#!/usr/bin/python
# Copyright (C) 2018-2020 Alexandre Borges <alexandreborges@blackstormsecurity.com>
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# See GNU Public License on <http://www.gnu.org/licenses/>.
# Malwoverview.py: version 3.0.0
import os
import sys
import re
import pefile
import peutils
import magic
import argparse
import requests
import hashlib
import json
import time
import validators
import geocoder
import threading
import socket
import urllib3
import subprocess
from polyswarm_api.api import PolyswarmAPI
from configmalw import *
from urllib.parse import urlparse
from colorama import init, Fore, Back, Style
from datetime import datetime
from urllib.parse import urlencode, quote_plus
from urllib.parse import quote
from requests.exceptions import RetryError
# On Windows systems, it is necessary to install python-magic-bin: pip install python-magic-bin
__author__ = "Alexandre Borges"
__copyright__ = "Copyright 2018-2020, Alexandre Borges"
__license__ = "GNU General Public License v3.0"
__version__ = "3.0.0"
__email__ = "alexandreborges at blackstormsecurity.com"
haurl = 'https://www.hybrid-analysis.com/api/v2'
url = 'https://www.virustotal.com/vtapi/v2/file/report'
param = 'params'
user_agent = 'Falcon Sandbox'
urlvt = 'https://www.virustotal.com/vtapi/v2/url/scan'
ipvt = 'https://www.virustotal.com/vtapi/v2/ip-address/report'
urlvtreport = 'https://www.virustotal.com/vtapi/v2/url/report'
urlvtdomain = 'https://www.virustotal.com/vtapi/v2/domain/report'
urlfilevtcheck = 'https://www.virustotal.com/vtapi/v2/file/scan'
urlmalshare = 'https://malshare.com/api.php?api_key='
hauss = 'https://urlhaus.abuse.ch/api/'
hausq = 'https://urlhaus-api.abuse.ch/v1/url/'
hausb = 'https://urlhaus-api.abuse.ch/v1/urls/recent/'
hausp = 'https://urlhaus-api.abuse.ch/v1/payloads/recent/'
hausph = 'https://urlhaus-api.abuse.ch/v1/payload/'
hausd = 'https://urlhaus-api.abuse.ch/v1/download/'
haust = 'https://urlhaus-api.abuse.ch/v1/tag/'
haussig = 'https://urlhaus-api.abuse.ch/v1/signature/'
F = []
H = []
final=''
ffpname2 = ''
repo2 = ''
class mycolors:
reset='\033[0m'
reverse='\033[07m'
bold='\033[01m'
class foreground:
orange='\033[33m'
blue='\033[34m'
purple='\033[35m'
lightgreen='\033[92m'
lightblue='\033[94m'
pink='\033[95m'
lightcyan='\033[96m'
red='\033[31m'
green='\033[32m'
cyan='\033[36m'
lightgrey='\033[37m'
darkgrey='\033[90m'
lightred='\033[91m'
yellow='\033[93m'
class background:
black='\033[40m'
blue='\033[44m'
cyan='\033[46m'
lightgrey='\033[47m'
purple='\033[45m'
green='\033[42m'
orange='\033[43m'
red='\033[41m'
if ((not VTAPI) and (not HAAPI)):
print(mycolors.foreground.lightred + "\nBefore using Malwoverview, you must add the Virus Total and Hybrid-Analysis APIs, at least, in the configmalw.py file:\n\n\t* Linux:'/usr/local/lib/python3.x/dist-packages/malwoverview/conf' \n\n\t** Windows:'C:\<Python directory>\Lib\site-packages\malwoverviewwin\conf' \n\nNonetheless, it is also recommended to register Malshare, URLhaus and Polyswarm APIs for having access to all available options.Additionally, if you are running Malwoverview in Windows systems, so you should not forget to delete the magic.py file from the same Windows directory.\n" + mycolors.reset)
exit(1)
if (POLYAPI):
polyswarm = PolyswarmAPI(key=POLYAPI)
def ftype(filename):
type = magic.from_file(filename)
return type
def packed(pe):
try:
n = 0
for sect in pe.sections:
if sect.SizeOfRawData == 0:
n = n + 1
if (sect.get_entropy() < 1 and sect.get_entropy() > 0) or sect.get_entropy() > 7:
n = n + 2
if n > 2:
return True
if (n > 0 and n < 3):
return "probably packed"
else:
return False
except:
return None
def sha256hash(fname):
BSIZE = 65536
hnd = open(fname, 'rb')
hash256 = hashlib.sha256()
while True:
info = hnd.read(BSIZE)
if not info:
break
hash256.update(info)
return hash256.hexdigest()
def md5hash(fname):
BSIZE = 65536
hnd = open(fname, 'rb')
hashmd5 = hashlib.md5()
while True:
info = hnd.read(BSIZE)
if not info:
break
hashmd5.update(info)
return hashmd5.hexdigest()
def listexports(fname):
E = []
mype2=pefile.PE(fname,fast_load=True)
if mype2.OPTIONAL_HEADER.DATA_DIRECTORY[pefile.DIRECTORY_ENTRY['IMAGE_DIRECTORY_ENTRY_EXPORT']].VirtualAddress != 0:
mype2.parse_data_directories(directories=[pefile.DIRECTORY_ENTRY['IMAGE_DIRECTORY_ENTRY_EXPORT']])
for exptab in mype2.DIRECTORY_ENTRY_EXPORT.symbols:
x = hex(mype2.OPTIONAL_HEADER.ImageBase + exptab.address), exptab.name
E.append(x)
return E
def listimports(fname):
I = []
mype2=pefile.PE(fname,fast_load=True)
if mype2.OPTIONAL_HEADER.DATA_DIRECTORY[pefile.DIRECTORY_ENTRY['IMAGE_DIRECTORY_ENTRY_IMPORT']].VirtualAddress != 0:
mype2.parse_data_directories(directories=[pefile.DIRECTORY_ENTRY['IMAGE_DIRECTORY_ENTRY_IMPORT']])
if mype2.DIRECTORY_ENTRY_IMPORT is not None:
for entry in mype2.DIRECTORY_ENTRY_IMPORT:
for imptab in entry.imports:
if imptab.name is None:
imptab.name = "None"
if imptab.address is None :
imptab.address = int(0)
x = hex(int(imptab.address)), imptab.name
I.append(x)
return I
def listsections(fname):
pe=pefile.PE(fname)
if(windows == 1):
print("Sections: ", end='')
print("\t\tEntropy\n")
for sect in pe.sections:
print("%17s" % (sect.Name).decode('utf-8'), end='')
print(("\t%5.2f" % sect.get_entropy()))
else:
print("Sections: ", end='')
print("\t\tEntropy\n")
for sect in pe.sections:
print("%17s" % (sect.Name).decode('utf-8'), end='')
print(("\t\t%5.2f" % sect.get_entropy()))
def impext(targetfile):
print(mycolors.reset)
print(("\nImported Functions".ljust(40)))
print((110*'-').ljust(110))
IR = []
IR = sorted(listimports(targetfile))
dic={ }
dic = dict(IR)
d = iter(list(dic.items()))
IX = []
for key,value in sorted(d):
IX.append(str(value))
Y = iter(IX)
for i in Y:
if i is None:
break
while (i == 'None'):
i = next(Y, None)
if i is None:
break
if (bkg == 1):
print((mycolors.foreground.lightcyan + "%-40s" % (i)[2:-1]), end=' ')
else:
print((mycolors.foreground.cyan + "%-40s" % (i)[2:-1]), end=' ')
w = next(Y, None)
if w is None:
break
if (w == 'None'):
w = next(Y, None)
if w is None:
break
if (bkg == 1):
print((mycolors.foreground.lightgreen + "%-40s" % (w)[2:-1]), end=' ')
else:
print((mycolors.foreground.green + "%-40s" % (w)[2:-1]), end=' ')
t = next(Y, None)
if t is None:
break
if (t == 'None'):
t = next(Y, None)
if t is None:
break
if (bkg == 1):
print((mycolors.foreground.yellow + "%-40s" % (t)[2:-1]))
else:
print((mycolors.foreground.purple + "%-40s" % (t)[2:-1]))
print(mycolors.reset)
print(("\n\nExported Functions".ljust(40)))
print((110*'-').ljust(110))
ER = []
ER = sorted(listexports(targetfile))
dic2={ }
dic2 = dict(ER)
d2 = iter(list(dic2.items()))
EX = []
for key, value in sorted(d2):
EX.append(str(value))
Y2 = iter(EX)
for i in Y2:
if i is None:
break
while (i == 'None'):
i = next(Y2, None)
if i is None:
break
if (bkg == 1):
print((mycolors.foreground.yellow + "%-40s" % (i)[2:-1]), end=' ')
else:
print((mycolors.foreground.purple + "%-40s" % (i)[2:-1]), end=' ')
w = next(Y2, None)
if w is None:
break
if (w == 'None'):
w = next(Y2, None)
if w is None:
break
if (bkg == 1):
print((mycolors.foreground.lightgreen + "%-40s" % (w)[2:-1]), end=' ')
else:
print((mycolors.foreground.green + "%-40s" % (w)[2:-1]), end=' ')
t = next(Y2, None)
if t is None:
break
if (t == 'None'):
t = next(Y2, None)
if t is None:
break
if (bkg == 1):
print((mycolors.foreground.lightblue + "%-40s" % (t)[2:-1]))
else:
print((mycolors.foreground.cyan + "%-40s" % (t)[2:-1]))
print(mycolors.reset)
def vtcheck(filehash, url, param):
pos = ''
total = ''
vttext = ''
response = ''
try:
resource = filehash
params = {'apikey': VTAPI , 'resource': resource}
response = requests.get(url, params=params)
vttext = json.loads(response.text)
rc = (vttext['response_code'])
if (rc == 0):
final = ' Not Found'
return final
while (rc != 1):
time.sleep(20)
response = requests.get(url, params=params)
vttext = json.loads(response.text)
rc = (vttext['response_code'])
pos = str(vttext['positives'])
total = str(vttext['total'])
final = (pos + "/" + total)
rc = str(vttext['response_code'])
return final
except ValueError:
final = ' '
return final
def vturlcheck(myurl, param):
pos = ''
total = ''
vttext = ''
response = ''
resource = ''
try:
resource = myurl
params = {'apikey': VTAPI , 'url': resource, 'allinfo': True}
response = requests.post(urlvt, params=params)
vttext = json.loads(response.text)
rc = (vttext['response_code'])
if (rc == 0):
final = 'Error during URL checking'
if (bkg == 1):
print(mycolors.foreground.lightred + final)
else:
print(mycolors.foreground.red + final)
exit(1)
if (rc == 1):
print(mycolors.reset + "\nURL SUMMARY REPORT")
print("-"*20,"\n")
if (bkg == 0):
print(mycolors.foreground.blue + "Status: ".ljust(17),vttext['verbose_msg'])
print(mycolors.foreground.blue + "Scan date: ".ljust(17),vttext['scan_date'])
print(mycolors.foreground.blue + "Scan ID: ".ljust(17),vttext['scan_id'])
print(mycolors.foreground.purple + "URL: ".ljust(17),vttext['url'])
print(mycolors.foreground.cyan + "Permanent Link: ".ljust(17),vttext['permalink'])
print(mycolors.foreground.red + "Result VT: ".ljust(17), end=' ')
else:
print(mycolors.foreground.lightgreen + "Status: ".ljust(17),vttext['verbose_msg'])
print(mycolors.foreground.lightgreen + "Scan date: ".ljust(17),vttext['scan_date'])
print(mycolors.foreground.lightgreen + "Scan ID: ".ljust(17),vttext['scan_id'])
print(mycolors.foreground.yellow + "URL: ".ljust(17),vttext['url'])
print(mycolors.foreground.lightcyan + "Permanent Link: ".ljust(17),vttext['permalink'])
print(mycolors.foreground.lightred + "Result VT: ".ljust(17), end=' ')
time.sleep(10)
try:
resource=vttext['url']
params = {'apikey': VTAPI , 'resource': resource}
response = requests.get(urlvtreport, params=params)
vttext = json.loads(response.text)
rc = (vttext['response_code'])
if (rc == 0):
final = 'Error gathering the Report.'
if (bkg == 1):
print(mycolors.foreground.lightred + final)
else:
print(mycolors.foreground.red + final)
exit(1)
pos = str(vttext['positives'])
total = str(vttext['total'])
final = (pos + "/" + total)
print(final + "\n")
if (bkg == 1):
print(Fore.WHITE + "URL DETAILED REPORT")
print("-"*20,"\n")
if('AlienVault' in vttext['scans']):
print(mycolors.foreground.lightcyan + "AlienVault: ".ljust(17),mycolors.foreground.yellow + vttext['scans']['AlienVault']['result'])
if('Avira' in vttext['scans']):
print(mycolors.foreground.lightcyan + "Avira: ".ljust(17),mycolors.foreground.yellow + vttext['scans']['Avira']['result'])
if('BitDefender' in vttext['scans']):
print(mycolors.foreground.lightcyan + "BitDefender: ".ljust(17),mycolors.foreground.yellow + vttext['scans']['BitDefender']['result'])
if('Certego' in vttext['scans']):
print(mycolors.foreground.lightcyan + "Certego: ".ljust(17),mycolors.foreground.yellow + vttext['scans']['Certego']['result'])
if('Comodo Valkyrie Verdict' in vttext['scans']):
print(mycolors.foreground.lightcyan + "Comodo: ".ljust(17),mycolors.foreground.yellow + vttext['scans']['Comodo Valkyrie Verdict']['result'])
if('CRDF' in vttext['scans']):
print(mycolors.foreground.lightcyan + "CRDF: ".ljust(17),mycolors.foreground.yellow + vttext['scans']['CRDF']['result'])
if('CyRadar' in vttext['scans']):
print(mycolors.foreground.lightcyan + "CyRadar: ".ljust(17),mycolors.foreground.yellow + vttext['scans']['CyRadar']['result'])
if('Emsisoft' in vttext['scans']):
print(mycolors.foreground.lightcyan + "Emsisoft: ".ljust(17),mycolors.foreground.yellow + vttext['scans']['Emsisoft']['result'])
if('ESET' in vttext['scans']):
print(mycolors.foreground.lightcyan + "ESET: ".ljust(17),mycolors.foreground.yellow + vttext['scans']['ESET']['result'])
if('Forcepoint ThreatSeeker' in vttext['scans']):
print(mycolors.foreground.lightcyan + "Forcepoint: ".ljust(17),mycolors.foreground.yellow + vttext['scans']['Forcepoint ThreatSeeker']['result'])
if('Fortinet' in vttext['scans']):
print(mycolors.foreground.lightcyan + "Fortinet: ".ljust(17),mycolors.foreground.yellow + vttext['scans']['Fortinet']['result'])
if('G-Data' in vttext['scans']):
print(mycolors.foreground.lightcyan + "G-Data: ".ljust(17),mycolors.foreground.yellow + vttext['scans']['G-Data']['result'])
if('Google Safebrowsing' in vttext['scans']):
print(mycolors.foreground.lightcyan + "Google: ".ljust(17),mycolors.foreground.yellow + vttext['scans']['Google Safebrowsing']['result'])
if('Kaspersky' in vttext['scans']):
print(mycolors.foreground.lightcyan + "Kaspersky: ".ljust(17),mycolors.foreground.yellow + vttext['scans']['Kaspersky']['result'])
if('malwares.com URL checker' in vttext['scans']):
print(mycolors.foreground.lightcyan + "Malwares.com: ".ljust(17),mycolors.foreground.yellow + vttext['scans']['malwares.com URL checker']['result'])
if('Malc0de Database' in vttext['scans']):
print(mycolors.foreground.lightcyan + "Malc0de: ".ljust(17),mycolors.foreground.yellow + vttext['scans']['Malc0de Database']['result'])
if('MalwarePatrol' in vttext['scans']):
print(mycolors.foreground.lightcyan + "MalwarePatrol: ".ljust(17),mycolors.foreground.yellow + vttext['scans']['MalwarePatrol']['result'])
if('OpenPhish' in vttext['scans']):
print(mycolors.foreground.lightcyan + "OpenPhish: ".ljust(17),mycolors.foreground.yellow + vttext['scans']['OpenPhish']['result'])
if('PhishLabs' in vttext['scans']):
print(mycolors.foreground.lightcyan + "PhishLabs: ".ljust(17),mycolors.foreground.yellow + vttext['scans']['PhishLabs']['result'])
if('Phishtank' in vttext['scans']):
print(mycolors.foreground.lightcyan + "Phishtank: ".ljust(17),mycolors.foreground.yellow + vttext['scans']['Phishtank']['result'])
if('Spamhaus' in vttext['scans']):
print(mycolors.foreground.lightcyan + "Spamhaus: ".ljust(17),mycolors.foreground.yellow + vttext['scans']['Spamhaus']['result'])
if('Sophos' in vttext['scans']):
print(mycolors.foreground.lightcyan + "Sophos: ".ljust(17),mycolors.foreground.yellow + vttext['scans']['Sophos']['result'])
if('Trustwave' in vttext['scans']):
print(mycolors.foreground.lightcyan + "Trustwave: ".ljust(17),mycolors.foreground.yellow + vttext['scans']['Trustwave']['result'])
if('VX Vault' in vttext['scans']):
print(mycolors.foreground.lightcyan + "VX Vault: ".ljust(17),mycolors.foreground.yellow + vttext['scans']['VX Vault']['result'])
if('ZeroCERT' in vttext['scans']):
print(mycolors.foreground.lightcyan + "ZeroCERT: ".ljust(17),mycolors.foreground.yellow + vttext['scans']['ZeroCERT']['result'])
print(mycolors.reset + "\n")
exit(0)
else:
print(Fore.BLACK + "URL DETAILED REPORT")
print("-"*20,"\n")
if('AlienVault' in vttext['scans']):
print(mycolors.foreground.cyan + "AlienVault: ".ljust(17),mycolors.foreground.red + vttext['scans']['AlienVault']['result'])
if('Avira' in vttext['scans']):
print(mycolors.foreground.cyan + "Avira: ".ljust(17),mycolors.foreground.red + vttext['scans']['Avira']['result'])
if('BitDefender' in vttext['scans']):
print(mycolors.foreground.cyan + "BitDefender: ".ljust(17),mycolors.foreground.red + vttext['scans']['BitDefender']['result'])
if('Certgo' in vttext['scans']):
print(mycolors.foreground.cyan + "Certego: ".ljust(17),mycolors.foreground.red + vttext['scans']['Certego']['result'])
if('Comodo Valkyrie Verdict' in vttext['scans']):
print(mycolors.foreground.cyan + "Comodo: ".ljust(17),mycolors.foreground.red + vttext['scans']['Comodo Valkyrie Verdict']['result'])
if('CRDF' in vttext['scans']):
print(mycolors.foreground.cyan + "CRDF: ".ljust(17),mycolors.foreground.red + vttext['scans']['CRDF']['result'])
if('CyRadar' in vttext['scans']):
print(mycolors.foreground.cyan + "CyRadar: ".ljust(17),mycolors.foreground.red + vttext['scans']['CyRadar']['result'])
if('Emsisoft' in vttext['scans']):
print(mycolors.foreground.cyan + "Emsisoft: ".ljust(17),mycolors.foreground.red + vttext['scans']['Emsisoft']['result'])
if('ESET' in vttext['scans']):
print(mycolors.foreground.cyan + "ESET: ".ljust(17),mycolors.foreground.red + vttext['scans']['ESET']['result'])
if('Forcepoint ThreatSeeker' in vttext['scans']):
print(mycolors.foreground.cyan + "Forcepoint: ".ljust(17),mycolors.foreground.red + vttext['scans']['Forcepoint ThreatSeeker']['result'])
if('Fortinet' in vttext['scans']):
print(mycolors.foreground.cyan + "Fortinet: ".ljust(17),mycolors.foreground.red + vttext['scans']['Fortinet']['result'])
if('G-Data' in vttext['scans']):
print(mycolors.foreground.cyan + "G-Data: ".ljust(17),mycolors.foreground.red + vttext['scans']['G-Data']['result'])
if('Google Safebrowsing' in vttext['scans']):
print(mycolors.foreground.cyan + "Google: ".ljust(17),mycolors.foreground.red + vttext['scans']['Google Safebrowsing']['result'])
if('Kaspersky' in vttext['scans']):
print(mycolors.foreground.cyan + "Kaspersky: ".ljust(17),mycolors.foreground.red + vttext['scans']['Kaspersky']['result'])
if('malwares.com URL checker' in vttext['scans']):
print(mycolors.foreground.cyan + "Malwares.com: ".ljust(17),mycolors.foreground.red + vttext['scans']['malwares.com URL checker']['result'])
if('Malc0de Database' in vttext['scans']):
print(mycolors.foreground.cyan + "Malc0de: ".ljust(17),mycolors.foreground.red + vttext['scans']['Malc0de Database']['result'])
if('MalwarePatrol' in vttext['scans']):
print(mycolors.foreground.cyan + "MalwarePatrol: ".ljust(17),mycolors.foreground.red + vttext['scans']['MalwarePatrol']['result'])
if('OpenPhish' in vttext['scans']):
print(mycolors.foreground.cyan + "OpenPhish: ".ljust(17),mycolors.foreground.red + vttext['scans']['OpenPhish']['result'])
if('PhishLabs' in vttext['scans']):
print(mycolors.foreground.cyan + "PhishLabs: ".ljust(17),mycolors.foreground.red + vttext['scans']['PhishLabs']['result'])
if('Phishtank' in vttext['scans']):
print(mycolors.foreground.cyan + "Phishtank: ".ljust(17),mycolors.foreground.red + vttext['scans']['Phishtank']['result'])
if('Spamhaus' in vttext['scans']):
print(mycolors.foreground.cyan + "Spamhaus: ".ljust(17),mycolors.foreground.red + vttext['scans']['Spamhaus']['result'])
if('Sophos' in vttext['scans']):
print(mycolors.foreground.cyan + "Sophos: ".ljust(17),mycolors.foreground.red + vttext['scans']['Sophos']['result'])
if('Truswave' in vttext['scans']):
print(mycolors.foreground.cyan + "Trustwave: ".ljust(17),mycolors.foreground.red + vttext['scans']['Trustwave']['result'])
if('VX Vault' in vttext['scans']):
print(mycolors.foreground.cyan + "VX Vault: ".ljust(17),mycolors.foreground.red + vttext['scans']['VX Vault']['result'])
if('ZeroCERT' in vttext['scans']):
print(mycolors.foreground.cyan + "ZeroCERT: ".ljust(17),mycolors.foreground.red + vttext['scans']['ZeroCERT']['result'])
print(mycolors.reset + "\n")
exit(0)
except ValueError:
if (bkg == 1):
print(mycolors.foreground.lightred + "Error while connecting to Virus Total!\n")
else:
print(mycolors.foreground.red + "Error while connecting to Virus Total!\n")
print(mycolors.reset)
exit(2)
except ValueError:
if (bkg == 1):
print(mycolors.foreground.lightred + "Error while connecting to Virus Total!\n")
else:
print(mycolors.foreground.red + "Error while connecting to Virus Total!\n")
print(mycolors.reset)
exit(3)
def vtdomaincheck(mydomain, param):
pos = ''
total = ''
vttext = ''
response = ''
resource = ''
rc = ''
vxtext = ''
try:
resource = mydomain
params = {'apikey': VTAPI , 'domain': resource}
response = requests.get(urlvtdomain, params=params)
vttext = json.loads(response.text)
rc = (vttext['response_code'])
if (rc == 0):
final = 'Domain not found.'
if (bkg == 1):
print(mycolors.foreground.lightred + final)
else:
print(mycolors.foreground.red + final)
print(mycolors.reset)
exit(1)
if (rc == 1):
print(mycolors.reset)
print("\nDOMAIN SUMMARY REPORT")
print("-"*20,"\n")
if (bkg == 0):
print(mycolors.foreground.green + "Undetected Referrer Samples: ".ljust(17))
else:
print(mycolors.foreground.lightcyan + "Undetected Referrer Samples: ".ljust(17))
if 'undetected_referrer_samples' in vttext:
if (bool(vttext['undetected_referrer_samples'])):
try:
for i in range(0, len(vttext['undetected_referrer_samples'])):
if (vttext['undetected_referrer_samples'][i].get('date')):
print("".ljust(28), end=' ')
print(("date: %s" % vttext['undetected_referrer_samples'][i]['date']))
if (vttext['undetected_referrer_samples'][i].get('positives')):
print("".ljust(28), end=' ')
print(("positives: %s" % vttext['undetected_referrer_samples'][i]['positives']))
if (vttext['undetected_referrer_samples'][i].get('total')):
print("".ljust(28), end=' ')
print(("total: %s" % vttext['undetected_referrer_samples'][i]['total']))
if (vttext['undetected_referrer_samples'][i].get('sha256')):
print("".ljust(28), end=' ')
print(("sha256: %s" % vttext['undetected_referrer_samples'][i]['sha256']), end=' ')
print("\n")
except KeyError as e:
pass
if (bkg == 0):
print(mycolors.foreground.blue + "Detected Referrer Samples: ".ljust(17))
else:
print(mycolors.foreground.pink + "Detected Referrer Samples: ".ljust(17))
if 'detected_referrer_samples' in vttext:
if (bool(vttext['detected_referrer_samples'])):
try:
for i in range(len(vttext['detected_referrer_samples'])):
if (vttext['detected_referrer_samples'][i].get('date')):
print("".ljust(28), end=' ')
print(("date: %s" % vttext['detected_referrer_samples'][i]['date']))
if (vttext['detected_referrer_samples'][i].get('positives')):
print("".ljust(28), end=' ')
print(("positives: %s" % vttext['detected_referrer_samples'][i]['positives']))
if (vttext['detected_referrer_samples'][i].get('total')):
print("".ljust(28), end=' ')
print(("total: %s" % vttext['detected_referrer_samples'][i]['total']))
if (vttext['detected_referrer_samples'][i].get('sha256')):
print("".ljust(28), end=' ')
print(("sha256: %s" % vttext['detected_referrer_samples'][i]['sha256']), end=' ')
print("\n")
except KeyError as e:
pass
if (bkg == 0):
print(mycolors.foreground.red + "\nWhois Timestamp: ".ljust(17))
else:
print(mycolors.foreground.yellow + "\nWhois Timestamp: ".ljust(17))
if 'whois_timestamp' in vttext:
if (bool(vttext['whois_timestamp'])):
try:
print("".ljust(28), end=' ')
ts = vttext['whois_timestamp']
print((datetime.utcfromtimestamp(ts).strftime('%Y-%m-%d %H:%M:%S')))
except KeyError as e:
pass
if (bkg == 0):
print(mycolors.foreground.purple + "\nUndetected Downld. Samples: ".ljust(17))
else:
print(mycolors.foreground.lightgreen + "\nUndetected Downld. Samples: ".ljust(17))
if 'undetected_downloaded_samples' in vttext:
if (bool(vttext['undetected_downloaded_samples'])):
try:
for i in range(len(vttext['undetected_downloaded_samples'])):
if (vttext['undetected_downloaded_samples'][i].get('date')):
print("".ljust(28), end=' ')
print(("date: %s" % vttext['undetected_downloaded_samples'][i]['date']))
if (vttext['undetected_downloaded_samples'][i].get('positives')):
print("".ljust(28), end=' ')
print(("positives: %s" % vttext['undetected_downloaded_samples'][i]['positives']))
if (vttext['undetected_downloaded_samples'][i].get('total')):
print("".ljust(28), end=' ')
print(("total: %s" % vttext['undetected_downloaded_samples'][i]['total']))
if (vttext['undetected_downloaded_samples'][i].get('sha256')):
print("".ljust(28), end=' ')
print(("sha256: %s" % vttext['undetected_downloaded_samples'][i]['sha256']), end=' ')
print("\n")
except KeyError as e:
pass
if (bkg == 0):
print(mycolors.foreground.purple + "\nDetected Downloaded Samples: ".ljust(17))
else:
print(mycolors.foreground.orange + "\nDetected Downloaded Samples: ".ljust(17))
if 'detected_downloaded_samples' in vttext:
if (bool(vttext['detected_downloaded_samples'])):
try:
for i in range(len(vttext['detected_downloaded_samples'])):
if (vttext['detected_downloaded_samples'][i].get('date')):
print("".ljust(28), end=' ')
print(("date: %s" % vttext['detected_downloaded_samples'][i]['date']))
if (vttext['detected_downloaded_samples'][i].get('positives')):
print("".ljust(28), end=' ')
print(("positives: %s" % vttext['detected_downloaded_samples'][i]['positives']))
if (vttext['detected_downloaded_samples'][i].get('total')):
print("".ljust(28), end=' ')
print(("total: %s" % vttext['detected_downloaded_samples'][i]['total']))
if (vttext['detected_downloaded_samples'][i].get('sha256')):
print("".ljust(28), end=' ')
print(("sha256: %s" % vttext['detected_downloaded_samples'][i]['sha256']), end=' ')
print("\n")
except KeyError as e:
pass
if (bkg == 0):
print(mycolors.foreground.red + "Resolutions: ".ljust(17))
else:
print(mycolors.foreground.lightred + "Resolutions: ".ljust(17))
if 'resolutions' in vttext:
if (bool(vttext['resolutions'])):
try:
for i in range(len(vttext['resolutions'])):
if (vttext['resolutions'][i].get('last_resolved')):
print("".ljust(28), end=' ')
print(("last resolved: %s" % vttext['resolutions'][i]['last_resolved']))
if (vttext['resolutions'][i].get('ip_address')):
print("".ljust(28), end=' ')
print(("ip address: %-18s" % vttext['resolutions'][i]['ip_address']), end=' ')
print("\t(City:%s)" % (geocoder.ip(vttext['resolutions'][i]['ip_address'])).city)
print("\n")
except KeyError as e:
pass
if (bkg == 0):
print(mycolors.foreground.green + "\nSubdomains: ".ljust(17))
else:
print(mycolors.foreground.lightgreen + "\nSubdomains: ".ljust(17))
if 'subdomains' in vttext:
if (bool(vttext['subdomains'])):
try:
for i in range(len(vttext['subdomains'])):
print("".ljust(28), end=' ')
print((vttext['subdomains'][i]))
except KeyError as e:
pass
if (bkg == 0):
print(mycolors.foreground.cyan + "\nCategories: ".ljust(17))
else:
print(mycolors.foreground.lightcyan + "\nCategories: ".ljust(17))
if 'categories' in vttext:
if (bool(vttext['categories'])):
try:
for i in range(len(vttext['categories'])):
print("".ljust(28), end=' ')
print((vttext['categories'][i]))
except KeyError as e:
pass
if (bkg == 0):
print(mycolors.foreground.cyan + "\nDomain Siblings: ".ljust(17))
else:
print(mycolors.foreground.lightcyan + "\nDomain Siblings: ".ljust(17))
if 'domain_sublings' in vttext:
if (bool(vttext['domain_sublings'])):
try:
for i in range(len(vttext['domain_siblings'])):
print("".ljust(28), end=' ')
print((vttext['domain_siblings'][i]), end=' ')
print("\n")
except KeyError as e:
pass
if (bkg == 0):
print(mycolors.foreground.red + "\nDetected URLs: ".ljust(17))
else:
print(mycolors.foreground.yellow + "\nDetected URLs: ".ljust(17))
if 'detected_urls' in vttext:
if (bool(vttext['detected_urls'])):
try:
for i in range(len(vttext['detected_urls'])):
if (vttext['detected_urls'][i].get('url')):
print("".ljust(28), end=' ')
print(("url: %s" % vttext['detected_urls'][i]['url']))
if (vttext['detected_urls'][i].get('positives')):
print("".ljust(28), end=' ')
print(("positives: %s" % vttext['detected_urls'][i]['positives']))
if (vttext['detected_urls'][i].get('total')):
print("".ljust(28), end=' ')
print(("total: %s" % vttext['detected_urls'][i]['total']))
if (vttext['detected_urls'][i].get('scan_date')):
print("".ljust(28), end=' ')
print(("scan_date: %s" % vttext['detected_urls'][i]['scan_date']), end=' ')
print("\n")
except KeyError as e:
pass
if (bkg == 0):
print(mycolors.foreground.red + "\nUndetected URLs: ".ljust(17))
else:
print(mycolors.foreground.lightred + "\nUndetected URLs: ".ljust(17))
if 'undetected_urls' in vttext:
if (bool(vttext['undetected_urls'])):
try:
for i in range(len(vttext['undetected_urls'])):
if (bkg == 0):
print((mycolors.foreground.red + "".ljust(28)), end=' ')
print(("data %s\n" % i))
else:
print((mycolors.foreground.lightred + "".ljust(28)), end=' ')
print(("data %s\n" % i))
for y in range(len(vttext['undetected_urls'][i])):
if (bkg == 0):
print((mycolors.foreground.cyan + "".ljust(28)), end=' ')
if (y == 0):
print(("url: "), end=' ')
if (y == 1):
print(("sha256: "), end=' ')
if (y == 2):
print(("positives: "), end=' ')
if (y == 3):
print(("total: "), end=' ')
if (y == 4):
print(("date: "), end=' ')
print(("%s" % (vttext['undetected_urls'][i][y])))
else:
print((mycolors.foreground.lightgreen + "".ljust(28)), end=' ')
if (y == 0):
print(("url: "), end=' ')
if (y == 1):
print(("sha256: "), end=' ')
if (y == 2):
print(("positives: "), end=' ')
if (y == 3):
print(("total: "), end=' ')
if (y == 4):
print(("date: "), end=' ')
print(("%s" % (vttext['undetected_urls'][i][y])))
print("\n")
except KeyError as e:
pass
except ValueError:
if(bkg == 1):
print((mycolors.foreground.lightred + "Error while connecting to Virus Total!\n"))
else:
print((mycolors.foreground.red + "Error while connecting to Virus Total!\n"))
print(mycolors.reset)
exit(3)
def ipvtcheck(ipaddress, urlvtip):
pos = ''
total = ''
vttext = ''
response = ''
resource = ''
rc = ''
vxtext = ''
try:
resource = ipaddress
params = {'apikey': VTAPI , 'ip': resource}
response = requests.get(urlvtip, params=params)
vttext = json.loads(response.text)
rc = (vttext['response_code'])
if (rc == 0):
final = 'Domain not found.'
if (bkg == 1):
print(mycolors.foreground.lightred + final)
else:
print(mycolors.foreground.red + final)
print(mycolors.reset)
exit(1)
if (rc == 1):
print(mycolors.reset)
print("\nIP ADDRESS SUMMARY REPORT")
print("-"*25,"\n")
if 'country' in vttext:
if (bkg == 0):
print(mycolors.foreground.red + "Country:\t" + vttext['country'] + mycolors.reset, end='\n')
else:
print(mycolors.foreground.orange + "Country:\t" + vttext['country'] + mycolors.reset, end='\n')
else:
if (bkg == 0):
print(mycolors.foreground.red + "Country:\t" + "Not specified" + mycolors.reset, end='\n')
else:
print(mycolors.foreground.orange + "Country:\t" + "Not specified" + mycolors.reset, end='\n')
if 'asn' in vttext:
if (bkg == 0):
print(mycolors.foreground.red + "ASN:\t\t%d" % vttext['asn'] + mycolors.reset, end='\n\n')
else:
print(mycolors.foreground.orange + "ASN:\t\t%d" % vttext['asn'] + mycolors.reset, end='\n\n')
else:
if (bkg == 0):
print(mycolors.foreground.red + "ASN:\t\t" + "Not specified" + mycolors.reset, end='\n\n')
else:
print(mycolors.foreground.orange + "ASN:\t\t" + "Not specified" + mycolors.reset, end='\n\n')
print(mycolors.reset + "\nResolutions")
print("-" * 11)
if 'resolutions' in vttext:
if (vttext['resolutions']):
for i in vttext['resolutions']:
if (bkg == 0):
print(mycolors.foreground.green + "\nLast Resolved:\t" + i['last_resolved'] + mycolors.reset)
print(mycolors.foreground.green + "Hostname:\t" + i['hostname'] + mycolors.reset)
else:
print(mycolors.foreground.lightgreen + "\nLast Resolved:\t" + i['last_resolved'] + mycolors.reset)
print(mycolors.foreground.lightgreen + "Hostname:\t" + i['hostname'] + mycolors.reset)
print(mycolors.reset + "\nDetected URLs")
print("-" * 13)
if 'detected_urls' in vttext:
for j in vttext['detected_urls']:
if (bkg == 0):
print(mycolors.foreground.cyan + "\nURL:\t\t%s" % j['url'] + mycolors.reset)
print(mycolors.foreground.cyan + "Scan Date:\t%s" % j['scan_date'] + mycolors.reset)
print(mycolors.foreground.cyan + "Positives:\t%d" % j['positives'] + mycolors.reset)
print(mycolors.foreground.cyan + "Total:\t\t%d" % j['total'] + mycolors.reset)
else:
print(mycolors.foreground.lightred + "\nURL:\t\t%s" % j['url'] + mycolors.reset)
print(mycolors.foreground.lightred + "Scan date:\t%s" % j['scan_date'] + mycolors.reset)
print(mycolors.foreground.lightred + "Positives:\t%d" % j['positives'] + mycolors.reset)
print(mycolors.foreground.lightred + "Total:\t\t%d" % j['total'] + mycolors.reset)
print(mycolors.reset + "\nDetected Downloaded Samples")
print("-" * 27)
if 'detected_downloaded_samples' in vttext:
for k in vttext['detected_downloaded_samples']:
if (bkg == 0):
print(mycolors.foreground.red + "\nSHA256:\t\t%s" % k['sha256'] + mycolors.reset)
print(mycolors.foreground.red + "Date:\t\t%s" % k['date'] + mycolors.reset)
print(mycolors.foreground.red + "Positives:\t%d" % k['positives'] + mycolors.reset)
print(mycolors.foreground.red + "Total:\t\t%d" % k['total'] + mycolors.reset)
else:
print(mycolors.foreground.yellow + "\nSHA256:\t\t%s" % k['sha256'] + mycolors.reset)
print(mycolors.foreground.yellow + "Date:\t\t%s" % k['date'] + mycolors.reset)
print(mycolors.foreground.yellow + "Positives:\t%d" % k['positives'] + mycolors.reset)
print(mycolors.foreground.yellow + "Total:\t\t%d" % k['total'] + mycolors.reset)
print(mycolors.reset + "\nUndetected Downloaded Samples")
print("-" * 27)
if 'undetected_downloaded_samples' in vttext:
for m in vttext['undetected_downloaded_samples']:
if (bkg == 0):
print(mycolors.foreground.green + "\nSHA256:\t\t%s" % m['sha256'] + mycolors.reset)
print(mycolors.foreground.green + "Date:\t\t%s" % m['date'] + mycolors.reset)
print(mycolors.foreground.green + "Positives:\t%d" % m['positives'] + mycolors.reset)
print(mycolors.foreground.green + "Total:\t\t%d" % m['total'] + mycolors.reset)
else:
print(mycolors.foreground.lightcyan + "\nSHA256:\t\t%s" % m['sha256'] + mycolors.reset)
print(mycolors.foreground.lightcyan + "Date:\t\t%s" % m['date'] + mycolors.reset)
print(mycolors.foreground.lightcyan + "Positives:\t%d" % m['positives'] + mycolors.reset)
print(mycolors.foreground.lightcyan + "Total:\t\t%d" % m['total'] + mycolors.reset)
except ValueError:
if(bkg == 1):
print((mycolors.foreground.lightred + "Error while connecting to Virus Total!\n"))
else:
print((mycolors.foreground.red + "Error while connecting to Virus Total!\n"))
print(mycolors.reset)
exit(3)
def vtfilecheck(filename, urlfilevtcheck, param):
pos = ''
total = ''
vttext = ''
response = ''
resource = ''
dname = ''
fname = ''
try:
resource = {'file': (filename, open(filename,'rb'))}
mysha256hash = sha256hash(filename)
params = {'apikey': VTAPI}
response = requests.post(urlfilevtcheck, files = resource, params=params)
vttext = json.loads(response.text)
rc = (vttext['response_code'])
if (rc == 0):
final = 'Error during file checking on Virus Total'
if(bkg == 1):
print(mycolors.foreground.lightred + final)
else:
print(mycolors.foreground.red + final)
exit(1)
if (rc == 1):
print(mycolors.reset)
print("\nFILE SUMMARY VT REPORT")
print("-"*25,"\n")
if (bkg == 0):
print(mycolors.foreground.green + "Filename: ".ljust(17),os.path.basename(filename))
print(mycolors.foreground.blue + "Status: ".ljust(17),vttext['verbose_msg'])
print(mycolors.foreground.blue + "Resource: ".ljust(17),vttext['resource'])
print(mycolors.foreground.blue + "Scan ID: ".ljust(17),vttext['scan_id'])
print(mycolors.foreground.purple + "SHA256: ".ljust(17),vttext['sha256'])
print(mycolors.foreground.cyan + "Permanent Link: ".ljust(17),vttext['permalink'])
print(mycolors.foreground.red + "Result VT: ".ljust(17), end=' ')
else:
print(mycolors.foreground.yellow + "Filename: ".ljust(17),os.path.basename(filename))
print(mycolors.foreground.lightgreen + "Status: ".ljust(17),vttext['verbose_msg'])
print(mycolors.foreground.lightgreen + "Resource: ".ljust(17),vttext['resource'])
print(mycolors.foreground.lightgreen + "Scan ID: ".ljust(17),vttext['scan_id'])
print(mycolors.foreground.yellow + "SHA256: ".ljust(17),vttext['sha256'])
print(mycolors.foreground.lightcyan + "Permanent Link: ".ljust(17),vttext['permalink'])
print(mycolors.foreground.lightred + "Result VT: ".ljust(17), end=' ')
time.sleep(90)
try:
finalstatus = vtcheck(vttext['scan_id'], url, param)
print(finalstatus)
print ("\n")
print(mycolors.reset)
print("VIRUS TOTAL DETAILED REPORT")
print("-"*28,"\n")
time.sleep(5)
vtshow(vttext['scan_id'], url, param)
print(mycolors.reset + "\n")
exit(0)
except ValueError:
if(bkg == 1):
print(mycolors.foreground.lightred + "Error while connecting to Virus Total!\n")
else:
print(mycolors.foreground.red + "Error while connecting to Virus Total!\n")
print(mycolors.reset)
exit(2)
except ValueError:
if(bkg == 1):
print((mycolors.foreground.lightred + "Error while connecting to Virus Total!\n"))
else:
print((mycolors.foreground.red + "Error while connecting to Virus Total!\n"))
print(mycolors.reset)
exit(3)
def vtshow(filehash, url, param):
vttext = ''
response = ''
try:
resource=filehash
params = {'apikey': VTAPI , 'resource': resource}
response = requests.get(url, params=params)
vttext = json.loads(response.text)
rc = (vttext['response_code'])
if (rc == 0):
final = 'Not Found'
return final
if (bkg == 0):
print(mycolors.foreground.cyan + "Scan date: ".ljust(13),vttext['scan_date'] + "\n")
else:
print(mycolors.foreground.yellow + "Scan date: ".ljust(13),vttext['scan_date'] + "\n")
if (bkg == 1):
print(mycolors.foreground.lightred)
else:
print(mycolors.foreground.red)
if ('Avast' in vttext['scans']):
print("Avast:".ljust(13),vttext['scans']['Avast']['result'])
if ('Avira' in vttext['scans']):
print("Avira:".ljust(13),vttext['scans']['Avira']['result'])
if ('BitDefender' in vttext['scans']):
print("BitDefender:".ljust(13),vttext['scans']['BitDefender']['result'])
if ('ESET-NOD32' in vttext['scans']):
print("ESET-NOD32:".ljust(13),vttext['scans']['ESET-NOD32']['result'])
if ('F-Secure' in vttext['scans']):
print("F-Secure:".ljust(13),vttext['scans']['F-Secure']['result'])
if ('Fortinet' in vttext['scans']):
print("Fortinet:".ljust(13),vttext['scans']['Fortinet']['result'])
if ("Kaspersky" in vttext['scans']):
print("Kaspersky:".ljust(13),vttext['scans']['Kaspersky']['result'])
if ("MalwareBytes" in vttext['scans']):
print("MalwareBytes:".ljust(13),vttext['scans']['MalwareBytes']['result'])
if ("McAfee" in vttext['scans']):
print("McAfee:".ljust(13),vttext['scans']['McAfee']['result'])
if ("Microsoft" in vttext['scans']):
print("Microsoft:".ljust(13),vttext['scans']['Microsoft']['result'])
if ("Panda" in vttext['scans']):
print("Panda:".ljust(13),vttext['scans']['Panda']['result'])
if ("Sophos" in vttext['scans']):
print("Sophos:".ljust(13),vttext['scans']['Sophos']['result'])
if ("Symantec" in vttext['scans']):
print("Symantec:".ljust(13),vttext['scans']['Symantec']['result'])
if ("TrendMicro" in vttext['scans']):
print("TrendMicro:".ljust(13),vttext['scans']['TrendMicro']['result'])
if ("Zone-Alarm" in vttext['scans']):
print("Zone-Alarm:".ljust(13),vttext['scans']['Zone-Alarm']['result'])
except ValueError:
if(bkg == 1):
print((mycolors.foreground.lightred + "Error while connecting to Virus Total!\n"))
else:
print((mycolors.foreground.red + "Error while connecting to Virus Total!\n"))
print(mycolors.reset)
def hashow(filehash):
hatext = ''
haresponse = ''
final = ''
try:
resource = filehash
requestsession = requests.Session( )
requestsession.headers.update({'user-agent': user_agent})
requestsession.headers.update({'api-key': HAAPI})
requestsession.headers.update({'content-type': 'application/json'})
if (xx == 0):
finalurl = '/'.join([haurl,'report', resource + ':100', 'summary'])
elif (xx == 1):
finalurl = '/'.join([haurl,'report', resource + ':110', 'summary'])
elif (xx == 2):
finalurl = '/'.join([haurl,'report', resource + ':120', 'summary'])
elif (xx == 3):
finalurl = '/'.join([haurl,'report', resource + ':200', 'summary'])
else:
finalurl = '/'.join([haurl,'report', resource + ':300', 'summary'])
haresponse = requestsession.get(url=finalurl)
hatext = json.loads(haresponse.text)
rc = str(hatext)
if 'message' in rc:
final = 'Malware sample was not found in Hybrid-Analysis repository.'
if (bkg == 1):
print((mycolors.foreground.lightred + "\n" + final + "\n"))
else:
print((mycolors.foreground.red + "\n" + final + "\n"))
return final
if 'environment_description' in hatext:
envdesc = str(hatext['environment_description'])
else:
envdesc = ''
if 'type' in hatext:
maltype = str(hatext['type'])
else:
maltype = ''
if 'verdict' in hatext:
verdict = str(hatext['verdict'])
else:
verdict = ''
if 'threat_level' in hatext:
threatlevel = str(hatext['threat_level'])
else:
threatlevel = ''
if 'threat_score' in hatext:
threatscore = str(hatext['threat_score'])
else:
threatscore = ''
if 'av_detect' in hatext:
avdetect = str(hatext['av_detect'])
else:
avdetect = ''
if 'total_signatures' in hatext:
totalsignatures = str(hatext['total_signatures'])
else:
totalsignatures = ''
if 'submit_name' in hatext:
submitname = str(hatext['submit_name'])
else:
submitname = ''
if 'analysis_start_time' in hatext:
analysistime = str(hatext['analysis_start_time'])
else:
analysistime = ''
if 'size' in hatext:
malsize = str(hatext['size'])
else:
malsize = ''
if 'total_processes' in hatext:
totalprocesses = str(hatext['total_processes'])
else:
totalprocesses = ''
if 'total_network_connections' in hatext:
networkconnections = str(hatext['total_network_connections'])
else:
networkconnections = ''
if 'domains' in hatext:
domains = (hatext['domains'])
else:
domains = ''
if 'hosts' in hatext:
hosts = (hatext['hosts'])
else:
hosts = ''
if 'compromised_hosts' in hatext:
compromised_hosts = (hatext['compromised_hosts'])
else:
compromised_hosts = ''
if 'vx_family' in hatext:
vxfamily = str(hatext['vx_family'])
else:
vxfamily = ''
if 'type_short' in (hatext):
typeshort = (hatext['type_short'])
else:
typeshort = ''
if 'tags' in hatext:
classification = (hatext['tags'])
else:
classification = ''
if 'certificates' in hatext:
certificates = hatext['certificates']
else:
certificates = ''
if 'mitre_attcks' in hatext:
mitre = hatext['mitre_attcks']
else:
mitre = ''
print(mycolors.reset)
print ("\nHybrid-Analysis Summary Report:")
print((70*'-').ljust(70))
if (bkg == 1):
print((mycolors.foreground.lightcyan))
else:
print((mycolors.foreground.red))
print("Environment:".ljust(20),envdesc)
print("File Type:".ljust(20),maltype)
print("Verdict:".ljust(20),verdict)
print("Threat Level:".ljust(20),threatlevel)
print("Threat Score:".ljust(20),threatscore + '/100')
print("AV Detect".ljust(20),avdetect + '%')
print("Total Signatures:".ljust(20),totalsignatures)
if (bkg == 1):
print((mycolors.foreground.yellow))
else:
print((mycolors.foreground.cyan))
print("Submit Name:".ljust(20),submitname)
print("Analysis Time:".ljust(20),analysistime)
print("File Size:".ljust(20),malsize)
print("Total Processes:".ljust(20),totalprocesses)
print("Network Connections:".ljust(20),networkconnections)
print("\nDomains:")
for i in domains:
print("".ljust(20), i)
print("\nHosts:")
for i in hosts:
print("".ljust(20), i, "\t", "city: " + (geocoder.ip(i).city))
print("\nCompromised Hosts:")
for i in compromised_hosts:
print("".ljust(20), i, "\t", "city: " + (geocoder.ip(i).city))
if (bkg == 1):
print((mycolors.foreground.lightred))
else:
print((mycolors.foreground.cyan))
print("Vx Family:".ljust(20),vxfamily)
print("File Type Short: ", end=' ')
for i in typeshort:
print(i, end=' ')
print("\nClassification Tags:".ljust(20), end=' ')
for i in classification:
print(i, end=' ')
if (bkg == 1):
print((mycolors.foreground.lightcyan))
else:
print((mycolors.foreground.blue))
print("\nCertificates:\n", end=' ')
for i in certificates:
print("".ljust(20), end=' ')
print(("owner: %s" % i['owner']))
print("".ljust(20), end=' ')
print(("issuer: %s" % i['issuer']))
print("".ljust(20), end=' ')
print(("valid_from: %s" % i['valid_from']))
print("".ljust(20), end=' ')
print(("valid_until: %s\n" % i['valid_until']))
if (bkg == 1):
print(mycolors.foreground.lightgreen)
else:
print(mycolors.foreground.purple)
print("\nMITRE Attacks:\n")
for i in mitre:
print("".ljust(20), end=' ')
print(("tactic: %s" % i['tactic']))
print("".ljust(20), end=' ')
print(("technique: %s" % i['technique']))
print("".ljust(20), end=' ')
print(("attck_id: %s" % i['attck_id']))
print("".ljust(20), end=' ')
print(("attck_id_wiki: %s\n" % i['attck_id_wiki']))
rc = (hatext)
if (rc == 0):
final = 'Not Found'
print(mycolors.reset)
return final
except ValueError as e:
print(e)
if(bkg == 1):
print((mycolors.foreground.lightred + "Error while connecting to Hybrid-Analysis!\n"))
else:
print((mycolors.foreground.red + "Error while connecting to Hybrid-Analysis!\n"))
print(mycolors.reset)
def polymetasearch(poly, metainfo):
if (metainfo == 0):
targetfile = poly
mysha256hash=''
dname = str(os.path.dirname(targetfile))
if os.path.abspath(dname) == False:
dname = os.path.abspath('.') + "/" + dname
fname = os.path.basename(targetfile)
magictype = ftype(targetfile)
try:
if re.match(r'^PE[0-9]{2}|^MS-DOS', magictype):
fmype = pefile.PE(targetfile)
mymd5hash = md5hash(targetfile)
mysha256hash = sha256hash(targetfile)
GS = generalstatus(targetfile)
fimph = fmype.get_imphash()
else:
if (bkg == 1):
print(mycolors.foreground.lightred + "\nYou didn\'t provided a PE file")
else:
print(mycolors.foreground.red + "\nYou didn\'t provided a PE file")
print(mycolors.reset)
exit(1)
except (AttributeError, NameError) as e:
if (bkg == 1):
print((mycolors.foreground.lightred + "\nThe file %s doesn't respect some PE format rules. Exiting...\n" % targetfile))
else:
print((mycolors.foreground.red + "\nThe file %s doesn't respect some PE format rules. Exiting...\n" % targetfile))
print(mycolors.reset)
exit(1)
print(mycolors.reset)
print("POLYSWARM.IO RESULTS")
print('-' * 20, end="\n\n")
try:
if (metainfo == 0):
metaresults = polyswarm.search_by_metadata("pefile.imphash:" + fimph)
for meta in metaresults:
for x in meta:
if (bkg == 1):
print(mycolors.reset + "\nSHA256: " + mycolors.foreground.lightred + "%s" % x.sha256, end=' ')
print(mycolors.reset + "firstseen: " + mycolors.foreground.lightgreen + "%s" % x.first_seen, end=' ')
if len(x.detections) > 0:
print(mycolors.reset + "scan: " + mycolors.foreground.yellow + "%s" % len(x.detections) + "/" + "%s malicious" % len(x.last_scan.assertions), end=' ')
else:
print(mycolors.reset + "scan: " + mycolors.foreground.pink + "not scanned yet", end=' ')
else:
print(mycolors.reset + "\nSHA256: " + mycolors.foreground.red + "%s" % x.sha256, end=' ')
print(mycolors.reset + "firstseen: " + mycolors.foreground.blue + "%s" % x.first_seen, end=' ')
if len(x.detections) > 0:
print(mycolors.reset + "scan: " + mycolors.foreground.green + "%s" % len(x.detections) + "/" + "%s malicious" % len(x.last_scan.assertions), end=' ')
else:
print(mycolors.reset + "scan: " + mycolors.foreground.purple + "not scanned yet", end=' ')
print(mycolors.reset)
exit(0)
if (metainfo == 1):
metaresults = polyswarm.search_by_metadata("strings.ipv4:" + poly)
if (metainfo == 2):
metaresults = polyswarm.search_by_metadata("strings.domains:" + poly)
if (metainfo == 3):
poly = (r'"' + poly + r'"')
metaresults = polyswarm.search_by_metadata("strings.urls:" + poly)
for meta in metaresults:
for y in meta:
if (bkg == 1):
print(mycolors.reset + "\nSHA256: " + mycolors.foreground.lightgreen + "%s" % y.sha256, end=' ')
print(mycolors.reset + "firstseen: " + mycolors.foreground.lightcyan + "%s" % y.first_seen, end=' ')
if len(y.detections) > 0:
print(mycolors.reset + "scan: " + mycolors.foreground.yellow + "%s" % len(y.detections) + "/" + "%s malicious" % len(y.last_scan.assertions), end=' ')
else:
print(mycolors.reset + "scan: " + mycolors.foreground.pink + "not scanned yet", end=' ')
else:
print(mycolors.reset + "\nSHA256: " + mycolors.foreground.green + "%s" % y.sha256, end=' ')
print(mycolors.reset + "firstseen: " + mycolors.foreground.cyan + "%s" % y.first_seen, end=' ')
if len(y.detections) > 0:
print(mycolors.reset + "scan: " + mycolors.foreground.red + "%s" % len(y.detections) + "/" + "%s malicious" % len(y.last_scan.assertions), end=' ')
else:
print(mycolors.reset + "scan: " + mycolors.foreground.purple + "not scanned yet", end=' ')
print(mycolors.reset)
except (RetryError) as e:
if (bkg == 1):
print((mycolors.foreground.lightred + "\nAn error has ocurred during Polyswarm processing. Exiting...\n"))
else:
print((mycolors.foreground.red + "\nAn error has ocurred during Polyswarm processing. Exiting...\n"))
print(mycolors.reset)
exit(1)
except:
if (bkg == 1):
print((mycolors.foreground.lightred + "\nAn error has ocurred while connecting to Polyswarm.\n"))
else:
print((mycolors.foreground.red + "\nAn error has ocurred while connecting to Polyswarm.\n"))
print(mycolors.reset)
exit(1)
def polyfile(poly):
sha256 = ''
filetype = ''
extended = ''
m = ''
firstseen = ''
score = 0
results = polyswarm.scan(poly)
myhash = sha256hash(poly)
print(mycolors.reset)
print("POLYSWARM.IO RESULTS")
print('-' * 20, end="\n\n")
for fileresults in results:
if fileresults.result:
for myfiles in fileresults.result.files:
score = myfiles.polyscore
for assertion in myfiles.assertions:
if (bkg == 1):
print(mycolors.reset + "Engine: " + mycolors.foreground.lightgreen + "%-12s" % assertion.author_name, end='')
print(mycolors.reset + "\tVerdict:" + mycolors.foreground.lightred + " ", "Malicious" if assertion.verdict else "Clean")
else:
print(mycolors.reset + "Engine: " + mycolors.foreground.green + "%-12s" % assertion.author_name, end='')
print(mycolors.reset + "\tVerdict:" + mycolors.foreground.red + " ", "Malicious" if assertion.verdict else "Clean")
results = polyswarm.search(myhash)
print(mycolors.reset)
for hashresults in results:
if hashresults.result:
for myhashes in hashresults.result:
sha256 = myhashes.sha256
filetype = myhashes.mimetype
extended = myhashes.extended_type
firstseen = myhashes.first_seen
filenames = myhashes.filenames
if (myhashes.countries):
countries = myhashes.countries
if (bkg == 1):
for j in filenames:
print(mycolors.foreground.lightcyan + "\nFilenames: \t%s" % j, end=' ')
print(mycolors.foreground.lightcyan + "\nSHA256: \t%s" % sha256)
print(mycolors.foreground.lightred + "File Type: \t%s" % filetype)
print(mycolors.foreground.lightred + "Extended Info: \t%s" % extended)
print(mycolors.foreground.pink + "First seen: \t%s" % firstseen)
for m in countries:
print(mycolors.foreground.pink + "Countries: \t%s" % m, end=' ')
if (score is not None):
print(mycolors.foreground.yellow + "\nPolyscore: \t%f" % score)
else:
for j in filenames:
print(mycolors.foreground.cyan + "\nFilenames: \t%s" % j, end=' ')
print(mycolors.foreground.cyan + "\nSHA256: \t%s" % sha256)
print(mycolors.foreground.purple + "File Type: \t%s" % filetype)
print(mycolors.foreground.purple + "Extended Info: \t%s" % extended)
print(mycolors.foreground.blue + "First seen: \t%s" % firstseen)
for m in countries:
print(mycolors.foreground.blue + "Countries: \t%s" % m, end=' ')
if (score is not None):
print(mycolors.foreground.red + "\nPolyscore: \t%f" % score)
print(mycolors.reset)
def polyurlcheck(poly):
results = polyswarm.scan_urls(poly)
print(mycolors.reset)
print("POLYSWARM.IO RESULTS")
print('-' * 20, end="\n\n")
for urlresults in results:
if urlresults.result:
for myurls in urlresults.result.files:
for assertion in myurls.assertions:
if (bkg == 1):
print(mycolors.reset + "Engine: " + mycolors.foreground.lightblue + "%-12s" % assertion.author_name, end='')
print(mycolors.reset + "\tVerdict:" + mycolors.foreground.lightred + " ", "Malicious" if assertion.verdict else "Clean")
else:
print(mycolors.reset + "Engine: " + mycolors.foreground.blue + "%-12s" % assertion.author_name, end='')
print(mycolors.reset + "\tVerdict: " + mycolors.foreground.red + " ", "Malicious" if assertion.verdict else "Clean")
print(mycolors.reset)
def polyhashsearch(poly):
filenames = ''
sha256 = ''
results = polyswarm.search(poly)
print(mycolors.reset)
print("POLYSWARM.IO RESULTS")
print('-' * 20, end="\n\n")
for hashresults in results:
if hashresults.result:
for myhashes in hashresults.result:
score = myhashes.last_scan.polyscore
sha256 = myhashes.sha256
filetype = myhashes.mimetype
extended = myhashes.extended_type
firstseen = myhashes.first_seen
filenames = myhashes.filenames
countries = myhashes.countries
results = myhashes.last_scan.assertions
for i in results:
if (bkg == 1):
print(mycolors.foreground.lightcyan + "%s" % i)
else:
print(mycolors.foreground.cyan + "%s" % i)
if (bkg == 1):
if (filenames == ''):
if (sha256 == ''):
if(bkg == 1):
print(mycolors.foreground.lightred + "This sample could not be found on Polyswarm!\n" + mycolors.reset)
exit(1)
else:
print(mycolors.foreground.red + "This sample could not be found on Polyswarm!\n" + mycolors.reset)
exit(1)
for j in filenames:
print(mycolors.foreground.lightgreen + "\nFilenames: \t%s" % j, end=' ')
print(mycolors.foreground.lightgreen + "\nSHA256: \t%s" % sha256)
print(mycolors.foreground.lightred + "File Type: \t%s" % filetype)
print(mycolors.foreground.lightred + "Extended Info: \t%s" % extended)
print(mycolors.foreground.pink + "First seen: \t%s" % firstseen)
for m in countries:
print(mycolors.foreground.pink + "Countries: \t%s" % m, end=' ')
if (score is not None):
print(mycolors.foreground.yellow + "\nPolyscore: \t%f" % score)
else:
for j in filenames:
print(mycolors.foreground.green + "\nFilenames: \t%s" % j, end=' ')
print(mycolors.foreground.green + "\nSHA256: \t%s" % sha256)
print(mycolors.foreground.purple + "File Type: \t%s" % filetype)
print(mycolors.foreground.purple + "Extended Info: \t%s" % extended)
print(mycolors.foreground.blue + "First seen: \t%s" % firstseen)
for m in countries:
print(mycolors.foreground.blue + "Countries: \t%s" % m, end=' ')
if (score is not None):
print(mycolors.foreground.red + "\nPolyscore: \t%f" % score)
print(mycolors.reset)
def hafilecheck(filenameha):
hatext = ''
haresponse = ''
resource = ''
haenv = '100'
job_id = ''
try:
if (xx == 0):
haenv = '100'
elif (xx == 1):
haenv = '110'
elif (xx == 2):
haenv = '120'
elif (xx == 3):
haenv = '200'
else:
haenv = '300'
resource = {'file': (os.path.basename(filenameha), open(filenameha, 'rb')), 'environment_id': (None, haenv)}
mysha256hash = sha256hash(filenameha)
if (bkg == 1):
print((mycolors.foreground.lightcyan + "\nSubmitted file: %s".ljust(20) % filenameha))
print(("Submitted hash: %s".ljust(20) % mysha256hash))
print(("Environment ID: %3s" % haenv))
print((Fore.WHITE))
else:
print((mycolors.foreground.purple + "\nSubmitted file: %s".ljust(20) % filenameha))
print(("Submitted hash: %s".ljust(20) % mysha256hash))
print(("Environment ID: %3s" % haenv))
print((Fore.BLACK))
requestsession = requests.Session( )
requestsession.headers.update({'user-agent': user_agent})
requestsession.headers.update({'api-key': HAAPI})
requestsession.headers.update({'accept': 'application/json'})
finalurl = '/'.join([haurl,'submit', 'file'])
haresponse = requestsession.post(url=finalurl, files=resource)
hatext = json.loads(haresponse.text)
rc = str(hatext)
job_id = str(hatext['job_id'])
hash_received = str(hatext['sha256'])
environment_id = str(hatext['environment_id'])
if (job_id) in rc:
if (bkg == 1):
print((mycolors.foreground.yellow + "The suspicious file has been successfully submitted to Hybrid Analysis."))
print(("\nThe job ID is: ").ljust(31), end=' ')
print(("%s" % job_id))
print(("The environment ID is: ").ljust(30), end=' ')
print(("%s" % environment_id))
print(("The received sha256 hash is: ").ljust(30), end=' ')
print(("%s" % hash_received))
print((mycolors.reset + "\n"))
else:
print((mycolors.foreground.green + "The suspicious file has been successfully submitted to Hybrid Analysis."))
print(("\nThe job ID is: ").ljust(31), end=' ')
print(("%s" % job_id))
print(("The environment ID is: ").ljust(30), end=' ')
print(("%s" % environment_id))
print(("The received sha256 hash is: ").ljust(30), end=' ')
print(("%s" % hash_received))
print((mycolors.reset + "\n"))
else:
if (bkg == 1):
print((mycolors.foreground.lightred + "\nAn error occured while sending the file!"))
print((mycolors.reset + "\n"))
else:
print((mycolors.foreground.red + "\nAn error occured while sending the file!"))
print((mycolors.reset + "\n"))
except ValueError as e:
print(e)
if (bkg == 1):
print((mycolors.foreground.lightred + "Error while connecting to Hybrid-Analysis!\n"))
else:
print((mycolors.foreground.red + "Error while connecting to Hybrid-Analysis!\n"))
print((mycolors.reset))
def checkreportha(jobid):
hatext = ''
haresponse = ''
try:
resource = jobid
requestsession = requests.Session( )
requestsession.headers.update({'user-agent': user_agent})
requestsession.headers.update({'api-key': HAAPI})
requestsession.headers.update({'content-type': 'application/json'})
finalurl = '/'.join([haurl,'report', resource , 'state'])
haresponse = requestsession.get(url=finalurl)
hatext = json.loads(haresponse.text)
job_id = jobid
if ("state" in haresponse.text):
if (bkg == 1):
print((mycolors.foreground.yellow + "\nThe report status related to the provided job ID follows below:"))
print(("\nThe job ID is: ").ljust(31), end=' ')
print(("%s" % job_id))
print(("The report status is: ").ljust(30), end=' ')
print(("%s" % str(hatext['state'])))
print((mycolors.reset + "\n"))
else:
print((mycolors.foreground.purple + "\nThe report status related to the provided job ID follows below:"))
print(("\nThe job ID is: ").ljust(31), end=' ')
print(("%s" % job_id))
print(("The report status is: ").ljust(30), end=' ')
print(("%s" % str(hatext['state'])))
print((mycolors.reset + "\n"))
else:
if (bkg == 1):
print((mycolors.foreground.lightred + "\nThere isn't any report associated to this job ID, unfortunately."))
print((mycolors.reset + "\n"))
else:
print((mycolors.foreground.red + "\nThere isn't any report associated to ths job ID, unfortunately"))
print((mycolors.reset + "\n"))
except ValueError as e:
print(e)
if (bkg == 1):
print((mycolors.foreground.lightred + "Error while connecting to Hybrid-Analysis!\n"))
else:
print((mycolors.foreground.red + "Error while connecting to Hybrid-Analysis!\n"))
print((mycolors.reset))
def downhash(filehash):
hatext = ''
haresponse = ''
final = ''
try:
resource = filehash
requestsession = requests.Session( )
requestsession.headers.update({'user-agent': user_agent})
requestsession.headers.update({'api-key': HAAPI})
requestsession.headers.update({'accept': 'application/gzip'})
finalurl = '/'.join([haurl,'overview', resource , 'sample'])
haresponse = requestsession.get(url=finalurl, allow_redirects=True)
try:
hatext = haresponse.text
rc = str(hatext)
if 'message' in rc:
final = 'Malware sample is not available to download.'
if (bkg == 1):
print((mycolors.foreground.lightred + "\n" + final + "\n"))
else:
print((mycolors.foreground.red + "\n" + final + "\n"))
print((mycolors.reset))
return final
open(resource + '.gz', 'wb').write(haresponse.content)
final = 'SAMPLE SAVED!'
print((mycolors.reset))
print((final + "\n"))
return final
except ValueError as e:
print(e)
if(bkg == 1):
print((mycolors.foreground.lightred + "Error while downloading Hybrid-Analysis!\n"))
else:
print((mycolors.foreground.red + "Error while downloading Hybrid-Analysis!\n"))
print(mycolors.reset)
except ValueError as e:
print(e)
if(bkg == 1):
print((mycolors.foreground.lightred + "Error while connecting to Hybrid-Analysis!\n"))
else:
print((mycolors.foreground.red + "Error while connecting to Hybrid-Analysis!\n"))
print(mycolors.reset)
def overextract(fname):
with open(fname, "rb") as o:
r = o.read()
pe = pefile.PE(fname)
offset = pe.get_overlay_data_start_offset( )
if offset == None:
exit(0)
with open(fname + ".overlay", "wb") as t:
t.write(r[offset:])
if (bkg == 1):
print((mycolors.foreground.lightgreen + "\nOverlay extracted: %s.overlay\n" % fname))
else:
print((mycolors.foreground.red + "\nOverlay extracted: %s.overlay\n" % fname))
print(mycolors.reset)
def keysort(item):
return item[1]
def generalstatus(key):
vtfinal = ''
result = ' '
ovr = ''
entr = ''
G = []
if (vt==1):
myfilehash = sha256hash(key)
vtfinal = vtcheck(myfilehash, url, param)
G.append(vtfinal)
mype2 = pefile.PE(key)
over = mype2.get_overlay_data_start_offset()
if over == None:
ovr = ""
else:
ovr = "OVERLAY"
G.append(ovr)
rf = mype2.write()
entr = mype2.sections[0].entropy_H(rf)
G.append(entr)
pack = packed(mype2)
if pack == False:
result = "no "
elif pack == True:
result = "PACKED"
else:
result = "Likely"
G.append(result)
return G
def hashchecking( ):
print ("\n")
print(mycolors.reset)
print("Main Antivirus Reports")
print("-" * 25 + "\n")
vtresult = vtshow(hashtemp,url,param)
if vtresult == 'Not Found':
if(bkg == 1):
print(mycolors.foreground.lightred + "Malware sample was not found in Virus Total.")
else:
print(mycolors.foreground.red + "Malware sample was not found in Virus Total.")
print(mycolors.reset)
hashow(hashtemp)
if (down == 1):
downhash(hashtemp)
print(mycolors.reset)
exit(0)
def filechecking(ffpname2):
GS = []
targetfile = ffpname2
mymd5hash=''
mysha256hash=''
dname = str(os.path.dirname(targetfile))
if os.path.abspath(dname) == False:
dname = os.path.abspath('.') + "/" + dname
fname = os.path.basename(targetfile)
magictype = ftype(targetfile)
print(mycolors.reset, end=' ')
try:
if re.match(r'^PE[0-9]{2}|^MS-DOS', magictype):
fmype = pefile.PE(targetfile)
mymd5hash = md5hash(targetfile)
mysha256hash = sha256hash(targetfile)
GS = generalstatus(targetfile)
fimph = fmype.get_imphash()
S = []
if (bkg == 1):
print((mycolors.foreground.lightcyan), end = '')
else:
print((mycolors.foreground.blue), end = '')
print(("\nFile Name: %s" % targetfile))
print(("File Type: %s\n" % magictype))
print(("MD5: %s" % mymd5hash))
print(("SHA256: %s" % mysha256hash))
print(("Imphash: %s\n" % fimph))
if (bkg == 1):
print((mycolors.foreground.lightred + "entropy: %8.2f" % GS[2]))
else:
print((mycolors.foreground.red + "entropy: %8.2f" % GS[2]))
print(("Packed?: %10s" % GS[3]))
print(("Overlay?: %10s" % GS[1]))
print(("VirusTotal: %6s" % GS[0]))
print(mycolors.reset)
if(bkg == 1):
print((mycolors.foreground.yellow + ""))
else:
print((mycolors.foreground.green + ""))
listsections(targetfile)
if (showreport == 1):
print(mycolors.reset)
print("\nMain Antivirus Reports:")
print((40*'-').ljust(40))
vtshow(mysha256hash,url,param)
if (ha == 1):
hashow(mysha256hash)
if (ie == 1):
impext(targetfile)
print(mycolors.reset)
if (ovrly == 1):
status_over = overextract(targetfile)
print(mycolors.reset)
exit(0)
else:
vtfinal = ''
mymd5hash = md5hash(targetfile)
mysha256hash = sha256hash(targetfile)
if (bkg == 1):
print((mycolors.foreground.yellow + "\nFile Name: %s" % targetfile))
else:
print((mycolors.foreground.purple + "\nFile Name: %s" % targetfile))
print(("File Type: %s" % magictype))
if (bkg == 1):
print((mycolors.foreground.lightcyan + "MD5: %s" % mymd5hash))
print(("SHA256: %s" % mysha256hash))
else:
print((mycolors.foreground.cyan + "MD5: %s" % mymd5hash))
print(("SHA256: %s" % mysha256hash))
print(mycolors.reset)
if (vt==1):
vtfinal = vtcheck(mysha256hash, url, param)
if(bkg == 1):
print((mycolors.foreground.lightred + "VirusTotal: %6s\n" % vtfinal))
else:
print((mycolors.foreground.red + "VirusTotal: %6s\n" % vtfinal))
if (showreport == 1):
print(mycolors.reset)
print("\nMain Antivirus Reports:")
print((40*'-').ljust(40))
vtshow(mysha256hash,url,param)
if (ha == 1):
hashow(mysha256hash)
print(mycolors.reset)
exit(0)
except (AttributeError, NameError) as e:
if (bkg == 1):
print((mycolors.foreground.lightred + "\nThe file %s doesn't respect some PE format rules. Skipping this file...\n" % targetfile))
else:
print((mycolors.foreground.red + "\nThe file %s doesn't respect some PE format rules. Skipping this file...\n" % targetfile))
print(mycolors.reset)
exit(1)
def quickhashow(filehash):
hatext = ''
haresponse = ''
final = 'Yes'
verdict = '-'
avdetect = '0'
totalsignatures = '-'
threatscore = '-'
totalprocesses = '-'
networkconnections = '-'
try:
resource = filehash
requestsession = requests.Session( )
requestsession.headers.update({'user-agent': user_agent})
requestsession.headers.update({'api-key': HAAPI})
requestsession.headers.update({'content-type': 'application/json'})
if (xx == 0):
finalurl = '/'.join([haurl,'report', resource + ':100', 'summary'])
elif (xx == 1):
finalurl = '/'.join([haurl,'report', resource + ':110', 'summary'])
elif (xx == 2):
finalurl = '/'.join([haurl,'report', resource + ':120', 'summary'])
elif (xx == 3):
finalurl = '/'.join([haurl,'report', resource + ':200', 'summary'])
else:
finalurl = '/'.join([haurl,'report', resource + ':300', 'summary'])
haresponse = requestsession.get(url=finalurl)
hatext = json.loads(haresponse.text)
rc = str(hatext)
if 'message' in rc:
final = 'Not Found'
return (final, verdict, avdetect, totalsignatures, threatscore, totalprocesses, networkconnections)
rc2 = (hatext)
if (rc2 == 0):
final = 'Not Found'
return (final, verdict, avdetect, totalsignatures, threatscore, totalprocesses, networkconnections)
if 'verdict' in hatext:
verdict = str(hatext['verdict'])
else:
verdict = ''
if 'threat_score' in hatext:
threatscore = str(hatext['threat_score'])
else:
threatscore = ''
if 'av_detect' in hatext:
avdetect = str(hatext['av_detect'])
else:
avdetect = ''
if 'total_signatures' in hatext:
totalsignatures = str(hatext['total_signatures'])
else:
totalsignatures = ''
if 'total_processes' in hatext:
totalprocesses = str(hatext['total_processes'])
else:
totalprocesses = ''
if 'total_network_connections' in hatext:
networkconnections = str(hatext['total_network_connections'])
else:
networkconnections = ''
return (final, verdict, avdetect, totalsignatures, threatscore, totalprocesses, networkconnections)
except ValueError as e:
print(e)
if (bkg == 1):
print((mycolors.foreground.lightred + "Error while connecting to Hybrid-Analysis!\n"))
else:
print((mycolors.foreground.red + "Error while connecting to Hybrid-Analysis!\n"))
print(mycolors.reset)
def nothreadworks(key, value, tm, n, result, prev1, prev2):
key1 = key
value1 = value
tm1 = tm
n1 = n
result1 = result
prev1a = prev1
prev2a = prev2
if (vt==1):
if (gt == 1):
tm1 = tm1 + 1
if tm1 % 4 == 0:
time.sleep(61)
myhashdir = sha256hash(key1)
vtfinal = vtcheck(myhashdir, url, param)
else:
myhashdir = sha256hash(key1)
vtfinal = vtcheck(myhashdir, url, param)
myfiletype = magic.from_file(key1)
if myfiletype is None:
ovr = '-'
result1 = '-'
entr = 0.00
elif (('PE32' or 'PE32+') in myfiletype):
mype2 = pefile.PE(key1)
over = mype2.get_overlay_data_start_offset()
if over == None:
ovr = ""
else:
ovr = "OVERLAY"
rf = mype2.write()
entr = mype2.sections[0].entropy_H(rf)
pack = packed(mype2)
if pack == False:
result1 = "no"
elif pack == True:
result1 = "PACKED"
else:
result1 = "Likely"
else:
ovr = '-'.center(7)
result1 = 'no'
entr = 0.00
width = 32
value1 = (myfiletype[:32]) if len(myfiletype) > 30 else f'{myfiletype: <{width}}'
if (bkg == 1):
if ((prev2a == prev1a) and (n1 < 97)):
print(("\033[%dm" % n1 + "%-68s" % key1), end=' ')
print(("\033[%dm" % n1 + " %-2s" % value1), end=' ')
print(("\033[%dm" % n1 + " %-6s" % result1), end=' ')
print(("\033[%dm" % n1 + " %7s" % ovr), end=' ')
print(("\033[%dm" % n1 + " %4.2f" % entr) + mycolors.reset, end=' ')
if (vt == 1):
print(("\033[%dm" % n1 + " %8s" % vtfinal) + mycolors.reset)
else:
print(("\033[%dm" % n1 + " %8s" % ' ') + mycolors.reset)
else:
if ((n1 > 96) and (prev1a != prev2a)):
n1 = 90
elif (n1 > 96):
n1 = 96
n1 = n1 + 1
print(("\033[%dm" % n1 + "%-68s" % key1), end=' ')
print(("\033[%dm" % n1 + " %-2s" % value1), end=' ')
print(("\033[%dm" % n1 + " %-6s" % result1), end=' ')
print(("\033[%dm" % n1 + " %7s" % ovr), end=' ')
print(("\033[%dm" % n1 + " %4.2f" % entr) + mycolors.reset, end =' ')
if (vt == 1):
print(("\033[%dm" % n1 + " %8s" % vtfinal) + mycolors.reset)
else:
print(("\033[%dm" % n1 + " %8s" % ' ') + mycolors.reset)
prev2a = value1
else:
if ((prev2a == prev1a) and (n1 < 96)):
print(("\033[%dm" % n1 + "%-68s" % key1), end=' ')
print(("\033[%dm" % n1 + " %-2s" % value1), end=' ')
print(("\033[%dm" % n1 + " %-6s" % result1), end=' ')
print(("\033[%dm" % n1 + " %7s" % ovr), end=' ')
print(("\033[%dm" % n1 + " %4.2f" % entr) + mycolors.reset, end=' ')
if (vt == 1):
print(("\033[%dm" % n1 + " %8s" % vtfinal) + mycolors.reset)
else:
print(("\033[%dm" % n1 + " %8s" % ' ') + mycolors.reset)
else:
if ((n1 > 95) and (prev1a != prev2a)):
n1 = 89
elif (n1 > 95):
n1 = 95
n1 = n1 + 1
print(("\033[%dm" % n1 + "%-68s" % key1), end=' ')
print(("\033[%dm" % n1 + " %-2s" % value1), end=' ')
print(("\033[%dm" % n1 + " %-6s" % result1), end=' ')
print(("\033[%dm" % n1 + " %7s" % ovr), end=' ')
print(("\033[%dm" % n1 + " %4.2f" % entr) + mycolors.reset, end=' ')
if (vt == 1):
print(("\033[%dm" % n1 + " %8s" % vtfinal) + mycolors.reset)
else:
print(("\033[%dm" % n1 + " %8s" % ' ') + mycolors.reset)
prev2a = value1
prev1 = prev1a
prev2 = prev2a
n = n1
result = result1
tm = tm1
return (prev1, prev2, n, result, tm)
class abThread(threading.Thread):
def __init__(self, key, value):
threading.Thread.__init__(self)
self.key = key
self.value = value
def run(self):
key1 = self.key
value1 = self.value
if (vt==1):
myhashdir = sha256hash(key1)
vtfinal = vtcheck(myhashdir, url, param)
myfiletype = magic.from_file(key1)
if myfiletype is None:
ovr = '-'
result1 = '-'
entr = 0.00
elif (('PE32' or 'PE32+') in myfiletype):
mype2 = pefile.PE(key1)
over = mype2.get_overlay_data_start_offset()
if over == None:
ovr = ""
else:
ovr = "OVERLAY"
rf = mype2.write()
entr = mype2.sections[0].entropy_H(rf)
pack = packed(mype2)
if pack == False:
result1 = "no"
elif pack == True:
result1 = "PACKED"
else:
result1 = "Likely"
else:
ovr = '-'.center(7)
result1 = 'no'
entr = 0.00
width = 32
value1 = (myfiletype[:32]) if len(myfiletype) > 30 else f'{myfiletype: <{width}}'
if (bkg == 1):
print((mycolors.foreground.yellow + "%-68s" % key1), end=' ')
print((mycolors.foreground.lightcyan + " %-2s" % value1), end=' ')
print((mycolors.foreground.lightred + " %-6s" % result1), end=' ')
print((mycolors.foreground.pink + " %7s" % ovr), end=' ')
print((mycolors.foreground.lightgreen + " %4.2f" % entr) + mycolors.reset, end=' ')
if (vt == 1):
print((mycolors.foreground.yellow + " %8s" % vtfinal + mycolors.reset))
else:
print((" %8s" % ' ') + mycolors.reset)
else:
print((mycolors.foreground.red + "%-68s" % key1), end=' ')
print((mycolors.foreground.cyan + " %-2s" % value1), end=' ')
print((mycolors.foreground.blue + " %-6s" % result1), end=' ')
print((mycolors.foreground.purple + " %7s" % ovr), end=' ')
print((mycolors.foreground.green + " %4.2f" % entr) + mycolors.reset, end =' ')
if (vt == 1):
print((mycolors.foreground.red + " %8s" % vtfinal + mycolors.reset))
else:
print((" %8s" % ' ') + mycolors.reset)
class quickVTThread(threading.Thread):
def __init__(self, key):
threading.Thread.__init__(self)
self.key = key
def run(self):
key1 = self.key
myhashdir = sha256hash(key1)
vtfinal = vtcheck(myhashdir, url, param)
if (bkg == 1):
print((mycolors.foreground.orange + "%-68s" % key1), end=' ')
print((mycolors.reset + "|" + mycolors.foreground.lightgreen + "%8s" % vtfinal + mycolors.reset))
else:
print((mycolors.foreground.cyan + "%-68s" % key1), end=' ')
print((mycolors.reset + "|" + mycolors.foreground.red + "%8s" % vtfinal + mycolors.reset))
class quickHAThread(threading.Thread):
def __init__(self, key):
threading.Thread.__init__(self)
self.key = key
def run(self):
key1 = self.key
myhashdir = sha256hash(key1)
(final, verdict, avdetect, totalsignatures, threatscore, totalprocesses, networkconnections) = quickhashow(myhashdir)
if (bkg == 1):
print((mycolors.foreground.orange + "%-70s" % key1), end=' ')
print((mycolors.foreground.lightcyan + "%9s" % final), end='')
print((mycolors.foreground.lightred + "%11s" % verdict), end='')
if(avdetect == 'None'):
print((mycolors.foreground.pink + "%7s" % avdetect), end='')
else:
print((mycolors.foreground.pink + "%6s%%" % avdetect), end='')
print((mycolors.foreground.yellow + "%7s" % totalsignatures), end='')
if(threatscore == 'None'):
print((mycolors.foreground.lightred + "%12s" % threatscore), end='')
else:
print((mycolors.foreground.lightred + "%8s/100" % threatscore), end='')
print((mycolors.foreground.lightgreen + "%6s" % totalprocesses), end='')
print((mycolors.foreground.lightgreen + "%6s" % networkconnections + mycolors.reset))
else:
print((mycolors.foreground.lightcyan + "%-70s" % key1), end=' ')
print((mycolors.foreground.cyan + "%9s" % final), end='')
print((mycolors.foreground.red + "%11s" % verdict), end='')
if (avdetect == 'None'):
print((mycolors.foreground.purple + "%7s" % avdetect), end='')
else:
print((mycolors.foreground.purple + "%6s%%" % avdetect), end='')
print((mycolors.foreground.green + "%7s" % totalsignatures), end='')
if(threatscore == 'None'):
print((mycolors.foreground.red + "%12s" % threatscore), end='')
else:
print((mycolors.foreground.red + "%8s/100" % threatscore), end='')
print((mycolors.foreground.blue + "%6s" % totalprocesses), end='')
print((mycolors.foreground.blue + "%6s" % networkconnections + mycolors.reset))
def dirwork(d):
x = d
global n
n = 90
global prev1
prev1 = 0
global prev2
prev2 = 0
global result
result = ""
global tm
tm = 0
global value
for key,value in sorted(iter(x.items()), key=lambda k_v:(k_v[1],k_v[0])):
vtfinal=''
if (T == 1):
if (windows == 1):
thread = abThread(key, value)
thread.start()
thread.join()
else:
thread = abThread(key, value)
thread.start()
else:
prev1 = value
(prev1, prev2, n, result, tm) = nothreadworks(key, value, tm, n, result, prev1, prev2)
def dirquick(d):
y = d
if (vt == 1):
print("FileName".center(70) + "VT".center(12))
print((83*'-').center(41))
if (ha == 1):
print("FileName".center(70) + "Found?".center(10) + "Verdict".center(14) + "AVdet".center(6) + "Sigs".center(5) + "Score".center(14) + "Procs".center(6) + "Conns".center(6))
print((130*'-').center(60))
for key,value in sorted(iter(y.items()), key=lambda k_v:(k_v[1],k_v[0])):
if (ha == 1):
if (windows == 1):
thread = quickHAThread(key)
thread.start()
thread.join()
else:
thread = quickHAThread(key)
thread.start()
if (vt == 1):
if (windows == 1):
thread = quickVTThread(key)
thread.start()
thread.join()
else:
thread = quickVTThread(key)
thread.start()
def malsharedown(filehash):
maltext3 = ''
malresponse3 = ''
resource = ''
try:
resource = filehash
requestsession3 = requests.Session( )
finalurl3 = ''.join([urlmalshare, MALSHAREAPI, '&action=getfile&hash=', resource])
malresponse3 = requestsession3.get(url=finalurl3, allow_redirects=True)
open(resource, 'wb').write(malresponse3.content)
print("\n")
print((mycolors.reset + "MALWARE SAMPLE SAVED! "))
print((mycolors.reset))
except (BrokenPipeError, IOError):
print(mycolors.reset , file=sys.stderr)
exit(1)
except ValueError as e:
print(e)
if(bkg == 1):
print((mycolors.foreground.lightred + "Error while connecting to Malshare.com!\n"))
else:
print((mycolors.foreground.red + "Error while connecting to Malshare.com!\n"))
print(mycolors.reset)
def urltoip(urltarget):
geoloc= ''
target = ''
finalip = ''
result = ''
try:
target = urlparse(urltarget)
result = target.netloc
finalip = socket.gethostbyname(result)
if finalip is not None:
geoloc = geocoder.ip(finalip)
if (geoloc is not None):
return geoloc.city
else:
result = ''
return result
else:
result = "Not Found"
return result
except:
result = "Not Found"
return result
print(mycolors.reset)
def malsharehashsearch(filehash):
maltext2 = ''
malresponse2 = ''
resource = ''
try:
print("\n")
print((mycolors.reset + "MALSHARE REPORT ".center(74)), end='')
print("\n" + (74*'-').center(37))
print((mycolors.reset))
resource = filehash
requestsession2 = requests.Session( )
requestsession2.headers.update({'accept': 'application/json'})
finalurl2 = ''.join([urlmalshare, MALSHAREAPI, '&action=search&query=', resource])
malresponse2 = requestsession2.get(url=finalurl2)
if (malresponse2.text == ''):
if(bkg == 1):
print(mycolors.foreground.lightred + "This sample couldn't be found on Malshare.\n" + mycolors.reset)
exit(1)
else:
print(mycolors.foreground.red + "This sample couldn't be found on Malshare.\n" + mycolors.reset)
exit(1)
maltext2 = json.loads(malresponse2.text)
if (maltext2):
try:
if (maltext2.get('sha256')):
urltemp = maltext2['source']
if (validators.url(urltemp)) == True:
loc = urltoip(urltemp)
else:
loc = ''
if (bkg == 1):
print((mycolors.reset + "sha256: " + mycolors.foreground.yellow + "%s\n" % maltext2['sha256'] + mycolors.reset + "sha1: " + mycolors.foreground.yellow + "%s\n" % maltext2['sha1'] + mycolors.reset + "md5: " + mycolors.foreground.yellow + "%s\n" % maltext2['md5'] + mycolors.reset + "type: " + mycolors.foreground.lightcyan + "%s\n" % maltext2['type'] + mycolors.reset + "source: " + mycolors.foreground.lightred + "%s\n" % maltext2['source'] + mycolors.reset + "city: " + mycolors.foreground.lightgreen + "%s" % loc))
for k in maltext2['yarahits']['yara']:
print(mycolors.reset + "Yara Hits: " + mycolors.foreground.lightgreen + str(k))
else:
print((mycolors.reset + "sha256: " + mycolors.foreground.green + "%s\n" % maltext2['sha256'] + mycolors.reset + "sha1: " + mycolors.foreground.green + "%s\n" % maltext2['sha1'] + mycolors.reset + "md5: " + mycolors.foreground.green +"%s\n" % maltext2['md5'] + mycolors.reset + "type: " + mycolors.foreground.cyan + "%s\n" % maltext2['type'] + mycolors.reset + "source: " + mycolors.foreground.red + "%s\n" % maltext2['source'] + mycolors.reset + "city: " + mycolors.foreground.blue + "%s" % loc))
for k in maltext2['yarahits']['yara']:
print(mycolors.reset + "Yara Hits: " + mycolors.foreground.purple + str(k))
if (maldownload == 1):
malsharedown(filehash)
except KeyError as e:
pass
except (BrokenPipeError, IOError):
print(mycolors.reset , file=sys.stderr)
exit(1)
except ValueError as e:
print(e)
if(bkg == 1):
print((mycolors.foreground.lightred + "Error while connecting to Malshare.com!\n"))
else:
print((mycolors.foreground.red + "Error while connecting to Malshare.com!\n"))
print(mycolors.reset)
class LocationThread(threading.Thread):
def __init__(self, key):
threading.Thread.__init__(self)
self.key = key
def run(self):
url = self.key
if (validators.url(url)) == True:
loc = urltoip(url)
else:
loc = 'URL not valid.'
if (bkg == 1):
print((mycolors.reset + "URL: " + mycolors.foreground.yellow + "%-100s" % url + mycolors.reset + " City: " + mycolors.foreground.lightred + "%s" % loc + mycolors.reset))
else:
print((mycolors.reset + "URL: " + mycolors.foreground.blue + "%-100s" % url + mycolors.reset + " City: " + mycolors.foreground.red + "%s" % loc + mycolors.reset))
def malsharelastlist(typex):
maltext = ''
malresponse = ''
filetype = ''
maltype = typex
if (maltype == 1):
filetype = 'PE32'
elif (maltype == 2):
filetype = 'Dalvik'
elif (maltype == 3):
filetype = 'ELF'
elif (maltype == 4):
filetype = 'HTML'
elif (maltype == 5):
filetype = 'ASCII'
elif (maltype == 6):
filetype = 'PHP'
elif (maltype == 7):
filetype = 'Java'
elif (maltype == 8):
filetype = 'RAR'
elif (maltype == 9):
filetype = 'Zip'
elif (maltype == 10):
filetype = 'UTF-8'
elif (maltype == 11):
filetype = 'MS-DOS'
elif (maltype == 12):
filetype = 'data'
elif (maltype == 13):
filetype = 'PDF'
else:
filetype = 'Composite'
try:
print("\n")
print((mycolors.reset + "SHA256 hash".center(75)), end='')
print((mycolors.reset + "MD5 hash".center(38)), end='')
print((mycolors.reset + "File type".center(8)), end='')
print("\n" + (126*'-').center(59))
print((mycolors.reset))
requestsession = requests.Session( )
requestsession.headers.update({'accept': 'application/json'})
finalurl = ''.join([urlmalshare, MALSHAREAPI, '&action=type&type=', filetype])
malresponse = requestsession.get(url=finalurl)
maltext = json.loads(malresponse.text)
if ((maltext)):
try:
for i in range(0, len(maltext)):
if (maltext[i].get('sha256')):
if (bkg == 1):
print((mycolors.reset + "sha256: " + mycolors.foreground.yellow + "%s" % maltext[i]['sha256'] + mycolors.reset + " md5: " + mycolors.foreground.lightgreen + "%s" % maltext[i]['md5'] + mycolors.reset + " type: " + mycolors.foreground.lightred + "%s" % filetype))
else:
print((mycolors.reset + "sha256: " + mycolors.foreground.red + "%s" % maltext[i]['sha256'] + mycolors.reset + " md5: " + mycolors.foreground.blue + "%s" % maltext[i]['md5'] + mycolors.reset + " type: " + mycolors.foreground.purple + "%s" % filetype))
except KeyError as e:
pass
except (BrokenPipeError, IOError):
print(mycolors.reset, file=sys.stderr)
exit(1)
except ValueError as e:
print(e)
if (bkg == 1):
print((mycolors.foreground.lightred + "Error while connecting to Malshare.com!\n"))
else:
print((mycolors.foreground.red + "Error while connecting to Malshare.com!\n"))
print(mycolors.reset)
return
def urlhauscheck(urlx, haus):
haustext = ''
hausresponse = ''
finalurl5 = ''
try:
print("\n")
print((mycolors.reset + "URLhaus Report".center(100)), end='')
print((mycolors.reset + "".center(28)), end='')
print("\n" + (126*'-').center(59))
requestsession5 = requests.Session( )
requestsession5.headers.update({'accept': 'application/json'})
params = {"url": urlx}
hausresponse = requests.post(haus, data=params)
haustext = json.loads(hausresponse.text)
if (haustext.get('id') is None):
if (bkg == 1):
print(mycolors.foreground.lightred + "URL not found!\n" + mycolors.reset)
else:
print(mycolors.foreground.red + "URL not found!\n" + mycolors.reset)
exit(1)
if 'query_status' in haustext:
if (bkg == 1):
print(mycolors.foreground.lightgreen + "Is available?: \t" + haustext.get('query_status').upper())
else:
print(mycolors.foreground.purple + "Is available?: \t" + haustext.get('query_status').upper())
else:
if (bkg == 1):
print(mycolors.foreground.lightgreen + 'Is availble?: ')
else:
print(mycolors.foreground.purple + 'Is available: ')
if 'url' in haustext:
if(validators.url(haustext.get('url'))) == True:
urlcity = urltoip(haustext.get('url'))
if(urlcity is None):
urlcity = 'Not found'
else:
urlcity = 'Not found'
if (bkg == 1):
print(mycolors.foreground.lightgreen + "URL: \t\t" + haustext.get('url') + " (city: " + urlcity + ")" )
else:
print(mycolors.foreground.purple + "URL: \t\t" + haustext.get('url') + " (city: " + urlcity + ")" )
else:
if (bkg == 1):
print(mycolors.foreground.lightgreen + 'URL: ')
else:
print(mycolors.foreground.purple + 'URL: ')
if 'url_status' in haustext:
if (bkg == 1):
if(haustext.get('url_status') == 'online'):
print(mycolors.foreground.lightgreen + "Status: \t" + mycolors.reverse + haustext.get('url_status') + mycolors.reset)
if(haustext.get('url_status') == 'offline'):
print(mycolors.foreground.lightred + "Status: \t" + mycolors.reverse + haustext.get('url_status') + mycolors.reset)
if(haustext.get('url_status') == ''):
print(mycolors.foreground.lightblue + "Status: \t" + mycolors.reverse + "unknown" + mycolors.reset)
else:
if(haustext.get('url_status') == 'online'):
print(mycolors.foreground.green + "Status: \t" + mycolors.reverse + haustext.get('url_status') + mycolors.reset)
if(haustext.get('url_status') == 'offline'):
print(mycolors.foreground.red + "Status: \t" + mycolors.reverse + haustext.get('url_status') + mycolors.reset)
if(haustext.get('url_status') == ''):
print(mycolors.foreground.cyan + "Status: \t" + mycolors.reverse + "unknown" + mycolors.reset)
else:
if (bkg == 1):
print(mycolors.foreground.lightred + 'Status: ')
else:
print(mycolors.foreground.red + 'Status: ')
if 'host' in haustext:
if haustext.get('host') is not None:
if (bkg == 1):
print(mycolors.foreground.yellow + "Host: \t\t" + haustext.get('host'))
else:
print(mycolors.foreground.blue + "Host: \t\t" + haustext.get('host'))
else:
if (bkg == 1):
print(mycolors.foreground.yellow + 'Host: ')
else:
print(mycolors.foreground.blue + 'Host: ')
if 'date_added' in haustext:
if haustext.get('date_added') is not None:
if (bkg == 1):
print(mycolors.foreground.pink + "Date Added: \t" + haustext.get('date_added'))
else:
print(mycolors.foreground.green + "Date Added: \t" + haustext.get('date_added'))
else:
if (bkg == 1):
print(mycolors.foreground.pink + 'Date Added: ')
else:
print(mycolors.foreground.green + 'Date Added: ')
if 'threat' in haustext:
if haustext.get('threat') is not None:
if (bkg == 1):
print(mycolors.foreground.pink + "Threat: \t" + haustext.get('threat'))
else:
print(mycolors.foreground.green + "Threat: \t" + haustext.get('threat'))
else:
if (bkg == 1):
print(mycolors.foreground.pink + 'Threat: ')
else:
print(mycolors.foreground.green + 'Threat: ')
if 'blacklists' in haustext:
blacks = haustext.get('blacklists')
if(bkg == 1):
if 'gsb' in (blacks):
print(mycolors.foreground.lightred + "Google(gsb): \t" + blacks['gsb'])
if 'surbl' in (blacks):
print(mycolors.foreground.lightred + "Surbl: \t\t" + blacks['surbl'])
if 'spamhaus_dbl' in (blacks):
print(mycolors.foreground.lightred + "Spamhaus DBL: " + blacks['spamhaus_dbl'])
else:
if 'gsb' in (blacks):
print(mycolors.foreground.red + "Google(gsb): \t" + blacks['gsb'])
if 'surbl' in (blacks):
print(mycolors.foreground.red + "Surbl: \t\t" + blacks['surbl'])
if 'spamhaus_dbl' in (blacks):
print(mycolors.foreground.red + "Spamhaus DBL: " + blacks['spamhaus_dbl'])
else:
if(bkg == 1):
print(mycolors.foreground.lightred + "Google(gsb): \t")
print(mycolors.foreground.lightred + "Surbl: \t\t")
print(mycolors.foreground.lightred + "Spamhaus DBL: ")
else:
print(mycolors.foreground.red + "Google(gsb): \t")
print(mycolors.foreground.red + "Surbl: \t\t")
print(mycolors.foreground.red + "Spamhaus DBL: ")
if 'reporter' in haustext:
if haustext.get('reporter') is not None:
if (bkg == 1):
print(mycolors.foreground.lightblue + "Reporter: \t" + haustext.get('reporter'))
else:
print(mycolors.foreground.blue + "Reporter: \t" + haustext.get('reporter'))
else:
if (bkg == 1):
print(mycolors.foreground.lightblue + 'Reporter: ')
else:
print(mycolors.foreground.blue + 'Reporter: ')
if 'larted' in haustext:
if haustext.get('larted') is not None:
if (bkg == 1):
print(mycolors.foreground.lightblue + "Larted: \t" + haustext.get('larted'))
else:
print(mycolors.foreground.blue + "Larted: \t" + haustext.get('larted'))
else:
if (bkg == 1):
print(mycolors.foreground.lightblue + "Larted: ")
else:
print(mycolors.foreground.blue + "Larted: ")
if 'tags' in haustext:
if (haustext.get('tags') is not None):
alltags = haustext.get('tags')
if (bkg == 1):
print(mycolors.foreground.yellow + "Tags:\t\t", end='')
else:
print(mycolors.foreground.red + "Tags:\t\t", end='')
for i in alltags:
print(i, end=' ')
else:
if (bkg == 1):
print(mycolors.foreground.yellow + "Tags: ")
else:
print(mycolors.foreground.red + "Tags: ")
else:
if (bkg == 1):
print(mycolors.foreground.yellow + "Tags: ")
else:
print(mycolors.foreground.red + "Tags: ")
if 'payloads' in haustext:
if haustext.get('payloads') is not None:
allpayloads = haustext.get('payloads')
x = 0
z = 0
results = {}
if (bkg == 1):
print(Fore.WHITE + "\n")
else:
print(Fore.BLACK + "\n")
for i in allpayloads:
x = x + 1
if (bkg == 1):
print(mycolors.reset + "Payload_%d:\t" % x, end='')
print(mycolors.foreground.pink + "firstseen:%12s" % i['firstseen'], end = ' ' )
print(mycolors.foreground.yellow + "filename: %-30s" % i['filename'], end = ' ' + "\t")
print(mycolors.foreground.lightred + "filetype: %s" % i['file_type'] + Fore.WHITE, end= ' ' + "\t")
results = i['virustotal']
if (results) is not None:
print(mycolors.foreground.lightgreen + "VirusTotal: %s" % results['result'] + Fore.WHITE)
else:
print(mycolors.foreground.lightgreen + "VirusTotal: Not Found" + Fore.WHITE)
else:
print(mycolors.reset + "Payload_%d:\t" % x, end='')
print(mycolors.foreground.purple + "firstseen:%12s" % i['firstseen'], end = ' ')
print(mycolors.foreground.green + "filename: %-30s" % i['filename'], end = ' ' + "\t")
print(mycolors.foreground.red + "filetype: %s" % i['file_type'] + Fore.BLACK, end = '' + "\t")
results = i['virustotal']
if (results) is not None:
print(mycolors.foreground.blue + "VirusTotal: %s" % results['result'] + Fore.BLACK)
else:
print(mycolors.foreground.blue + "VirusTotal: Not Found" + Fore.BLACK)
print(mycolors.reset + "\nSample Hashes")
print(13 * '-' + "\n")
for j in allpayloads:
z = z + 1
if (bkg == 1):
print(mycolors.reset + "Payload_%d:\t" % z, end='')
print(mycolors.foreground.lightgreen + j['response_sha256'])
else:
print(mycolors.reset + "Payload_%d:\t" % z, end='')
print(mycolors.foreground.blue + j['response_sha256'])
print(mycolors.reset)
except (BrokenPipeError, IOError, TypeError):
print(mycolors.reset , file=sys.stderr)
exit(1)
except ValueError as e:
print(e)
if (bkg == 1):
print((mycolors.foreground.lightred + "Error while connecting to URLhaus!\n"))
else:
print((mycolors.foreground.red + "Error while connecting to URLhaus!\n"))
print(mycolors.reset)
def haushashsearch(hashx, haus):
haustext = ''
hausresponse = ''
finalurl9 = ''
params = ''
try:
print("\n")
print((mycolors.reset + "URLHaus Report".center(126)), end='')
print((mycolors.reset + "".center(28)), end='')
print("\n" + (126*'-').center(59))
requestsession9 = requests.Session( )
requestsession9.headers.update({'accept': 'application/json'})
if ((len(hashx)==32)):
params = {"md5_hash": hashx}
hausresponse = requests.post(haus, data=params)
haustext = json.loads(hausresponse.text)
if ((len(hashx)==64)):
params = {"sha256_hash": hashx}
hausresponse = requests.post(haus, data=params)
haustext = json.loads(hausresponse.text)
if ((haustext.get('md5_hash') is None) and (haustext.get('sha256_hash') is None)):
if (bkg == 1):
print(mycolors.foreground.lightred + "Hash not found!\n" + mycolors.reset)
else:
print(mycolors.foreground.red + "Hash not found!\n" + mycolors.reset)
exit(1)
if 'query_status' in haustext:
if (bkg == 1):
print(mycolors.foreground.lightgreen + "Is available?: \t" + haustext.get('query_status').upper())
else:
print(mycolors.foreground.green + "Is available?: \t" + haustext.get('query_status').upper())
else:
if (bkg == 1):
print(mycolors.foreground.lightgreen + 'Is availble?: Not available')
else:
print(mycolors.foreground.green + 'Is available?: Not available')
if 'md5_hash' in haustext:
if haustext.get('md5_hash') is not None:
if (bkg == 1):
print(mycolors.foreground.yellow + "MD5: \t\t" + haustext.get('md5_hash'))
else:
print(mycolors.foreground.blue + "MD5: \t\t" + haustext.get('md5_hash'))
else:
if (bkg == 1):
print(mycolors.foreground.yellow + 'MD5: ')
else:
print(mycolors.foreground.blue + 'MD5: ')
if 'sha256_hash' in haustext:
if haustext.get('md5_hash') is not None:
if (bkg == 1):
print(mycolors.foreground.yellow + "SHA256:\t\t" + haustext.get('sha256_hash'))
else:
print(mycolors.foreground.blue + "SHA256:\t\t" + haustext.get('sha256_hash'))
else:
if (bkg == 1):
print(mycolors.foreground.yellow + 'SHA256: ')
else:
print(mycolors.foreground.blue + 'SHA256: ')
if 'file_type' in haustext:
if haustext.get('file_type') is not None:
if (bkg == 1):
print(mycolors.foreground.pink + "File Type: \t" + haustext.get('file_type'))
else:
print(mycolors.foreground.purple + "File Type: \t" + haustext.get('file_type'))
else:
if (bkg == 1):
print(mycolors.foreground.pink + 'File Type: ')
else:
print(mycolors.foreground.purple + 'File Type: ')
if 'file_size' in haustext:
if haustext.get('file_size') is not None:
if (bkg == 1):
print(mycolors.foreground.pink + "File Size: \t" + haustext.get('file_size') + " bytes")
else:
print(mycolors.foreground.purple + "File Size: \t" + haustext.get('file_size') + " bytes")
else:
if (bkg == 1):
print(mycolors.foreground.pink + 'File Size: ')
else:
print(mycolors.foreground.purple + 'File Size: ')
if 'firstseen' in haustext:
if haustext.get('firstseen') is not None:
if (bkg == 1):
print(mycolors.foreground.lightcyan + "First Seen: \t" + haustext.get('firstseen'))
else:
print(mycolors.foreground.cyan + "First Seen: \t" + haustext.get('firstseen'))
else:
if (bkg == 1):
print(mycolors.foreground.lightcyan + 'First Seen: ')
else:
print(mycolors.foreground.cyan + 'First Seen: ')
if 'lastseen' in haustext:
if haustext.get('lastseen') is not None:
if (bkg == 1):
print(mycolors.foreground.lightcyan + "Last Seen: \t" + haustext.get('lastseen'))
else:
print(mycolors.foreground.cyan + "Last Seen: \t" + haustext.get('lastseen'))
else:
if (bkg == 1):
print(mycolors.foreground.lightcyan + 'Last Seen: ')
else:
print(mycolors.foreground.cyan + 'Last Seen: ')
if 'urlhaus_download' in haustext:
if haustext.get('urlhaus_download') is not None:
if (bkg == 1):
print(mycolors.foreground.lightred + "URL Download: \t" + haustext.get('urlhaus_download'))
else:
print(mycolors.foreground.red + "URL Download: \t" + haustext.get('urlhaus_download'))
else:
if (bkg == 1):
print(mycolors.foreground.lightred + 'URL Download: ')
else:
print(mycolors.foreground.red + 'URL Download: ')
if 'virustotal' in haustext:
if haustext.get('virustotal') is not None:
if (bkg == 1):
print(mycolors.foreground.lightred + "Virus Total: \t" + haustext['virustotal'].get('result'))
else:
print(mycolors.foreground.red + "Virus Total: \t" + haustext['virustotal'].get('result'))
else:
if (bkg == 1):
print(mycolors.foreground.lightred + 'Virus Total: \tNot Found')
else:
print(mycolors.foreground.red + 'Virus Total: \tNot Found')
if 'urls' in haustext:
if (haustext.get('urls')) is not None:
if (bkg == 1):
print(mycolors.reset + "\nStatus".center(9) + " Filename".ljust(36) + " Location".ljust(23) + "Associated URL".ljust(20))
print("-" * 126 + "\n")
else:
print(mycolors.reset + "\nStatus".center(9) + " Filename".ljust(36) + " Location".ljust(23) + "Associated URL".ljust(20))
print("-" * 126 + "\n")
allurls = haustext.get('urls')
for w in allurls:
if (bkg == 1):
if(w['url_status'] == 'online'):
print(mycolors.foreground.lightgreen + mycolors.reverse + w['url_status'] + " " + mycolors.reset, end=' ')
if(w['url_status'] == 'offline'):
print(mycolors.foreground.lightred + mycolors.reverse + w['url_status'] + mycolors.reset, end=' ')
if(w['url_status'] == ''):
print(mycolors.foreground.lightblue + mycolors.reverse + "unknown" + mycolors.reset, end=' ')
if w['filename'] is not None:
print(mycolors.foreground.pink + "%-36s" % w['filename'] + mycolors.reset, end=' ')
else:
print(mycolors.foreground.pink + "%-36s" % "Filename not reported!" + mycolors.reset, end=' ')
if (w['url'] is not None):
if(validators.url(w['url'])):
print(mycolors.foreground.lightgreen + urltoip((w['url'])).ljust(20) + mycolors.reset, end=' ')
else:
print(mycolors.foreground.lightgreen + "Not located".center(20) + mycolors.reset, end=' ')
print(mycolors.foreground.yellow + w['url'] + mycolors.reset)
else:
print(mycolors.foreground.lightgreen + "Not located".center(20) + mycolors.reset, end=' ')
print(mycolors.foreground.lightgreen + "URL not provided".center(20) + mycolors.reset, end=' ')
else:
if(w['url_status'] == 'online'):
print(mycolors.foreground.green + mycolors.reverse + w['url_status'] + " " + mycolors.reset, end=' ')
if(w['url_status'] == 'offline'):
print(mycolors.foreground.red + mycolors.reverse + w['url_status'] + mycolors.reset, end=' ')
if(w['url_status'] == ''):
print(mycolors.foreground.cyan + mycolors.reverse + "unknown" + mycolors.reset, end=' ')
if w['filename'] is not None:
print(mycolors.foreground.pink + "%-36s" % w['filename'] + mycolors.reset, end=' ')
else:
print(mycolors.foreground.pink + "%-36s" % "Filename not reported!" + mycolors.reset, end=' ')
if (w['url']):
if(validators.url(w['url'])):
print(mycolors.foreground.green + (urltoip(w['url'])).ljust(20) + mycolors.reset, end=' ')
else:
print(mycolors.foreground.green + "Not located".center(20) + mycolors.reset, end=' ')
print(mycolors.foreground.blue + w['url'] + mycolors.reset)
else:
print(mycolors.foreground.lightgreen + "Not located".center(20) + mycolors.reset, end=' ')
print(mycolors.foreground.lightgreen + "URL not provided".center(20) + mycolors.reset, end=' ')
print(mycolors.reset)
except (BrokenPipeError, IOError, TypeError):
print(mycolors.reset , file=sys.stderr)
exit(1)
except ValueError as e:
print(e)
if (bkg == 1):
print((mycolors.foreground.lightred + "Error while connecting to URLhaus!\n"))
else:
print((mycolors.foreground.lightred + "Error while connecting to URLhaus!\n"))
print(mycolors.reset)
def haussigsearchroutine(payloadtagx, haus):
haustext = ''
hausresponse = ''
finalurl9 = ''
params = ''
try:
print("\n")
print((mycolors.reset + "URLHaus Report".center(126)), end='')
print((mycolors.reset + "".center(28)), end='')
print("\n" + (126*'-').center(59))
requestsession9 = requests.Session( )
requestsession9.headers.update({'accept': 'application/json'})
params = {"signature": payloadtagx}
hausresponse = requests.post(haus, data=params)
haustext = json.loads(hausresponse.text)
if 'query_status' in haustext:
if (bkg == 1):
print(mycolors.foreground.lightgreen + "Is available?: \t" + haustext.get('query_status').upper())
else:
print(mycolors.foreground.green + "Is available?: \t" + haustext.get('query_status').upper())
else:
if (bkg == 1):
print(mycolors.foreground.lightgreen + 'Is availble?: Not available')
else:
print(mycolors.foreground.green + 'Is available?: Not available')
if 'firstseen' in haustext:
if haustext.get('firstseen') is not None:
if (bkg == 1):
print(mycolors.foreground.lightcyan + "First Seen: \t" + haustext.get('firstseen'))
else:
print(mycolors.foreground.cyan + "First Seen: \t" + haustext.get('firstseen'))
else:
if (bkg == 1):
print(mycolors.foreground.lightcyan + 'First Seen: ')
else:
print(mycolors.foreground.cyan + 'First Seen: ')
if 'lastseen' in haustext:
if haustext.get('lastseen') is not None:
if (bkg == 1):
print(mycolors.foreground.lightcyan + "Last Seen: \t" + haustext.get('lastseen'))
else:
print(mycolors.foreground.cyan + "Last Seen: \t" + haustext.get('lastseen'))
else:
if (bkg == 1):
print(mycolors.foreground.lightcyan + 'Last Seen: ')
else:
print(mycolors.foreground.cyan + 'Last Seen: ')
if 'url_count' in haustext:
if haustext.get('url_count') is not None:
if (bkg == 1):
print(mycolors.foreground.lightred + "URL count: \t" + haustext.get('url_count'))
else:
print(mycolors.foreground.red + "URL count: \t" + haustext.get('url_count'))
else:
if (bkg == 1):
print(mycolors.foreground.lightred + 'URL count: ')
else:
print(mycolors.foreground.red + 'URL count: ')
if 'payload_count' in haustext:
if haustext.get('payload_count') is not None:
if (bkg == 1):
print(mycolors.foreground.lightred + "Payload count: \t" + haustext.get('payload_count'))
else:
print(mycolors.foreground.red + "Payload count: \t" + haustext.get('payload_count'))
else:
if (bkg == 1):
print(mycolors.foreground.lightred + 'Payload count: ')
else:
print(mycolors.foreground.red + 'Payload count: ')
if (bkg == 1):
print(mycolors.foreground.orange + "Tag:\t\t%s" % payloadtagx)
else:
print(mycolors.foreground.pink + "Tag:\t\t%s" % payloadtagx)
if 'urls' in haustext:
if ('url_id' in haustext['urls']) is not None:
print(mycolors.reset + "\nStatus".center(9) + " " * 2 + "File Type".ljust(10) + " SHA256 Hash".center(64) + " " * 5 + "Virus Total".ljust(14) + ' ' * 2 + "URL to Payload".center(45))
print("-" * 170 + "\n")
for w in haustext['urls']:
if (bkg == 1):
if(w['url_status'] == 'online'):
print(mycolors.foreground.lightgreen + mycolors.reverse + w['url_status'] + " " + mycolors.reset, end=' ')
if(w['url_status'] == 'offline'):
print(mycolors.foreground.lightred + mycolors.reverse + w['url_status'] + mycolors.reset, end=' ')
if(w['url_status'] == ''):
print(mycolors.foreground.lightblue + mycolors.reverse + "unknown" + mycolors.reset, end=' ')
if w['file_type']:
print(mycolors.foreground.lightcyan + ' ' * 2 + "%-10s" % w['file_type'] + mycolors.reset, end=' ')
else:
print(mycolors.foreground.lightcyan + ' ' * 2 + "%-10s" % "unknown" + mycolors.reset, end=' ')
if w['sha256_hash']:
print(mycolors.foreground.yellow + w['sha256_hash'] + mycolors.reset, end= ' ')
if w['virustotal']:
print(mycolors.foreground.lightgreen + ' ' * 2 + "%-9s" % w['virustotal'].get('result') + mycolors.reset, end= ' ')
else:
print(mycolors.foreground.lightgreen + ' ' * 2 + "%-9s" % "Not Found" + mycolors.reset, end= ' ')
if (w['url']):
print(mycolors.foreground.pink + ' ' * 2 + w['url'] + mycolors.reset)
else:
print(mycolors.foreground.pink + ' ' * 2 + "URL not provided".center(20) + mycolors.reset)
else:
if(w['url_status'] == 'online'):
print(mycolors.foreground.green + mycolors.reverse + w['url_status'] + " " + mycolors.reset, end=' ')
if(w['url_status'] == 'offline'):
print(mycolors.foreground.red + mycolors.reverse + w['url_status'] + mycolors.reset, end=' ')
if(w['url_status'] == ''):
print(mycolors.foreground.blue + mycolors.reverse + "unknown" + mycolors.reset, end=' ')
if w['file_type']:
print(mycolors.foreground.purple + ' ' * 2 + "%-10s" % w['file_type'] + mycolors.reset, end=' ')
else:
print(mycolors.foreground.purple + ' ' * 2 + "%-10s" % "unknown" + mycolors.reset, end=' ')
if w['sha256_hash']:
print(mycolors.foreground.red + w['sha256_hash'] + mycolors.reset, end= ' ')
if w['virustotal']:
print(mycolors.foreground.cyan + ' ' * 2 + "%-9s" % w['virustotal'].get('result') + mycolors.reset, end= ' ')
else:
print(mycolors.foreground.cyan + ' ' * 2 + "%-9s" % "Not Found" + mycolors.reset, end= ' ')
if (w['url']):
print(mycolors.foreground.green + ' ' * 2 + w['url'] + mycolors.reset)
else:
print(mycolors.foreground.green + ' ' * 2 + "URL not provided".center(20) + mycolors.reset)
print(mycolors.reset)
except (BrokenPipeError, IOError, TypeError):
print(mycolors.reset , file=sys.stderr)
exit(1)
except ValueError as e:
print(e)
if (bkg == 1):
print((mycolors.foreground.lightred + "Error while connecting to URLhaus!\n"))
else:
print((mycolors.foreground.lightred + "Error while connecting to URLhaus!\n"))
print(mycolors.reset)
def haustagsearchroutine(haustag, hausurltag):
haustext = ''
hausresponse = ''
params = ''
try:
print("\n")
print((mycolors.reset + "URLHaus Report".center(126)), end='')
print((mycolors.reset + "".center(28)), end='')
print("\n" + (130*'-').center(59))
params = {"tag": haustag}
requestsession9 = requests.Session( )
requestsession9.headers.update({'accept': 'application/json'})
hausresponse = requests.post(hausurltag, data=params)
haustext = json.loads(hausresponse.text)
if 'query_status' in haustext:
if (bkg == 1):
print(mycolors.foreground.lightgreen + "Is available?: \t" + haustext.get('query_status').upper())
else:
print(mycolors.foreground.green + "Is available?: \t" + haustext.get('query_status').upper())
else:
if (bkg == 1):
print(mycolors.foreground.lightgreen + 'Is availble?: Not available')
else:
print(mycolors.foreground.green + 'Is available?: Not available')
if 'firstseen' in haustext:
if haustext.get('firstseen') is not None:
if (bkg == 1):
print(mycolors.foreground.lightcyan + "First Seen: \t" + haustext.get('firstseen'))
else:
print(mycolors.foreground.cyan + "First Seen: \t" + haustext.get('firstseen'))
else:
if (bkg == 1):
print(mycolors.foreground.lightcyan + 'First Seen: ')
else:
print(mycolors.foreground.cyan + 'First Seen: ')
if 'lastseen' in haustext:
if haustext.get('lastseen') is not None:
if (bkg == 1):
print(mycolors.foreground.lightcyan + "Last Seen: \t" + haustext.get('lastseen'))
else:
print(mycolors.foreground.cyan + "Last Seen: \t" + haustext.get('lastseen'))
else:
if (bkg == 1):
print(mycolors.foreground.lightcyan + 'Last Seen: ')
else:
print(mycolors.foreground.cyan + 'Last Seen: ')
if 'url_count' in haustext:
if haustext.get('url_count') is not None:
if (bkg == 1):
print(mycolors.foreground.lightred + "URL count: \t" + haustext.get('url_count'))
else:
print(mycolors.foreground.red + "URL count: \t" + haustext.get('url_count'))
else:
if (bkg == 1):
print(mycolors.foreground.lightred + 'URL count: \tNot Found')
else:
print(mycolors.foreground.red + 'URL count: \tNot Found')
if (bkg == 1):
print(mycolors.foreground.orange + "Tag:\t\t%s" % haustag)
else:
print(mycolors.foreground.pink + "Tag:\t\t%s" % haustag)
if 'urls' in haustext:
if ('url_id' in haustext['urls']) is not None:
print(mycolors.reset + "\nStatus".center(9) + " " * 6 + " " * 2 + "Date Added".ljust(22) + " Threat".ljust(17) + " " * 28 + "Associated URL".ljust(80))
print("-" * 130 + "\n")
for w in haustext['urls']:
if (bkg == 1):
if(w['url_status'] == 'online'):
print(mycolors.foreground.lightgreen + mycolors.reverse + w['url_status'] + " " + mycolors.reset, end=' ')
if(w['url_status'] == 'offline'):
print(mycolors.foreground.lightred + mycolors.reverse + w['url_status'] + mycolors.reset, end=' ')
if(w['url_status'] == ''):
print(mycolors.foreground.lightblue + mycolors.reverse + "unknown" + mycolors.reset, end=' ')
if (w['url']):
if (w['dateadded']):
print(mycolors.foreground.lightcyan + " " * 2 + (w['dateadded']).ljust(22) + mycolors.reset, end=' ')
else:
print(mycolors.foreground.lightcyan + " " * 2 + "not provided".center(17) + mycolors.reset, end=' ')
if (w['threat']):
print(mycolors.foreground.pink + (w['threat']).ljust(17) + mycolors.reset, end=' ')
else:
print(mycolors.foreground.pink + "not provided".center(22) + mycolors.reset, end=' ')
if (w['url']):
print(mycolors.foreground.yellow + " " * 2 + (w['url']).ljust(80) + mycolors.reset)
else:
print(mycolors.foreground.yellow + " " * 2 + "URL not provided".center(80) + mycolors.reset)
else:
if(w['url_status'] == 'online'):
print(mycolors.foreground.green + mycolors.reverse + w['url_status'] + " " + mycolors.reset, end=' ')
if(w['url_status'] == 'offline'):
print(mycolors.foreground.red + mycolors.reverse + w['url_status'] + mycolors.reset, end=' ')
if(w['url_status'] == ''):
print(mycolors.foreground.cyan + mycolors.reverse + "unknown" + mycolors.reset, end=' ')
if (w['url']):
if (w['dateadded']):
print(mycolors.foreground.purple + " " * 2 + (w['dateadded']).ljust(22) + mycolors.reset, end=' ')
else:
print(mycolors.foreground.purple + " " * 2 + "not provided".center(17) + mycolors.reset, end=' ')
if (w['threat']):
print(mycolors.foreground.blue + (w['threat']).ljust(17) + mycolors.reset, end=' ')
else:
print(mycolors.foreground.blue + "not provided".center(22) + mycolors.reset, end=' ')
if (w['url']):
print(mycolors.foreground.red + " " * 2 + (w['url']).ljust(80) + mycolors.reset)
else:
print(mycolors.foreground.red + " " * 2 + "URL not provided".center(80) + mycolors.reset, end=' ')
print(mycolors.reset)
except (BrokenPipeError, IOError, TypeError):
print(mycolors.reset , file=sys.stderr)
exit(1)
except ValueError as e:
print(e)
if (bkg == 1):
print((mycolors.foreground.lightred + "Error while connecting to URLhaus!\n"))
else:
print((mycolors.foreground.lightred + "Error while connecting to URLhaus!\n"))
print(mycolors.reset)
def haussample(hashx, haus):
hatext = ''
response = ''
finalurl = ''
try:
resource = hashx
requestsession = requests.Session( )
requestsession.headers.update({'accept': 'application/gzip'})
finalurl = ''.join([haus, resource])
response = requestsession.get(url=finalurl, allow_redirects=True)
hatext = response.text
rc = str(hatext)
if 'not_found' in rc:
final = 'Malware sample is not available to download.'
if (bkg == 1):
print((mycolors.foreground.lightred + "\n" + final + "\n" + mycolors.reset))
else:
print((mycolors.foreground.red + "\n" + final + "\n" + mycolors.reset))
exit(1)
if 'copy_error' in rc:
final = 'It has occured an error while downloading.'
if (bkg == 1):
print((mycolors.foreground.lightred + "\n" + final + "\n" + mycolors.reset))
else:
print((mycolors.foreground.red + "\n" + final + "\n" + mycolors.reset))
exit(1)
open(resource + '.zip', 'wb').write(response.content)
final = '\nSAMPLE SAVED!'
if (bkg == 1):
print((mycolors.foreground.yellow + final + "\n"))
else:
print((mycolors.foreground.green + final + "\n"))
except (BrokenPipeError, IOError, TypeError):
print(mycolors.reset , file=sys.stderr)
exit(1)
except ValueError as e:
print(e)
if (bkg == 1):
print((mycolors.foreground.lightred + "Error while connecting to URLhaus!\n"))
else:
print((mycolors.foreground.red + "Error while connecting to URLhaus!\n"))
print(mycolors.reset)
print(mycolors.reset)
exit(0)
def hausgetbatch(haus):
haustext = ''
hausresponse = ''
nurl = 0
alltags = ''
l = 0
try:
print("\n")
print((mycolors.reset + "URLhaus Recent Malicious URLs".center(104)), end='')
print((mycolors.reset + "".center(28)), end='')
print("\n" + (126*'-').center(59))
requestsession7 = requests.Session( )
requestsession7.headers.update({'accept': 'application/json'})
hausresponse = requestsession7.get(haus)
haustext = json.loads(hausresponse.text)
nurl = len(haustext['urls'])
if (nurl > 0):
try:
for i in range(0,nurl):
if 'url' in haustext['urls'][i]:
if (bkg == 1):
if(haustext['urls'][i].get('url_status') == 'online'):
print(mycolors.foreground.lightgreen + haustext['urls'][i].get('url_status') + " " + mycolors.reset, end=' ')
if(haustext['urls'][i].get('url_status') == 'offline'):
print(mycolors.foreground.lightred + haustext['urls'][i].get('url_status') + mycolors.reset, end=' ')
if(haustext['urls'][i].get('url_status') == ''):
print(mycolors.foreground.lightblue + "unknown" + mycolors.reset, end=' ')
if 'tags' in haustext['urls'][i]:
print(mycolors.foreground.yellow, end='')
if haustext['urls'][i].get('tags') is not None:
alltags = haustext['urls'][i].get('tags')
for t in alltags:
print("%s" % t, end=' ')
l += len(t)
print(" " * ((28 - l) - len(alltags)) , end=' ')
else:
print(" " * 28, end=' ')
print(mycolors.foreground.lightcyan + haustext['urls'][i].get('url'))
l = 0
else:
if(haustext['urls'][i].get('url_status') == 'online'):
print(mycolors.foreground.green + haustext['urls'][i].get('url_status') + " " + mycolors.reset, end=' ')
if(haustext['urls'][i].get('url_status') == 'offline'):
print(mycolors.foreground.red + haustext['urls'][i].get('url_status') + mycolors.reset, end=' ')
if(haustext['urls'][i].get('url_status') == ''):
print(mycolors.foreground.cyan + "unknown" + mycolors.reset, end=' ')
if 'tags' in haustext['urls'][i]:
print(mycolors.foreground.blue, end='')
if haustext['urls'][i].get('tags') is not None:
alltags = haustext['urls'][i].get('tags')
for t in alltags:
print("%s" % t, end=' ')
l += len(t)
print(" " * ((28 - l) - len(alltags)) , end=' ')
else:
print(" " * 28, end=' ')
print(mycolors.foreground.purple + haustext['urls'][i].get('url'))
l = 0
print(mycolors.reset , file=sys.stderr)
except KeyError as e:
pass
except (BrokenPipeError, IOError, TypeError):
print(mycolors.reset , file=sys.stderr)
print(mycolors.reset)
except KeyError as e:
pass
except (BrokenPipeError, IOError, TypeError):
print(mycolors.reset)
exit(1)
except ValueError as e:
print(e)
if (bkg == 1):
print((mycolors.foreground.lightred + "Error while connecting to URLhaus!\n"))
else:
print((mycolors.foreground.red + "Error while connecting to URLhaus!\n"))
print(mycolors.reset)
def hauspayloadslist(haus):
haustext = ''
hausresponse = ''
npayloads = 0
try:
print("\n")
print((mycolors.reset + "Haus Downloadable Links to Recent Payloads".center(146)), end='')
print((mycolors.reset + "".center(28)), end='')
print("\n" + (146*'-').center(59))
requestsession8 = requests.Session( )
requestsession8.headers.update({'accept': 'application/json'})
hausresponse = requestsession8.get(haus)
haustext = json.loads(hausresponse.text)
npayloads = len(haustext['payloads'])
if (npayloads > 0):
try:
for i in range(0,npayloads):
if 'sha256_hash' in haustext['payloads'][i]:
if (bkg == 1):
print(mycolors.foreground.lightred + "%-8s" % haustext['payloads'][i].get('file_type'), end=' ')
print(mycolors.foreground.lightgreen + haustext['payloads'][i].get('firstseen'), end=" ")
results = haustext['payloads'][i]['virustotal']
if (results) is not None:
print(mycolors.foreground.yellow + (results['result']).center(9), end=' ')
else:
print(mycolors.foreground.yellow + "Not Found", end=' ')
print(mycolors.foreground.lightcyan + haustext['payloads'][i].get('urlhaus_download'))
else:
print(mycolors.foreground.red + "%-8s" % haustext['payloads'][i].get('file_type'), end=' ')
print(mycolors.foreground.green + haustext['payloads'][i].get('firstseen'), end=" ")
results = haustext['payloads'][i]['virustotal']
if (results) is not None:
print(mycolors.foreground.purple + (results['result']).center(9), end=' ')
else:
print(mycolors.foreground.purple + "Not Found", end=' ')
print(mycolors.foreground.blue + haustext['payloads'][i].get('urlhaus_download'))
print(mycolors.reset , file=sys.stderr)
except KeyError as e:
pass
except (BrokenPipeError, IOError, TypeError):
print(mycolors.reset , file=sys.stderr)
print(mycolors.reset , file=sys.stderr)
except KeyError as e:
pass
except (BrokenPipeError, IOError, TypeError):
print(mycolors.reset , file=sys.stderr)
exit(1)
except ValueError as e:
print(e)
if (bkg == 1):
print((mycolors.foreground.lightred + "Error while connecting to URLhaus!\n"))
else:
print((mycolors.foreground.red + "Error while connecting to URLhaus!\n"))
print(mycolors.reset)
def urlhauspost(urlx, haus, mytags):
haustext = ''
hausresponse = ''
finalurl6 = ''
try:
print("\n")
print((mycolors.reset + "URLhaus Submission Report".center(100)), end='')
print((mycolors.reset + "".center(28)), end='')
print("\n" + (100*'-').center(40))
postdata = {
'token' : HAUSSUBMITAPI,
'anonymous': '0',
'submission' : [
{
'url' : urlx,
'threat' : "malware_download",
'tags': mytags
}
]
}
requestsession6 = requests.Session()
requestsession6.headers.update({'Content-Type': 'application/json'})
requestsession6.headers.update({'user-agent': 'URLhaus Malwoverview'})
params = {"url": urlx}
hausresponse = requests.post(haus, json=postdata, timeout=15)
if(bkg == 1):
print(mycolors.foreground.lightgreen + "URLhaus Submission Status: " + hausresponse.text)
else:
print(mycolors.foreground.red + "URLhaus Submission Status: " + hausresponse.text)
print(mycolors.reset , file=sys.stderr)
exit(1)
except KeyError as e:
pass
except (BrokenPipeError, IOError, TypeError):
print(mycolors.reset , file=sys.stderr)
exit(1)
except ValueError as e:
print(e)
if (bkg == 1):
print((mycolors.foreground.lightred + "Error while connecting to URLhaus!\n"))
else:
print((mycolors.foreground.red + "Error while connecting to URLhaus!\n"))
print(mycolors.reset)
def quickhashowAndroid(filehash):
hatext = ''
haresponse = ''
final = 'Yes'
verdict = '-'
avdetect = '0'
totalsignatures = '-'
threatscore = '-'
totalprocesses = '-'
networkconnections = '-'
try:
resource = filehash
requestsession = requests.Session( )
requestsession.headers.update({'user-agent': user_agent})
requestsession.headers.update({'api-key': HAAPI})
requestsession.headers.update({'content-type': 'application/x-www-form-urlencoded'})
finalurl = '/'.join([haurl,'report', 'summary'])
resource1 = resource + ":200"
datahash = {
'hashes[0]': resource1
}
haresponse = requestsession.post(url=finalurl, data = datahash)
hatext = json.loads(haresponse.text)
rc = str(hatext)
if 'message' in rc:
final = 'Not Found'
return (final, verdict, avdetect, totalsignatures, threatscore, totalprocesses, networkconnections)
if 'verdict' in hatext[0]:
verdict = str(hatext[0]['verdict'])
else:
verdict = ''
if 'threat_score' in hatext[0]:
threatscore = str(hatext[0]['threat_score'])
else:
threatscore = ''
if 'av_detect' in hatext[0]:
avdetect = str(hatext[0]['av_detect'])
else:
avdetect = ''
if 'total_signatures' in hatext[0]:
totalsignatures = str(hatext[0]['total_signatures'])
else:
totalsignatures = ''
if 'total_processes' in hatext[0]:
totalprocesses = str(hatext[0]['total_processes'])
else:
totalprocesses = ''
if 'total_network_connections' in hatext[0]:
networkconnections = str(hatext[0]['total_network_connections'])
else:
networkconnections = ''
return (final, verdict, avdetect, totalsignatures, threatscore, totalprocesses, networkconnections)
except ValueError as e:
print(e)
if (bkg == 1):
print((mycolors.foreground.lightred + "Error while connecting to Hybrid-Analysis!\n"))
else:
print((mycolors.foreground.red + "Error while connecting to Hybrid-Analysis!\n"))
print(mycolors.reset)
class androidVTThread(threading.Thread):
def __init__(self, key, package):
threading.Thread.__init__(self)
self.key = key
self.package = package
def run(self):
key1 = self.key
package1 = self.package
myhash = key1
vtfinal = vtcheck(myhash, url, param)
if (bkg == 1):
print((mycolors.foreground.orange + "%-50s" % package1), end=' ')
print((mycolors.foreground.lightcyan + "%-32s" % key1), end=' ')
print((mycolors.reset + mycolors.foreground.lightgreen + "%8s" % vtfinal + mycolors.reset))
else:
print((mycolors.foreground.green + "%-08s" % package), end=' ')
print((mycolors.foreground.cyan + "%-32s" % key1), end=' ')
print((mycolors.reset + mycolors.foreground.red + "%8s" % vtfinal + mycolors.reset))
class quickHAAndroidThread(threading.Thread):
def __init__(self, key, package):
threading.Thread.__init__(self)
self.key = key
self.package = package
def run(self):
key1 = self.key
package1 = self.package
myhash = key1
(final, verdict, avdetect, totalsignatures, threatscore, totalprocesses, networkconnections) = quickhashowAndroid(myhash)
if (bkg == 1):
print((mycolors.foreground.lightgreen + "%-50s" % package1), end=' ')
print((mycolors.foreground.yellow + "%-34s" % key1), end=' ')
print((mycolors.foreground.lightcyan + "%9s" % final), end='')
if (verdict == "malicious"):
print((mycolors.foreground.lightred + "%20s" % verdict), end='')
else:
print((mycolors.foreground.yellow + "%20s" % verdict), end='')
if(avdetect == 'None'):
print((mycolors.foreground.lightcyan + "%7s" % avdetect), end='')
else:
print((mycolors.foreground.lightcyan + "%6s%%" % avdetect), end='')
print((mycolors.foreground.orange + "%7s" % totalsignatures), end='')
if(threatscore == 'None'):
print((mycolors.foreground.lightred + "%12s" % threatscore), end='')
else:
print((mycolors.foreground.lightred + "%8s/100" % threatscore), end='')
print((mycolors.foreground.lightgreen + "%6s" % totalprocesses), end='')
print((mycolors.foreground.lightgreen + "%6s" % networkconnections + mycolors.reset))
else:
print((mycolors.foreground.lightcyan + "%-50s" % key1), end=' ')
print((mycolors.foreground.green + "%-34s" % key1), end=' ')
print((mycolors.foreground.cyan + "%9s" % final), end='')
if (verdict == "malicious"):
print((mycolors.foreground.red + "%20s" % verdict), end='')
else:
print((mycolors.foreground.green + "%20s" % verdict), end='')
if (avdetect == 'None'):
print((mycolors.foreground.purple + "%7s" % avdetect), end='')
else:
print((mycolors.foreground.purple + "%6s%%" % avdetect), end='')
print((mycolors.foreground.green + "%7s" % totalsignatures), end='')
if(threatscore == 'None'):
print((mycolors.foreground.red + "%12s" % threatscore), end='')
else:
print((mycolors.foreground.red + "%8s/100" % threatscore), end='')
print((mycolors.foreground.blue + "%6s" % totalprocesses), end='')
print((mycolors.foreground.blue + "%6s" % networkconnections + mycolors.reset))
def checkandroidha(key, package):
if (windows == 1):
thread = quickHAAndroidThread(key, package)
thread.start()
thread.join()
else:
thread = quickHAAndroidThread(key, package)
thread.start()
def checkandroidvt(key, package):
key1 = key
vtfinal = vtcheck(key1, url, param)
if (bkg == 1):
print((mycolors.foreground.orange + "%-50s" % package), end=' ')
print((mycolors.foreground.lightcyan + "%-32s" % key1), end=' ')
print((mycolors.reset + mycolors.foreground.lightgreen + "%8s" % vtfinal + mycolors.reset))
else:
print((mycolors.foreground.green + "%-08s" % package), end=' ')
print((mycolors.foreground.cyan + "%-32s" % key1), end=' ')
print((mycolors.reset + mycolors.foreground.red + "%8s" % vtfinal + mycolors.reset))
def checkandroidvtx(key, package):
if (windows == 1):
thread = androidVTThread(key, package)
thread.start()
thread.join()
else:
thread = androidVTThread(key, package)
thread.start()
def checkandroid(engine):
adb_comm = "adb"
results = list()
results2 = list()
final1 = list()
final2 = list()
localengine = engine
tm1 = 0
myconn = subprocess.run([adb_comm, "shell", "pm", "list", "packages", "-f", "-3"], capture_output=True)
myconn2 = myconn.stdout.decode()
try:
for i in myconn2.split('\n'):
for j in i.split('base.apk='):
if 'package' in j:
key, value = j.split('package:')
key2, value2 = value.split('/data/app/')
results.append(value2[:-3])
valuetmp = value + "base.apk"
results2.append(valuetmp)
except AttributeError:
pass
try:
for h in results2:
myconn3 = subprocess.run([adb_comm, "shell", "md5sum", h], text=True, capture_output=True)
x = myconn3.stdout.split(" ")[0]
final1.append(x)
except AttributeError:
pass
try:
for n in results:
final2.append(n)
except AttributeError:
pass
zipAndroid = zip(final2, final1)
dictAndroid = dict(zipAndroid)
if(engine == 1):
print(mycolors.reset + "\n")
print("Package".center(50) + "Hash".center(34) + "Found?".center(12) + "Verdict".center(23) + "AVdet".center(6) + "Sigs".center(5) + "Score".center(14) + "Procs".center(6) + "Conns".center(6))
print((160*'-').center(80))
for key, value in dictAndroid.items():
checkandroidha(value, key)
if(engine == 2):
print(mycolors.reset + "\n")
print("Package".center(50) + "Hash".center(36) + "Virus Total".center(12))
print((100*'-').center(50))
for key, value in dictAndroid.items():
tm1 = tm1 + 1
if tm1 % 4 == 0:
time.sleep(61)
checkandroidvt(value, key)
if(engine == 3):
print(mycolors.reset + "\n")
print("Package".center(50) + "Hash".center(36) + "Virus Total".center(12))
print((100*'-').center(50))
for key, value in dictAndroid.items():
checkandroidvtx(value, key)
def sendandroidha(package):
adb_comm = "adb"
results = list()
results2 = list()
final1 = list()
final2 = list()
newname= ''
myconn = subprocess.run([adb_comm, "shell", "pm", "list", "packages", "-f", "-3"], capture_output=True)
myconn2 = myconn.stdout.decode()
try:
for i in myconn2.split('\n'):
for j in i.split('base.apk='):
if 'package' in j:
key, value = j.split('package:')
key2, value2 = value.split('/data/app/')
results.append(value2)
valuetmp = value + "base.apk"
results2.append(valuetmp)
except AttributeError:
pass
try:
for j in results2:
if (package in j):
myconn3 = subprocess.run([adb_comm, "pull", j], capture_output=True)
newname = j[10:-9]
except AttributeError:
pass
try:
targetfile = newname + ".apk"
os.rename(r'base.apk',targetfile)
hafilecheck(targetfile)
except FileNotFoundError:
if (bkg == 1):
print((mycolors.foreground.lightred + "\nFile not found on device!\n"))
else:
print((mycolors.foreground.lightred + "\nFile not found on device!\n"))
exit(1)
finally:
if (targetfile != ".apk"):
os.remove(targetfile)
def sendandroidvt(package):
adb_comm = "adb"
results = list()
results2 = list()
final1 = list()
final2 = list()
newname= ''
myconn = subprocess.run([adb_comm, "shell", "pm", "list", "packages", "-f", "-3"], capture_output=True)
myconn2 = myconn.stdout.decode()
try:
for i in myconn2.split('\n'):
for j in i.split('base.apk='):
if 'package' in j:
key, value = j.split('package:')
key2, value2 = value.split('/data/app/')
results.append(value2)
valuetmp = value + "base.apk"
results2.append(valuetmp)
except AttributeError:
pass
try:
for j in results2:
if (package in j):
myconn3 = subprocess.run([adb_comm, "pull", j], capture_output=True)
newname = j[10:-9]
except AttributeError:
pass
try:
targetfile = newname + ".apk"
os.rename(r'base.apk',targetfile)
vtfilecheck(targetfile, urlfilevtcheck, param)
except FileNotFoundError:
if (bkg == 1):
print((mycolors.foreground.lightred + "\nFile not found on device!\n"))
else:
print((mycolors.foreground.lightred + "\nFile not found on device!\n"))
print(mycolors.reset)
exit(1)
finally:
if (targetfile != ".apk"):
os.remove(targetfile)
def dirchecking(repo2):
directory = repo2
if os.path.isabs(directory) == False:
directory = os.path.abspath('.') + "/" + directory
os.chdir(directory)
for filen in os.listdir(directory):
try:
filename = str(filen)
if(os.path.isdir(filename) == True):
continue
targetfile = ftype(filename)
if re.match(r'^PE[0-9]{2}|^MS-DOS', targetfile):
mype = pefile.PE(filename)
imph = mype.get_imphash()
F.append(filename)
H.append(imph)
else:
F.append(filename)
H.append("IT IS NOT A KNOW FORMAT")
except (AttributeError, NameError) as e:
if (bkg == 1):
print(mycolors.foreground.lightred + "\nThe file %s doesn't respect some PE format rules. Skipping this file..." % filename)
else:
print(mycolors.foreground.red + "\nThe file %s doesn't respect some PE format rules. Skipping this file..." % filename)
print(mycolors.reset)
pass
d = dict(list(zip(F,H)))
n = 30
prev1 = 0
prev2 = 0
result = ""
tm = 0
print((mycolors.reset + "\n"))
if(Q == 1):
dirquick(d)
exit(0)
print("FileName".center(65) + "ImpHash(PE32/PE32+) or Type".center(40) + "Packed?".center(9) + "Overlay?".center(10) + ".text_entropy".center(13) + "VT".center(8))
print((32*'-').center(32) + (36*'-').center(35) + (11*'-').center(10) + (10*'-').ljust(10) + (13*'-').center(13) + (42*'-').center(22))
dirwork(d)
if __name__ == "__main__":
backg = 1
virustotal = 0
fprovided = 0
fpname = ''
repo = ''
ovrly = 0
showreport = 0
gt = 0
ie = 0
ha = 0
urltemp = ''
domaintemp = ''
urlcheck = 0
domaincheck = 0
hashcheck = 0
filecheck = 0
filecheckha = 0
hashtemp = ''
filetemp = ''
download = 0
sysenviron = 0
filenameha = ''
fileha = ''
reportha = ''
multithread = 0
quick = 0
malsharelist = 0
malsharehash = ''
urlhaussubmit = ''
urlhausquery = ''
urlhausbatch = 0
hauspayloadbatch = 0
haushash = ''
hausdownloadpayload = ''
malsharetype = 1
malsharedownload = 0
filecheckpoly = 0
polycheck = 0
polyswarmscan = ''
polyswarmurl = ''
polyswarmhash = ''
polyswarmmeta = ''
androidha = 0
androidsendha = ''
androidsendvt = ''
androidvt = 0
androidvtt = 0
haustagsearch = ''
haussigsearch = ''
ipaddrvt = ''
metatype = 0
parser = argparse.ArgumentParser(prog=None, description="Malwoverview is a malware triage tool written by Alexandre Borges. The current version is 3.0.0.", usage= "python malwoverview.py -d <directory> -f <fullpath> -i <0|1> -b <0|1> -v <0|1> -a <0|1> -p <0|1> -s <0|1> -x <0|1> -w <|1> -u <url> -H <hash file> -V <filename> -D <0|1> -e<0|1|2|3|4> -A <filename> -g <job_id> -r <domain> -t <0|1> -Q <0|1> -l <0|1> -n <1-12> -m <hash> -M <0|1> -U <url> -S <url> -z <tags> -B <0|1> -K <0|1> -j <hash> -J <hash> -P <filename> -N <url> -R <PE file, IP address, domain or URL> -G <0|1|2|3|4> -y <0|1> -Y <file name> -Z <0|1> -X <0|1> -Y <file name> -T <file name> -W <tag> -k <signature> -I <ip address> ")
parser.add_argument('-d', '--directory', dest='direct',type=str, metavar = "DIRECTORY", help='specify directory containing malware samples.')
parser.add_argument('-f', '--filename', dest='fpname',type=str, metavar = "FILENAME", default = '', help='Specifies a full path to a file. Shows general information about the file (any filetype)')
parser.add_argument('-b', '--background', dest='backg', type=int,default = 1, metavar = "BACKGROUND", help='(optional) Adapts the output colors to a white terminal. The default is black terminal')
parser.add_argument('-i', '--iat_eat', dest='impsexts', type=int,default = 0, metavar = "IAT_EAT", help='(optional) Shows imports and exports (it is used with -f option).')
parser.add_argument('-x', '--overlay', dest='over', type=int,default = 0, metavar = "OVERLAY", help='(optional) Extracts overlay (it is used with -f option).')
parser.add_argument('-s', '--vtreport', dest='showvt', type=int,default = 0, metavar = "SHOW_VT_REPORT", help='Shows antivirus reports from the main players. This option is used with the -f option (any filetype).')
parser.add_argument('-v', '--virustotal', dest='virustotal', type=int,default = 0, metavar = "VIRUSTOTAL", help='Queries the Virus Total database for positives and totals.Thus, you need to edit the configmalw.py and insert your VT API.')
parser.add_argument('-a', '--hybrid', dest='hybridanalysis', type=int,default = 0, metavar = "HYBRID_ANALYSIS", help='Queries the Hybrid Analysis database for general report. Use the -e option to specify which environment are looking for the associate report because the sample can have been submitted to a different environment that you are looking for. Thus, you need to edit the configmalw.py and insert your HA API and secret.')
parser.add_argument('-p', '--vtpub', dest='pubkey', type=int,default = 0, metavar = "USE_VT_PUB_KEY", help='(optional) You should use this option if you have a public Virus Total API. It forces a one minute wait every 4 malware samples, but allows obtaining a complete evaluation of the malware repository.')
parser.add_argument('-w', '--windows', dest='win', type=int,default = 0, metavar = "RUN_ON_WINDOWS", help='This option is used when the OS is Microsoft Windows.')
parser.add_argument('-u', '--vturl', dest='urlx', type=str, metavar = "URL_VT", help='SUBMITS a URL for the Virus Total scanning.')
parser.add_argument('-I', '--ipaddrvt', dest='ipaddrvt', type=str, metavar = "IP_VT", help='This options checks an IP address on Virus Total.')
parser.add_argument('-r', '--urldomain', dest='domainx', type=str, metavar = "URL_DOMAIN", help='GETS a domain\'s report from Virus Total.')
parser.add_argument('-H', '--hash', dest='filehash', type=str, metavar = "FILE_HASH", help='Specifies the hash to be checked on Virus Total and Hybrid Analysis. For the Hybrid Analysis report you must use it together -e option.')
parser.add_argument('-V', '--vtsubmit', dest='filenamevt', type=str, metavar = "FILENAME_VT", help='SUBMITS a FILE(up to 32MB) to Virus Total scanning and read the report. Attention: use forward slash to specify the target file even on Windows systems. Furthermore, the minimum waiting time is set up in 90 seconds because the Virus Total queue. If an error occurs, so wait few minutes and try to access the report by using -f option.')
parser.add_argument('-A', '--submitha', dest='filenameha', type=str, metavar = "SUBMIT_HA", help='SUBMITS a FILE(up to 32MB) to be scanned by Hybrid Analysis engine. Use the -e option to specify the best environment to run the suspicious file.')
parser.add_argument('-g', '--hastatus', dest='reportha', type=str, metavar = "HA_STATUS", help='Checks the report\'s status of submitted samples to Hybrid Analysis engine by providing the job ID. Possible returned status values are: IN_QUEUE, SUCCESS, ERROR, IN_PROGRESS and PARTIAL_SUCCESS.')
parser.add_argument('-D', '--download', dest='download', type=int,default = 0, metavar = "DOWNLOAD", help='Downloads the sample from Hybrid Analysis. Option -H must be specified.')
parser.add_argument('-e', '--haenv', dest='sysenviron', type=int,default = 0, metavar = "HA_ENVIRONMENT", help='This option specifies the used environment to be used to test the samlple on Hybrid Analysis: <0> Windows 7 32-bits; <1> Windows 7 32-bits (with HWP Support); <2> Windows 7 64-bits; <3> Android; <4> Linux 64-bits environment. This option is used together either -H option or the -A option or -a option.')
parser.add_argument('-t', '--thread', dest='multithread', type=int,default = 0, metavar = "MULTITHREAD", help='(optional) This option is used to force multithreads on Linux whether: the -d option is specifed AND you have a PAID Virus Total API or you are NOT checking the VT while using the -d option. PS1: using this option causes the Imphashes not to be grouped anymore; PS2: it also works on Windows, but there is not gain in performance.')
parser.add_argument('-Q', '--quick', dest='quick', type=int,default = 0, metavar = "QUICK_CHECK", help='This option should be used with -d option in two scenarios: 1) either including the -v option (Virus Total -- you\'ll see a complete VT response whether you have the private API) for a multithread search and reduced output; 2) or including the -a option (Hybrid Analysis) for a multithread search and complete and amazing output. If you are using the -a option, so -e option can also be used to adjust the output to your sample types. PS1: certainly, if you have a directory holding many malware samples, so you will want to test this option with -a option; PS2: it also works on Windows, but there is not gain in performance.')
parser.add_argument('-l', '--malsharelist', dest='malsharelist', type=int,default = 0, metavar = "MALSHARE_HASHES", help='Show hashes from last 24 hours from Malshare. You need to insert your Malshare API into the configmalw.py file.')
parser.add_argument('-m', '--malsharehash', dest='malsharehash', type=str, metavar = "MALSHARE_HASH_SEARCH", help='Searches for the provided hash on the Malshare repository. You need to insert your Malshare API into the configmalw.py file. PS: sometimes the Malshare website is unavailable, so should check the website availability if you get some error message.')
parser.add_argument('-n', '--filetype', dest='malsharetype', type=int, metavar = "FILE_TYPE", default = 1, help='Specifies the file type to be listed by -l option. Therefore, it must be used together -l option. Possible values: 1: PE32 (default) ; 2: Dalvik ; 3: ELF ; 4: HTML ; 5: ASCII ; 6: PHP ; 7: Java ; 8: RAR ; 9: Zip ; 10: UTF-8 ; 11: MS-DOS ; 12: data ; 13: PDF ; 14: Composite(OLE).')
parser.add_argument('-M', '--malsharedownload', dest='malsharedownload', type=int, default = 0, metavar = "MALSHARE_DOWNLOAD", help='Downloads the sample from Malshare. This option must be specified with -m option.')
parser.add_argument('-B', '--haus_batch', dest='urlhausbatch', type=int, default = 0, metavar = "URL_HAUS_BATCH", help='Retrieves a list of recent URLs (last 3 days, limited to 1000 entries) from URLHaus website.')
parser.add_argument('-K', '--haus_payloadbatch', dest='hauspayloadbatch', type=int, default = 0, metavar = "HAUS_PAYLOADS", help='Retrieves a list of downloadable links to recent PAYLOADS (last 3 days, limited to 1000 entries) from URLHaus website. Take care: each link take you to download a passworless zip file containing a malware, so your AV can generate alerts!')
parser.add_argument('-U', '--haus_query', dest='urlhausquery', type=str, metavar = "URL_HAUS_QUERY", help='Queries a URL on the URLHaus website.')
parser.add_argument('-j', '--haus_hash', dest='haushash', type=str, metavar = "HAUS_HASH", help='Queries a payload\'s hash (md5 or sha256) on the URLHaus website.')
parser.add_argument('-S', '--haus_submission', dest='urlhaussubmit', type=str, metavar = "URL_HAUS_SUB", help='Submits a URL used to distribute malware (executable, script, document) to the URLHaus website. Pay attention: Any other submission will be ignored/deleted from URLhaus. You have to register your URLHaus API into the configmalw.py file.')
parser.add_argument('-z', '--haustag', dest='tag', type=str, default='', metavar = "HAUSTAG", nargs = "*", help='Associates tags (separated by spaces) to the specified URL. Please, only upper case, lower case, \'-\' and \'.\' are allowed. This parameter is optional, which could be used with the -S option.')
parser.add_argument('-W', '--haustagsearch', dest='haustagsearch', type=str, default='', metavar = "HAUSTAGSEARCH", nargs = "*", help='This option is for searching malicious URLs by tag on URLhaus. Tags are case-senstive and only upper case, lower case, \'-\' and \'.\' are allowed.')
parser.add_argument('-k', '--haussigsearch', dest='haussigsearch', type=str, default='', metavar = "HAUSSIGSEARCH", nargs = "*", help='This option is for searching malicious payload by tag on URLhaus. Tags are case-sensitive and only upper case, lower case, \'-\' and \'.\' are allowed.')
parser.add_argument('-J', '--haus_download', dest='hausdownloadpayload', type=str, metavar = "HAUS_DOWNLOAD", help='Downloads a sample (if it is available) from the URLHaus repository. It is necessary to provide the SHA256 hash.')
parser.add_argument('-P', '--polyswarm_scan', dest='polyswarmscan', type=str, metavar = "POLYSWARMFILE", help='(Only for Linux) Performs a file scan using the Polyswarm engine.')
parser.add_argument('-N', '--polyswarm_url', dest='polyswarmurl', type=str, metavar = "POLYSWARMURL", help='(Only for Linux) Performs a URL scan using the Polyswarm engine.')
parser.add_argument('-O', '--polyswarm_hash', dest='polyswarmhash', type=str, metavar = "POLYSWARMHASH", help='(Only for Linux) Performs a hash scan using the Polyswarm engine.')
parser.add_argument('-R', '--polyswarm_meta', dest='polyswarmmeta', type=str, metavar = "POLYSWARMMETA", help='(Only for Linux) Performs a complementary search for similar PE executables through meta-information or IP addresses using the Polyswarm engine. This parameters depends on -G parameters, so check it, please.')
parser.add_argument('-G', '--metatype', dest='metatype', type=int, default = 0, metavar = "METATYPE", help='(Only for Linux) This parameter specifies whether the -R option will gather information about the PE executable or IP address using the Polyswarm engine. Thus, 0: PE Executable ; 1: IP Address ; 2: Domains ; 3. URL.')
parser.add_argument('-y', '--androidha', dest='androidha', type=int, default = 0, metavar = "ANDROID_HA", help='Check all third-party APK packages from the USB-connected Android device against Hybrid Analysis using multithreads. The Android device does not need be rooted and you need have adb in your PATH environment variable.')
parser.add_argument('-Y', '--androidsendha', dest='androidsendha', type=str, metavar = "ANDROID_SEND_HA", help='Send an third-party APK packages from your USB-connected Android device to Hybrid Analysis. The Android device does not need be rooted and you need have adb in your PATH environment variable.')
parser.add_argument('-T', '--androidsendvt', dest='androidsendvt', type=str, metavar = "ANDROID_SEND_VT", help='Send an third-party APK packages from your USB-connected Android device to Virus Total. The Android device does not need be rooted and you need have adb in your PATH environment variable.')
parser.add_argument('-Z', '--androidvt', dest='androidvt', type=int, default = 0, metavar = "ANDROID_VT", help='Check all third-party APK packages from the USB-connected Android device against VirusTotal using Public API (slower because of 60 seconds delay for each 4 hashes). The Android device does not need be rooted and you need have adb in your PATH environment variable.')
parser.add_argument('-X', '--androidvtt', dest='androidvtt', type=int, default = 0, metavar = "ANDROID_VT", help='Check all third-party APK packages from the USB-connected Android device against VirusTotal using multithreads (only for Private Virus API). The Android device does not need be rooted and you need have adb in your PATH environment variable.')
args = parser.parse_args()
optval = [0,1]
optval2 = [0,1,2,3,4]
optval3 = [0,1,2,3,4,5,6, 7, 8, 9, 10, 11, 12, 13, 14]
optval4 = [0, 1, 2, 3]
repo = args.direct
bkg = args.backg
vt = args.virustotal
ffpname = args.fpname
ovrly = args.over
showreport = args.showvt
gt = args.pubkey
ie = args.impsexts
ha = args.hybridanalysis
windows = args.win
urltemp = args.urlx
domaintemp = args.domainx
hashtemp = args.filehash
filetemp = args.filenamevt
down = args.download
xx = args.sysenviron
fileha = args.filenameha
repoha = args.reportha
T = args.multithread
Q = args.quick
mallist = args.malsharelist
malhash = args.malsharehash
maltype = args.malsharetype
maldownload = args.malsharedownload
hausfinalurl2 = args.urlhaussubmit
hausfinalurl = args.urlhausquery
hausbatch = args.urlhausbatch
haustag = args.tag
haustagsearchx = args.haustagsearch
haussigsearchx = args.haussigsearch
hauspayloads = args.hauspayloadbatch
hauspayloadhash = args.haushash
hausdownload = args.hausdownloadpayload
polyscan = args.polyswarmscan
polyurl = args.polyswarmurl
polyhash = args.polyswarmhash
polymeta = args.polyswarmmeta
androidx = args.androidha
androidsendhax = args.androidsendha
androidsendvtx = args.androidsendvt
androidvtx = args.androidvt
androidvttx = args.androidvtt
ipaddrvtx = args.ipaddrvt
metatypex = args.metatype
if (os.path.isfile(ffpname)):
fprovided = 1
else:
fprovided = 0
if (args.over) not in optval:
parser.print_help()
print(mycolors.reset)
exit(0)
elif ovrly == 1:
if fprovided == 0:
parser.print_help()
print(mycolors.reset)
exit(0)
if (args.impsexts) not in optval:
parser.print_help()
print(mycolors.reset)
exit(0)
elif ie == 1:
if fprovided == 0:
parser.print_help()
print(mycolors.reset)
exit(0)
if (args.urlhausbatch) not in optval:
parser.print_help()
print(mycolors.reset)
exit(0)
if (args.hauspayloadbatch) not in optval:
parser.print_help()
print(mycolors.reset)
exit(0)
if (args.hybridanalysis) not in optval:
parser.print_help()
print(mycolors.reset)
exit(0)
elif ie == 1:
if fprovided == 0:
parser.print_help()
print(mycolors.reset)
exit(0)
if (args.showvt) not in optval:
parser.print_help()
print(mycolors.reset)
exit(0)
elif (showreport == 1):
if (fprovided == 0 or vt == 0):
parser.print_help()
print(mycolors.reset)
exit(0)
if (args.androidha) not in optval:
parser.print_help()
print(mycolors.reset)
exit(0)
if (args.androidvt) not in optval:
parser.print_help()
print(mycolors.reset)
exit(0)
if (args.androidvtt) not in optval:
parser.print_help()
print(mycolors.reset)
exit(0)
if (args.metatype) not in optval4:
parser.print_help()
print(mycolors.reset)
exit(0)
if ((not args.direct) and (fprovided == 0) and (not urltemp) and (not hashtemp) and (not filetemp) and (not fileha) and (not repoha) and (not domaintemp) and (mallist == 0) and (not args.malsharehash) and (not args.urlhausquery) and (not args.urlhaussubmit) and (hausbatch == 0) and (hauspayloads == 0) and (not args.haushash) and (not args.hausdownloadpayload) and (not args.polyswarmscan) and (not args.polyswarmurl) and (not args.polyswarmhash) and (not args.polyswarmmeta) and (androidx == 0) and (not androidsendhax) and (androidvtx == 0) and (androidvttx == 0) and (not androidsendvtx) and (not haustagsearchx) and (not haussigsearchx) and (not ipaddrvtx) and (metatype == 0)):
parser.print_help()
print(mycolors.reset)
exit(0)
if (args.backg) not in optval:
parser.print_help()
print(mycolors.reset)
sys.exit(0)
if (args.download) not in optval:
parser.print_help()
print(mycolors.reset)
sys.exit(0)
if (args.malsharelist) not in optval:
parser.print_help()
print(mycolors.reset)
sys.exit(0)
if (args.quick) not in optval:
parser.print_help()
print(mycolors.reset)
sys.exit(0)
elif (args.quick == 1):
if ((vt == 0) and (ha == 0)):
parser.print_help()
print(mycolors.reset)
sys.exit(0)
elif (args.quick == 1):
if (not repo):
parser.print_help()
print(mycolors.reset)
sys.exit(0)
if (args.multithread) not in optval:
parser.print_help()
print(mycolors.reset)
sys.exit(0)
elif (T == 1):
if((not args.direct) and Q == 0):
parser.print_help()
print(mycolors.reset)
sys.exit(0)
if ((args.malsharetype) not in optval3):
parser.print_help()
print(mycolors.reset)
sys.exit(0)
if (args.virustotal) not in optval:
parser.print_help()
print(mycolors.reset)
sys.exit(0)
if (args.pubkey) not in optval:
parser.print_help()
print(mycolors.reset)
exit(0)
if (args.win) not in optval:
parser.print_help()
print(mycolors.reset)
exit(0)
if (args.sysenviron) not in optval2:
parser.print_help()
print(mycolors.reset)
sys.exit(0)
if (windows == 1):
init(convert = True)
if (not urltemp):
if (not args.direct):
if (fprovided == 0 ):
if (not hashtemp):
if (not filetemp):
if (not fileha):
if (not repoha):
if (not domaintemp):
if (args.malsharelist == 0):
if (not args.malsharehash):
if (not args.urlhausquery):
if (not args.urlhaussubmit):
if (args.urlhausbatch == 0):
if (args.hauspayloadbatch == 0):
if (not args.haushash):
if (not args.hausdownloadpayload):
if (not args.polyswarmscan):
if (not args.polyswarmurl):
if (not args.polyswarmhash):
if (not args.polyswarmmeta):
if (args.androidha == 0):
if (not args.androidsendha):
if (args.androidvt == 0):
if (args.androidvtt == 0):
if (not args.androidsendvt):
if (not args.haustagsearch):
if (not args.haussigsearch):
if (not args.ipaddrvt):
if (args.metaitype == 0):
parser.print_help()
print(mycolors.reset)
exit(0)
if (urltemp):
if (validators.url(urltemp)) == True:
urlcheck = 1
elif (bkg == 0):
print(mycolors.foreground.red + "\nYou didn't provided a valid URL.\n")
print(mycolors.reset)
exit(1)
else:
print(mycolors.foreground.yellow + "\nYou didn't provided a valid URL.\n")
print(mycolors.reset)
exit(1)
if (hausfinalurl):
if (validators.url(hausfinalurl)) == True:
hauscheck = 1
elif (bkg == 0):
print(mycolors.foreground.red + "\nYou didn't provided a valid URL.\n")
print(mycolors.reset)
exit(1)
else:
print(mycolors.foreground.yellow + "\nYou didn't provided a valid URL.\n")
print(mycolors.reset)
exit(1)
if ((args.urlhausquery) and (hauscheck == 1)):
urlhauscheck(hausfinalurl, hausq)
print(mycolors.reset)
exit(0)
if (polyurl):
if (validators.url(polyurl)) == True:
polycheck = 1
elif (bkg == 0):
print(mycolors.foreground.red + "\nYou didn't provided a valid URL.\n")
print(mycolors.reset)
exit(1)
else:
print(mycolors.foreground.yellow + "\nYou didn't provided a valid URL.\n")
print(mycolors.reset)
exit(1)
if ((args.polyswarmurl) and (polycheck == 1)):
polyurlcheck(polyurl)
print(mycolors.reset)
exit(0)
if(hausbatch == 1):
hausgetbatch(hausb)
print(mycolors.reset)
if(hauspayloads == 1):
hauspayloadslist(hausp)
print(mycolors.reset)
if (hausfinalurl2):
if (validators.url(hausfinalurl2)) == True:
hauscheck = 1
elif (bkg == 0):
print(mycolors.foreground.red + "\nYou didn't provided a valid URL.\n")
print(mycolors.reset)
exit(1)
else:
print(mycolors.foreground.yellow + "\nYou didn't provided a valid URL.\n")
print(mycolors.reset)
exit(1)
if ((args.urlhaussubmit) and (hauscheck == 1)):
urlhauspost(hausfinalurl2, hauss, haustag)
print(mycolors.reset)
exit(0)
if (domaintemp):
if (validators.domain(domaintemp)) == True:
domaincheck = 1
elif (bkg == 0):
print(mycolors.foreground.red + "\nYou didn't provided a valid domain.\n")
print(mycolors.reset)
exit(1)
else:
print(mycolors.foreground.yellow + "\nYou didn't provided a valid domain.\n")
print(mycolors.reset)
exit(1)
if (filetemp):
if (os.path.isfile(filetemp)) == True:
filecheck = 1
elif (bkg == 0):
print(mycolors.foreground.red + "\nYou didn't provided a valid file.\n")
print(mycolors.reset)
exit(1)
else:
print(mycolors.foreground.yellow + "\nYou didn't provided a valid file.\n")
print(mycolors.reset)
exit(1)
if (fileha):
if (os.path.isfile(fileha)) == True:
filecheckha = 1
elif (bkg == 0):
print(mycolors.foreground.red + "\nYou didn't provided a valid file.\n")
print(mycolors.reset)
exit(1)
else:
print(mycolors.foreground.yellow + "\nYou didn't provided a valid file.\n")
print(mycolors.reset)
exit(1)
if (polyscan):
if (os.path.isfile(polyscan)) == True:
filecheckpoly = 1
elif (bkg == 0):
print(mycolors.foreground.red + "\nYou didn't provided a valid file.\n")
print(mycolors.reset)
exit(1)
else:
print(mycolors.foreground.yellow + "\nYou didn't provided a valid file.\n")
print(mycolors.reset)
exit(1)
if (urlcheck == 1):
vturlcheck(urltemp,param)
print(mycolors.reset)
exit(0)
if (polyhash):
if (polyhash):
if ((len(polyhash)==32) or (len(polyhash)==40) or (len(polyhash)==64)):
polycheck = 1
if (polycheck == 1):
polyhashsearch(polyhash)
print(mycolors.reset)
exit(0)
if (domaincheck == 1):
vtdomaincheck(domaintemp,param)
print(mycolors.reset)
exit(0)
if (filecheck == 1):
vtfilecheck(filetemp, urlfilevtcheck, param)
print(mycolors.reset)
exit(0)
if (filecheckha == 1):
hafilecheck(fileha)
print(mycolors.reset)
exit(0)
if (filecheckpoly == 1):
polyfile(polyscan)
print(mycolors.reset)
exit(0)
if (androidsendhax):
xx = 3
sendandroidha(androidsendhax)
print(mycolors.reset)
exit(0)
if (androidsendvtx):
sendandroidvt(androidsendvtx)
print(mycolors.reset)
exit(0)
if (polymeta):
polymetasearch(polymeta, metatypex)
print(mycolors.reset)
exit(0)
if (hashtemp):
if ((len(hashtemp)==32) or (len(hashtemp)==40) or (len(hashtemp)==64)):
hashcheck = 1
elif (bkg == 0):
print(mycolors.foreground.red + "\nYou didn't provided a valid hash.\n")
print(mycolors.reset)
exit(1)
else:
print(mycolors.foreground.yellow + "\nYou didn't provided a valid hash.\n")
print(mycolors.reset)
exit(1)
if (hashcheck == 1):
hashchecking()
print(mycolors.reset)
exit(0)
if (mallist == 1):
malsharelastlist(maltype)
print(mycolors.reset)
exit(0)
if (malhash):
if (malhash):
if ((len(malhash)==32) or (len(malhash)==40) or (len(malhash)==64)):
hashcheck = 1
if (hashcheck == 1):
malsharehashsearch(malhash)
print(mycolors.reset)
exit(0)
if (androidx):
engine = 1
checkandroid(engine)
print(mycolors.reset)
exit(0)
if (androidvtx):
engine = 2
checkandroid(engine)
print(mycolors.reset)
exit(0)
if (androidvttx):
engine = 3
checkandroid(engine)
print(mycolors.reset)
exit(0)
if (hauspayloadhash):
if (hauspayloadhash):
if ((len(hauspayloadhash)==32) or (len(hauspayloadhash)==64)):
hashcheck = 1
if (hashcheck == 1):
haushashsearch(hauspayloadhash, hausph)
print(mycolors.reset)
exit(0)
if (haustagsearchx):
haustagsearchroutine(haustagsearchx, haust)
print(mycolors.reset)
exit(0)
if (haussigsearchx):
haussigsearchroutine(haussigsearchx, haussig)
print(mycolors.reset)
exit(0)
if (ipaddrvtx):
ipvtcheck(ipaddrvtx, ipvt)
print(mycolors.reset)
exit(0)
if (hausdownload):
if (len(hausdownload)==64):
hashcheck = 1
if (hashcheck == 1):
haussample(hausdownload, hausd)
print(mycolors.reset)
exit(0)
if (fprovided == 1):
filenamecheck = ffpname
filechecking(filenamecheck)
print(mycolors.reset)
exit(0)
if (repoha):
checkreportha(repoha)
print(mycolors.reset)
exit(0)
if (repo is not None):
repository = repo
dirchecking(repository)
