LocCheck : A Tool For Simplifying The Process Of Researching IOCs

LocCheck is a tool for simplifying the process of researching file hashes, IP addresses, and other indicators of compromise (IOCs).

Features

Quickstart

pip install ioccheck

You can also run the code directly

git clone https://github.com/ranguli/ioccheck && cd ioccheck
poetry install

Usage

➜ ioccheck 275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f
Checking hash 275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f.
[] Hashing algorithm: SHA256 [] VirusTotal URL:
https://virustotal.com/gui/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/
[] VirusTotal detections: 61 engines (81%) detected this file. ╒══════════════╤════════════╤═══════════════════════════════╕ │ Antivirus │ Detected │ Result │ ╞══════════════╪════════════╪═══════════════════════════════╡ │ Malwarebytes │ No │ │ ├──────────────┼────────────┼───────────────────────────────┤ │ Avast │ Yes │ EICAR Test-NOT virus!!! │ ├──────────────┼────────────┼───────────────────────────────┤ │ ClamAV │ Yes │ Win.Test.EICAR_HDB-1 │ ├──────────────┼────────────┼───────────────────────────────┤ │ Kaspersky │ Yes │ EICAR-Test-File │ ├──────────────┼────────────┼───────────────────────────────┤ │ BitDefender │ Yes │ EICAR-Test-File (not a virus) │ ├──────────────┼────────────┼───────────────────────────────┤ │ Paloalto │ No │ │ ├──────────────┼────────────┼───────────────────────────────┤ │ TrendMicro │ Yes │ Eicar_test_file │ ├──────────────┼────────────┼───────────────────────────────┤ │ FireEye │ Yes │ EICAR-Test-File (not a virus) │ ├──────────────┼────────────┼───────────────────────────────┤ │ Sophos │ Yes │ EICAR-AV-Test │ ├──────────────┼────────────┼───────────────────────────────┤ │ Microsoft │ Yes │ Virus:DOS/EICAR_Test_File │ ├──────────────┼────────────┼───────────────────────────────┤ │ McAfee │ Yes │ EICAR test file │ ├──────────────┼────────────┼───────────────────────────────┤ │ Fortinet │ Yes │ EICAR_TEST_FILE │ ├──────────────┼────────────┼───────────────────────────────┤ │ AVG │ Yes │ EICAR Test-NOT virus!!! │ ╘══════════════╧════════════╧═══════════════════════════════╛ [*]VirusTotal reputation:
3392

Using the API

Creating a hash

>>>from ioccheck import Hash
>>>from ioccheck.services import VirusTotal
>>>eicar = Hash(“275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f”)
>>> #what kind of hash is this?
>>>print(eicar.hash_type)
SHA256

Looking up a hash

>>> # With no arguments, check() tries all supported services. API keys grabbed from ~/.ioccheck by default.
>>>eicar.check()
>>> #Alternatively:
>>>eicar.check(services=VirusTotal, config_path=/foo/bar/.ioccheck)

Researching a hash

>>>Check the VirusTotal report to see if Sophos detects our hash
>>>eicar.reports.virustotal.get_detections(engines=[“Sophos”])
{‘Sophos’: {‘category’: ‘malicious’, ‘engine_name’: ‘Sophos’, ‘engine_version’: ‘1.0.2.0’, ‘result’: ‘EICAR-AV-Test’, ‘method’: ‘blacklist’, ‘engine_update’: ‘20210314’}}
>>> #What is this hash known as?
>>> print(eicar.reports.virustotal.name)
‘eicar.com-2224’
>>> # How many AV engines are detecting this hash?
>>> eicar.reports.virustotal.detection_count
60

>>> # Just show me the VirusTotal API response!
>>> eicar.reports.virustotal.api_response
<vt.object.Object file 275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f>

R K

Recent Posts

How to Install Docker on Ubuntu (Step-by-Step Guide)

Docker is a powerful open-source containerization platform that allows developers to build, test, and deploy…

1 day ago

Uninstall Docker on Ubuntu

Docker is one of the most widely used containerization platforms. But there may come a…

1 day ago

Admin Panel Dorks : A Complete List of Google Dorks

Introduction Google Dorking is a technique where advanced search operators are used to uncover information…

2 days ago

Log Analysis Fundamentals

Introduction In cybersecurity and IT operations, logging fundamentals form the backbone of monitoring, forensics, and…

3 days ago

Networking Devices 101: Understanding Routers, Switches, Hubs, and More

What is Networking? Networking brings together devices like computers, servers, routers, and switches so they…

4 days ago

Sock Puppets in OSINT: How to Build and Use Research Accounts

Introduction In the world of Open Source Intelligence (OSINT), anonymity and operational security (OPSEC) are…

4 days ago