Commit 8740e45

Merge pull request #63 from alexandreborges/dev
Version 6.1.0
2 parents 4e4b54c + 4fc6fd5 commit 8740e45

22 files changed

+598
-94
lines changed

.gitignore

Lines changed: 27 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,27 @@
1+
# Byte-compiled / optimized / DLL files
2+
__pycache__/
3+
*.py[cod]
4+
*$py.class
5+
6+
# C extensions
7+
*.so
8+
9+
# Distribution / packaging
10+
.Python
11+
build/
12+
develop-eggs/
13+
dist/
14+
downloads/
15+
eggs/
16+
.eggs/
17+
lib/
18+
lib64/
19+
parts/
20+
sdist/
21+
var/
22+
wheels/
23+
share/python-wheels/
24+
*.egg-info/
25+
.installed.cfg
26+
*.egg
27+
MANIFEST

.malwapi.conf

Lines changed: 5 additions & 0 deletions
@@ -25,3 +25,8 @@ TRIAGEAPI =
2525
[INQUEST]
2626
INQUESTAPI =
2727

28+
[VIRUSEXCHANGE]
29+
VXAPI =
30+
31+
[IPINFO]
32+
IPINFOAPI =

README.md

Lines changed: 81 additions & 27 deletions
@@ -1,6 +1,6 @@
11
# Malwoverview
22

3-
[<img alt="GitHub release (latest by date)" src="https://img.shields.io/github/v/release/alexandreborges/malwoverview?color=red&style=for-the-badge">](https://github.com/alexandreborges/malwoverview/releases/tag/v6.0.1) [<img alt="GitHub last commit" src="https://img.shields.io/github/last-commit/alexandreborges/malwoverview?color=Yellow&style=for-the-badge">](https://github.com/alexandreborges/malwoverview/releases) [<img alt="GitHub Release Date" src="https://img.shields.io/github/release-date/alexandreborges/malwoverview?label=Release%20Date&style=for-the-badge">](https://github.com/alexandreborges/malwoverview/releases) [<img alt="GitHub" src="https://img.shields.io/github/license/alexandreborges/malwoverview?style=for-the-badge">](https://github.com/alexandreborges/malwoverview/blob/master/LICENSE)
3+
[<img alt="GitHub release (latest by date)" src="https://img.shields.io/github/v/release/alexandreborges/malwoverview?color=red&style=for-the-badge">](https://github.com/alexandreborges/malwoverview/releases/tag/v6.1.0) [<img alt="GitHub last commit" src="https://img.shields.io/github/last-commit/alexandreborges/malwoverview?color=Yellow&style=for-the-badge">](https://github.com/alexandreborges/malwoverview/releases) [<img alt="GitHub Release Date" src="https://img.shields.io/github/release-date/alexandreborges/malwoverview?label=Release%20Date&style=for-the-badge">](https://github.com/alexandreborges/malwoverview/releases) [<img alt="GitHub" src="https://img.shields.io/github/license/alexandreborges/malwoverview?style=for-the-badge">](https://github.com/alexandreborges/malwoverview/blob/master/LICENSE)
44
[<img alt="GitHub stars" src="https://img.shields.io/github/stars/alexandreborges/malwoverview?logoColor=Red&style=for-the-badge">](https://github.com/alexandreborges/malwoverview/stargazers)
55
[<img alt="Twitter Follow" src="https://img.shields.io/twitter/follow/ale_sp_brazil?style=for-the-badge&logo=X&color=blueviolet">](https://twitter.com/ale_sp_brazil)
66
[<img alt="Downloads/Last Month" src="https://img.shields.io/pypi/dm/malwoverview?color=blue&style=for-the-badge&label=Last%20Month">](https://pypistats.org/packages/malwoverview)
@@ -56,7 +56,7 @@
5656
![Alt text](pictures/picture_47.jpg?raw=true "Title")
5757
![Alt text](pictures/picture_48.jpg?raw=true "Title")
5858

59-
Copyright (C) 2018-2024 Alexandre Borges (https://exploitreversing.com)
59+
Copyright (C) 2018-2025 Alexandre Borges (https://exploitreversing.com)
6060

6161
This program is free software: you can redistribute it and/or modify
6262
it under the terms of the GNU General Public License as published by
@@ -71,7 +71,7 @@
7171
See GNU Public License on <http://www.gnu.org/licenses/>.
7272

7373

74-
## Current Version: 6.0.1
74+
## Current Version: 6.1.0
7575

7676
Important note: Malwoverview does NOT submit samples to any endpoint by default,
7777
so it respects possible Non-Disclosure Agreements (NDAs). There're specific options
@@ -120,14 +120,18 @@ This tool aims to :
120120
28. Submit large files (>= 32 MB) to Virus Total.
121121
29. Malwoverview uses Virus Total API v.3, so there isn't longer any option using v.2.
122122
30. Retrieve different information from InQuest Labs and download samples from there.
123-
123+
31. Retrieve information and download malware samples from Virus Exchange (vxunderground).
124+
32. Retrieve information about a given IP address from IPInfo service.
125+
33. Retrieve information about a given IP address from BGPView service.
126+
34. Retrieve combined information about a given IP address from multiple services.
127+
35. Offer extra option to save any downloaded file to a central location.
124128

125129
## CONTRIBUTORS
126130

127131
Alexandre Borges (project owner)
132+
Artur Marzano (https://github.com/Macmod)
128133
Corey Forman (https://github.com/digitalsleuth)
129134
Christian Clauss (https://github.com/cclauss)
130-
Artur Marzano (https://github.com/Macmod)
131135

132136
## HOW TO CONTRIBUTE TO THIS PROJECT
133137

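Review bot: Item 35 promises that "any downloaded file" can be saved to a central location, but the only evidence in this diff is `cv.output_dir = args.output_dir` in malwoverview.py and two README examples (`-vx 2 ... -O` and `-b 5 ... -O`); the module files that actually write samples to disk are not among the visible hunks. Please confirm that the Triage (`-x 5`, `-x 6`), InQuest (`-i 1`), Malshare and Hybrid Analysis download paths all honour `cv.output_dir`, or narrow the wording to the services that do. Minor: the contributor list is only reordered here (Artur Marzano moved above Corey Forman); if the intent is a particular ordering, say so, otherwise the churn is noise in the diff.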
@@ -214,6 +218,11 @@ has the following format:
214218
[INQUEST]
215219
INQUESTAPI =
216220

221+
[VIRUSEXCHANGE]
222+
VXAPI =
223+
224+
[IPINFO]
225+
IPINFOAPI =
217226

218227
The APIs can be requested on the respective service websites:
219228

@@ -230,7 +239,10 @@ The APIs can be requested on the respective service websites:
230239
09. ThreatFox: It isn't necessary an API.
231240
10. InQuest: https://labs.inquest.net/.
232241
11. Triage: https://tria.ge/signup.
233-
242+
12. Virus Exchange: https://virus.exchange/
243+
13. IPInfo: https://ipinfo.io/
244+
14. BGPView: ihttps://bgpview.docs.apiary.io/
245+
234246
----------------------------------------------------
235247
A special note about API requests to the MALPEDIA:
236248
----------------------------------------------------
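Review bot: Entry 14 has a typo in the URL: `ihttps://bgpview.docs.apiary.io/` should be `https://bgpview.docs.apiary.io/`. Also, BGPView is the one new service that needs no key (malwoverview.py constructs `BGPViewExtractor()` with no argument and .malwapi.conf gains no section for it), so phrase it like entry 09 ("It isn't necessary an API") so readers don't go looking for a key to put in the config file.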
@@ -334,10 +346,10 @@ should be executed:
334346
## HELP
335347

336348
usage: python malwoverview.py -c <API configuration file> -d <directory> -o <0|1> -v <1-13>
337-
-V <virustotal arg> -a <1-15> -w <0|1> -A <filename> -l <1-7> -L <hash> -j <1-7>
338-
-J <URLhaus argument> -p <1-8> -P <polyswarm argument> -y <1-5> -Y <file name> -n <1-5>
339-
-N <argument> -m <1-8> -M <argument> -b <1-10> -B <arg> -x <1-7> -X <arg> -i <1-13>
340-
-I <INQUEST argument>
349+
-V <argument> -a <1-15> -w <0|1> -A <filename> -l <1-7> -L <hash> -j <1-7>
350+
-J <argument> -p <1-8> -P <argument> -y <1-5> -Y <file name> -n <1-5>
351+
-N <argument> -m <1-8> -M <argument> -b <1-10> -B <argument> -x <1-7> -X <argurment> -i <1-13>
352+
-I <argument> -vx <1-2> -VX <argument> -ip <1-3> -IP <argument> -O <directory>
341353

342354
Malwoverview is a first response tool for threat hunting written by Alexandre Borges.
343355

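Review bot: `-X <argurment>` is a typo for `-X <argument>`. The README usage line also drifts from the one argparse prints: the `usage=` string in malwoverview.py in this same diff still says `-V <virustotal arg>`, `-J <URLhaus argument>`, `-P <polyswarm argument>`, `-VX <VirusExchange arg>`, `-O <output directory>` and `-IP <IP address>`, while the README uses `<argument>` / `<directory>` throughout. Pick one wording and use it in both places so `--help` output matches the documentation.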
@@ -574,7 +586,7 @@ Malwoverview is a first response tool for threat hunting written by Alexandre Bo
574586
-x TRIAGE, --triage TRIAGE
575587

576588
+ Provides information from TRIAGE according to the specified value:
577-
+ <1> this option gets sample's general information by providing an
589+
+ 1: this option gets sample's general information by providing an
578590
argument with -X option in the following possible formats:
579591
- sha256:<value>
580592
- sha1:<value>
@@ -586,12 +598,12 @@ Malwoverview is a first response tool for threat hunting written by Alexandre Bo
586598
- wallet:<value>
587599
- ip:<value>;
588600
589-
+ <2> Get a sumary report for a given Triage ID (got from option -x 1);
590-
+ <3> Submit a sample for analysis;
591-
+ <4> Submit a sample through a URL for analysis;
592-
+ <5> Download sample specified by the Triage ID;
593-
+ <6> Download pcapng file from sample associated to given Triage ID;
594-
+ <7> Get a dynamic report for the given Triage ID (got from option -x 1);
601+
+ 2: Get a sumary report for a given Triage ID (got from option -x 1);
602+
+ 3: Submit a sample for analysis;
603+
+ 4: Submit a sample through a URL for analysis;
604+
+ 5: Download sample specified by the Triage ID;
605+
+ 6: Download pcapng file from sample associated to given Triage ID;
606+
+ 7: Get a dynamic report for the given Triage ID (got from option -x 1);
595607

596608
-X TRIAGE_ARG, --triagearg TRIAGE_ARG
597609

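Review bot: the renumbering keeps an existing typo: `Get a sumary report` in option 2 should read `summary`. Since these lines are being rewritten anyway, fixing it here avoids a separate cleanup commit.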
@@ -607,20 +619,45 @@ Malwoverview is a first response tool for threat hunting written by Alexandre Bo
607619
+ 4: Gets the most recent list of threats. To this option, the -I
608620
argument must be "list" (lowercase and without double quotes);
609621
+ 5: Retrives threats related to a provided domain;
610-
+ 6. Retrieves a list of samples related to the given IP address;
611-
+ 7. Retrives a list of sample related to the given e-mail address;
612-
+ 8. Retrieves a list of samples related to the given filename;
613-
+ 9. Retrieves a list of samples related to a given URL;
614-
+ 10. Retrieves information about a specified IOC;
615-
+ 11. List a list of IOCs. Note: you must pass "list" (without
622+
+ 6: Retrieves a list of samples related to the given IP address;
623+
+ 7: Retrives a list of sample related to the given e-mail address;
624+
+ 8: Retrieves a list of samples related to the given filename;
625+
+ 9: Retrieves a list of samples related to a given URL;
626+
+ 10: Retrieves information about a specified IOC;
627+
+ 11: List a list of IOCs. Note: you must pass "list" (without
616628
double quotes) as argument to -I;
617-
+ 12. Check for a given keyword in the reputation database;
618-
+ 13. List artifacts in the reputation dabatabse. Note: you must
629+
+ 12: Check for a given keyword in the reputation database;
630+
+ 13: List artifacts in the reputation dabatabse. Note: you must
619631
pass "list" (without double quotes) as argument to -I.
620632

621633
-I INQUEST_ARG, --inquestarg INQUEST_ARG
622634

623-
+ Provides argument to INQUEST -i option.
635+
+ Provides argument to INQUEST -i option.
636+
637+
-vx VXOPTION, --vx VXOPTION
638+
639+
+ 1: Gets basic metadata for a given SHA256 hash;
640+
+ 2: Downloads sample given a SHA256 provided in the -VX argument.
641+
642+
-VX VXARG, --VX VXARG
643+
644+
+ Provides argument to the -vx option from VirusExchange.
645+
646+
-O OUTPUTDIR, --output-dir OUTPUTDIR
647+
648+
+ Set output directory for all sample downloads.
649+
650+
-ip IP, --ip IP
651+
652+
+ Get IP information from various sources. The possible values are:
653+
+ 1: Get details for an IP address provided with -IP from IPInfo;
654+
+ 2: Get details for an IP address provided with -IP from BGPView;
655+
+ 3: Get details for an IP address provided with -IP from all
656+
available intel services (VirusTotal/Alienvault).
657+
658+
-IP IPARG, --iparg IPARG
659+
660+
+ Provides argument for IP lookup operations specified by the -ip option.
624661

625662

626663
## EXAMPLES
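Review bot: several typos survive the reformat: `Retrives` (options 5 and 7) should be `Retrieves`, `a list of sample` in option 7 should be `samples`, and `dabatabse` in option 13 should be `database`. For the new options, the `-O` entry should state the default (argparse sets `default='.'`, i.e. the current directory), and `-vx` has no description line of its own, only its two values, unlike `-ip` which opens with `Get IP information from various sources`. The `-ip 3` text correctly lists only VirusTotal and AlienVault, which matches the `MultipleIPExtractor` dict in malwoverview.py where IPInfo, BGPView, InQuest and PolySwarm are commented out; keep these two in sync if those entries are enabled later.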
@@ -730,15 +767,32 @@ Malwoverview is a first response tool for threat hunting written by Alexandre Bo
730767
malwoverview -i 11 -I list
731768
malwoverview -i 12 -I rebrand.ly
732769
malwoverview -i 13 -I list | more
770+
malwoverview -vx 1 -VX c3247ada71931ee267e975cb04160dc8ac611f3b4409f41b595177e124be7c2e
771+
malwoverview -vx 2 -VX c3247ada71931ee267e975cb04160dc8ac611f3b4409f41b595177e124be7c2e
772+
malwoverview -ip 1 -IP 8.8.8.8
773+
malwoverview -ip 2 -IP 8.8.8.8
774+
malwoverview -ip 3 -IP 8.8.8.8
775+
malwoverview -vx 2 -VX <hash> -O <directory>
776+
malwoverview -b 5 -B <hash> -O <directory>
733777

734778

735779
## HISTORY
736780

781+
782+
Version 6.1.0:
783+
784+
This version:
785+
786+
* Introduces -vx option for Virus Exchange.
787+
* Introduces -ip option for IPView and BGPView.
788+
* Introduces -O option to save samples in a central directory.
789+
* Fixes multiple other issues.
790+
737791
Version 6.0.1:
738792

739793
This version:
740794

741-
* Issue in Malshare's download option has been fixed..
795+
* Issue in Malshare's download option has been fixed.
742796

743797
Version 6.0.0:
744798

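Review bot: the changelog says `-ip option for IPView and BGPView`; the service is IPInfo (config key `IPINFOAPI`, help text `-ip 1 ... from IPInfo`), so this should read `IPInfo and BGPView`. `Fixes multiple other issues` is not actionable for someone deciding whether to upgrade; list the fixes or reference the PR.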
malwoverview/malwoverview.py

Lines changed: 51 additions & 6 deletions
@@ -1,6 +1,6 @@
11
#!/usr/bin/env python3
22

3-
# Copyright (C) 2018-2024 Alexandre Borges <https://exploitreversing.com>
3+
# Copyright (C) 2018-2025 Alexandre Borges <https://exploitreversing.com>
44
#
55
# This program is free software: you can redistribute it and/or modify
66
# it under the terms of the GNU General Public License as published by
@@ -21,7 +21,7 @@
2121
# Christian Clauss (https://github.com/cclauss)
2222
# Artur Marzano (https://github.com/Macmod)
2323

24-
# Malwoverview.py: version 6.0.1
24+
# Malwoverview.py: version 6.1.0
2525

2626
import os
2727
import argparse
@@ -42,6 +42,10 @@
4242
from malwoverview.modules.triage import TriageExtractor
4343
from malwoverview.modules.urlhaus import URLHausExtractor
4444
from malwoverview.modules.virustotal import VirusTotalExtractor
45+
from malwoverview.modules.virusexchange import VirusExchangeExtractor
46+
from malwoverview.modules.ipinfo import IPInfoExtractor
47+
from malwoverview.modules.bgpview import BGPViewExtractor
48+
from malwoverview.modules.multipleip import MultipleIPExtractor
4549
from malwoverview.utils.colors import printr
4650
from malwoverview.utils.hash import calchash
4751
import malwoverview.modules.configvars as cv
@@ -50,9 +54,9 @@
5054
# On Windows systems, it is necessary to install python-magic-bin: pip install python-magic-bin
5155

5256
__author__ = "Alexandre Borges"
53-
__copyright__ = "Copyright 2018-2024, Alexandre Borges"
57+
__copyright__ = "Copyright 2018-2025, Alexandre Borges"
5458
__license__ = "GNU General Public License v3.0"
55-
__version__ = "6.0.1"
59+
__version__ = "6.1.0"
5660
__email__ = "reverseexploit at proton.me"
5761

5862
def finish_hook(signum, frame):
@@ -73,7 +77,7 @@ def main():
7377
USER_HOME_DIR = str(Path.home()) + '/'
7478
cv.windows = 0
7579

76-
parser = argparse.ArgumentParser(prog=None, description="Malwoverview is a first response tool for threat hunting written by Alexandre Borges. This version is 6.0.1", usage="python malwoverview.py -c <API configuration file> -d <directory> -o <0|1> -v <1-13> -V <virustotal arg> -a <1-15> -w <0|1> -A <filename> -l <1-7> -L <hash> -j <1-7> -J <URLhaus argument> -p <1-8> -P <polyswarm argument> -y <1-5> -Y <file name> -n <1-5> -N <argument> -m <1-8> -M <argument> -b <1-10> -B <arg> -x <1-7> -X <arg> -i <1-13> -I <INQUEST argument>")
80+
parser = argparse.ArgumentParser(prog=None, description="Malwoverview is a first response tool for threat hunting written by Alexandre Borges. This version is " + __version__, usage="usage: python malwoverview.py -c <API configuration file> -d <directory> -o <0|1> -v <1-13> -V <virustotal arg> -a <1-15> -w <0|1> -A <filename> -l <1-7> -L <hash> -j <1-7> -J <URLhaus argument> -p <1-8> -P <polyswarm argument> -y <1-5> -Y <file name> -n <1-5> -N <argument> -m <1-8> -M <argument> -b <1-10> -B <arg> -x <1-7> -X <arg> -i <1-13> -I <INQUEST argument> -vx <1-2> -VX <VirusExchange arg> -O <output directory> -ip <1-3> -IP <IP address>")
7781
parser.add_argument('-c', '--config', dest='config', type=str, metavar="CONFIG FILE", default=(USER_HOME_DIR + '.malwapi.conf'), help='Use a custom config file to specify API\'s.')
7882
parser.add_argument('-d', '--directory', dest='direct', type=str, default='', metavar="DIRECTORY", help='Specifies the directory containing malware samples to be checked against VIRUS TOTAL. Use the option -D to decide whether you are being using a public VT API or a Premium VT API.')
7983
parser.add_argument('-o', '--background', dest='backg', type=int, default=1, metavar="BACKGROUND", help='Adapts the output colors to a light background color terminal. The default is dark background color terminal.')
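Review bot: the new `usage=` string begins with the literal text `usage: python malwoverview.py ...`. argparse prefixes its own `usage: ` when it prints, so `--help` will now show `usage: usage: python malwoverview.py ...`. Drop the leading `usage: ` from the string (the 6.0.1 line did not have it). Building the description from `__version__` is a good change; it removes one of the hard-coded version strings that had to be bumped by hand on every release.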
@@ -100,6 +104,11 @@ def main():
100104
parser.add_argument('-X', '--triagearg', dest='triagearg', type=str, default='', metavar="TRIAGE_ARG", help='Provides argument for options especified by -x option. Pay attention: the format of this argument depends on provided -x value.')
101105
parser.add_argument('-i', '--inquest', dest='inquest', type=int, default=0, metavar="INQUEST", help='Retrieves multiple information from INQUEST. The possible values are: 1: Downloads a sample; 2: Retrives information about a sample given a SHA256; 3: Retrieves information about a sample given a MD5 hash; 4: Gets the most recent list of threats. To this option, the -I argument must be "list" (lowercase and without double quotes) ; 5: Retrives threats related to a provided domain; 6. Retrieves a list of samples related to the given IP address; 7. Retrives a list of sample related to the given e-mail address; 8. Retrieves a list of samples related to the given filename; 9. Retrieves a list of samples related to a given URL; 10. Retrieves information about a specified IOC; 11. List a list of IOCs. Note: you must pass "list" (without double quotes) as argument to -I; 12. Check for a given keyword in the reputation database; 13. List artifacts in the reputation dabatabse. Note: you must pass "list" (without double quotes) as argument to -I.')
102106
parser.add_argument('-I', '--inquestarg', dest='inquestarg', type=str, metavar="INQUEST_ARG", help='Provides argument to INQUEST -i option.')
107+
parser.add_argument('-vx', '--vx', dest='vxoption', type=int, default=0, help='VirusExchange operations. The possible values are: 1: Gets basic metadata for a given SHA256 hash; 2: Downloads sample given a SHA256 provided in the -VX argument.')
108+
parser.add_argument('-VX', '--VX', dest='vxarg', type=str, help='Provides argument to the -vx option from VirusExchange.')
109+
parser.add_argument('-O', '--output-dir', dest='output_dir', type=str, default='.', help='Set output directory for all sample downloads.')
110+
parser.add_argument('-ip', '--ip', dest='ipoption', type=int, default=0, metavar="IP", help='Get IP information from various sources. The possible values are: 1: Get details for an IP address provided with -IP from IPInfo; 2: Get details for an IP address provided with -IP from BGPView; 3: Get details for an IP address provided with -IP from all available intel services (VirusTotal/Alienvault).')
111+
parser.add_argument('-IP', '--iparg', dest='iparg', type=str, metavar="IP_ARG", help='Provides argument for IP lookup operations specified by the -ip option.')
103112

104113
args = parser.parse_args()
105114

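Review bot: `-vx`, `-VX` and `-O` are added without `metavar`, unlike every neighbouring option, so the help shows `VXOPTION`, `VXARG` and `OUTPUT_DIR` derived from `dest`; add metavars for consistency with `-ip`/`-IP`, which do set them. `-vx` and `-ip` accept any int, but the dispatch tables later in this diff only handle values 1-2 and 1-3; `choices=(1, 2)` and `choices=(1, 2, 3)` would reject bad values with a clear argparse message instead of relying on whatever the dispatcher does with an unknown key. The `-O` help text should also mention that the default is the current directory (`default='.'`).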
@@ -115,6 +124,8 @@ def main():
115124
MALPEDIAAPI = config_dict.get('MALPEDIA', 'MALPEDIAAPI')
116125
TRIAGEAPI = config_dict.get('TRIAGE', 'TRIAGEAPI')
117126
INQUESTAPI = config_dict.get('INQUEST', 'INQUESTAPI')
127+
VXAPI = config_dict.get('VIRUSEXCHANGE', 'VXAPI')
128+
IPINFOAPI = config_dict.get('IPINFO', 'IPINFOAPI')
118129

119130
optval = range(2)
120131
optval1 = range(3)
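Review bot: `config_dict.get('VIRUSEXCHANGE', 'VXAPI')` and `config_dict.get('IPINFO', 'IPINFOAPI')` are unconditional. Anyone upgrading from 6.0.1 with an existing `~/.malwapi.conf` that lacks the two new sections will get a `configparser.NoSectionError` at startup, even if they only use the old options. Use `config_dict.get('VIRUSEXCHANGE', 'VXAPI', fallback='')` (and the same for `IPINFO`), and add a sentence to the README config section telling upgraders to add the two sections.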
@@ -128,6 +139,7 @@ def main():
128139
optval9 = range(14)
129140
optval10 = range(16)
130141
repo = args.direct
142+
cv.output_dir = args.output_dir
131143
cv.bkg = args.backg
132144
virustotaloptionx = args.virustotaloption
133145
haoptionx = args.haoption
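Review bot: `cv.output_dir` is stored without any check. The existing options each have an `optvalN = range(...)` in the context lines above, but no equivalent range is added for `vxoptionx` or `ipoptionx` here. Also consider validating the directory before any download starts (`os.path.isdir`, or `os.makedirs(..., exist_ok=True)` if creating it is the intended behaviour) so that a typo in `-O` fails early rather than after a sample has already been fetched from a remote service.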
@@ -153,6 +165,10 @@ def main():
153165
virustotalargx = args.virustotalarg
154166
inquestx = args.inquest
155167
inquestargx = args.inquestarg
168+
vxoptionx = args.vxoption
169+
vxargx = args.vxarg
170+
ipoptionx = args.ipoption
171+
ipargx = args.iparg
156172
config = args.config
157173

158174
ffpname = ''
@@ -187,7 +203,7 @@ def main():
187203
haargx, mallist, args.malsharehash, args.hausoption, polyoptionx, polyargx,
188204
androidoptionx, androidargx, alienx, alienargsx, malpediaargx,
189205
malpediax, bazaarx, bazaarargx, triagex, triageargx,
190-
inquestx, inquestargx
206+
inquestx, inquestargx, vxoptionx, vxargx, ipoptionx, ipargx
191207
]
192208

193209
# Show the help message if:
@@ -211,6 +227,19 @@ def main():
211227
malshare = MalshareExtractor(MALSHAREAPI)
212228
haus = URLHausExtractor(HAUSSUBMITAPI)
213229
android = AndroidExtractor(hybrid, virustotal)
230+
vx = VirusExchangeExtractor(VXAPI)
231+
ipinfo = IPInfoExtractor(IPINFOAPI)
232+
bgpview = BGPViewExtractor()
233+
multipleip = MultipleIPExtractor(
234+
{
235+
#"IPInfo": ipinfo,
236+
#"BGPView": bgpview,
237+
"VirusTotal": virustotal,
238+
"AlienVault": alien,
239+
#"InQuest": inquest,
240+
# "PolySwarm": polyswarm,
241+
}
242+
)
214243

215244
# Special parameters for hybrid analysis module
216245
query = haargx
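Review bot: the `MultipleIPExtractor` dict carries four commented-out entries (`IPInfo`, `BGPView`, `InQuest`, `PolySwarm`). Either remove them or leave one comment saying why only VirusTotal and AlienVault are wired, since the README help for `-ip 3` promises "all available intel services" and a reader would expect the `ipinfo` and `bgpview` extractors instantiated two lines above to be included. Also `VirusExchangeExtractor(VXAPI)` and `IPInfoExtractor(IPINFOAPI)` receive an empty string when the key is not configured; confirm those modules report a missing key rather than sending an unauthenticated request.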
@@ -385,6 +414,22 @@ def ha_show_and_down(haargx, xx=0):
385414
4: (android.sendandroidha, [androidargx]),
386415
5: (android.sendandroidvt, [androidargx])
387416
}
417+
},
418+
{
419+
'flag': vxoptionx,
420+
'actions': {
421+
1: (vx.check_hash, [vxargx]),
422+
2: (vx.download_sample, [vxargx])
423+
# 3: (vx.upload_sample, [vxargx])
424+
}
425+
},
426+
{
427+
'flag': ipoptionx,
428+
'actions': {
429+
1: (ipinfo.get_ip_details, [ipargx]),
430+
2: (bgpview.get_ip_details, [ipargx]),
431+
3: (multipleip.get_multiple_ip_details, [ipargx])
432+
}
388433
}
389434
]
390435

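Review bot: the commented-out `# 3: (vx.upload_sample, [vxargx])` is dead code that hints at a sample-submission path. Given the README's note that Malwoverview does not submit samples to any endpoint by default, either drop the comment or, if upload is planned, wire it as an explicit, documented option like Triage `-x 3`. Minor: the comment sits between entry 2 and the closing brace with no trailing comma after entry 2, which is fine syntactically but easy to break when entry 3 is uncommented.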