except Exception as e: 24 | return {'error': e} 25 | 26 | def get_ip_details(self, ip_address): 27 | # self.requestIPINFOAPI() 28 | 29 | data = self._raw_ip_info(ip_address) 30 | 31 | try: 32 | print() 33 | print((mycolors.reset + "IPINFO.IO REPORT".center(100)), end='') 34 | print((mycolors.reset + "".center(28)), end='') 35 | print("\n" + (100 * '-').center(50)) 36 | 37 | if 'error' in data: 38 | printc(f"\n{data['error']['message']}\n", mycolors.foreground.error(cv.bkg)) 39 | return 40 | 41 | fields = ['ip', 'hostname', 'org', 'country', 'region', 'city', 'loc', 'postal', 'timezone'] 42 | 43 | COLSIZE = max(len(field) for field in fields) + 3 44 | 45 | for field in fields: 46 | if field in data: 47 | print(mycolors.foreground.info(cv.bkg) + f"{field.title()}: ".ljust(COLSIZE) + mycolors.reset + str(data[field])) 48 | 49 | except Exception as e: 50 | printc(f"\nError: {str(e)}\n", mycolors.foreground.error(cv.bkg)) 51 | -------------------------------------------------------------------------------- /malwoverview/modules/malpedia.py: -------------------------------------------------------------------------------- 1 | import malwoverview.modules.configvars as cv 2 | from malwoverview.utils.colors import mycolors, printr 3 | import requests 4 | import textwrap 5 | import base64 6 | import json 7 | import os 8 | 9 | class MalpediaExtractor(): 10 | malpediaurl = 'https://malpedia.caad.fkie.fraunhofer.de/api' 11 | 12 | def __init__(self, MALPEDIAAPI): 13 | self.MALPEDIAAPI = MALPEDIAAPI 14 | 15 | def requestMALPEDIAAPI(self): 16 | if (self.MALPEDIAAPI == ''): 17 | print(mycolors.foreground.red + "\nTo be able to get information from Malpedia, you must create the .malwapi.conf file under your user home directory (on Linux is $HOME\\.malwapi.conf and on Windows is in C:\\Users\\[username]\\.malwapi.conf) and insert the Malpedia API according to the format shown on the Github website." + mycolors.reset + "\n") 18 | exit(1) 19 | 20 | def malpedia_actors(self): 21 | urlx = MalpediaExtractor.malpediaurl 22 | 23 | hatext = '' 24 | haresponse = '' 25 | 26 | self.requestMALPEDIAAPI() 27 | 28 | try: 29 | 30 | resource = urlx 31 | requestsession = requests.Session() 32 | requestsession.headers.update({'Content-Type': 'application/json'}) 33 | requestsession.headers.update({'Authorization': 'apitoken ' + self.MALPEDIAAPI}) 34 | finalurl = '/'.join([resource, 'list', 'actors']) 35 | haresponse = requestsession.get(url=finalurl) 36 | hatext = json.loads(haresponse.text) 37 | 38 | if ('200' not in str(haresponse)): 39 | print(mycolors.foreground.red + "\nThe search key couldn't be found on Malpedia.\n", mycolors.reset) 40 | exit(1) 41 | 42 | if (cv.bkg == 1): 43 | print(mycolors.foreground.lightcyan + "\nActors:".ljust(13), end='\n'.ljust(11)) 44 | j = 1 45 | for i in hatext: 46 | if (j < 10): 47 | print(mycolors.foreground.lightred + "Actor_%s: " % j + mycolors.reset + str(i), end='\n'.ljust(11)) 48 | if ((j > 9) and (j < 100)): 49 | print(mycolors.foreground.lightred + "Actor_%s: " % j + mycolors.reset + str(i), end='\n'.ljust(11)) 50 | if (j > 99): 51 | print(mycolors.foreground.lightred + "Actor_%s: " % j + mycolors.reset + str(i), end='\n'.ljust(11)) 52 | j = j + 1 53 | 54 | if (cv.bkg == 0): 55 | print(mycolors.foreground.green + "\nActors:".ljust(13), end='\n'.ljust(11)) 56 | j = 1 57 | for i in hatext: 58 | if (j < 10): 59 | print(mycolors.foreground.red + "Actor_%s: " % j + mycolors.reset + str(i), end='\n'.ljust(11)) 60 | if ((j > 9) and (j < 100)): 61 | print(mycolors.foreground.red + "Actor_%s: " % j + mycolors.reset + str(i), end='\n'.ljust(11)) 62 | if (j > 99): 63 | print(mycolors.foreground.red + "Actor_%s: " % j + mycolors.reset + str(i), end='\n'.ljust(11)) 64 | j = j + 1 65 | 66 | except ValueError as e: 67 | print(e) 68 | if (cv.bkg == 1): 69 | print((mycolors.foreground.lightred + "Error while connecting to Malpedia!\n")) 70 | else: 71 | print((mycolors.foreground.red + "Error while connecting to Malpedia!\n")) 72 | printr() 73 | 74 | def malpedia_payloads(self): 75 | urlx = MalpediaExtractor.malpediaurl 76 | 77 | hatext = '' 78 | haresponse = '' 79 | 80 | self.requestMALPEDIAAPI() 81 | 82 | try: 83 | 84 | resource = urlx 85 | requestsession = requests.Session() 86 | requestsession.headers.update({'Content-Type': 'application/json'}) 87 | requestsession.headers.update({'Authorization': 'apitoken ' + self.MALPEDIAAPI}) 88 | finalurl = '/'.join([resource, 'list', 'samples']) 89 | haresponse = requestsession.get(url=finalurl) 90 | hatext = json.loads(haresponse.text) 91 | 92 | if ('200' not in str(haresponse)): 93 | print(mycolors.foreground.red + "\nThe search key couldn't be found on Malpedia.\n", mycolors.reset) 94 | exit(1) 95 | 96 | if (cv.bkg == 1): 97 | for key, value in hatext.items(): 98 | print(mycolors.foreground.yellow + "Family:".ljust(11) + mycolors.reset + key, end=' ') 99 | for i in value: 100 | for j in i.items(): 101 | for k in i.keys(): 102 | if (k == 'status'): 103 | if (i['status']): 104 | print(mycolors.foreground.lightcyan + "\n\nStatus:".ljust(13) + mycolors.reset + str(i['status']), end='') 105 | if (k == 'sha256'): 106 | if (i['sha256']): 107 | print(mycolors.foreground.lightcyan + "\nHash:".ljust(12) + mycolors.reset + str(i['sha256']), end='') 108 | if (k == 'version'): 109 | if (i['version']): 110 | print(mycolors.foreground.lightcyan + "\nVersion:".ljust(12) + mycolors.reset + str(i['version']), end=' ') 111 | print("\n" + '-' * 75) 112 | 113 | if (cv.bkg == 0): 114 | for key, value in hatext.items(): 115 | print(mycolors.foreground.red + "Family:".ljust(11) + mycolors.reset + key, end=' ') 116 | for i in value: 117 | for j in i.items(): 118 | for k in i.keys(): 119 | if (k == 'status'): 120 | if (i['status']): 121 | print(mycolors.foreground.green + "\n\nStatus:".ljust(13) + mycolors.reset + str(i['status']), end='') 122 | if (k == 'sha256'): 123 | if (i['sha256']): 124 | print(mycolors.foreground.green + "\nHash:".ljust(12) + mycolors.reset + str(i['sha256']), end='') 125 | if (k == 'version'): 126 | if (i['version']): 127 | print(mycolors.foreground.green + "\nVersion:".ljust(12) + mycolors.reset + str(i['version']), end=' ') 128 | print("\n" + '-' * 75) 129 | except ValueError as e: 130 | print(e) 131 | if (cv.bkg == 1): 132 | print((mycolors.foreground.lightred + "Error while connecting to Malpedia!\n")) 133 | else: 134 | print((mycolors.foreground.red + "Error while connecting to Malpedia!\n")) 135 | printr() 136 | 137 | def malpedia_get_actor(self, arg1): 138 | urlx = MalpediaExtractor.malpediaurl 139 | 140 | hatext = '' 141 | haresponse = '' 142 | myargs = arg1 143 | wrapper = textwrap.TextWrapper(width=100) 144 | 145 | self.requestMALPEDIAAPI() 146 | 147 | try: 148 | resource = urlx 149 | requestsession = requests.Session() 150 | requestsession.headers.update({'Content-Type': 'application/json'}) 151 | requestsession.headers.update({'Authorization': 'apitoken ' + self.MALPEDIAAPI}) 152 | finalurl = '/'.join([resource, 'get', 'actor', myargs]) 153 | haresponse = requestsession.get(url=finalurl) 154 | hatext = json.loads(haresponse.text) 155 | 156 | if (cv.bkg == 1): 157 | if ('Not found.' in str(hatext)): 158 | print(mycolors.foreground.yellow + "\nInformation about this actor couldn't be found on Malpedia.\n", mycolors.reset) 159 | exit(1) 160 | 161 | if (cv.bkg == 0): 162 | if ('Not found.' in str(hatext)): 163 | print(mycolors.foreground.cyan + "\nInformation about this actor couldn't be found on Malpedia.\n", mycolors.reset) 164 | exit(1) 165 | 166 | if ('200' not in str(haresponse)): 167 | print(mycolors.foreground.red + "\nThe search key couldn't be found on Malpedia.\n", mycolors.reset) 168 | exit(1) 169 | 170 | if (cv.bkg == 1): 171 | if (hatext['value']): 172 | print(mycolors.foreground.yellow + "\nActor:".ljust(11) + mycolors.reset + hatext['value'], end=' ') 173 | if (hatext['description']): 174 | print(mycolors.foreground.yellow + "\n\nOverview: ".ljust(11) + mycolors.reset + ("\n".ljust(11)).join(textwrap.wrap(str(hatext['description']), width=100)), end=' ') 175 | for key, value in hatext.items(): 176 | if (key == 'meta'): 177 | for key2, value2 in value.items(): 178 | if (key2 == 'country'): 179 | if (value['country']): 180 | print(mycolors.foreground.yellow + "\n\nCountry:".ljust(12) + mycolors.reset + str(value['country']), end='\n') 181 | if (key2 == 'synonyms'): 182 | if (value['synonyms']): 183 | print(mycolors.foreground.lightcyan + "\n\nSynonyms:".ljust(11), end=' ') 184 | for x in value['synonyms']: 185 | print(mycolors.reset + str(x), end=' ') 186 | if (key2 == 'refs'): 187 | if (value['refs']): 188 | for x in value['refs']: 189 | print(mycolors.foreground.lightcyan + "\nREFs:".ljust(11) + mycolors.reset + ("\n".ljust(11)).join(wrapper.wrap(str(x))).ljust(11), end=" ") 190 | if (key == 'families'): 191 | for key3, value3 in value.items(): 192 | print("\n" + '-' * 112, end='') 193 | print(mycolors.foreground.yellow + "\nFamily: ".ljust(11) + mycolors.reset + key3) 194 | if 'updated' in value3.keys(): 195 | if (value3['updated']): 196 | print(mycolors.foreground.lightcyan + "Updated: ".ljust(10) + mycolors.reset + value3['updated']) 197 | if 'attribution' in value3.keys(): 198 | if (len(value3['attribution']) > 0): 199 | print(mycolors.foreground.lightcyan + "Attrib.: ".ljust(9), end=' ') 200 | for y in value3['attribution']: 201 | print(mycolors.reset + y, end=' ') 202 | if 'alt_names' in value3.keys(): 203 | if (len(value3['alt_names']) > 0): 204 | print(mycolors.foreground.lightcyan + "\nAliases: ".ljust(10), end=' ') 205 | for y in value3['alt_names']: 206 | print(mycolors.reset + y, end=' ') 207 | if 'common_name' in value3.keys(): 208 | if (value3['common_name']): 209 | print(mycolors.foreground.lightcyan + "\nCommon: ".ljust(11) + mycolors.reset + value3['common_name'], end=' ') 210 | if 'sources' in value3.keys(): 211 | if (len(value3['sources']) > 0): 212 | print(mycolors.foreground.lightcyan + "\nSources: ".ljust(11), end=' ') 213 | for y in value3['sources']: 214 | print(mycolors.reset + y, end=' ') 215 | if 'description' in value3.keys(): 216 | if value3['description']: 217 | print(mycolors.foreground.lightcyan + "\nDescr.: ".ljust(11) + mycolors.reset + ("\n".ljust(11)).join(textwrap.wrap(str(value3['description']), width=100)), end=' ') 218 | if 'urls' in value3.keys(): 219 | if (len(value3['urls']) > 0): 220 | for y in value3['urls']: 221 | print(mycolors.foreground.lightcyan + "\nURLs: ".ljust(11) + mycolors.reset + ("\n".ljust(11)).join(wrapper.wrap(str(y))).ljust(11), end=" ") 222 | 223 | if (cv.bkg == 0): 224 | if (hatext['value']): 225 | print(mycolors.foreground.red + "\nActor:".ljust(11) + mycolors.reset + hatext['value'], end=' ') 226 | if (hatext['description']): 227 | print(mycolors.foreground.red + "\n\nOverview: ".ljust(11) + mycolors.reset + ("\n".ljust(11)).join(textwrap.wrap(str(hatext['description']), width=100)), end=' ') 228 | for key, value in hatext.items(): 229 | if (key == 'meta'): 230 | for key2, value2 in value.items(): 231 | if (key2 == 'country'): 232 | if (value['country']): 233 | print(mycolors.foreground.red + "\n\nCountry:".ljust(12) + mycolors.reset + str(value['country']), end='\n') 234 | if (key2 == 'synonyms'): 235 | if (value['synonyms']): 236 | print(mycolors.foreground.green + "\n\nSynonyms:".ljust(11), end=' ') 237 | for x in value['synonyms']: 238 | print(mycolors.reset + str(x), end=' ') 239 | if (key2 == 'refs'): 240 | if (value['refs']): 241 | for x in value['refs']: 242 | print(mycolors.foreground.green + "\nREFs:".ljust(11) + mycolors.reset + ("\n".ljust(11)).join(wrapper.wrap(str(x))).ljust(11), end=" ") 243 | if (key == 'families'): 244 | for key3, value3 in value.items(): 245 | print("\n" + '-' * 112, end='') 246 | print(mycolors.foreground.red + "\nFamily: ".ljust(11) + mycolors.reset + key3) 247 | if 'updated' in value3.keys(): 248 | if (value3['updated']): 249 | print(mycolors.foreground.green + "Updated: ".ljust(10) + mycolors.reset + value3['updated']) 250 | if 'attribution' in value3.keys(): 251 | if (len(value3['attribution']) > 0): 252 | print(mycolors.foreground.green + "Attrib.: ".ljust(9), end=' ') 253 | for y in value3['attribution']: 254 | print(mycolors.reset + y, end=' ') 255 | if 'alt_names' in value3.keys(): 256 | if (len(value3['alt_names']) > 0): 257 | print(mycolors.foreground.green + "\nAliases: ".ljust(10), end=' ') 258 | for y in value3['alt_names']: 259 | print(mycolors.reset + y, end=' ') 260 | if 'common_name' in value3.keys(): 261 | if (value3['common_name']): 262 | print(mycolors.foreground.green + "\nCommon: ".ljust(11) + mycolors.reset + value3['common_name'], end=' ') 263 | if 'sources' in value3.keys(): 264 | if (len(value3['sources']) > 0): 265 | print(mycolors.foreground.green + "\nSources: ".ljust(11), end=' ') 266 | for y in value3['sources']: 267 | print(mycolors.reset + y, end=' ') 268 | if 'description' in value3.keys(): 269 | if value3['description']: 270 | print(mycolors.foreground.green + "\nDescr.: ".ljust(11) + mycolors.reset + ("\n".ljust(11)).join(textwrap.wrap(str(value3['description']), width=100)), end=' ') 271 | if 'urls' in value3.keys(): 272 | if (len(value3['urls']) > 0): 273 | for y in value3['urls']: 274 | print(mycolors.foreground.green + "\nURLs: ".ljust(11) + mycolors.reset + ("\n".ljust(11)).join(wrapper.wrap(str(y))).ljust(11), end=" ") 275 | 276 | except ValueError as e: 277 | print(e) 278 | if (cv.bkg == 1): 279 | print((mycolors.foreground.lightred + "Error while connecting to Malpedia!\n")) 280 | else: 281 | print((mycolors.foreground.red + "Error while connecting to Malpedia!\n")) 282 | printr() 283 | 284 | def malpedia_families(self): 285 | urlx = MalpediaExtractor.malpediaurl 286 | 287 | hatext = '' 288 | haresponse = '' 289 | # wrapper = textwrap.TextWrapper(width=100) 290 | 291 | self.requestMALPEDIAAPI() 292 | 293 | try: 294 | resource = urlx 295 | requestsession = requests.Session() 296 | requestsession.headers.update({'Content-Type': 'application/json'}) 297 | requestsession.headers.update({'Authorization': 'apitoken ' + self.MALPEDIAAPI}) 298 | finalurl = '/'.join([resource, 'list', 'families']) 299 | haresponse = requestsession.get(url=finalurl) 300 | hatext = json.loads(haresponse.text) 301 | 302 | if ('200' not in str(haresponse)): 303 | print(mycolors.foreground.red + "\nThe search key couldn't be found on Malpedia.\n", mycolors.reset) 304 | exit(1) 305 | 306 | if (cv.bkg == 1): 307 | print(mycolors.foreground.yellow + "\nFamilies:".ljust(13), end='\n'.ljust(11)) 308 | j = 1 309 | for i in hatext: 310 | if (j < 10): 311 | print(mycolors.foreground.lightcyan + "Family_%s: " % j + mycolors.reset + str(i), end='\n'.ljust(11)) 312 | if ((j > 9) and (j < 100)): 313 | print(mycolors.foreground.lightcyan + "Family_%s: " % j + mycolors.reset + str(i), end='\n'.ljust(11)) 314 | if ((j > 99) and (j < 1000)): 315 | print(mycolors.foreground.lightcyan + "Family_%s: " % j + mycolors.reset + str(i), end='\n'.ljust(11)) 316 | if (j > 999): 317 | print(mycolors.foreground.lightcyan + "Family_%s: " % j + mycolors.reset + str(i), end='\n'.ljust(11)) 318 | j = j + 1 319 | 320 | if (cv.bkg == 0): 321 | print(mycolors.foreground.red + "\nFamilies:".ljust(13), end='\n'.ljust(11)) 322 | j = 1 323 | for i in hatext: 324 | if (j < 10): 325 | print(mycolors.foreground.cyan + "Family_%s: " % j + mycolors.reset + str(i), end='\n'.ljust(11)) 326 | if ((j > 9) and (j < 100)): 327 | print(mycolors.foreground.cyan + "Family_%s: " % j + mycolors.reset + str(i), end='\n'.ljust(11)) 328 | if ((j > 99) and (j < 1000)): 329 | print(mycolors.foreground.cyan + "Family_%s: " % j + mycolors.reset + str(i), end='\n'.ljust(11)) 330 | if (j > 999): 331 | print(mycolors.foreground.cyan + "Family_%s: " % j + mycolors.reset + str(i), end='\n'.ljust(11)) 332 | j = j + 1 333 | 334 | except ValueError as e: 335 | print(e) 336 | if (cv.bkg == 1): 337 | print((mycolors.foreground.lightred + "Error while connecting to Malpedia!\n")) 338 | else: 339 | print((mycolors.foreground.red + "Error while connecting to Malpedia!\n")) 340 | printr() 341 | 342 | def malpedia_get_family(self, arg1): 343 | urlx = MalpediaExtractor.malpediaurl 344 | 345 | hatext = '' 346 | haresponse = '' 347 | myargs = arg1 348 | # wrapper = textwrap.TextWrapper(width=100) 349 | 350 | self.requestMALPEDIAAPI() 351 | 352 | try: 353 | 354 | resource = urlx 355 | requestsession = requests.Session() 356 | requestsession.headers.update({'Content-Type': 'application/json'}) 357 | requestsession.headers.update({'Authorization': 'apitoken ' + self.MALPEDIAAPI}) 358 | finalurl = '/'.join([resource, 'get', 'family', myargs]) 359 | haresponse = requestsession.get(url=finalurl) 360 | hatext = json.loads(haresponse.text) 361 | 362 | if (cv.bkg == 1): 363 | if ('Not found.' in str(hatext)): 364 | print(mycolors.foreground.yellow + "\nInformation about this family couldn't be found on Malpedia.\n", mycolors.reset) 365 | exit(1) 366 | 367 | if (cv.bkg == 0): 368 | if ('Not found.' in str(hatext)): 369 | print(mycolors.foreground.cyan + "\nInformation about this family couldn't be found on Malpedia.\n", mycolors.reset) 370 | exit(1) 371 | 372 | if ('200' not in str(haresponse)): 373 | print(mycolors.foreground.red + "\nThe search key couldn't be found on Malpedia.\n", mycolors.reset) 374 | exit(1) 375 | 376 | if (cv.bkg == 1): 377 | print(mycolors.foreground.lightcyan + "\nFamily:".ljust(14) + mycolors.reset + myargs) 378 | print(mycolors.foreground.yellow + "\nUpdated:".ljust(14) + mycolors.reset + hatext['updated'], end=' ') 379 | if (hatext['attribution']): 380 | print(mycolors.foreground.yellow + "\nAttribution:".ljust(13), end=' ') 381 | for i in hatext['attribution']: 382 | print(mycolors.reset + str(i), end=' ') 383 | if (hatext['alt_names']): 384 | print(mycolors.foreground.yellow + "\nAliases:".ljust(13), end=' ') 385 | for i in hatext['alt_names']: 386 | print(mycolors.reset + i, end=' ') 387 | if (hatext['common_name']): 388 | print(mycolors.foreground.yellow + "\nCommon Name: ".ljust(13) + mycolors.reset + hatext['common_name'], end=' ') 389 | if (hatext['description']): 390 | print(mycolors.foreground.yellow + "\nDescription: ".ljust(13) + mycolors.reset + ("\n".ljust(14)).join(textwrap.wrap(hatext['description'], width=110)), end='\n') 391 | 392 | if (hatext['urls']): 393 | j = 0 394 | for i in hatext['urls']: 395 | if (j < 10): 396 | print(mycolors.foreground.yellow + "\nURL_%d:".ljust(15) % j + mycolors.reset + ("\n".ljust(14)).join(textwrap.wrap(i, width=110)), end=' ') 397 | if (j > 9 and j < 100): 398 | print(mycolors.foreground.yellow + "\nURL_%d:".ljust(14) % j + mycolors.reset + ("\n".ljust(14)).join(textwrap.wrap(i, width=110)), end=' ') 399 | if (j > 99): 400 | print(mycolors.foreground.yellow + "\nURL_%d:".ljust(13) % j + mycolors.reset + ("\n".ljust(14)).join(textwrap.wrap(i, width=110)), end=' ') 401 | j = j + 1 402 | 403 | if (cv.bkg == 0): 404 | print(mycolors.foreground.purple + "\nFamily:".ljust(14) + mycolors.reset + myargs) 405 | print(mycolors.foreground.cyan + "\nUpdated:".ljust(14) + mycolors.reset + hatext['updated'], end=' ') 406 | if (hatext['attribution']): 407 | print(mycolors.foreground.cyan + "\nAttribution:".ljust(13), end=' ') 408 | for i in hatext['attribution']: 409 | print(mycolors.reset + str(i), end=' ') 410 | if (hatext['alt_names']): 411 | print(mycolors.foreground.cyan + "\nAliases:".ljust(13), end=' ') 412 | for i in hatext['alt_names']: 413 | print(mycolors.reset + i, end=' ') 414 | if (hatext['common_name']): 415 | print(mycolors.foreground.cyan + "\nCommon Name: ".ljust(13) + mycolors.reset + hatext['common_name'], end=' ') 416 | if (hatext['description']): 417 | print(mycolors.foreground.cyan + "\nDescription: ".ljust(13) + mycolors.reset + ("\n".ljust(14)).join(textwrap.wrap(hatext['description'], width=110)), end='\n') 418 | 419 | if (hatext['urls']): 420 | j = 0 421 | for i in hatext['urls']: 422 | if (j < 10): 423 | print(mycolors.foreground.cyan + "\nURL_%d:".ljust(15) % j + mycolors.reset + ("\n".ljust(14)).join(textwrap.wrap(i, width=110)), end=' ') 424 | if (j > 9 and j < 100): 425 | print(mycolors.foreground.cyan + "\nURL_%d:".ljust(14) % j + mycolors.reset + ("\n".ljust(14)).join(textwrap.wrap(i, width=110)), end=' ') 426 | if (j > 99): 427 | print(mycolors.foreground.cyan + "\nURL_%d:".ljust(13) % j + mycolors.reset + ("\n".ljust(14)).join(textwrap.wrap(i, width=110)), end=' ') 428 | j = j + 1 429 | 430 | except ValueError as e: 431 | print(e) 432 | if (cv.bkg == 1): 433 | print((mycolors.foreground.lightred + "Error while connecting to Malpedia!\n")) 434 | else: 435 | print((mycolors.foreground.red + "Error while connecting to Malpedia!\n")) 436 | printr() 437 | 438 | def malpedia_get_sample(self, arg1): 439 | if len(arg1) not in [32, 64]: 440 | return False 441 | 442 | urlx = MalpediaExtractor.malpediaurl 443 | 444 | hatext = '' 445 | haresponse = '' 446 | myargs = arg1 447 | 448 | self.requestMALPEDIAAPI() 449 | 450 | try: 451 | resource = urlx 452 | requestsession = requests.Session() 453 | requestsession.headers.update({'Content-Type': 'application/json'}) 454 | requestsession.headers.update({'Authorization': 'apitoken ' + self.MALPEDIAAPI}) 455 | finalurl = '/'.join([resource, 'get', 'sample', myargs, 'zip']) 456 | haresponse = requestsession.get(url=finalurl) 457 | hatext = json.loads(haresponse.text) 458 | 459 | if (cv.bkg == 1): 460 | if ('Not found.' in str(hatext)): 461 | print(mycolors.foreground.yellow + "\nThis sample couldn't be found on Malpedia.\n", mycolors.reset) 462 | exit(1) 463 | 464 | if (cv.bkg == 0): 465 | if ('Not found.' in str(hatext)): 466 | print(mycolors.foreground.cyan + "\nThis sample couldn't be found on Malpedia.\n", mycolors.reset) 467 | exit(1) 468 | 469 | if ('200' not in str(haresponse)): 470 | print(mycolors.foreground.red + "\nThe search key couldn't be found on Malpedia.\n", mycolors.reset) 471 | exit(1) 472 | 473 | if ('200' in str(haresponse)): 474 | outputpath = os.path.join(cv.output_dir, myargs + ".zip") 475 | open(outputpath, 'wb').write(base64.b64decode(hatext['zipped'])) 476 | if (cv.bkg == 1): 477 | print(mycolors.foreground.lightcyan + f"\nSample downloaded to: {outputpath}\n", mycolors.reset) 478 | else: 479 | print(mycolors.foreground.green + f"\nSample downloaded to: {outputpath}\n", mycolors.reset) 480 | exit(0) 481 | 482 | except ValueError as e: 483 | print(e) 484 | if (cv.bkg == 1): 485 | print((mycolors.foreground.lightred + "Error while connecting to Malpedia!\n")) 486 | else: 487 | print((mycolors.foreground.red + "Error while connecting to Malpedia!\n")) 488 | printr() 489 | 490 | def malpedia_get_yara(self, arg1): 491 | urlx = MalpediaExtractor.malpediaurl 492 | 493 | hatext = '' 494 | haresponse = '' 495 | myargs = arg1 496 | 497 | self.requestMALPEDIAAPI() 498 | 499 | try: 500 | resource = urlx 501 | requestsession = requests.Session() 502 | requestsession.headers.update({'Content-Type': 'application/json'}) 503 | requestsession.headers.update({'Authorization': 'apitoken ' + self.MALPEDIAAPI}) 504 | finalurl = '/'.join([resource, 'get', 'yara', myargs, 'zip']) 505 | haresponse = requestsession.get(url=finalurl) 506 | 507 | if (cv.bkg == 1): 508 | if ('Not found.' in str(hatext)): 509 | print(mycolors.foreground.yellow + "\nThe Yara rule for this family couldn't be found on Malpedia.\n", mycolors.reset) 510 | exit(1) 511 | 512 | if (cv.bkg == 0): 513 | if ('Not found.' in str(hatext)): 514 | print(mycolors.foreground.cyan + "\nThe Yara rule for this family couldn't be found on Malpedia.\n", mycolors.reset) 515 | exit(1) 516 | 517 | if ('200' not in str(haresponse)): 518 | print(mycolors.foreground.red + "\nThe search key couldn't be found on Malpedia.\n", mycolors.reset) 519 | exit(1) 520 | 521 | if ('200' in str(haresponse)): 522 | outputpath = os.path.join(cv.output_dir, myargs + ".zip") 523 | if (cv.bkg == 1): 524 | open(outputpath, 'wb').write(haresponse.content) 525 | print(mycolors.foreground.lightcyan + "\nA zip file named %s.zip containing Yara rules has been SUCCESSFULLY downloaded from Malpedia!\n" % myargs, mycolors.reset) 526 | else: 527 | open(outputpath, 'wb').write(haresponse.content) 528 | print(mycolors.foreground.green + "\nA zip file named %s.zip containing Yara rules has been SUCCESSFULLY downloaded from Malpedia!\n" % myargs, mycolors.reset) 529 | exit(0) 530 | except ValueError as e: 531 | print(e) 532 | if (cv.bkg == 1): 533 | print((mycolors.foreground.lightred + "Error while connecting to Malpedia!\n")) 534 | else: 535 | print((mycolors.foreground.red + "Error while connecting to Malpedia!\n")) 536 | printr() 537 | -------------------------------------------------------------------------------- /malwoverview/modules/malshare.py: -------------------------------------------------------------------------------- 1 | import malwoverview.modules.configvars as cv 2 | from malwoverview.utils.colors import mycolors, printr 3 | import json 4 | import requests 5 | import sys 6 | import os 7 | 8 | 9 | class MalshareExtractor(): 10 | urlmalshare = 'https://malshare.com/api.php?api_key=' 11 | 12 | def __init__(self, MALSHAREAPI): 13 | self.MALSHAREAPI = MALSHAREAPI 14 | 15 | def requestMALSHAREAPI(self): 16 | if (self.MALSHAREAPI == ''): 17 | print(mycolors.foreground.red + "\nTo be able to get/submit information from/to Malshare, you must create the .malwapi.conf file under your user home directory (on Linux is $HOME\\.malwapi.conf and on Windows is in C:\\Users\\[username]\\.malwapi.conf) and insert the Malshare API according to the format shown on the Github website." + mycolors.reset + "\n") 18 | exit(1) 19 | 20 | def malsharedown(self, filehash): 21 | if len(filehash) not in [32, 40, 64]: 22 | return False 23 | 24 | urlmalshare = MalshareExtractor.urlmalshare 25 | malresponse3 = '' 26 | resource = '' 27 | 28 | self.requestMALSHAREAPI() 29 | 30 | try: 31 | resource = filehash 32 | requestsession3 = requests.Session() 33 | finalurl3 = ''.join([ 34 | urlmalshare, self.MALSHAREAPI, 35 | '&action=getfile&hash=', resource 36 | ]) 37 | 38 | malresponse3 = requestsession3.get( 39 | url=finalurl3, 40 | allow_redirects=True 41 | ) 42 | 43 | if (b'Sample not found by hash' in malresponse3.content): 44 | if (cv.bkg == 1): 45 | print((mycolors.foreground.lightred + "\nSample not found by the provided hash.\n")) 46 | else: 47 | print((mycolors.foreground.red + "\nSample not found by the provided hash.\n")) 48 | print(mycolors.reset) 49 | exit(1) 50 | else: 51 | outputpath = os.path.join(cv.output_dir, resource) 52 | open(outputpath, 'wb').write(malresponse3.content) 53 | 54 | print("\n") 55 | print((mycolors.reset + f"Sample downloaded to: {outputpath}")) 56 | printr() 57 | except (BrokenPipeError, IOError): 58 | print(mycolors.reset, file=sys.stderr) 59 | exit(2) 60 | except ValueError as e: 61 | print(e) 62 | if (cv.bkg == 1): 63 | print((mycolors.foreground.lightred + "Error while connecting to Malshare.com!\n")) 64 | else: 65 | print((mycolors.foreground.red + "Error while connecting to Malshare.com!\n")) 66 | printr() 67 | 68 | def malsharelastlist(self, typex): 69 | urlmalshare = MalshareExtractor.urlmalshare 70 | maltext = '' 71 | malresponse = '' 72 | filetype = '' 73 | maltype = typex 74 | 75 | self.requestMALSHAREAPI() 76 | 77 | if (maltype == 2): 78 | filetype = 'PE32' 79 | elif (maltype == 3): 80 | filetype = 'ELF' 81 | elif (maltype == 4): 82 | filetype = 'Java' 83 | elif (maltype == 5 or maltype == 6): 84 | filetype = 'PDF' 85 | else: 86 | filetype = 'all' 87 | 88 | try: 89 | if (filetype != "all"): 90 | print("\n") 91 | print((mycolors.reset + "SHA256 hash".center(75)), end='') 92 | print((mycolors.reset + "MD5 hash".center(38)), end='') 93 | print((mycolors.reset + "File type".center(8)), end='') 94 | print("\n" + (126 * '-').center(59)) 95 | print((mycolors.reset)) 96 | 97 | requestsession = requests.Session() 98 | requestsession.headers.update({'accept': 'application/json'}) 99 | finalurl = ''.join([ 100 | urlmalshare, self.MALSHAREAPI, 101 | '&action=type&type=', filetype 102 | ]) 103 | malresponse = requestsession.get(url=finalurl) 104 | maltext = json.loads(malresponse.text) 105 | else: 106 | print("\n") 107 | print((mycolors.reset + "SHA256 hash".center(75)), end='') 108 | print((mycolors.reset + "MD5 hash".center(38)), end='') 109 | print("\n" + (112 * '-').center(56)) 110 | print((mycolors.reset)) 111 | 112 | requestsession = requests.Session( ) 113 | requestsession.headers.update({'accept': 'application/json'}) 114 | finalurl = ''.join([urlmalshare, self.MALSHAREAPI, '&action=getlist']) 115 | malresponse = requestsession.get(url=finalurl) 116 | maltext = json.loads(malresponse.text) 117 | 118 | if maltext: 119 | try: 120 | for i in range(0, len(maltext)): 121 | if (maltext[i].get('sha256')): 122 | if (cv.bkg == 1): 123 | if filetype != "all": 124 | print((mycolors.reset + "sha256: " + mycolors.foreground.yellow + "%s" % maltext[i]['sha256'] + mycolors.reset + " md5: " + mycolors.foreground.lightcyan + "%s" % maltext[i]['md5'] + mycolors.reset + " type: " + mycolors.foreground.lightred + "%s" % filetype)) 125 | else: 126 | print((mycolors.reset + "sha256: " + mycolors.foreground.yellow + "%s" % maltext[i]['sha256'] + mycolors.reset + " md5: " + mycolors.foreground.lightcyan + "%s" % maltext[i]['md5'] + mycolors.reset)) 127 | else: 128 | if filetype != "all": 129 | print((mycolors.reset + "sha256: " + mycolors.foreground.red + "%s" % maltext[i]['sha256'] + mycolors.reset + " md5: " + mycolors.foreground.blue + "%s" % maltext[i]['md5'] + mycolors.reset + " type: " + mycolors.foreground.purple + "%s" % filetype)) 130 | else: 131 | print((mycolors.reset + "sha256: " + mycolors.foreground.red + "%s" % maltext[i]['sha256'] + mycolors.reset + " md5: " + mycolors.foreground.blue + "%s" % maltext[i]['md5'] + mycolors.reset)) 132 | except KeyError: 133 | pass 134 | except (BrokenPipeError, IOError): 135 | print(mycolors.reset, file=sys.stderr) 136 | return False 137 | except ValueError as e: 138 | print(e) 139 | if (cv.bkg == 1): 140 | print((mycolors.foreground.lightred + "Error while connecting to Malshare.com!\n")) 141 | else: 142 | print((mycolors.foreground.red + "Error while connecting to Malshare.com!\n")) 143 | printr() 144 | return False 145 | 146 | return True 147 | -------------------------------------------------------------------------------- /malwoverview/modules/multipleip.py: -------------------------------------------------------------------------------- 1 | from malwoverview.utils.colors import mycolors, printr, printc 2 | import malwoverview.modules.configvars as cv 3 | 4 | class MultipleIPExtractor: 5 | def __init__(self, extractors): 6 | self.extractors = extractors 7 | 8 | def get_multiple_ip_details(self, ip_address): 9 | if ip_address is None: 10 | printc("A valid IP address is required.", mycolors.foreground.error(cv.bkg)) 11 | return 12 | 13 | for extractor in self.extractors: 14 | extractor_obj = self.extractors[extractor] 15 | if extractor == "IPInfo": 16 | extractor_obj.get_ip_details(ip_address) 17 | elif extractor == "BGPView": 18 | extractor_obj.get_ip_details(ip_address) 19 | elif extractor == "VirusTotal": 20 | data = extractor_obj._raw_ip_info(ip_address) 21 | self._get_info_virustotal(data.json()) 22 | elif extractor == "AlienVault": 23 | data = extractor_obj._raw_ip_info(ip_address) 24 | self._get_info_alienvault(data.json()) 25 | #elif extractor == "InQuest": 26 | # data = extractor_obj._raw_ip_info(ip_address) 27 | # self._get_info_inquest(data.json()) 28 | # elif extractor == "PolySwarm": 29 | # data = extractor_obj._raw_ip_info(ip_address) 30 | # self._get_info_polyswarm(data) 31 | 32 | def _get_info_virustotal(self, data): 33 | try: 34 | attributes = data.get('data', {}).get('attributes', {}) 35 | 36 | print() 37 | print((mycolors.reset + "VIRUSTOTAL IP REPORT".center(100)), end='') 38 | #print((mycolors.reset + "".center(28)), end='') 39 | print("\n" + (100 * '-').center(50)) 40 | 41 | fields = { 42 | 'Reputation': attributes.get('reputation'), 43 | 'RIR': attributes.get('regional_internet_registry'), 44 | 'Network': attributes.get('network'), 45 | 'ASN': attributes.get('asn'), 46 | 'AS Owner': attributes.get('as_owner'), 47 | 'Country Code': attributes.get('country'), 48 | 'Continent': attributes.get('continent') 49 | } 50 | 51 | COLSIZE = max(len(field) for field in fields.keys()) + 3 52 | 53 | for field, value in fields.items(): 54 | print(mycolors.foreground.info(cv.bkg) + f"{field}:".ljust(COLSIZE) + "\t" + mycolors.reset + str(value)) 55 | 56 | print("\nAnalysis Stats:") 57 | stats = attributes.get('last_analysis_stats', {}) 58 | for stat, count in stats.items(): 59 | print(mycolors.foreground.error(cv.bkg) + f"{stat.title()}:".ljust(COLSIZE) + "\t" + mycolors.reset + str(count)) 60 | 61 | print("\nCommunity Votes:") 62 | votes = attributes.get('total_votes', {}) 63 | for vote, count in votes.items(): 64 | print(mycolors.foreground.error(cv.bkg) + f"{vote.title()}:".ljust(COLSIZE) + "\t" + mycolors.reset + str(count)) 65 | 66 | except Exception as e: 67 | print(mycolors.foreground.error(cv.bkg) + f"\nError: {str(e)}\n" + mycolors.reset) 68 | 69 | print() 70 | print("(For the full VirusTotal report use the -v and -V options)") 71 | 72 | def _get_info_alienvault(self, data): 73 | try: 74 | print() 75 | print((mycolors.reset + "ALIENVAULT IP REPORT".center(100)), end='') 76 | # print((mycolors.reset + "".center(28)), end='') 77 | print("\n" + (100 * '-').center(50)) 78 | 79 | COLSIZE = 13 80 | 81 | infocolor = mycolors.foreground.info(cv.bkg) 82 | print(infocolor + f"ASN:".ljust(COLSIZE) + "\t" + mycolors.reset + str(data.get('asn'))) 83 | print(infocolor + f"Country:".ljust(COLSIZE) + "\t" + mycolors.reset + str(data.get('country_name'))) 84 | print(infocolor + f"Region:".ljust(COLSIZE) + "\t" + mycolors.reset + str(data.get('region'))) 85 | print(infocolor + f"City:".ljust(COLSIZE) + "\t" + mycolors.reset + str(data.get('city'))) 86 | print(infocolor + f"Continent:".ljust(COLSIZE) + "\t" + mycolors.reset + str(data.get('continent_code'))) 87 | print(infocolor + f"Latitude:".ljust(COLSIZE) + "\t" + mycolors.reset + str(data.get('latitude'))) 88 | print(infocolor + f"Longitude:".ljust(COLSIZE) + "\t" + mycolors.reset + str(data.get('longitude'))) 89 | print(infocolor + f"Sections:".ljust(COLSIZE) + "\t" + mycolors.reset + ', '.join(data.get('sections', []))) 90 | print(mycolors.foreground.error(cv.bkg) + f"Pulses Found:".ljust(COLSIZE) + "\t" + mycolors.reset + str(data.get('pulse_info', {}).get('count'))) 91 | 92 | except Exception as e: 93 | printc(f"\nError: {str(e)}\n", mycolors.foreground.error(cv.bkg)) 94 | 95 | print() 96 | print("(For the full AlienVault report use the -n and -N options)") 97 | 98 | """ 99 | def _get_info_inquest(self, data): 100 | try: 101 | print("\n") 102 | print((mycolors.reset + "INQUEST IP REPORT".center(100)), end='') 103 | print((mycolors.reset + "".center(28)), end='') 104 | print("\n" + (100 * '-').center(50)) 105 | 106 | print(data) 107 | 108 | except Exception as e: 109 | if (cv.bkg == 1): 110 | print(mycolors.foreground.lightred + f"\nError: {str(e)}\n" + mycolors.reset) 111 | else: 112 | print(mycolors.foreground.red + f"\nError: {str(e)}\n" + mycolors.reset) 113 | 114 | print() 115 | print("(For the full InQuest report use the -i and -I options)") 116 | 117 | def _get_info_polyswarm(self, data): 118 | print("\n") 119 | print((mycolors.reset + "POLYSWARM IP REPORT".center(100)), end='') 120 | print((mycolors.reset + "".center(28)), end='') 121 | print("\n" + (100 * '-').center(50)) 122 | 123 | print(data) 124 | 125 | print() 126 | print("(For the full PolySwarm report use the -p and -P options)") 127 | """ -------------------------------------------------------------------------------- /malwoverview/modules/polyswarm.py: -------------------------------------------------------------------------------- 1 | import malwoverview.modules.configvars as cv 2 | from polyswarm_api.api import PolyswarmAPI 3 | from malwoverview.utils.colors import mycolors, printr 4 | from malwoverview.utils.hash import sha256hash 5 | from malwoverview.utils.peinfo import ftype 6 | import pefile 7 | from requests.exceptions import RetryError 8 | import re 9 | import os 10 | 11 | 12 | class PolyswarmExtractor(): 13 | def __init__(self, POLYAPI): 14 | self.POLYAPI = POLYAPI 15 | 16 | def requestPOLYAPI(self): 17 | if self.POLYAPI == '': 18 | print(mycolors.foreground.red + "\nTo be able to get/submit information from/to Polyswarm, you must create the .malwapi.conf file under your user home directory (on Linux is $HOME\\.malwapi.conf and on Windows is in C:\\Users\\[username]\\.malwapi.conf) and insert the Polyswarm API according to the format shown on the Github website." + mycolors.reset + "\n") 19 | exit(1) 20 | 21 | def polymetasearch(self, poly, metainfo): 22 | self.requestPOLYAPI() 23 | polyswarm = PolyswarmAPI(key=self.POLYAPI) 24 | 25 | if (metainfo == 4): 26 | targetfile = poly 27 | dname = str(os.path.dirname(targetfile)) 28 | if not os.path.abspath(dname): 29 | dname = os.path.abspath('.') + "/" + dname 30 | magictype = ftype(targetfile) 31 | 32 | try: 33 | if re.match(r'^PE[0-9]{2}|^MS-DOS', magictype): 34 | fmype = pefile.PE(targetfile) 35 | fimph = fmype.get_imphash() 36 | else: 37 | if (cv.bkg == 1): 38 | print(mycolors.foreground.lightred + "\nYou didn\'t provided a PE file") 39 | else: 40 | print(mycolors.foreground.red + "\nYou didn\'t provided a PE file") 41 | printr() 42 | exit(1) 43 | except (AttributeError, NameError): 44 | if (cv.bkg == 1): 45 | print((mycolors.foreground.lightred + "\nThe file %s doesn't respect some PE format rules. Exiting...\n" % targetfile)) 46 | else: 47 | print((mycolors.foreground.red + "\nThe file %s doesn't respect some PE format rules. Exiting...\n" % targetfile)) 48 | printr() 49 | exit(1) 50 | 51 | printr() 52 | print("POLYSWARM.NETWORK RESULTS") 53 | print('-' * 25, end="\n\n") 54 | 55 | try: 56 | if (metainfo == 4): 57 | metaresults = polyswarm.search_by_metadata("pefile.imphash:" + fimph) 58 | for x in metaresults: 59 | if (cv.bkg == 1): 60 | if (x.sha256): 61 | print(mycolors.reset + "\nSHA256: " + mycolors.foreground.lightred + "%s" % x.sha256, end=' ') 62 | else: 63 | print(mycolors.reset + "\nSHA256: " + mycolors.foreground.lightred + "%s" + "None", end=' ') 64 | if (x.md5): 65 | print(mycolors.reset + "MD5: " + mycolors.foreground.lightcyan + "%s" % x.md5, end=' ') 66 | else: 67 | print(mycolors.reset + "MD5: " + mycolors.foreground.lightcyan + "%s" + "None", end=' ') 68 | else: 69 | if (x.sha256): 70 | print(mycolors.reset + "\nSHA256: " + mycolors.foreground.red + "%s" % x.sha256, end=' ') 71 | else: 72 | print(mycolors.reset + "\nSHA256: " + mycolors.foreground.red + "%s" + "None", end=' ') 73 | if (x.md5): 74 | print(mycolors.reset + "MD5: " + mycolors.foreground.green + "%s" % x.md5, end=' ') 75 | else: 76 | print(mycolors.reset + "MD5: " + mycolors.foreground.green + "%s" + "None", end=' ') 77 | print(mycolors.reset + "\n") 78 | exit(0) 79 | 80 | try: 81 | if (metainfo == 5): 82 | metaresults = polyswarm.search_by_metadata("strings.ipv4:" + poly) 83 | if (metainfo == 6): 84 | metaresults = polyswarm.search_by_metadata("strings.domains:" + poly) 85 | if (metainfo == 7): 86 | poly = (r'"' + poly + r'"') 87 | metaresults = polyswarm.search_by_metadata("strings.urls:" + poly) 88 | if (metainfo == 8): 89 | poly = ('scan.latest_scan.\*.metadata.malware_family:' + poly) 90 | metaresults = polyswarm.search_by_metadata(poly) 91 | except Exception: 92 | if (cv.bkg == 1): 93 | print((mycolors.foreground.lightred + "\nInformation not found on Polyswarm.\n")) 94 | else: 95 | print((mycolors.foreground.red + "\nInformation not found on Polyswarm.\n")) 96 | print(mycolors.reset) 97 | exit(0) 98 | 99 | for y in metaresults: 100 | if (cv.bkg == 1): 101 | if (y.sha256): 102 | print(mycolors.reset + "\nSHA256: " + mycolors.foreground.lightcyan + "%s" % y.sha256, end=' ') 103 | else: 104 | print(mycolors.reset + "Result: " + mycolors.foreground.yellow + "Sample not found!", end=' ') 105 | exit(0) 106 | 107 | try: 108 | score = next(polyswarm.search(y.sha256)) 109 | except Exception: 110 | score.polyscore = "None" 111 | pass 112 | 113 | print(mycolors.reset + "Polyscore: " + mycolors.foreground.yellow + "%20s" % score.polyscore, end=' ') 114 | if (str(y.scan.get('detections', {}).get('malicious'))) != 'None': 115 | print(mycolors.reset + "scan: " + mycolors.foreground.yellow + "%s" % y.scan.get('detections', {}).get('malicious'), end=' ') 116 | print("/ " + "%2s malicious" % y.scan.get('detections', {}).get('total'), end=' ') 117 | else: 118 | print(mycolors.reset + "scan: " + mycolors.foreground.pink + "not scanned yet", end=' ') 119 | else: 120 | if (y.sha256): 121 | print(mycolors.reset + "\nSHA256: " + mycolors.foreground.green + "%s" % y.sha256, end=' ') 122 | else: 123 | print(mycolors.reset + "scan: " + mycolors.foreground.purple + "Sample not found!", end=' ') 124 | exit(0) 125 | 126 | try: 127 | score = next(polyswarm.search(y.sha256)) 128 | except Exception: 129 | score.polyscore = "None" 130 | pass 131 | 132 | print(mycolors.reset + "Polyscore: " + mycolors.foreground.red + "%20s" % score.polyscore, end=' ') 133 | if (str(y.scan.get('detections', {}).get('malicious'))) != 'None': 134 | print(mycolors.reset + "scan: " + mycolors.foreground.red + "%s" % y.scan.get('detections', {}).get('malicious'), end=' ') 135 | print("/ " + "%2s malicious" % y.scan.get('detections', {}).get('total'), end=' ') 136 | else: 137 | print(mycolors.reset + "Result: " + mycolors.foreground.purple + "not scanned yet", end=' ') 138 | 139 | printr() 140 | except RetryError: 141 | if (cv.bkg == 1): 142 | print((mycolors.foreground.lightred + "\nAn error has ocurred during Polyswarm processing. Exiting...\n")) 143 | else: 144 | print((mycolors.foreground.red + "\nAn error has ocurred during Polyswarm processing. Exiting...\n")) 145 | printr() 146 | exit(1) 147 | except Exception as e: 148 | if (cv.bkg == 1): 149 | print((mycolors.foreground.lightred + "\nAn error has ocurred while connecting to Polyswarm.\n")) 150 | else: 151 | print((mycolors.foreground.red + "\nAn error has ocurred while connecting to Polyswarm.\n")) 152 | print(e) 153 | printr() 154 | exit(1) 155 | 156 | def polyfile(self, poly): 157 | if not (os.path.isfile(poly)): 158 | if (cv.bkg == 0): 159 | print(mycolors.foreground.red + "\nYou didn't provide a valid file.\n") 160 | printr() 161 | exit(1) 162 | else: 163 | print(mycolors.foreground.yellow + "\nYou didn't provide a valid file.\n") 164 | printr() 165 | exit(1) 166 | 167 | sha256 = '' 168 | filetype = '' 169 | extended = '' 170 | firstseen = '' 171 | score = 0 172 | 173 | self.requestPOLYAPI() 174 | 175 | polyswarm = PolyswarmAPI(key=self.POLYAPI) 176 | 177 | try: 178 | myhash = sha256hash(poly) 179 | instance = polyswarm.submit(poly) 180 | result = polyswarm.wait_for(instance) 181 | printr() 182 | print("POLYSWARM.NETWORK RESULTS") 183 | print('-' * 25, end="\n\n") 184 | for assertion in result.assertions: 185 | if (cv.bkg == 1): 186 | print(mycolors.reset + "Engine: " + mycolors.foreground.lightcyan + "%-25s" % assertion.author_name, end='') 187 | print(mycolors.reset + "\tVerdict:" + mycolors.foreground.lightred + " ", "Malicious" if assertion.verdict else "Clean") 188 | else: 189 | print(mycolors.reset + "Engine: " + mycolors.foreground.green + "%-25s" % assertion.author_name, end='') 190 | print(mycolors.reset + "\tVerdict:" + mycolors.foreground.red + " ", "Malicious" if assertion.verdict else "Clean") 191 | 192 | results = polyswarm.search(myhash) 193 | printr() 194 | for myhashes in results: 195 | if (myhashes.sha256): 196 | sha256 = myhashes.sha256 197 | if (myhashes.mimetype): 198 | filetype = myhashes.mimetype 199 | if (myhashes.extended_type): 200 | extended = myhashes.extended_type 201 | if (myhashes.first_seen): 202 | firstseen = myhashes.first_seen 203 | if (myhashes.polyscore): 204 | score = myhashes.polyscore 205 | 206 | if (cv.bkg == 1): 207 | if (sha256): 208 | print(mycolors.foreground.lightred + "\nSHA256: \t%s" % sha256) 209 | if (filetype): 210 | print(mycolors.foreground.lightred + "File Type: \t%s" % filetype) 211 | if (extended): 212 | print(mycolors.foreground.lightred + "Extended Info: \t%s" % extended) 213 | if (firstseen): 214 | print(mycolors.foreground.lightred + "First seen: \t%s" % firstseen) 215 | if (score is not None): 216 | print(mycolors.foreground.yellow + "\nPolyscore: \t%f" % score) 217 | else: 218 | if (sha256): 219 | print(mycolors.foreground.cyan + "\nSHA256: \t%s" % sha256) 220 | if (filetype): 221 | print(mycolors.foreground.cyan + "File Type: \t%s" % filetype) 222 | if (extended): 223 | print(mycolors.foreground.cyan + "Extended Info: \t%s" % extended) 224 | if (firstseen): 225 | print(mycolors.foreground.cyan + "First seen: \t%s" % firstseen) 226 | if (score is not None): 227 | print(mycolors.foreground.red + "\nPolyscore: \t%f" % score) 228 | printr() 229 | except Exception: 230 | if (cv.bkg == 1): 231 | print((mycolors.foreground.lightred + "\nAn error has ocurred while connecting to Polyswarm.\n")) 232 | else: 233 | print((mycolors.foreground.red + "\nAn error has ocurred while connecting to Polyswarm.\n")) 234 | printr() 235 | exit(1) 236 | 237 | def polyhashsearch(self, poly, download): 238 | if len(poly) not in [32, 40, 64]: 239 | return False 240 | 241 | sha256 = '' 242 | filetype = '' 243 | extended = '' 244 | firstseen = '' 245 | score = 0 246 | down = download 247 | DOWN_DIR = cv.output_dir 248 | 249 | self.requestPOLYAPI() 250 | polyswarm = PolyswarmAPI(key=self.POLYAPI) 251 | 252 | try: 253 | results = polyswarm.search(poly) 254 | 255 | printr() 256 | print("POLYSWARM.NETWORK RESULTS") 257 | print('-' * 25, end="\n\n") 258 | printr() 259 | 260 | for myhashes in results: 261 | if not myhashes.assertions: 262 | if (cv.bkg == 1): 263 | print(mycolors.foreground.lightred + "This sample has not been scanned on Polyswarm yet!\n" + mycolors.reset) 264 | exit(1) 265 | else: 266 | print(mycolors.foreground.red + "This sample has not been scanned on Polyswarmi yet!\n" + mycolors.reset) 267 | exit(1) 268 | if (myhashes.sha256): 269 | sha256 = myhashes.sha256 270 | if (myhashes.mimetype): 271 | filetype = myhashes.mimetype 272 | if (myhashes.extended_type): 273 | extended = myhashes.extended_type 274 | if (myhashes.first_seen): 275 | firstseen = myhashes.first_seen 276 | if (myhashes.polyscore): 277 | score = myhashes.polyscore 278 | results = myhashes.assertions 279 | for i in results: 280 | if (cv.bkg == 1): 281 | print(mycolors.foreground.lightcyan + "%s" % i) 282 | else: 283 | print(mycolors.foreground.green + "%s" % i) 284 | 285 | if (cv.bkg == 1): 286 | if (sha256): 287 | print(mycolors.foreground.lightred + "\nSHA256: \t%s" % sha256) 288 | if (filetype): 289 | print(mycolors.foreground.lightred + "File Type: \t%s" % filetype) 290 | if (extended): 291 | print(mycolors.foreground.lightred + "Extended Info: \t%s" % extended) 292 | if (firstseen): 293 | print(mycolors.foreground.lightred + "First seen: \t%s" % firstseen) 294 | if (score is not None): 295 | print(mycolors.foreground.yellow + "\nPolyscore: \t%f" % score) 296 | if (down == 1): 297 | polyswarm.download(DOWN_DIR, sha256) 298 | print(mycolors.reset + f"\n\nSample downloaded to: {DOWN_DIR}") 299 | else: 300 | if (sha256): 301 | print(mycolors.foreground.cyan + "\nSHA256: \t%s" % sha256) 302 | if (filetype): 303 | print(mycolors.foreground.cyan + "File Type: \t%s" % filetype) 304 | if (extended): 305 | print(mycolors.foreground.cyan + "Extended Info: \t%s" % extended) 306 | if (firstseen): 307 | print(mycolors.foreground.cyan + "First seen: \t%s" % firstseen) 308 | if (score is not None): 309 | print(mycolors.foreground.red + "\nPolyscore: \t%f" % score) 310 | if (down == 1): 311 | polyswarm.download(DOWN_DIR, sha256) 312 | print(mycolors.reset + f"\n\nSample downloaded to: {DOWN_DIR}") 313 | printr() 314 | except Exception: 315 | if (cv.bkg == 1): 316 | print((mycolors.foreground.yellow + "\nThis hash couldn't be found on Polyswarm.\n")) 317 | else: 318 | print((mycolors.foreground.red + "\nThis hash couldn't be found Polyswarm.\n")) 319 | printr() 320 | exit(1) 321 | -------------------------------------------------------------------------------- /malwoverview/modules/virusexchange.py: -------------------------------------------------------------------------------- 1 | import requests 2 | import os 3 | import malwoverview.modules.configvars as cv 4 | from malwoverview.utils.colors import mycolors, printc 5 | 6 | class VirusExchangeExtractor: 7 | def __init__(self, api_key): 8 | self.VXAPI = api_key 9 | self.base_url = "https://virus.exchange/api" 10 | 11 | def _requireVXAPI(self): 12 | if (self.VXAPI == ''): 13 | printc("\nTo be able to get/submit information from/to Virus Exchange, you must create the .malwapi.conf file under your user home directory (on Linux is $HOME\\.malwapi.conf and on Windows is in C:\\Users\\[username]\\.malwapi.conf) and insert the Virus Exchange API according to the format shown on the Github website.", mycolors.foreground.error(cv.bkg)) 14 | exit(1) 15 | 16 | def _get_hash_metadata(self, sha256): 17 | url = f'{self.base_url}/samples/{sha256}' 18 | response = requests.get(url, headers={'Authorization': f'Bearer {self.VXAPI}'}) 19 | return response 20 | 21 | def check_hash(self, sha256): 22 | self._requireVXAPI() 23 | 24 | metadata_to_show = [ 25 | {"key": "md5", "name": "MD5", "colors": (mycolors.foreground.cyan, mycolors.foreground.lightcyan), "pad": 12}, 26 | {"key": "sha1", "name": "SHA1", "colors": (mycolors.foreground.cyan, mycolors.foreground.lightcyan), "pad": 12}, 27 | {"key": "sha256", "name": "SHA256", "colors": (mycolors.foreground.cyan, mycolors.foreground.lightcyan), "pad": 12}, 28 | {"key": "size", "name": "Size", "colors": (mycolors.foreground.purple, mycolors.foreground.yellow), "pad": 12}, 29 | { 30 | "key": "tags", "name": "Tags", 31 | "colors": (mycolors.foreground.purple, mycolors.foreground.yellow), "pad": 12, 32 | "fn": lambda x: ', '.join(x) if hasattr(x, '__iter__') else "" 33 | }, 34 | {"key": "type", "name": "Type", "colors": (mycolors.foreground.purple, mycolors.foreground.yellow), "pad": 12}, 35 | {"key": "first_seen", "name": "First Seen", "colors": (mycolors.foreground.purple, mycolors.foreground.yellow), "pad": 12} 36 | ] 37 | 38 | try: 39 | response = self._get_hash_metadata(sha256) 40 | except Exception as e: 41 | printc(f"[-] Error checking hash metadata: {str(e)}", mycolors.foreground.error(cv.bkg)) 42 | return 43 | 44 | metadata = response.json() 45 | 46 | print() 47 | for val in metadata_to_show: 48 | key = val['key'] 49 | color = val["colors"][cv.bkg] 50 | name = val['name'] 51 | pad = val['pad'] 52 | fn = val.get('fn', None) 53 | 54 | if key in metadata: 55 | printc(f'{name}:'.ljust(pad), color, end='') 56 | 57 | val_to_print = metadata[key] 58 | if fn is not None: 59 | val_to_print = fn(metadata[key]) 60 | 61 | print(f'{val_to_print}') 62 | 63 | def download_sample(self, sha256): 64 | self._requireVXAPI() 65 | 66 | try: 67 | response = self._get_hash_metadata(sha256) 68 | metadata = response.json() 69 | 70 | if response.status_code == 200: 71 | download_link = metadata.get('download_link') 72 | if download_link: 73 | # Download the actual sample 74 | sample_response = requests.get(download_link) 75 | if sample_response.status_code == 200: 76 | output_path = os.path.join(cv.output_dir, sha256) 77 | with open(output_path, 'wb') as f: 78 | f.write(sample_response.content) 79 | printc(f"Sample downloaded to: {output_path}", mycolors.foreground.success(cv.bkg)) 80 | else: 81 | printc(f"Failed to download sample: {sample_response.status_code}", mycolors.foreground.error(cv.bkg)) 82 | else: 83 | printc("No download link available in metadata", mycolors.foreground.error(cv.bkg)) 84 | else: 85 | error_detail = metadata.get('errors', {}).get('detail', 'Unknown error') 86 | printc(f"Failed to fetch sample metadata: {error_detail}", mycolors.foreground.error(cv.bkg)) 87 | except Exception as e: 88 | printc(f"Error downloading sample: {str(e)}", mycolors.foreground.error(cv.bkg)) 89 | 90 | # This method is currently shown in the docs, but it's always returning 401 91 | # so it was removed from the official options. 92 | def upload_sample(self, file_path): 93 | self._requireVXAPI() 94 | 95 | url = f'{self.base_url}/samples/new' 96 | 97 | try: 98 | with open(file_path, 'rb') as f: 99 | files = {'file': f} 100 | response = requests.post(url, headers={'Authorization': f'Bearer {self.VXAPI}'}, files=files) 101 | 102 | if response.status_code == 200: 103 | printc("Sample uploaded successfully", mycolors.foreground.success(cv.bkg)) 104 | else: 105 | printc(f"Failed to upload sample: {response.status_code}", mycolors.foreground.error(cv.bkg)) 106 | except Exception as e: 107 | printc(f"Error uploading sample: {str(e)}", mycolors.foreground.error(cv.bkg)) -------------------------------------------------------------------------------- /malwoverview/utils/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/alexandreborges/malwoverview/d5fc570750951dfcf1608525282b6cb01a753a41/malwoverview/utils/__init__.py -------------------------------------------------------------------------------- /malwoverview/utils/colors.py: -------------------------------------------------------------------------------- 1 | class mycolors: 2 | reset = '\033[0m' 3 | reverse = '\033[07m' 4 | bold = '\033[01m' 5 | 6 | class foreground: 7 | orange = '\033[33m' 8 | blue = '\033[34m' 9 | purple = '\033[35m' 10 | lightgreen = '\033[92m' 11 | lightblue = '\033[94m' 12 | pink = '\033[95m' 13 | lightcyan = '\033[96m' 14 | red = '\033[31m' 15 | green = '\033[32m' 16 | cyan = '\033[36m' 17 | lightgrey = '\033[37m' 18 | darkgrey = '\033[90m' 19 | lightred = '\033[91m' 20 | yellow = '\033[93m' 21 | 22 | @staticmethod 23 | def error(bkg): 24 | if bkg == 1: 25 | return mycolors.foreground.lightred 26 | else: 27 | return mycolors.foreground.red 28 | 29 | @staticmethod 30 | def info(bkg): 31 | if bkg == 1: 32 | return mycolors.foreground.lightcyan 33 | else: 34 | return mycolors.foreground.cyan 35 | 36 | @staticmethod 37 | def success(bkg): 38 | if bkg == 1: 39 | return mycolors.foreground.yellow 40 | else: 41 | return mycolors.foreground.blue 42 | 43 | class background: 44 | black = '\033[40m' 45 | blue = '\033[44m' 46 | cyan = '\033[46m' 47 | lightgrey = '\033[47m' 48 | purple = '\033[45m' 49 | green = '\033[42m' 50 | orange = '\033[43m' 51 | red = '\033[41m' 52 | 53 | 54 | def printc(text, color, *args, **kwargs): 55 | print(f'{color}{text}{mycolors.reset}', *args, **kwargs) 56 | 57 | 58 | def printr(): 59 | print(mycolors.reset) 60 | -------------------------------------------------------------------------------- /malwoverview/utils/hash.py: -------------------------------------------------------------------------------- 1 | import hashlib 2 | import os 3 | from malwoverview.utils.colors import mycolors, printr 4 | import malwoverview.modules.configvars as cv 5 | 6 | 7 | def sha256hash(fname): 8 | BSIZE = 65536 9 | hnd = open(fname, 'rb') 10 | hash256 = hashlib.sha256() 11 | while True: 12 | info = hnd.read(BSIZE) 13 | if not info: 14 | break 15 | hash256.update(info) 16 | return hash256.hexdigest() 17 | 18 | 19 | def md5hash(fname): 20 | BSIZE = 65536 21 | hnd = open(fname, 'rb') 22 | hashmd5 = hashlib.md5() 23 | while True: 24 | info = hnd.read(BSIZE) 25 | if not info: 26 | break 27 | hashmd5.update(info) 28 | return hashmd5.hexdigest() 29 | 30 | 31 | def calchash(ffpname2): 32 | targetfile = ffpname2 33 | mysha256hash = '' 34 | dname = str(os.path.dirname(targetfile)) 35 | if not os.path.abspath(dname): 36 | dname = os.path.abspath('.') + "/" + dname 37 | 38 | print(mycolors.reset, end=' ') 39 | 40 | try: 41 | mysha256hash = sha256hash(targetfile) 42 | return mysha256hash 43 | except Exception: 44 | if (cv.bkg == 1): 45 | print((mycolors.foreground.lightred + "Error while calculing the hash!\n")) 46 | else: 47 | print((mycolors.foreground.red + "Error while calculating the hash\n")) 48 | printr() 49 | -------------------------------------------------------------------------------- /malwoverview/utils/peinfo.py: -------------------------------------------------------------------------------- 1 | import pefile 2 | from malwoverview.utils.colors import mycolors, printr 3 | import malwoverview.modules.configvars as cv 4 | import magic 5 | import os 6 | 7 | 8 | def ftype(filename): 9 | type = magic.from_file(filename) 10 | return type 11 | 12 | 13 | def isoverlay(file_item): 14 | mype2 = pefile.PE(file_item) 15 | over = mype2.get_overlay_data_start_offset() 16 | if over is None: 17 | ovr = "NO" 18 | else: 19 | ovr = "YES" 20 | return ovr 21 | 22 | 23 | def overextract(fname): 24 | with open(fname, "rb") as o: 25 | r = o.read() 26 | pe = pefile.PE(fname) 27 | offset = pe.get_overlay_data_start_offset() 28 | if offset is None: 29 | exit(0) 30 | 31 | outputpath = os.path.join(cv.output_dir, fname + '.overlay') 32 | with open(outputpath, "wb") as t: 33 | t.write(r[offset:]) 34 | if (cv.bkg == 1): 35 | print((mycolors.foreground.yellow + "\n\nOverlay extracted: " + mycolors.reset + outputpath)) 36 | else: 37 | print((mycolors.foreground.green + "\n\nOverlay extracted: " + mycolors.reset + outputpath)) 38 | printr() 39 | 40 | 41 | def listexports(fname): 42 | exps = [] 43 | 44 | mype2 = pefile.PE(fname, fast_load=True) 45 | if mype2.OPTIONAL_HEADER.DATA_DIRECTORY[pefile.DIRECTORY_ENTRY['IMAGE_DIRECTORY_ENTRY_EXPORT']].VirtualAddress != 0: 46 | mype2.parse_data_directories(directories=[pefile.DIRECTORY_ENTRY['IMAGE_DIRECTORY_ENTRY_EXPORT']]) 47 | for exptab in mype2.DIRECTORY_ENTRY_EXPORT.symbols: 48 | x = hex(mype2.OPTIONAL_HEADER.ImageBase + exptab.address), exptab.name 49 | exps.append(x) 50 | 51 | return exps 52 | 53 | 54 | def listimports(fname): 55 | imps = [] 56 | 57 | mype2 = pefile.PE(fname, fast_load=True) 58 | if mype2.OPTIONAL_HEADER.DATA_DIRECTORY[pefile.DIRECTORY_ENTRY['IMAGE_DIRECTORY_ENTRY_IMPORT']].VirtualAddress != 0: 59 | mype2.parse_data_directories(directories=[pefile.DIRECTORY_ENTRY['IMAGE_DIRECTORY_ENTRY_IMPORT']]) 60 | if mype2.DIRECTORY_ENTRY_IMPORT is not None: 61 | for entry in mype2.DIRECTORY_ENTRY_IMPORT: 62 | for imptab in entry.imports: 63 | if imptab.name is None: 64 | imptab.name = "None" 65 | if imptab.address is None: 66 | imptab.address = int(0) 67 | x = hex(int(imptab.address)), imptab.name 68 | imps.append(x) 69 | return imps 70 | 71 | 72 | def list_imports_exports(targetfile): 73 | printr() 74 | 75 | print(("\nImported Functions".ljust(40))) 76 | print((110 * '-').ljust(110)) 77 | IR = [] 78 | IR = sorted(listimports(targetfile)) 79 | dic = {} 80 | dic = dict(IR) 81 | d = iter(list(dic.items())) 82 | IX = [] 83 | for key, value in sorted(d): 84 | IX.append(str(value)) 85 | Y = iter(IX) 86 | 87 | for i in Y: 88 | if i is None: 89 | break 90 | 91 | while (i == 'None'): 92 | i = next(Y, None) 93 | 94 | if i is None: 95 | break 96 | if (cv.bkg == 1): 97 | print((mycolors.foreground.pink + "%-40s" % (i)[2:-1]), end=' ') 98 | else: 99 | print((mycolors.foreground.cyan + "%-40s" % (i)[2:-1]), end=' ') 100 | w = next(Y, None) 101 | if w is None: 102 | break 103 | if (w == 'None'): 104 | w = next(Y, None) 105 | if w is None: 106 | break 107 | if (cv.bkg == 1): 108 | print((mycolors.foreground.lightcyan + "%-40s" % (w)[2:-1]), end=' ') 109 | else: 110 | print((mycolors.foreground.green + "%-40s" % (w)[2:-1]), end=' ') 111 | t = next(Y, None) 112 | if t is None: 113 | break 114 | if (t == 'None'): 115 | t = next(Y, None) 116 | if t is None: 117 | break 118 | if (cv.bkg == 1): 119 | print((mycolors.foreground.yellow + "%-40s" % (t)[2:-1])) 120 | else: 121 | print((mycolors.foreground.purple + "%-40s" % (t)[2:-1])) 122 | 123 | printr() 124 | 125 | print(("\n\nExported Functions".ljust(40))) 126 | print((110 * '-').ljust(110)) 127 | ER = [] 128 | ER = sorted(listexports(targetfile)) 129 | dic2 = {} 130 | dic2 = dict(ER) 131 | d2 = iter(list(dic2.items())) 132 | EX = [] 133 | for key, value in sorted(d2): 134 | EX.append(str(value)) 135 | Y2 = iter(EX) 136 | for i in Y2: 137 | if i is None: 138 | break 139 | while (i == 'None'): 140 | i = next(Y2, None) 141 | if i is None: 142 | break 143 | if (cv.bkg == 1): 144 | print((mycolors.foreground.yellow + "%-40s" % (i)[2:-1]), end=' ') 145 | else: 146 | print((mycolors.foreground.purple + "%-40s" % (i)[2:-1]), end=' ') 147 | w = next(Y2, None) 148 | if w is None: 149 | break 150 | if (w == 'None'): 151 | w = next(Y2, None) 152 | if w is None: 153 | break 154 | if (cv.bkg == 1): 155 | print((mycolors.foreground.lightcyan + "%-40s" % (w)[2:-1]), end=' ') 156 | else: 157 | print((mycolors.foreground.green + "%-40s" % (w)[2:-1]), end=' ') 158 | 159 | t = next(Y2, None) 160 | if t is None: 161 | break 162 | if (t == 'None'): 163 | t = next(Y2, None) 164 | if t is None: 165 | break 166 | if (cv.bkg == 1): 167 | print((mycolors.foreground.lightcyan + "%-40s" % (t)[2:-1])) 168 | else: 169 | print((mycolors.foreground.cyan + "%-40s" % (t)[2:-1])) 170 | 171 | printr() 172 | -------------------------------------------------------------------------------- /malwoverview/utils/utils.py: -------------------------------------------------------------------------------- 1 | from urllib.parse import urlparse 2 | import geocoder 3 | import socket 4 | 5 | 6 | def urltoip(urltarget): 7 | geoloc = '' 8 | target = '' 9 | finalip = '' 10 | result = '' 11 | 12 | try: 13 | target = urlparse(urltarget) 14 | result = target.netloc 15 | finalip = socket.gethostbyname(result) 16 | if finalip is not None: 17 | geoloc = geocoder.ip(finalip) 18 | if (geoloc is not None): 19 | return geoloc.city 20 | else: 21 | result = '' 22 | return result 23 | else: 24 | result = "Not Found" 25 | return result 26 | except Exception: 27 | result = "Not Found" 28 | return result 29 | -------------------------------------------------------------------------------- /pictures/picture_1.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/alexandreborges/malwoverview/d5fc570750951dfcf1608525282b6cb01a753a41/pictures/picture_1.jpg -------------------------------------------------------------------------------- /pictures/picture_10.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/alexandreborges/malwoverview/d5fc570750951dfcf1608525282b6cb01a753a41/pictures/picture_10.jpg -------------------------------------------------------------------------------- /pictures/picture_11.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/alexandreborges/malwoverview/d5fc570750951dfcf1608525282b6cb01a753a41/pictures/picture_11.jpg -------------------------------------------------------------------------------- /pictures/picture_12.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/alexandreborges/malwoverview/d5fc570750951dfcf1608525282b6cb01a753a41/pictures/picture_12.jpg -------------------------------------------------------------------------------- /pictures/picture_13.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/alexandreborges/malwoverview/d5fc570750951dfcf1608525282b6cb01a753a41/pictures/picture_13.jpg -------------------------------------------------------------------------------- /pictures/picture_14.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/alexandreborges/malwoverview/d5fc570750951dfcf1608525282b6cb01a753a41/pictures/picture_14.jpg -------------------------------------------------------------------------------- /pictures/picture_15.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/alexandreborges/malwoverview/d5fc570750951dfcf1608525282b6cb01a753a41/pictures/picture_15.jpg -------------------------------------------------------------------------------- /pictures/picture_16.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/alexandreborges/malwoverview/d5fc570750951dfcf1608525282b6cb01a753a41/pictures/picture_16.jpg -------------------------------------------------------------------------------- /pictures/picture_17.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/alexandreborges/malwoverview/d5fc570750951dfcf1608525282b6cb01a753a41/pictures/picture_17.jpg -------------------------------------------------------------------------------- /pictures/picture_18.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/alexandreborges/malwoverview/d5fc570750951dfcf1608525282b6cb01a753a41/pictures/picture_18.jpg -------------------------------------------------------------------------------- /pictures/picture_19.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/alexandreborges/malwoverview/d5fc570750951dfcf1608525282b6cb01a753a41/pictures/picture_19.jpg -------------------------------------------------------------------------------- /pictures/picture_2.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/alexandreborges/malwoverview/d5fc570750951dfcf1608525282b6cb01a753a41/pictures/picture_2.jpg -------------------------------------------------------------------------------- /pictures/picture_20.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/alexandreborges/malwoverview/d5fc570750951dfcf1608525282b6cb01a753a41/pictures/picture_20.jpg -------------------------------------------------------------------------------- /pictures/picture_21.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/alexandreborges/malwoverview/d5fc570750951dfcf1608525282b6cb01a753a41/pictures/picture_21.jpg -------------------------------------------------------------------------------- /pictures/picture_22.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/alexandreborges/malwoverview/d5fc570750951dfcf1608525282b6cb01a753a41/pictures/picture_22.jpg -------------------------------------------------------------------------------- /pictures/picture_23.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/alexandreborges/malwoverview/d5fc570750951dfcf1608525282b6cb01a753a41/pictures/picture_23.jpg -------------------------------------------------------------------------------- /pictures/picture_24.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/alexandreborges/malwoverview/d5fc570750951dfcf1608525282b6cb01a753a41/pictures/picture_24.jpg -------------------------------------------------------------------------------- /pictures/picture_25.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/alexandreborges/malwoverview/d5fc570750951dfcf1608525282b6cb01a753a41/pictures/picture_25.jpg -------------------------------------------------------------------------------- /pictures/picture_26.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/alexandreborges/malwoverview/d5fc570750951dfcf1608525282b6cb01a753a41/pictures/picture_26.jpg -------------------------------------------------------------------------------- /pictures/picture_27.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/alexandreborges/malwoverview/d5fc570750951dfcf1608525282b6cb01a753a41/pictures/picture_27.jpg -------------------------------------------------------------------------------- /pictures/picture_28.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/alexandreborges/malwoverview/d5fc570750951dfcf1608525282b6cb01a753a41/pictures/picture_28.jpg -------------------------------------------------------------------------------- /pictures/picture_29.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/alexandreborges/malwoverview/d5fc570750951dfcf1608525282b6cb01a753a41/pictures/picture_29.jpg -------------------------------------------------------------------------------- /pictures/picture_3.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/alexandreborges/malwoverview/d5fc570750951dfcf1608525282b6cb01a753a41/pictures/picture_3.jpg -------------------------------------------------------------------------------- /pictures/picture_30.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/alexandreborges/malwoverview/d5fc570750951dfcf1608525282b6cb01a753a41/pictures/picture_30.jpg -------------------------------------------------------------------------------- /pictures/picture_31.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/alexandreborges/malwoverview/d5fc570750951dfcf1608525282b6cb01a753a41/pictures/picture_31.jpg -------------------------------------------------------------------------------- /pictures/picture_32.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/alexandreborges/malwoverview/d5fc570750951dfcf1608525282b6cb01a753a41/pictures/picture_32.jpg -------------------------------------------------------------------------------- /pictures/picture_33.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/alexandreborges/malwoverview/d5fc570750951dfcf1608525282b6cb01a753a41/pictures/picture_33.jpg -------------------------------------------------------------------------------- /pictures/picture_34.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/alexandreborges/malwoverview/d5fc570750951dfcf1608525282b6cb01a753a41/pictures/picture_34.jpg -------------------------------------------------------------------------------- /pictures/picture_35.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/alexandreborges/malwoverview/d5fc570750951dfcf1608525282b6cb01a753a41/pictures/picture_35.jpg -------------------------------------------------------------------------------- /pictures/picture_36.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/alexandreborges/malwoverview/d5fc570750951dfcf1608525282b6cb01a753a41/pictures/picture_36.jpg -------------------------------------------------------------------------------- /pictures/picture_37.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/alexandreborges/malwoverview/d5fc570750951dfcf1608525282b6cb01a753a41/pictures/picture_37.jpg -------------------------------------------------------------------------------- /pictures/picture_38.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/alexandreborges/malwoverview/d5fc570750951dfcf1608525282b6cb01a753a41/pictures/picture_38.jpg -------------------------------------------------------------------------------- /pictures/picture_39.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/alexandreborges/malwoverview/d5fc570750951dfcf1608525282b6cb01a753a41/pictures/picture_39.jpg -------------------------------------------------------------------------------- /pictures/picture_4.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/alexandreborges/malwoverview/d5fc570750951dfcf1608525282b6cb01a753a41/pictures/picture_4.jpg -------------------------------------------------------------------------------- /pictures/picture_40.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/alexandreborges/malwoverview/d5fc570750951dfcf1608525282b6cb01a753a41/pictures/picture_40.jpg -------------------------------------------------------------------------------- /pictures/picture_41.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/alexandreborges/malwoverview/d5fc570750951dfcf1608525282b6cb01a753a41/pictures/picture_41.jpg -------------------------------------------------------------------------------- /pictures/picture_42.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/alexandreborges/malwoverview/d5fc570750951dfcf1608525282b6cb01a753a41/pictures/picture_42.jpg -------------------------------------------------------------------------------- /pictures/picture_43.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/alexandreborges/malwoverview/d5fc570750951dfcf1608525282b6cb01a753a41/pictures/picture_43.jpg -------------------------------------------------------------------------------- /pictures/picture_44.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/alexandreborges/malwoverview/d5fc570750951dfcf1608525282b6cb01a753a41/pictures/picture_44.jpg -------------------------------------------------------------------------------- /pictures/picture_45.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/alexandreborges/malwoverview/d5fc570750951dfcf1608525282b6cb01a753a41/pictures/picture_45.jpg -------------------------------------------------------------------------------- /pictures/picture_46.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/alexandreborges/malwoverview/d5fc570750951dfcf1608525282b6cb01a753a41/pictures/picture_46.jpg -------------------------------------------------------------------------------- /pictures/picture_47.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/alexandreborges/malwoverview/d5fc570750951dfcf1608525282b6cb01a753a41/pictures/picture_47.jpg -------------------------------------------------------------------------------- /pictures/picture_48.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/alexandreborges/malwoverview/d5fc570750951dfcf1608525282b6cb01a753a41/pictures/picture_48.jpg -------------------------------------------------------------------------------- /pictures/picture_49.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/alexandreborges/malwoverview/d5fc570750951dfcf1608525282b6cb01a753a41/pictures/picture_49.jpg -------------------------------------------------------------------------------- /pictures/picture_5.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/alexandreborges/malwoverview/d5fc570750951dfcf1608525282b6cb01a753a41/pictures/picture_5.jpg -------------------------------------------------------------------------------- /pictures/picture_50.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/alexandreborges/malwoverview/d5fc570750951dfcf1608525282b6cb01a753a41/pictures/picture_50.jpg -------------------------------------------------------------------------------- /pictures/picture_6.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/alexandreborges/malwoverview/d5fc570750951dfcf1608525282b6cb01a753a41/pictures/picture_6.jpg -------------------------------------------------------------------------------- /pictures/picture_7.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/alexandreborges/malwoverview/d5fc570750951dfcf1608525282b6cb01a753a41/pictures/picture_7.jpg -------------------------------------------------------------------------------- /pictures/picture_8.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/alexandreborges/malwoverview/d5fc570750951dfcf1608525282b6cb01a753a41/pictures/picture_8.jpg -------------------------------------------------------------------------------- /pictures/picture_9.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/alexandreborges/malwoverview/d5fc570750951dfcf1608525282b6cb01a753a41/pictures/picture_9.jpg -------------------------------------------------------------------------------- /requirements.txt: -------------------------------------------------------------------------------- 1 | pefile>=2021.9.3 2 | python-magic>=0.4.25 3 | colorama>=0.4.4 4 | simplejson>=3.17.6 5 | requests>=2.26.0 6 | validators>=0.18.2 7 | geocoder>=1.38.1 8 | polyswarm-api>=2.9.2 9 | pathlib>=1.0.1 10 | configparser>=5.2.0 11 | -------------------------------------------------------------------------------- /setup.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | import os 3 | from setuptools import setup, find_packages 4 | from pathlib import Path 5 | import platform 6 | 7 | USER_HOME_DIR = str(Path.home()) + os.sep 8 | 9 | with open("README.md", encoding='utf8') as readme: 10 | long_description = readme.read() 11 | 12 | setup( 13 | name="malwoverview", 14 | version="6.1.1", 15 | author="Alexandre Borges", 16 | author_email="reverseexploit@proton.me", 17 | license="GNU GPL v3.0", 18 | url="https://github.com/alexandreborges/malwoverview", 19 | description=("Malwoverview is a first response tool for threat hunting."), 20 | long_description=long_description, 21 | long_description_content_type="text/markdown", 22 | packages=find_packages(), 23 | classifiers=[ 24 | 'Operating System :: OS Independent', 25 | 'License :: OSI Approved :: GNU General Public License v3 or later (GPLv3+)', 26 | 'Programming Language :: Python :: 3', 27 | ], 28 | install_requires=[ 29 | "pefile", 30 | "colorama", 31 | "python-magic; platform_system == 'Linux' or platform_system == 'Darwin'", 32 | "simplejson", 33 | "requests", 34 | "validators", 35 | "geocoder", 36 | "polyswarm-api", 37 | "pathlib", 38 | "configparser", 39 | "python-magic-bin; platform_system == 'Windows'" 40 | ], 41 | entry_points = { 42 | "console_scripts": [ 43 | "malwoverview = malwoverview.malwoverview:main", 44 | ] 45 | }, 46 | package_data={'': ['README.md, LICENSE, .malwapi.conf']}, 47 | data_files=[(USER_HOME_DIR, ['.malwapi.conf'])], 48 | ) 49 | --------------------------------------------------------------------------------