alexandreborges/malwoverview

GitHub: alexandreborges/malwoverview

A first-response command-line tool that aggregates multi-source threat intelligence for malware sample triage, hash/URL/IP lookups, sample download and submission, and NIST vulnerability retrieval.

Stars: 3636 | Forks: 504

# Malwoverview

[GitHub release (latest by date)](https://github.com/alexandreborges/malwoverview/releases/tag/v7.0) [GitHub last commit](https://github.com/alexandreborges/malwoverview/releases) [GitHub Release Date](https://github.com/alexandreborges/malwoverview/releases) [GitHub](https://github.com/alexandreborges/malwoverview/blob/master/LICENSE) [GitHub stars](https://github.com/alexandreborges/malwoverview/stargazers) [Twitter Follow](https://twitter.com/ale_sp_brazil) [Downloads/Last Month](https://pypistats.org/packages/malwoverview) [![Downloads](https://static.pepy.tech/personalized-badge/malwoverview?period=month&units=international_system&left_color=grey&right_color=orange&left_text=Last%2030%20days)](https://pepy.tech/project/malwoverview) [Downloads/Total](https://pepy.tech/project/malwoverview)

![Alt text](pictures/picture_1.jpg?raw=true "Title")
![Alt text](pictures/picture_2.jpg?raw=true "Title")
![Alt text](pictures/picture_3.jpg?raw=true "Title")
![Alt text](pictures/picture_4.jpg?raw=true "Title")
![Alt text](pictures/picture_5.jpg?raw=true "Title")
![Alt text](pictures/picture_6.jpg?raw=true "Title")
![Alt text](pictures/picture_7.jpg?raw=true "Title")
![Alt text](pictures/picture_8.jpg?raw=true "Title")
![Alt text](pictures/picture_9.jpg?raw=true "Title")
![Alt text](pictures/picture_10.jpg?raw=true "Title")
![Alt text](pictures/picture_11.jpg?raw=true "Title")
![Alt text](pictures/picture_12.jpg?raw=true "Title")
![Alt text](pictures/picture_13.jpg?raw=true "Title")
![Alt text](pictures/picture_14.jpg?raw=true "Title")
![Alt text](pictures/picture_15.jpg?raw=true "Title")
![Alt text](pictures/picture_16.jpg?raw=true "Title")
![Alt text](pictures/picture_17.jpg?raw=true "Title")
![Alt text](pictures/picture_18.jpg?raw=true "Title")
![Alt text](pictures/picture_19.jpg?raw=true "Title")

```
Copyright (C) 2018-2026 Alexandre Borges (https://exploitreversing.com)

This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.

This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.

See GNU Public License on .
```

## Current version: 7.0

```
Important note: Malwoverview does NOT submit samples to any endpoint by default, so it respects
possible Non-Disclosure Agreements (NDAs). There are specific options that explicitly submit
samples, but these options are explained in the help.
```

## About

Malwoverview.py is a first-response tool for threat hunting that performs an initial and quick triage of malware samples, URLs, IP addresses, domains, malware families, IOCs and hashes. Additionally, Malwoverview is able to fetch dynamic and static behaviour reports from several endpoints, and to submit and download samples. In short, it acts as a client for the main existing sandboxes.

The tool aims to:

1. Determine similar executable malware samples (PE/PE+) according to their import table (imphash) and group them by different colours (pay attention to the second column of the output). Thus, colours matter!
2. Show hash information on Virus Total, Hybrid Analysis, Malshare, Polyswarm, URLhaus, Alien Vault, Malpedia and ThreatCrowd engines.
3. Determine whether a malware sample contains an overlay and extract it, if requested.
4. Check suspicious files on Virus Total, Hybrid Analysis and Polyswarm.
5. Check URLs on Virus Total, Malshare, Polyswarm, URLhaus engines and Alien Vault.
6. Download malware samples from Hybrid Analysis, Malshare, URLHaus, Polyswarm and Malpedia engines.
7. Submit malware samples to VirusTotal, Hybrid Analysis and Polyswarm.
8. List the last suspicious URLs on URLHaus.
9. List the last payloads on URLHaus.
10. Search for specific payloads on Malshare.
11. Search for similar payloads (PE32/PE32+) on the Polyswarm engine.
12. Classify all files in a directory, searching for information on Virus Total and Hybrid Analysis.
13. Generate reports about suspicious domains using different engines such as VirusTotal, Malpedia and ThreatCrowd.
14. Check APK packages directly from an Android device against Hybrid Analysis and Virus Total.
15. Submit APK packages directly from an Android device to Hybrid Analysis and Virus Total.
16. Show URLs related to a user-provided tag on URLHaus.
17. Show payloads related to a tag (signature) on URLHaus.
18. Show information about an IP address from Virus Total, Alien Vault, Malpedia and ThreatCrowd.
19. Show information about an IP address, domain or URL from Polyswarm.
20. Perform a metasearch on the Polyswarm Network using several criteria: imphash, IPv4, domain, URL and malware family.
21. Gather threat-hunting information from AlienVault using different criteria.
22. Gather threat-hunting information from Malpedia using different criteria.
23. Gather threat-hunting information from Malware Bazaar using different criteria.
24. Gather IOC information from ThreatFox using different criteria.
25. Gather threat-hunting information from Triage using different criteria.
26. Get hashes from a given file and evaluate them on Virus Total.
27. Submit large files (>= 32 MB) to Virus Total.
28. Malwoverview uses the Virus Total API v.3, so there are no longer any options using v.2.
29. Retrieve information about a given IP address from the IPInfo service.
30. Retrieve information about a given IP address from the BGPView service.
31. Retrieve combined information about a given IP address from several services.
32. Provide an additional option to save any downloaded file to a central location.
33. List and search vulnerabilities from NIST by different criteria.

## Installation

The tool has been tested on REMnux, Ubuntu, Kali Linux, macOS and Windows. Malwoverview can be installed by executing the following command:

```
* pip3.11 install git+https://github.com/alexandreborges/malwoverview

or...

* python -m pip install -U malwoverview
```

If you want to install Malwoverview on macOS, you must execute the following commands:

```
* /bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"
* brew install libmagic
* pip3 install urllib3==1.26.6
* pip3 install -U malwoverview
* Add the Python binary directory to the PATH variable by editing the .bash_profile file in your home directory. Example:

  export PATH=$PATH:/Users/alexandreborges/Library/Python/3.9/bin

* Execute: . ./.bash_profile
```

If you are installing Malwoverview on Windows, make sure the following conditions hold after installing Malwoverview:

```
* python-magic is NOT installed. (pip show python-magic)
* python-magic-bin IS installed. (pip show python-magic-bin)
```

#### Note: it is recommended to save the .malwapi.conf file before any update!

## Required APIs

It is possible to start using Malwoverview even without inserting all APIs. However, to use all Malwoverview options you must insert the respective APIs for the following services into the .malwapi.conf configuration file: VirusTotal, Hybrid Analysis, URLHaus, Malshare, Polyswarm, Alien Vault, Malpedia, Triage, IPInfo, Malware Bazaar and ThreatFox. The configuration file must exist (or be created) in the home directory (/home/[username] or /root on Linux, C:\Users\[username] on Windows). Alternatively, the user can create a custom configuration file and specify it with the -c option.

Special reminder: if the .malwapi.conf file does not exist in the home directory, it must be created!
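The checks a practitioner wants before the first run are "does the file exist in the right place, which keys are actually filled in, and is the file readable only by me". The script below is an added example (not Malwoverview's own code) that answers those questions for a `.malwapi.conf` using the section and key names documented in this README. The mapping from config sections to command-line option groups is this example's own summary of the help text, and the sample file it writes contains constructed, non-working key values.

```python
"""Inspect a Malwoverview .malwapi.conf and report which option groups it enables.

Added example, not part of the Malwoverview project. Section/key names follow
the .malwapi.conf format documented in the README; the option groups listed
next to each section are an assumption summarised from the README's help text.
"""
import configparser
import os
import stat
import tempfile
from pathlib import Path

# section -> (key name in that section, option groups that need it)
# The option-group strings are this example's reading of the help text.
SECTIONS = {
    "VIRUSTOTAL":      ("VTAPI",         "-d, -v/-V, -y 2/3/5"),
    "HYBRID-ANALYSIS": ("HAAPI",         "-a/-A, -y 1/4"),
    "MALSHARE":        ("MALSHAREAPI",   "-l/-L"),
    "HAUSSUBMIT":      ("HAUSSUBMITAPI", "URLHaus submission key (use not documented in this README)"),
    "URLHAUS":         ("URLHAUSAPI",    "-j/-J"),
    "POLYSWARM":       ("POLYAPI",       "-p/-P"),
    "ALIENVAULT":      ("ALIENAPI",      "-n/-N"),
    "MALPEDIA":        ("MALPEDIAAPI",   "-m/-M"),
    "TRIAGE":          ("TRIAGEAPI",     "-x/-X"),
    "IPINFO":          ("IPINFOAPI",     "-ip 1/3"),
    "BAZAAR":          ("BAZAARAPI",     "-b 1-5"),
    "THREATFOX":       ("THREATFOXAPI",  "-b 6-10"),
}


def default_config_path() -> Path:
    """Malwoverview reads .malwapi.conf from the home directory unless -c is given."""
    return Path.home() / ".malwapi.conf"


def load_keys(path) -> dict:
    """Return {section: key} for every section whose key is non-empty.

    The README is explicit that the file must exist, so a missing file is an
    error rather than an empty result. Interpolation is disabled so a '%' in
    a key value cannot make configparser raise.
    """
    path = Path(path)
    if not path.is_file():
        raise FileNotFoundError(f"{path} does not exist; create it (see 'Required APIs')")
    parser = configparser.ConfigParser(interpolation=None)
    with path.open(encoding="utf-8") as handle:
        parser.read_file(handle)
    keys = {}
    for section, (key, _options) in SECTIONS.items():
        value = parser.get(section, key, fallback="").strip()
        if value:                      # "HAAPI =" with nothing after it does not count
            keys[section] = value
    return keys


def missing_file_is_rejected(path) -> bool:
    """True when load_keys() refuses a path that does not exist."""
    try:
        load_keys(path)
    except FileNotFoundError:
        return True
    return False


def loose_permissions(path) -> bool:
    """True when group/other could read the key file (POSIX only; False elsewhere)."""
    if os.name != "posix":
        return False
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return bool(mode & 0o077)


def usable_options(keys: dict) -> dict:
    """Split the option groups into those enabled by a configured key and those missing."""
    report = {"enabled": [], "missing": []}
    for section, (key, options) in SECTIONS.items():
        bucket = "enabled" if section in keys else "missing"
        report[bucket].append(f"{options}  [{section}] {key}")
    return report


def mask(value: str) -> str:
    """Never echo a whole API key to a terminal or log."""
    return (value[:4] + "..." + value[-2:]) if len(value) > 10 else "***"


# Constructed sample config: the key values are placeholders, not real credentials.
SAMPLE_CONF = """\
[VIRUSTOTAL]
VTAPI = 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef

[HYBRID-ANALYSIS]
HAAPI =

[MALPEDIA]
MALPEDIAAPI = example-malpedia-token-not-real
"""


def demo(directory=None) -> dict:
    """Write the constructed config to a temp dir with 0600 perms and inspect it."""
    directory = Path(directory or tempfile.mkdtemp())
    conf = directory / ".malwapi.conf"
    conf.write_text(SAMPLE_CONF, encoding="utf-8")
    os.chmod(conf, 0o600)
    keys = load_keys(conf)
    return {"keys": keys, "report": usable_options(keys), "loose": loose_permissions(conf)}


if __name__ == "__main__":
    result = demo()
    for section, value in result["keys"].items():
        print(f"{section:16s} {mask(value)}")
    for bucket in ("enabled", "missing"):
        print(f"\n{bucket}:")
        for line in result["report"][bucket]:
            print("  " + line)
    if result["loose"]:
        print("\nWARNING: key file is readable by other users; chmod 600 it")
```

Point `load_keys()` at `default_config_path()` (or the path you pass to `-c`) to check a real file; an empty `HAAPI =` line is reported as missing, which is the usual reason an option "does nothing" right after installation.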
* Special note about Alien Vault: before using the -n 1 option, you need to subscribe to pulses on the Alien Vault website.

The .malwapi.conf configuration file has the following format:

```
[VIRUSTOTAL]
VTAPI =

[HYBRID-ANALYSIS]
HAAPI =

[MALSHARE]
MALSHAREAPI =

[HAUSSUBMIT]
HAUSSUBMITAPI =

[POLYSWARM]
POLYAPI =

[ALIENVAULT]
ALIENAPI =

[MALPEDIA]
MALPEDIAAPI =

[TRIAGE]
TRIAGEAPI =

[IPINFO]
IPINFOAPI =

[BAZAAR]
BAZAARAPI =

[THREATFOX]
THREATFOXAPI =

[URLHAUS]
URLHAUSAPI =
```

The APIs can be requested on the respective service websites:

1. Virus Total (community and paid APIs): https://www.virustotal.com/gui/join-us
2. Hybrid Analysis: https://www.hybrid-analysis.com/signup
3. Malshare: https://malshare.com/doc.php
4. URLHaus: https://urlhaus.abuse.ch/api/#account
5. Polyswarm: https://docs.polyswarm.io/consumers
6. Alien Vault: https://otx.alienvault.com/api
7. Malpedia: it does not offer public registration, but you can request a user account directly through Twitter (DM) or the feedback e-mail. Malpedia's Twitter account is @malpedia.
8. Malware Bazaar: https://bazaar.abuse.ch/api/#auth_key
9. ThreatFox: https://threatfox.abuse.ch/api/#auth_key
10. Triage: https://tria.ge/signup
11. IPInfo: https://ipinfo.io/
12. BGPView: https://bgpview.docs.apiary.io/

## Note about MALPEDIA API requests:

The service is based on community vetting. Therefore, it is recommended that you submit the API request using a corporate e-mail address rather than a public/free one (Gmail, Outlook and so on). Additionally, providing more information about yourself (LinkedIn account, X/Twitter, Mastodon, BlueSky and so on) helps to verify your identity, professional profile and legitimacy, which speeds up approval.

## Note about Triage:

Every Triage operation is based on the Triage ID of each artifact, so you need to search for the correct artifact ID with "-x 1 -X <key>:<value>" (keys such as sha256:, family:, score: or tag:; see the help) and then use this ID with the other Triage options (-x [2-7]) to get further threat-hunting information from the Triage endpoint.

## Note about URLHaus, Malware Bazaar and ThreatFox:

From the second half of 2025, an Auth-Key (API) is required to use the URLHaus, Malware Bazaar and ThreatFox services.

## Note about terminal background colour:

Malwoverview was written to produce output for a dark terminal background. However, the -o 0 option changes the output colours and adapts them to a light background.

To check the installation, execute:

```
malwoverview --help
```

Further information is available at:

```
(PyPI repository) https://pypi.org/project/malwoverview/
(GitHub)          https://github.com/alexandreborges/malwoverview
```

If you want to perform a manual installation (usually not necessary), a few steps have to be executed, as shown in the next subsection.

## Manual installation

1. Python version 3.11 or later (Python 3.x only!!! It does not run with Python 2.7):

   $ apt-get install python3.11 (for example)

2. Python-magic. To install the python-magic package, you can execute the following command:

   $ pip3.11 install python-magic

   Or you can compile it from the GitHub repository:

   $ git clone https://github.com/ahupp/python-magic
   $ cd python-magic/
   $ python3.11 setup.py build
   $ python3.11 setup.py install

   Because of serious problems caused by the existence of two versions of the python-magic package, it is recommended to install it from GitHub (the second procedure above) and copy the magic.py file into the same directory as the malwoverview tool.

3. Install all required Python packages:

   $ pip3.11 install -r requirements.txt

   or

   $ pip3.11 install -U pefile
   $ pip3.11 install -U colorama
   $ pip3.11 install -U simplejson
   $ pip3.11 install -U python-magic
   $ pip3.11 install -U requests
   $ pip3.11 install -U validators
   $ pip3.11 install -U geocoder
   $ pip3.11 install -U polyswarm-api
   $ pip3.11 install -U pathlib
   $ pip3.11 install -U configparser

4. To check Android phones, you need to install the "adb" tool:

   $ sudo apt-get install adb

   PS: before trying the Android options, check:

   * whether the adb tool is listed in the PATH environment variable;
   * whether the system has been authorized to access the device, by using "adb devices -l".

## Help

```
usage: python malwoverview.py -c -d -o <0|1> -v <1-13> -V -a <1-15> -w <0|1> -A -l <1-7> -L -j <1-7> -J -p <1-8> -P -y <1-5> -Y -n <1-5> -N -m <1-8> -M -b <1-10> -B -x <1-7> -X -ip <1-3> -IP -O --nist <1-5> --NIST

Malwoverview is a first-response tool for threat hunting written by Alexandre Borges.
```

Malware options: malware analysis and intelligence query options

```
  -h, --help
        show this help message and exit

  -c CONFIG FILE, --config CONFIG FILE
        Use a custom config file to specify APIs.

  -d DIRECTORY, --directory DIRECTORY
        Specifies the directory containing malware samples to be checked against VIRUS TOTAL.
        Use the option -D to decide whether you are using a public VT API or a Premium VT API.

  -o BACKGROUND, --background BACKGROUND
        Adapts the output colors to a light background color terminal.
        The default is a dark background color terminal.

  -v VIRUSTOTAL, --virustotal_option VIRUSTOTAL
        -v 1:  given a file using the -V option, it queries the VIRUS TOTAL database (API v.3) to get the report for that file;
        -v 2:  it shows an antivirus report for a given file using the -V option (API v.3);
        -v 3:  equal to -v 2, but the binary's IAT and EAT are also shown (API v.3);
        -v 4:  it extracts the overlay;
        -v 5:  submits a URL to VT scanning;
        -v 6:  submits an IP address to Virus Total;
        -v 7:  gets a report on the provided domain from Virus Total;
        -v 8:  verifies a given hash against Virus Total;
        -v 9:  submits a sample to VT (up to 32 MB). Use a forward slash to specify the target file on Windows systems.
               Demands passing the sample file with the -V option;
        -v 10: verifies hashes from a file provided through option -V. This option uses the public VT API v.3;
        -v 11: verifies hashes from a file provided through option -V. This option uses the Premium API v.3;
        -v 12: it shows behaviour information of a sample given a hash through option -V. This option uses VT API v.3;
        -v 13: it submits LARGE files (above 32 MB) to VT using API v.3;

  -V VIRUSTOTAL_ARG, --virustotal_arg VIRUSTOTAL_ARG
        Provides arguments for the -v option.

  -a HYBRID_ANALYSIS, --hybrid_option HYBRID_ANALYSIS
        This parameter fetches reports from HYBRID ANALYSIS, downloads samples and submits samples to be analyzed.
        The possible values are:
        1:  gets a report for a given hash or sample from a Windows 7 32-bit environment;
        2:  gets a report for a given hash or sample from a Windows 7 32-bit environment (HWP support);
        3:  gets a report for a given hash or sample from a Windows 64-bit environment;
        4:  gets a report for a given hash or sample from an Android environment;
        5:  gets a report for a given hash or sample from a Linux 64-bit environment;
        6:  submits a sample to a Windows 7 32-bit environment;
        7:  submits a sample to a Windows 7 32-bit environment with HWP support;
        8:  submits a sample to a Windows 7 64-bit environment;
        9:  submits a sample to an Android environment;
        10: submits a sample to a Linux 64-bit environment;
        11: downloads a sample from a Windows 7 32-bit environment;
        12: downloads a sample from a Windows 7 32-bit HWP environment;
        13: downloads a sample from a Windows 7 64-bit environment;
        14: downloads a sample from an Android environment;
        15: downloads a sample from a Linux 64-bit environment.

  -A SUBMIT_HA, --ha_arg SUBMIT_HA
        Provides an argument for the -a option from HYBRID ANALYSIS.

  -D VT_PUBLIC_PREMIUM, --vtpubpremium VT_PUBLIC_PREMIUM
        This option must be used with the -d option.
        Possible values:
        <0> it uses the Premium VT API v3 (default);
        <1> it uses the Public VT API v3.

  -l MALSHARE_HASHES, --malsharelist MALSHARE_HASHES
        This option downloads a sample or shows hashes of a specific type from the last 24 hours from the MALSHARE repository.
        Possible values are:
        1: Download a sample;
        2: PE32 (default);
        3: ELF;
        4: Java;
        5: PDF;
        6: Composite (OLE);
        7: List of hashes from the past 24 hours.

  -L MALSHARE_HASH_SEARCH, --malshare_hash MALSHARE_HASH_SEARCH
        Provides a hash as argument for downloading a sample from the MALSHARE repository.

  -j HAUS_OPTION, --haus_option HAUS_OPTION
        This option fetches information from URLHaus depending on the value passed as argument:
        1: performs download of the given sample;
        2: queries information about a provided hash;
        3: searches information about a given URL;
        4: searches a malicious URL by a given tag (case sensitive);
        5: searches for payloads given a tag;
        6: retrieves a list of downloadable links to recent payloads;
        7: retrieves a list of recent malicious URLs.

  -J HAUS_ARG, --haus_arg HAUS_ARG
        Provides an argument to the -j option from URLHaus.

  -p POLY_OPTION, --poly_option POLY_OPTION
        (Only for Linux) This option is related to POLYSWARM operations:
        1: searches information related to a given hash provided using the -P option;
        2: submits a sample provided by the -P option to be analyzed by the Polyswarm engine;
        3: downloads a sample from Polyswarm by providing the hash through option -P.
           Attention: Polyswarm enforces a maximum of 20 samples per month;
        4: searches for similar samples given a sample file through option -P;
        5: searches for samples related to a provided IP address through option -P;
        6: searches for samples related to a given domain provided by option -P;
        7: searches for samples related to a provided URL through option -P;
        8: searches for samples related to a provided malware family given by option -P.

  -P POLYSWARM_ARG, --poly_arg POLYSWARM_ARG
        (Only for Linux) Provides an argument for the -p option from POLYSWARM.

  -y ANDROID_OPTION, --android_option ANDROID_OPTION
        This ANDROID option has multiple possible values:
        <1>: Check all third-party APK packages from the USB-connected Android device against Hybrid Analysis using
             multithreads. Notes: the Android device does not need to be rooted and the system needs to have the adb
             tool in the PATH environment variable;
        <2>: Check all third-party APK packages from the USB-connected Android device against VirusTotal using the
             Public API (slower because of a 60-second delay for each 4 hashes). Notes: the Android device does not
             need to be rooted and the system needs to have the adb tool in the PATH environment variable;
        <3>: Check all third-party APK packages from the USB-connected Android device against VirusTotal using
             multithreads (only for the Private Virus Total API). Notes: the Android device does not need to be rooted
             and the system needs to have the adb tool in the PATH environment variable;
        <4>: Sends a third-party APK from your USB-connected Android device to Hybrid Analysis;
        <5>: Sends a third-party APK from your USB-connected Android device to Virus Total.

  -Y ANDROID_ARG, --android_arg ANDROID_ARG
        This option provides the argument for -y from ANDROID.

  -n ALIENVAULT, --alienvault ALIENVAULT
        Checks multiple information from ALIENVAULT. The possible values are:
        1: Get the subscribed pulses;
        2: Get information about an IP address;
        3: Get information about a domain;
        4: Get information about a hash;
        5: Get information about a URL.

  -N ALIENVAULT_ARGS, --alienvaultargs ALIENVAULT_ARGS
        Provides an argument to the ALIENVAULT -n option.

  -m MALPEDIA, --malpedia MALPEDIA
        This option is related to MALPEDIA and presents different meanings depending on the chosen value. Thus:
        1: List meta information for all families;
        2: List all actor IDs;
        3: List all available payloads organized by family from Malpedia;
        4: Get meta information about a specific actor, so it is necessary to use the -M option. Additionally, confirm
           the correct actor ID by executing malwoverview with option -m 2;
        5: List all family IDs;
        6: Get meta information about a specific family, so it is necessary to use the -M option. Additionally, confirm
           the correct family ID by executing malwoverview with option -m 5;
        7: Get a malware sample from Malpedia (zip format -- password: infected). It is necessary to specify the
           requested hash by using the -M option;
        8: Get a zip file containing Yara rules for a specific family (get the possible families using -m 5), which
           must be specified by using the -M option.

  -M MALPEDIAARG, --malpediarg MALPEDIAARG
        This option provides an argument to the -m option, which is related to MALPEDIA.

  -b BAZAAR, --bazaar BAZAAR
        Checks multiple information from MALWARE BAZAAR and THREATFOX. The possible values are:
        1:  (Bazaar) Query information about a malware hash sample;
        2:  (Bazaar) Get information and a list of malware samples associated with a specific tag;
        3:  (Bazaar) Get a list of malware samples according to a given imphash;
        4:  (Bazaar) Query latest malware samples;
        5:  (Bazaar) Download a malware sample from Malware Bazaar by providing a SHA256 hash. The downloaded sample is
            zipped using the following password: infected;
        6:  (ThreatFox) Get the current IOC dataset from the last x days given by option -B (maximum of 7 days);
        7:  (ThreatFox) Search for the specified IOC on ThreatFox given by option -B;
        8:  (ThreatFox) Search IOCs according to the specified tag given by option -B;
        9:  (ThreatFox) Search IOCs according to the specified malware family provided by option -B;
        10: (ThreatFox) List all available malware families.

  -B BAZAAR_ARG, --bazaararg BAZAAR_ARG
        Provides an argument to the -b MALWARE BAZAAR and THREATFOX option:
        "-b 1" indicates that the -B argument must be a hash, and a report about the sample will be retrieved;
        "-b 2" indicates that the -B argument must be a malware tag, and the last samples matching this tag will be shown;
        "-b 3" means that the -B argument must be an imphash, and the last samples matching this imphash will be shown;
        "-b 4" means that the -B argument must be "100" or "time", where "100" lists the last 100 samples and "time"
               lists the samples added to Malware Bazaar in the last 60 minutes;
        "-b 5" means that the sample will be downloaded, and the -B argument must be the SHA256 hash of the sample
               that you want to download from Malware Bazaar;
        "-b 6" indicates that a list of IOCs will be retrieved, and the -B value is the number of DAYS to filter
               such IOCs. The maximum time is 7 (days);
        "-b 7" indicates that the -B argument is the IOC you want to search for;
        "-b 8" indicates that the -B argument is the IOC TAG that you want to search for;
        "-b 9" indicates that the -B argument is the malware family that you want to search IOCs for;

  -x TRIAGE, --triage TRIAGE
        Provides information from TRIAGE according to the specified value:
        1: gets a sample's general information by providing an argument with the -X option in one of the following
           formats: sha256:, sha1:, md5:, family:, score:, tag:, url:, wallet:, ip:;
        2: Get a summary report for a given Triage ID (obtained from option -x 1);
        3: Submit a sample for analysis;
        4: Submit a sample through a URL for analysis;
        5: Download the sample specified by the Triage ID;
        6: Download the pcapng file of the sample associated with the given Triage ID;
        7: Get a dynamic report for the given Triage ID (obtained from option -x 1);

  -X TRIAGE_ARG, --triagearg TRIAGE_ARG
        Provides the argument for the option specified by -x. Pay attention: the format of this argument depends on
        the provided -x value.

  -O OUTPUTDIR, --output-dir OUTPUTDIR
        Set the output directory for all sample downloads.

  -ip IP, --ip IP
        Get IP information from various sources. The possible values are:
        1: Get details for an IP address provided with -IP from IPInfo;
        2: Get details for an IP address provided with -IP from BGPView;
        3: Get details for an IP address provided with -IP from all available intel services (VirusTotal/AlienVault).

  -IP IPARG, --iparg IPARG
        Provides the argument for IP lookup operations specified by the -ip option.
```

Vulnerability options: vulnerability database query options

```
NIST CVE Database Query:
  Query options for the NIST CVE database (query type and value are required; other options are optional)

  --nist NIST_OPTION    Query type: 1=CPE/Product Search, 2=CVE ID Search, 3=CVSS v3 Severity, 4=Keyword Search, 5=CWE ID Search
  --NIST NIST_ARG       Search value (format depends on query type)
  --time YEARS          Limit results to the last N years
  --rpp NUM             Results per page (default: 100, max: 2000)
  --startindex NUM      Pagination start index (default: 0)
  --ncves NUM           Limit output to the first N CVEs
```

## Examples

### Malware options:

```
malwoverview -d /home/remnux/malware/windows_2/
malwoverview -v 1 -V 95a8370c36d81ea596d83892115ce6b90717396c8f657b17696c7eeb2dba1d2e.exe
malwoverview -v 2 -V 95a8370c36d81ea596d83892115ce6b90717396c8f657b17696c7eeb2dba1d2e.exe
malwoverview -v 3 -V 95a8370c36d81ea596d83892115ce6b90717396c8f657b17696c7eeb2dba1d2e.exe
malwoverview -v 4 -V 95a8370c36d81ea596d83892115ce6b90717396c8f657b17696c7eeb2dba1d2e.exe
malwoverview -v 5 -V http://jamogames.com/templates/JLHk/
malwoverview -v 6 -V 185.220.100.243
malwoverview -v 7 -V xurl.es
malwoverview -v 8 -V ab4d6a82cafc92825a0b88183325855f0c44920da970b42c949d5d5ffdcc0585
malwoverview -v 9 -V cc2d791b16063a302e1ebd35c0e84e6cf6519e90bb710c958ac4e4ddceca68f7.exe
malwoverview -v 10 -V /home/remnux/malware/hash_list_3.txt
malwoverview -v 11 -V /home/remnux/malware/hash_list_3.txt
malwoverview -v 12 -V 9d26e19b8fc5819b634397d48183637bacc9e1c62d8b1856b8116141cb8b4000
malwoverview -v 13 -V /largefiles/4b3b46558cffe1c0b651f09c719af2779af3e4e0e43da060468467d8df445e93
malwoverview -a 1 -A 2e1fcadbac81296946930fe3ba580fd0b1aca11bc8ffd7cefa19dea131274ae8
malwoverview -a 1 -A 2e1fcadbac81296946930fe3ba580fd0b1aca11bc8ffd7cefa19dea131274ae8.exe
malwoverview -a 2 -A 2e1fcadbac81296946930fe3ba580fd0b1aca11bc8ffd7cefa19dea131274ae8
malwoverview -a 3 -A 2e1fcadbac81296946930fe3ba580fd0b1aca11bc8ffd7cefa19dea131274ae8
malwoverview -a 4 -A malware1.apk
malwoverview -a 4 -A 82eb6039cdda6598dc23084768e18495d5ebf3bc3137990280bc0d9351a483eb
malwoverview -a 5 -A 2b03806939d1171f063ba8d14c3b10622edb5732e4f78dc4fe3eac98b56e5d46
malwoverview -a 5 -A 2b03806939d1171f063ba8d14c3b10622edb5732e4f78dc4fe3eac98b56e5d46.elf
malwoverview -a 6 -A 47eccaaa672667a9cea23e24fd702f7b3a45cbf8585403586be474585fd80243.exe
malwoverview -a 7 -A 47eccaaa672667a9cea23e24fd702f7b3a45cbf8585403586be474585fd80243.exe
malwoverview -a 8 -A 47eccaaa672667a9cea23e24fd702f7b3a45cbf8585403586be474585fd80243.exe
malwoverview -a 9 -A malware_7.apk
malwoverview -a 10 -A 925f649617743f0640bdfff4b6b664b9e12761b0e24bbb99ca72740545087ad2.elf
malwoverview -a 11 -A cd856b20a5e67a105b220be56c361b21aff65cac00ed666862b6f96dd190775e
malwoverview -a 12 -A cd856b20a5e67a105b220be56c361b21aff65cac00ed666862b6f96dd190775e
malwoverview -a 13 -A cd856b20a5e67a105b220be56c361b21aff65cac00ed666862b6f96dd190775e
malwoverview -a 14 -A d90a5552fd4ef88a8b621dd3642e3be8e52115a67e6b17b13bdff461d81cf5a8
malwoverview -a 15 -A 925f649617743f0640bdfff4b6b664b9e12761b0e24bbb99ca72740545087ad2
malwoverview -l 1 -L d3dcc08c9b955cd3f68c198e11d5788869d1b159dc8014d6eaa39e6c258123b0
malwoverview -l 2
malwoverview -l 3
malwoverview -l 4
malwoverview -l 5
malwoverview -l 6
malwoverview -j 1 -J 7c99d644cf39c14208df6d139313eaf95123d569a9206939df996cfded6924a6
malwoverview -j 2 -J 7c99d644cf39c14208df6d139313eaf95123d569a9206939df996cfded6924a6
malwoverview -j 3 -J https://unada.us/acme-challenge/3NXwcYNCa/
malwoverview -j 4 -J Qakbot
malwoverview -j 5 -J Emotet
malwoverview -j 5 -J Icedid
malwoverview -j 6
malwoverview -j 7
malwoverview -p 1 -P 1999ba265cd51c94e8ae3a6038b3775bf9a49d6fe57d75dbf1726921af8a7ab2
malwoverview -p 2 -P 301524c3f959d2d6db9dffdf267ab16a706d3286c0b912f7dda5eb42b6d89996.exe
malwoverview -p 3 -P 68c11ef39769674123066bcd52e1d687502eb6c4c0788b4f682e8d31c15e5306
malwoverview -p 4 -P 68c11ef39769674123066bcd52e1d687502eb6c4c0788b4f682e8d31c15e5306.exe
malwoverview -p 5 -P 188.40.75.132
malwoverview -p 6 -P covid19tracer.ca
malwoverview -p 7 -P http://ksahosting.net/wp-includes/utf8.php
malwoverview -p 8 -P Qakbot
malwoverview -y 1
malwoverview -y 2
malwoverview -y 3
malwoverview -y 4 -Y com.spaceship.netprotect
malwoverview -y 5 -Y com.mwr.dz
malwoverview -v 1 -V 368afeda7af69f329e896dc86e9e4187a59d2007e0e4b47af30a1c117da0d792.apk
malwoverview -n 1 -N 10
malwoverview -n 2 -N 176.57.215.100
malwoverview -n 3 -N threesmallhills.com
malwoverview -n 4 -N 6d1756aa6b45244764409398305c460368d64ff9 -o 0
malwoverview -n 5 -N http://ksahosting.net/wp-includes/utf8.php
malwoverview -m 1 | more
malwoverview -m 2 | more
malwoverview -m 3 | more
malwoverview -m 4 -M apt41 | more
malwoverview -m 5 | more
malwoverview -m 6 -M win.qakbot
malwoverview -m 7 -M 3d375d0ead2b63168de86ca2649360d9dcff75b3e0ffa2cf1e50816ec92b3b7d
malwoverview -m 8 -M win.qakbot
malwoverview -b 1 -B c9d7b5d06cd8ab1a01bf0c5bf41ef2a388e41b4c66b1728494f86ed255a95d48
malwoverview -b 2 -B Revil | more
malwoverview -b 3 -B f34d5f2d4577ed6d9ceec516c1f5a744
malwoverview -b 4 -B 100
malwoverview -b 4 -B time | more
malwoverview -b 5 -B bda50ff249b947617d9551c717e78131ed32bf77db9dc5b7591d3e1af6cb2f1a
malwoverview -b 6 -B 3 | more
malwoverview -b 7 -B 193.150.103.37:21330
malwoverview -b 8 -B Magecart | more
malwoverview -b 9 -B "Cobalt Strike"
malwoverview -b 10 | more
malwoverview -x 1 -X score:10 | more
malwoverview -x 1 -X 71382e72d8fb3728dc8941798ab1c180493fa978fd7eadc1ab6d21dae0d603e2
malwoverview -x 2 -X 220315-qxzrfsadfl
malwoverview -x 3 -X cd856b20a5e67a105b220be56c361b21aff65cac00ed666862b6f96dd190775e
malwoverview -x 4 -X http://ztechinternational.com/Img/XSD.exe
malwoverview -x 5 -X 220315-xmbp7sdbel
malwoverview -x 6 -X 220315-xmbp7sdbel
malwoverview -x 7 -X 220315-xmbp7sdbel
malwoverview -ip 1 -IP 8.8.8.8
malwoverview -ip 2 -IP 8.8.8.8
malwoverview -ip 3 -IP 8.8.8.8
malwoverview -b 5 -B -O
```

### Vulnerability options

```
# Search for Windows vulnerabilities
malwoverview --nist 1 --NIST "windows" --ncves 50

# Search for Apache vulnerabilities
malwoverview --nist 1 --NIST "apache" --ncves 30

# Search for Chrome vulnerabilities
malwoverview --nist 1 --NIST "chrome" --ncves 25

# Search for Chromium vulnerabilities
malwoverview --nist 1 --NIST "chromium" --ncves 25

# Search for Linux vulnerabilities
malwoverview --nist 1 --NIST "linux" --ncves 25

# Search for MacOS vulnerabilities
malwoverview --nist 1 --NIST "MacOS" --ncves 25

# Search for the Log4Shell vulnerability
malwoverview --nist 2 --NIST "CVE-2021-44228"

# Search for the ProxyShell vulnerability
malwoverview --nist 2 --NIST "CVE-2021-34473"

# Search for the Spring4Shell vulnerability
malwoverview --nist 2 --NIST "CVE-2022-22965"

# Search for CRITICAL severity vulnerabilities
malwoverview --nist 3 --NIST "CRITICAL" --ncves 50

# Search for HIGH severity vulnerabilities
malwoverview --nist 3 --NIST "HIGH" --ncves 40

# Search for MEDIUM severity vulnerabilities
malwoverview --nist 3 --NIST "MEDIUM" --ncves 30

# Search for Authentication Bypass vulnerabilities
malwoverview --nist 4 --NIST "authentication bypass" --ncves 30

# Search for Remote Code Execution (RCE) vulnerabilities
malwoverview --nist 4 --NIST "remote code execution" --ncves 50

# Search for SQL injection vulnerabilities
malwoverview --nist 4 --NIST "sql injection" --ncves 25

# Search for Path Traversal vulnerabilities (CWE-22)
malwoverview --nist 5 --NIST "CWE-22" --ncves 30

# Search for SQL Injection vulnerabilities (CWE-89)
malwoverview --nist 5 --NIST "CWE-89" --ncves 40

# Search for Cross-Site Scripting vulnerabilities (CWE-79)
malwoverview --nist 5 --NIST "CWE-79" --ncves 35
```

## History

Version 7.0:

```
This version:

* Introduces options to search for vulnerabilities on NIST.
* Fixes multiple URLHaus options.
* Removes InQuest and Virus Exchange options.
* Fixes and modifies multiple minor issues.
* Fixes the Python requirements file.
* Fixes the setup.py file.
```

Version 6.2:

```
This version:

* Modifies the Malware Bazaar option to use an Auth-Key.
* Modifies the ThreatFox option to use an Auth-Key.
```

Version 6.1.1:

```
This version:

* Modifies the code so that registering all APIs is not required at first usage.
* Adds a new section in the README (this file) about required APIs.
```

Version 6.1.0:

```
This version:

* Introduces the -vx option for Virus Exchange.
* Introduces the -ip option for IPInfo and BGPView.
* Introduces the -O option to save samples in a central directory.
* Fixes multiple other issues.
```

Version 6.0.1:

```
This version:

* An issue in Malshare's download option has been fixed.
```

Version 6.0.0:

```
This version:

* It has been completely refactored.
* README.md has also been changed.
* Special thanks to Artur Marzano, who has contributed and dedicated his time to conduct and write this new version.
```

Version 5.4.5:

```
This version:

* Includes a fix related to the installation path.
```

Version 5.4.4:

```
This version:

* Includes only small changes and updates in the README.md.
```

Version 5.4.3:

```
This version:

* Fixes a recent issue on the -v 10 and -v 11 options (VT) due to a change in one of the used libraries.
* Fixes other minor issues on several options.
```

Version 5.4.2:

```
This version:

* Fixes two small issues.
```

Version 5.4.1:

```
This version:

* Fixes issues related to URLHaus.
* Fixes issues related to Polyswarm.
* Fixes issues related to Malware Bazaar.
* Fixes issues related to InQuest.
* Introduces changes to the help description.
* Introduces changes to the installation process.
```

Version 5.3:

```
This version:

* Fixes issues related to Malshare (-l and -L options).
* Adds a new Malshare option (-l 7) to list all samples from the last 24 hours.
```

Version 5.2:

```
This version:

* Multiple issues related to Hybrid Analysis have been fixed.
```

Version 5.1.1:

```
This version:

* A formatting issue related to the -v 10 option has been fixed.
```

Version 5.1:

```
This version:

* Introduces thirteen options related to InQuest Labs.
* Fixes an issue related to the -b 6 option from ThreatFox.
```

Version 5.0.3:

```
This version:

* Includes the possibility of getting information from Hybrid-Analysis using a SHA256 hash or the malware file.
* Removes all options related to ThreatCrowd.
* Fixes an issue related to downloading from Malshare.
* Includes macOS as an operating system supported to run Malwoverview.
```

Version 5.0.2:

```
This version:

* Includes a small fix for options -v 1 and -v 8.
```

Version 5.0.0:

```
This version:

* Includes upgrades of all Virus Total options from API v.2 to API v.3.
* Introduces a new option to check hashes within a given file using Virus Total.
* Introduces a new option to submit large files (>= 32 MB) to Virus Total.
* Changes all Virus Total options.
* Inverts the purposes of the Malpedia options ("m" and "M").
* Introduces a new purpose for the -D option.
* Removes the Malshare option to check a binary.
* Removes all Valhalla options completely.
* Changes all Malshare options.
* Removes the -g option.
* Changes all URLhaus options.
* Changes all Polyswarm options.
* Removes the -S and -z options.
* Upgrades, fixes and merges the Android options.
* Updates the Android options to the Android 11 version.
* Removes the -t and -T options.
* Fixes and changes the Hybrid Analysis options.
* Changes the -d option to Virus Total API v.3 with new content.
* Swaps options -q and -Q from ThreatCrowd.
* Fixes the tag option from Triage.
* Fixes URL formatting issues from URLhaus.
* Removes several support functions.
* Fixes several colour issues.
* Fixes descriptions.
* Changes the configuration, setup and requirement files.
* Removes many option letters used in previous versions.
```

Version 4.4.2:

```
This version:

* It is NO longer necessary to insert all APIs into the .malwapi.conf file before using Malwoverview. For example, if you
  have only the Virus Total and Hybrid Analysis APIs, you can use their respective options without needing to insert the
  remaining ones. The same rule is valid for any API and option.
* Small fixes have been done on the code and this README file.
```

Version 4.4.1:

```
This version:

* Improves and fixes a formatting issue with the cmd field from option -x 2.
```

Version 4.4.0.2:

```
This version:

* Improves and fixes a formatting issue with the cmd field from option -x 7.
```

Version 4.4:

```
This version:

* Introduces the Triage endpoint and seven associated options.
* Changes the overlay extraction option (previously -x) to -v 4.
```

Version 4.3.5:

```
This version:

* Fixes formatting issues related to option -M 6 from Malpedia.
* Fixes formatting issues related to option -W from URLHaus.
* Fixes formatting issues related to option -k from URLHaus.
* Fixes working issues related to option -L from Malshare.
* Corrects misspelled words.
```

Version 4.3.4:

```
This version:

* Removes two columns from option -y 1 (Android package checking on HA) to offer better formatting.
```

Version 4.3.3:

```
This version:

* Fixes output formatting of option -y (Android package checking on VT and HA).
* Fixes an issue with option -y while using -o 0.
```

Version 4.3.2:

```
This version:

* Fixes output formatting of option -n 2 (Alien Vault).
* Fixes URL output formatting of long URLs when using option -I (Virus Total).
* Fixes option -f when using a binary without an IAT (Virus Total).
* Fixes option -B 10, which caused an endless loop (ThreatFox).
* Fixes an option formatting issue related to -K 2 when fetched URLs were long (URLHaus).
* Introduces the "FireEye" endpoint in the -v 2 output (VirusTotal). This addition has been suggested by @vxsh4d0w.
```

Version 4.3.1:

```
This version:

* Introduces a fix in the "-b 8" ThreatFox option.
* Corrects sentences in the help section.
```

Version 4.3:

```
This version:

* Introduces Malware Bazaar and ThreatFox endpoints, with 5 options for each one.
  to get the APIs.
* Changes the background option from -b to -o.
* Fixes problems on Malpedia and URLHaus options.
```

Version 4.2:

```
This version:

* Fixes the -L option from Malshare.
* Introduces additional instructions in README.md (this file) to help professionals get the APIs.
```

Version 4.1:

```
This version:

* Introduces the -E and -C options for the Valhalla service (https://www.nextron-systems.com/valhalla/).
* Introduces a few changes in the setup.py file (contribution from Christian Clauss).
* Introduces a new contributor: Christian Clauss (https://github.com/cclauss).
```

Version 4.0.3:

```
This version:

* Fixes the fact that the Virus Total evaluation wasn't shown when the user specified the "-v 2" and "-v 3" options.
* The version of the Python requests package is pinned to prevent issues with Polyswarm API 2.x.
```

Version 4.0.2:

```
This version:

* Two small bugs (typos) in the functions for Polyswarm downloading and Android package checking have been fixed.
* Unnecessary dead code has been removed.
* Several typos in the README.md and in the help have been corrected.
* All fixes for this version have been suggested by Christian Clauss (https://github.com/cclauss).
```

Version 4.0.1:

```
This version:

* Fixes small typos and the README.
```

Version 4.0.0:

```
This version:

* Introduces new engines such as Alien Vault, Malpedia and ThreatCrowd.
* The -s option has been removed. Use the -v 2 option for the antivirus report.
* The -n option is no longer associated with Malshare. Use the -l option with values between 1 and 14.
* To specify the hash in Malshare use the -L option instead of the -m option.
* The -i option has been removed. Use the -v 3 option for IAT/EAT.
* The -a option has been changed to include the system environments in Hybrid Analysis. However, the -e option has been
  kept to be used with other options.
* The -M option is no longer responsible for downloading samples from Malshare. Use the -D option for this task.
* The -B option for listing URLs from URLHaus has been replaced by the -K 2 option.
* The -Z and -X options (related to Android) have been replaced by -y 2 and -y 3, respectively.
* The -D option (download a malware sample) has been extended to Polyswarm.
* The malware sample's DLL list has been introduced.
* The -R and -G options from Polyswarm have been completely fixed. Additionally, both also include the polyscore in the output.
* The -N option is no longer associated with Polyswarm.
* The -G 4 option has been introduced, and it makes it possible to search samples by families and types such as
  "*Trickbot*", "*Ransomware", "*Trojan*" and so on.
* Colours from the -I option have been fixed.
* The -w option has been removed.
* Several issues in the help have been fixed.
```

Version 3.1.2:

```
This version:

* Introduces the -c option, which allows the user to specify a custom API configuration file.
* The API configuration file has been changed to the .malwapi.conf file.
* The project structure has been changed to make it easier to install on different operating systems.
* Updates for this version are a contribution from Corey Forman (https://github.com/digitalsleuth).
```

Version 3.0.0:

```
This version:

* Includes fixes in the URL reporting (-u option) from Virus Total.
* New players have been included in the URL reporting (-u option) from Virus Total.
* Fixes have been included in the payload listing (-K option) from URLhaus.
* Yara information has been included in the hash report (-m option) from Malshare.
* Fixes have been included in the -l option.
* New file types have been included in the -n option: Java, Zip, data, RAR, PDF, Composite (OLE), MS_DOS and UTF-8.
* New -W option, which is used to show URLs related to user-provided tags from URLHaus.
* New -k option, which is used to show payloads related to a tag from URLHaus.
* New -I option, which is used to show information related to an IP address from Virus Total.
* The -R option was refactored and now supports searching for a file, IPv4, domain or URL on Polyswarm.
```

Version 2.5.0:

```
This version:

* Introduces the following options:
  * -y to check all third-party APKs from an Android device against Hybrid Analysis.
  * -Y to send a third-party APK from an Android device to Hybrid Analysis.
* -Z to check all third-party APKs from an Android device against the Virus Total. * -X to check all third-party APKs from an Android device against the Virus Total (it is necessary private API). * -T to send a third-party APK from an Android device to Virus Total. * Fixes several issues related to color in command outputs. * Adds the filename identification in the report while sending a sample to Virus Total. ``` 版本 2.1.9.1: ``` This version: * Fixes several issues about colors in outputs. * Removes the -L option from Malshare (unfortunately, Malshare doesn't provide an URL list anymore). * Removes the -c option. * Introduces some verification lines in the URLHaus command. ``` 版本 2.1: ``` This version: * Fixes formatting issues related to Hybrid Analysis output (-Q 1 -a 1). * Fixes color issues. * Fixes small issues related to Polyswarm. ``` 版本 2.0.8.1: ``` This version: * Introduces installation using: pip3.8 install malwoverview (Linux) or python -m pip install malwoverviewwin (Windows). * Fixes small problems related to Polyswarm usage. * Changes the help to verify whether the APIs were inserted into configmalw.py file. ``` 版本 2.0.1: ``` This version: * Fixes a problem related to searching by hash on Malshare (-m option). * Fixes a problem related to searching by hash on Polyswarm (-O option). ``` 版本 2.0.0: ``` This version: * Introduces a completely ported version of Malwoverview to Python 3.x (it does not work in Python 2.7.x anymore!) * Fixes several bugs related to IAT/EAT listing. * Fixes several bugs related to colors. * Introduces multi-threading to some options. * Introduces several options related to Malshare. * Introduces several options related to URLHaus. * Introduces several options related to Polyswarm engine. * Changes the place of the API key configuration. Now you should edit the configmalw.py file. * Changes the help libraries and functions, so making the Malwoverview's help more complete. 
* Introduces geolocation feature by using the package named Geocoder written by Dennis Carrierre. * Fixes problems related to Hybrid Analysis engine. * Fixes several mistaked related to a mix between spaces and Tab. * Extends the -d option to include Hybrid Analysis. ``` 版本 1.7.5: ``` This version: * It has been fixed a problem related to sample submission to Hybrid Analysis on Windows operating system. Additionally, file name handling has been also fixed. ``` 版本 1.7.3: ``` This version: * Malwoverview has been adapted to API version 2.6.0 of Hybrid Analysis. * -A option has been fixed according to new version (2.6.0) of Hybrid Analysis. * -a option has been modified to work together with -e option. * help information has been modified. ``` 版本 1.7.2: ``` This version: * A small fix related to -g option has been included. ``` 版本 1.7.1: ``` This version: * Relevant fix of a problem related to options -A and -H options. * Includes a new Hybrid Analysis environment to the -e option (Windows 7 32-bits with HWP support). * Updates the Malwoverview to support Hybrid Analysis API version 2.5.0. ``` 版本 1.7.0: ``` This version: * Includes -A option for submitting a sample to Hybrid Analysis. * Includes -g option for checking the status a submission of a sample to Hybrid Analysis. * Includes -e option for specifying the testing environment on the Hybrid Analysis. * Includes -r option for getting a complete domain report from Virus Total. * Modifies the -H options for working together the -e option. * Modifies several functions of the tool to prepare it for version 1.8.0 ``` 版本 1.6.3: ``` This version: * Includes creation of new functions aiming 1.7.0 version. * Includes new exception handling blocks. ``` 版本 1.6.2: ``` This version: * Includes small fixes. * For the Hybrid Analysis API version 2.40 is not longer necessary to include the API Secret. ``` 版本 1.6.1: ``` This version: * Includes small format fixes. 
``` 版本 1.6.0: ``` This version: * It is using the Hybrid Analysis API version 2.4.0. * Includes certificate information in the Hybrid Analysis report. * Includes MITRE information in the Hybrid Analysis report. * Includes an option to download samples from Hybrid Analysis. ``` 版本 1.5.1: ``` This version: * Small change to fix format issue in -d option. ``` 版本 1.5.0: ``` This version: * Includes the -u option to check URLs against Virus Total and associated engines. * Includes the -H option to find existing reports on Virus Total and Hybrid Analysis through the hash. * Includes the -V option to submit a file to Virus Total. Additionally, the report is shown after few minutes. * Includes two small fixes. ``` 版本 1.4.5.2: ``` This version: * Includes two small fixes. ``` 版本 1.4.5.1: ``` This version: * Includes one small fix. ``` 版本 1.4.5: ``` This version: * Adds the -w option to use malwoverview in Windows systems. * Improves and fixes colors when using -b option with black window. ``` 版本 1.4: ``` This version: * Adds the -a option for getting the Hybrid Analysis summary report. * Adds the -i option for listing imported and exported functions. Therefore, imported/exported function report was decoupled for a separated option. ``` 版本 1.3: ``` This version: * Adds the -p option for public Virus Total API. ``` 版本 1.2: ``` This version includes: * evaluates a single file (any filetype) * shows PE sessions. * shows imported functions. * shows exported function. * extracts overlay. * shows AV report from the main players. (any filetype) ``` 版本 1.1: ``` This version: * Adds the VT checking feature. ``` 版本 1.0: ``` Malwoverview is a tool to perform a first triage of malware samples in a directory and group them according to their import functions (imphash) using colors. This version: * Shows the imphash information classified by color. * Checks whether malware samples are packed. * Checks whether malware samples have overlay. * Shows the entropy of the malware samples. ```
Tags: Alien Vault, Android security, Ask search, CVE, DAST, ESC4, Hybrid Analysis, IPInfo, Malpedia, Malshare, Malware Bazaar, NIST, OSINT, Polyswarm, Python, ThreatFox, Triage, URLHaus, VirusTotal, hash lookup, threat intelligence, library, incident response, developer tools, rapid response tool, malicious samples, malware analysis, intelligence gathering, digital signature, no backdoor, sandbox detection, vulnerability lookup, vulnerability research, cybersecurity, privacy protection, integrated environment