Malwoverview is a first response tool to perform an initial and quick triage on either a directory containing malware samples or a specific malware sample.
This tool aims to :
2a. Two or more sections with Entropy > 7.0 or < 1.0 ==> Packed.
2b. One one section with Entropy > 7.0 or two sections with SizeOfRawData ==> Likely packed.
2c. None section with Entropy > 7.0 or SizeOfRawData ==> not packed.
Malwoverview.py only examines PE/PE+ files, skipping everything else.
This tool was tested on a Kali Linux 2018 system and Windows 10. Therefore, it will be necessary to install:
$ apt-get install python
To install python-magic package you can execute the following command:
$ pip install python-magic
Or compiling it from the github repository:
$ git clone https://github.com/ahupp/python-magic
$ cd python-magic/
$ python setup.py build
$ python setup.py install
As there are serious problems about existing two versions of python-magic package, my recommendation is to install it from github (second procedure above) and copy the magic.py file to the SAME directory of malwoverview tool.
$ pip install pefile
$ pip install colorama
$ pip install simple-json
$ pip install requestsTo install python-magic package you can execute the following command:
C:\> pip install python-magic
Or compiling it from the github repository:
C:\> git clone https://github.com/ahupp/python-magic
C:\> cd python-magic/
C:\> python setup.py build
C:\> python setup.py install
C:\> pip install pefile
C:\> pip install colorama
C:\> pip install simple-json
C:\> pip install requestsC:\> pip install python-magic-bin==0.4.14
You must edit the malwoverview.py and insert your APIs and secret to enable Virus Total and Hybrid-Analysis checking:
VT:
VTAPI = '<----ENTER YOUR API HERE and UNCOMMENT THE LINE---->'
Hybrid-Analysis:
HAAPI = '<----ENTER YOUR API HERE and UNCOMMENT THE LINE---->'
HASECRET = '<----ENTER YOUR SECRET HERE and UNCOMMENT THE LINE---->'To use the malwoverview, execute the command as shown below:
$ python malwoverview -d <directory> -f <fullpath> -i <0|1> -b <0|1> -v <0|1> -a <0|1> -p <0|1> -s <0|1> -x <0|1>
-w <0|1>
where:
<directory> -d is the folder containing malware samples.
<fullpath> -f specifies the full path to a file. Shows general information about the file (any filetype).
(optional) -b 1 (optional) adapts the output colors to black window.
(optional) -i 1 show imports and exports (it is used with -f option).
(optional) -x 1 extracts overlay (it is used with -f option).
(optional) -v 1 queries Virus Total database for positives and totals (any filetype).
(optional) -a 1 (optional) query Hybrid Analysis database for general report.Thus, you need to edit the
malwoverview.py and insert your HA API and respective secret.
(optional) -s 1 shows antivirus reports from the main players. This option is used with
-f option (any filetype).
(optional) -p 1 use this option if you have a public Virus Total API. It forces a one minute wait
every 4 malware samples, but allows obtaining a complete evaluation of the malware repository.
(optional) -w 1 used when the OS is Microsoft Windows.
If you use Virus Total option, so it is necessary to edit the malwoverview.py and insert your VT API.
Remember that public VT API only allows 4 searches per second (as shown at the image above). Therefore, if you
are willing to wait some minutes, so you can use the -p option, which forces a one minute wait every 4 malware
samples, but allows obtaining a complete evaluation of the repository.
*ATENTION: if the directory contains many malware samples, so malwoverview.py could take some time. :)
Version 1.4.5
This versiom:
* Adds the -w option to use malwoverview in Windows systems.
* Improves and fixes colors when using -b option with black window.
Version 1.4:
This version:
* Adds the -a option for getting the Hybrid Analysis summary report.
* Adds the -i option for listing imported and exported functions. Therefore, imported/exported function
report was decoupled for a separated option.
Version 1.3:
This version:
* Adds the -p option for public Virus Total API.
Version 1.2:
This version includes:
* evaluates a single file (any filetype)
* shows PE sessions.
* shows imported functions.
* shows exported function.
* extracts overlay.
* shows AV report from the main players. (any filetype)
Version 1.1:
This version:
* Adds the VT checking feature.
Version 1.0:
Malwoverview is a tool to perform a first triage of malware samples in a directory and group them according
to their import functions (imphash) using colors. This version:
* Shows the imphash information classified by color.
* Checks whether malware samples are packed.
* Checks whether malware samples have overlay.
* Shows the entropy of the malware samples.
shadow-rs is a Windows kernel rootkit written in Rust, demonstrating advanced techniques for kernel manipulation…
Extract and execute a PE embedded within a PNG file using an LNK file. The…
Embark on the journey of becoming a certified Red Team professional with our definitive guide.…
This repository contains proof of concept exploits for CVE-2024-5836 and CVE-2024-6778, which are vulnerabilities within…
This took me like 4 days (+2 days for an update), but I got it…
MaLDAPtive is a framework for LDAP SearchFilter parsing, obfuscation, deobfuscation and detection. Its foundation is…