├── BSF.png ├── LICENSE ├── Mal-Hash.ps1 ├── README.md └── VTHashSub.ps1 /BSF.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/dwmetz/Mal-Hash/516e33354747475bb8ec40e9b4c6953714b05e61/BSF.png -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | MIT License 2 | 3 | Copyright (c) 2022 Doug Metz 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. 
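--------------------------------------------------------------------------------
/Mal-Hash.ps1:
--------------------------------------------------------------------------------
<#
Mal-Hash.ps1 v1.5
https://github.com/dwmetz/Mal-Hash
Author: @dwmetz
Function: This script will generate hashes (MD5, SHA1, SHA256) for a specified file,
run strings against the file,
submit the SHA256 to Virus Total (a hash lookup only - the file itself is never uploaded),
check Malware Bazaar for the same hash,
produce a report with the results.
* Now works on Windows, Mac & Linux!
Prerequisites:
Internet access is required for VT lookup.
Virus Total API key saved in vt-api.txt in the current directory. The file holds a
credential: keep it readable by the analyst only, and keep it out of the report.
`strings` on PATH for the strings section (Sysinternals strings on Windows,
binutils elsewhere); the section is skipped with a note when it is missing.
23-January-2023 ascii art update
6-December-2022 simplified hash output;
strings (+8);
UTC timestamp in report
report name change
5-July-2023 Changed default hash value submission to SHA256
13-July $report updates
#>

# Path of the text report; assigned once the sample name is known.
$script:report = $null

# Append one text line to the report. Every plain-text report write goes
# through here so the report path is handled in exactly one place.
function Add-ReportLine {
    param([string]$Line)
    $Line | Out-File -FilePath $script:report -Append
}

# Print a message in red and end the script with a non-zero exit code.
function Stop-WithError {
    param([string]$Message)
    Write-Host $Message -Fore Red
    exit 1
}

Clear-Host
Write-Host ""
Write-Host ""
Write-Host ""
Write-host -Fore DarkCyan "
.',;::cccccc:;. ...'''''''..'.
.;ccclllloooddxc. .';clooddoolcc::;:;.
.:ccclllloooddxo. .,coxxxxxdl:,'..
'ccccclllooodddd' .,,'lxkxxxo:'.
'ccccclllooodddd' .,:lxOkl,;oxo,.
':cccclllooodddo. .:dkOOOOkkd;''.
.:cccclllooooddo. ..;lxkOOOOOkkkd;
.;ccccllloooodddc:coxkkkkOOOOOOx:.
'cccclllooooddddxxxxkkkkOOOOx:.
,ccclllooooddddxxxxxkkkxlc,.
':llllooooddddxxxxxoc;.
.';:clooddddolc:,..
''''''''''
"
Write-Host -Fore DarkCyan " Mal-Hash v1.6"
Write-Host -Fore Gray " https://github.com/dwmetz/Mal-Hash"
Write-Host -Fore Gray " @dwmetz | bakerstreetforensics.com"
Write-Host ""
Write-Host ""
write-host " "

$tstamp = (Get-Date -Format "yyyyMMddHHmm")
# Trim surrounding quotes so a path pasted from Explorer/Finder ("C:\a b.exe") works.
$script:file = (Read-Host -Prompt 'enter path and filename').Trim().Trim('"')
write-host " "
if (-not (Test-Path -LiteralPath $script:file -PathType Leaf)) {
    Stop-WithError "File not found: $script:file"
}
if (-not (Test-Path -LiteralPath 'vt-api.txt' -PathType Leaf)) {
    Stop-WithError "vt-api.txt not found in $(Get-Location); save your Virus Total API key there."
}
# -Raw plus Trim: a trailing newline in the key file would otherwise end up in the query string.
$apiKey = (Get-Content -LiteralPath 'vt-api.txt' -Raw).Trim()

$sourcefile = [system.IO.Path]::GetFileName("$script:file")
# GetFileName drops any directory part, so the entered path cannot steer the
# report outside the working directory.
$script:report = "malhash" + "-" + $sourcefile + "-" + $tstamp + ".txt"
Add-ReportLine "SOURCE: $sourcefile"
Add-ReportLine " "
$date = (Get-Date).ToUniversalTime()
Add-ReportLine "DATE/TIME UTC: $date"
Add-ReportLine " "

# -LiteralPath: the positional -Path parameter treats [ ] and * in the name as wildcards.
$MD5hash    = (Get-FileHash -LiteralPath $script:file -Algorithm MD5).Hash
$SHA1hash   = (Get-FileHash -LiteralPath $script:file -Algorithm SHA1).Hash
$SHA256hash = (Get-FileHash -LiteralPath $script:file -Algorithm SHA256).Hash
Add-ReportLine "** HASHES: **"
Add-ReportLine "MD5: $MD5hash"
Add-ReportLine "SHA1: $SHA1hash"
Add-ReportLine "SHA256: $SHA256hash"
Add-ReportLine " "

Add-ReportLine "** VIRUS TOTAL RESULTS: **"
write-host "Submitting SHA256 hash $SHA256hash to Virus Total" -Fore Cyan
Write-host ""
# VT API v2 carries the key in the query string, so $uri is itself a secret:
# never echo it, trace it (Set-PSDebug/-Verbose) or write it to the report.
$uri = "https://www.virustotal.com/vtapi/v2/file/report?apikey=$apiKey&resource=$SHA256hash"
write-host "VIRUS TOTAL RESULTS:" -Fore Cyan
# Issue the lookup once and reuse the result for the console and the report;
# issuing it three times spent three quota units per sample and could return
# differing snapshots.
$vtResults = $null
try {
    $vtResults = Invoke-RestMethod -Uri $uri -ErrorAction Stop
} catch {
    Write-Host "Virus Total lookup failed: $($_.Exception.Message)" -Fore Red
    Add-ReportLine "Virus Total lookup failed: $($_.Exception.Message)"
}
if ($null -ne $vtResults) {
    $vtResults
    $vtResults | Out-File -FilePath $script:report -Append
    $vtResults.scans
    $vtResults.scans | Out-File -FilePath $script:report -Append
}
Write-host " "

Add-ReportLine "** STRINGS: ** "
write-host "STRINGS:" -Fore Cyan
if (Get-Command strings -ErrorAction SilentlyContinue) {
    # Run strings once and reuse the output for both the console and the report.
    $stringsOut = strings -n 8 $script:file
    $stringsOut
    $stringsOut | Out-File -FilePath $script:report -Append
} else {
    Write-Host "strings not found on PATH - section skipped" -Fore Yellow
    Add-ReportLine "strings not found on PATH - section skipped"
}
Add-ReportLine " "
Write-host " "

if ($null -ne $vtResults) {
    # response_code 1 means VT holds a record for this hash; otherwise positives
    # and total are absent and the summary line would print as "of vendors".
    if ($vtResults.response_code -eq 1) {
        $summary = "$($vtResults.positives) of $($vtResults.total) vendors detected this sample."
    } else {
        $summary = "No Virus Total record for this hash ($($vtResults.verbose_msg))"
    }
    Write-host $summary
    Write-host " "
    Write-host -Fore Green "VT Results Permalink:"
    Write-host $vtResults.Permalink
    # Write-Host does not feed the pipeline, so the former
    # "Write-host ... | Out-File" lines never reached the report.
    Add-ReportLine $summary
    Add-ReportLine "VT Results Permalink:"
    Add-ReportLine "$($vtResults.Permalink)"
    Add-ReportLine " "
}
Add-ReportLine " "

Add-ReportLine "** MALWARE BAZAAR RESULTS: **"
Add-ReportLine " "
Write-host -Fore Green "Malware Bazaar Results:
"
$url = "https://mb-api.abuse.ch/api/v1/"
$data = @{
    query = "get_info"
    hash  = $SHA256hash
}
try {
    $mb = Invoke-RestMethod -Uri $url -Method POST -Body $data -ErrorAction Stop
    if ($null -ne $mb.data) {
        $mb.data
        $mb.data | Out-File -FilePath $script:report -Append
    } else {
        # No sample on file: surface the API status instead of an empty section.
        Write-Host "Malware Bazaar: $($mb.query_status)"
        Add-ReportLine "Malware Bazaar: $($mb.query_status)"
    }
} catch {
    Write-Host "Malware Bazaar lookup failed: $($_.Exception.Message)" -Fore Red
    Add-ReportLine "Malware Bazaar lookup failed: $($_.Exception.Message)"
}
Add-ReportLine "** END REPORT **"
Write-host "Mal-Hash complete. Report saved as $script:report" -Fore Cyan
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------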


5 | Mal-Hash 6 |


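## Mal-Hash.ps1
- The script takes the input of a file, calculates the hashes (MD5, SHA1, SHA256), and then submits the SHA256 hash to Virus Total for analysis.
- The script will also run Strings against the sample.
- The script will check Malware Bazaar to see if a sample matching the hash is available.
- The hashes, strings, Virus Total and Malware Bazaar results are both displayed on screen and saved to a text report.
- Timestamp of the analysis is recorded in UTC.

## VTHashSub.ps1
- The script takes a hash value as input and submits the hash to Virus Total for analysis.
- The script will check Malware Bazaar to see if a sample matching the hash is available.
- The hashes, Virus Total and Malware Bazaar results are both displayed on screen and saved to a text report.
- Timestamp of the analysis is recorded in UTC.

Mal-Hash.ps1 and VTHashSub.ps1 will operate (via PowerShell) on Windows, Mac & Linux.

## Latest updates:
- n of x vendors detected
- VT permalink
- Malware Bazaar results

--------------------------------------------------------------------------------
/VTHashSub.ps1:
--------------------------------------------------------------------------------
<#
VTHashSub.ps1
Function: Takes a file hash (MD5, SHA1 or SHA256) as input, looks it up on
Virus Total and Malware Bazaar, and saves the results to a text report.
Only the hash leaves the machine; no file is uploaded.
Prerequisites:
Internet access is required for VT lookup.
Virus Total API key saved in vt-api.txt in the current directory. The file holds
a credential: keep it readable by the analyst only, and keep it out of the report.
#>

# Path of the text report; assigned once the hash has been validated.
$script:report = $null

# Append one text line to the report. Every plain-text report write goes
# through here so the report path is handled in exactly one place.
function Add-ReportLine {
    param([string]$Line)
    $Line | Out-File -FilePath $script:report -Append
}

# Print a message in red and end the script with a non-zero exit code.
function Stop-WithError {
    param([string]$Message)
    Write-Host $Message -Fore Red
    exit 1
}

Clear-Host
Write-Host ""
Write-Host ""
Write-Host ""
Write-host -Fore Cyan "
.',;::cccccc:;. ...'''''''..'.
.;ccclllloooddxc. .';clooddoolcc::;:;.
.:ccclllloooddxo. .,coxxxxxdl:,'..
'ccccclllooodddd' .,,'lxkxxxo:'.
'ccccclllooodddd' .,:lxOkl,;oxo,.
':cccclllooodddo. .:dkOOOOkkd;''.
.:cccclllooooddo. ..;lxkOOOOOkkkd;
.;ccccllloooodddc:coxkkkkOOOOOOx:.
'cccclllooooddddxxxxkkkkOOOOx:.
,ccclllooooddddxxxxxkkkxlc,.
':llllooooddddxxxxxoc;.
.';:clooddddolc:,..
''''''''''
"
Write-Host -Fore Cyan " VTHashSub v1.2"
Write-Host -Fore Gray " @dwmetz | bakerstreetforensics.com"
Write-Host ""
Write-Host ""
Write-Host -Fore DarkCyan " It submits the hash to VirusTotal or it"
Write-Host -Fore DarkCyan " gets the hose again."
write-host " "

$tstamp = (Get-Date -Format "yyyyMMddHHmm")
$script:hash = (Read-Host -Prompt 'enter the malware hash value').Trim()
# Accept only a bare MD5/SHA1/SHA256 hex digest: the value is used both as part
# of the report file name and inside two web requests, so anything else
# (path separators, query characters, whitespace) is rejected up front.
if ($script:hash -notmatch '^([0-9a-fA-F]{32}|[0-9a-fA-F]{40}|[0-9a-fA-F]{64})$') {
    Stop-WithError "Not a valid MD5/SHA1/SHA256 hash: $script:hash"
}
if (-not (Test-Path -LiteralPath 'vt-api.txt' -PathType Leaf)) {
    Stop-WithError "vt-api.txt not found in $(Get-Location); save your Virus Total API key there."
}
# -Raw plus Trim: a trailing newline in the key file would otherwise end up in the query string.
$apiKey = (Get-Content -LiteralPath 'vt-api.txt' -Raw).Trim()

$script:report = "malhash" + "-" + $script:hash + "-" + $tstamp + ".txt"
write-host " "
Add-ReportLine "HASH: $script:hash"
Add-ReportLine " "
$date = (Get-Date).ToUniversalTime()
Add-ReportLine "DATE/TIME UTC: $date"
Add-ReportLine " "

Add-ReportLine "** VIRUS TOTAL RESULTS: **"
write-host "Submitting the hash $script:hash to Virus Total" -Fore DarkCyan
Write-host ""
# VT API v2 carries the key in the query string, so $uri is itself a secret:
# never echo it, trace it (Set-PSDebug/-Verbose) or write it to the report.
$uri = "https://www.virustotal.com/vtapi/v2/file/report?apikey=$apiKey&resource=$script:hash"
write-host "VIRUS TOTAL RESULTS:" -Fore Cyan
# Issue the lookup once and reuse the result for the console and the report;
# issuing it three times spent three quota units per hash and could return
# differing snapshots.
$vtResults = $null
try {
    $vtResults = Invoke-RestMethod -Uri $uri -ErrorAction Stop
} catch {
    Write-Host "Virus Total lookup failed: $($_.Exception.Message)" -Fore Red
    Add-ReportLine "Virus Total lookup failed: $($_.Exception.Message)"
}
if ($null -ne $vtResults) {
    $vtResults
    $vtResults | Out-File -FilePath $script:report -Append
    $vtResults.scans
    $vtResults.scans | Out-File -FilePath $script:report -Append
}
Add-ReportLine " "
Write-host " "

if ($null -ne $vtResults) {
    # response_code 1 means VT holds a record for this hash; otherwise positives
    # and total are absent and the summary line would print as "of vendors".
    if ($vtResults.response_code -eq 1) {
        $summary = "$($vtResults.positives) of $($vtResults.total) vendors detected this sample."
    } else {
        $summary = "No Virus Total record for this hash ($($vtResults.verbose_msg))"
    }
    Write-host $summary
    Write-host " "
    Write-host -Fore Green "VT Results Permalink:"
    Write-host $vtResults.Permalink
    Write-host " "
    # Also record the verdict and permalink in the report, as Mal-Hash.ps1 does.
    Add-ReportLine $summary
    Add-ReportLine "VT Results Permalink:"
    Add-ReportLine "$($vtResults.Permalink)"
    Add-ReportLine " "
}

Add-ReportLine "** MALWARE BAZAAR RESULTS: **"
Write-host -Fore Green "Malware Bazaar Results:
"
$url = "https://mb-api.abuse.ch/api/v1/"
$data = @{
    query = "get_info"
    hash  = $script:hash
}
try {
    $mb = Invoke-RestMethod -Uri $url -Method POST -Body $data -ErrorAction Stop
    if ($null -ne $mb.data) {
        $mb.data
        $mb.data | Out-File -FilePath $script:report -Append
    } else {
        # No sample on file: surface the API status instead of an empty section.
        Write-Host "Malware Bazaar: $($mb.query_status)"
        Add-ReportLine "Malware Bazaar: $($mb.query_status)"
    }
} catch {
    Write-Host "Malware Bazaar lookup failed: $($_.Exception.Message)" -Fore Red
    Add-ReportLine "Malware Bazaar lookup failed: $($_.Exception.Message)"
}
Add-ReportLine "** END REPORT **"
Write-host "VTHashSub complete. Report saved as $script:report" -Fore Cyan
--------------------------------------------------------------------------------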