{"id":13510748,"url":"https://github.com/alexandreborges/malwoverview","last_synced_at":"2025-05-16T16:00:32.161Z","repository":{"id":39228838,"uuid":"147892666","full_name":"alexandreborges/malwoverview","owner":"alexandreborges","description":"Malwoverview is a first response tool used for threat hunting and offers intel information from Virus Total, Hybrid Analysis, URLHaus, Polyswarm, Malshare, Alien Vault, Malpedia, Malware Bazaar, ThreatFox, Triage, InQuest, VxExchange and IPInfo, and it is also able to scan Android devices against VT.","archived":false,"fork":false,"pushed_at":"2025-01-24T23:14:57.000Z","size":40254,"stargazers_count":3185,"open_issues_count":0,"forks_count":460,"subscribers_count":120,"default_branch":"master","last_synced_at":"2025-05-08T20:55:44.396Z","etag":null,"topics":["alienvault","cybersecurity","malpedia","malshare","malware","malware-analysis","malwarebazaar","threat-hunting","threatfox","threathunting","threatintelligence","triage","urlhaus","virustotal"],"latest_commit_sha":null,"homepage":"https://github.com/alexandreborges/malwoverview","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/alexandreborges.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2018-09-08T02:08:49.000Z","updated_at":"2025-05-07T15:58:18.000Z","dependencies_parsed_at":"2024-06-19T06:11:53.941Z","dependency_job_id":"bb7fa2d8-0533-42dc-972a-d89af4e75741","html_url":"https://github.com/alexandreborges/malwoverview","commit_stats":{"total_commits":560,"total_committers":7,"mean_commits":80.0,"dds":"0.11428
571428571432","last_synced_commit":"d5fc570750951dfcf1608525282b6cb01a753a41"},"previous_names":[],"tags_count":45,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/alexandreborges%2Fmalwoverview","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/alexandreborges%2Fmalwoverview/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/alexandreborges%2Fmalwoverview/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/alexandreborges%2Fmalwoverview/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/alexandreborges","download_url":"https://codeload.github.com/alexandreborges/malwoverview/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":253156601,"owners_count":21862960,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["alienvault","cybersecurity","malpedia","malshare","malware","malware-analysis","malwarebazaar","threat-hunting","threatfox","threathunting","threatintelligence","triage","urlhaus","virustotal"],"created_at":"2024-08-01T02:01:52.791Z","updated_at":"2025-05-08T22:25:57.378Z","avatar_url":"https://github.com/alexandreborges.png","language":"Python","funding_links":[],"categories":["Python","\u003ca id=\"e1fc1d87056438f82268742dc2ba08f5\"\u003e\u003c/a\u003e事件响应\u0026\u0026取证\u0026\u0026内存取证\u0026\u0026数字取证","Uncategorized","Python (1887)","[](#table-of-contents) Table of contents","threat-hunting","Malware 
Analysis"],"sub_categories":["\u003ca id=\"d0f59814394c5823210aa04a8fcd1220\"\u003e\u003c/a\u003e事件响应\u0026\u0026IncidentResponse","Uncategorized","[](#warc)Tools for working with WARC (WebARChive) files","Hashing"],"readme":"# Malwoverview\n\n[\u003cimg alt=\"GitHub release (latest by date)\" src=\"https://img.shields.io/github/v/release/alexandreborges/malwoverview?color=red\u0026style=for-the-badge\"\u003e](https://github.com/alexandreborges/malwoverview/releases/tag/v6.1.1) [\u003cimg alt=\"GitHub last commit\" src=\"https://img.shields.io/github/last-commit/alexandreborges/malwoverview?color=Yellow\u0026style=for-the-badge\"\u003e](https://github.com/alexandreborges/malwoverview/releases) [\u003cimg alt=\"GitHub Release Date\" src=\"https://img.shields.io/github/release-date/alexandreborges/malwoverview?label=Release%20Date\u0026style=for-the-badge\"\u003e](https://github.com/alexandreborges/malwoverview/releases) [\u003cimg alt=\"GitHub\" src=\"https://img.shields.io/github/license/alexandreborges/malwoverview?style=for-the-badge\"\u003e](https://github.com/alexandreborges/malwoverview/blob/master/LICENSE) \n[\u003cimg alt=\"GitHub stars\" src=\"https://img.shields.io/github/stars/alexandreborges/malwoverview?logoColor=Red\u0026style=for-the-badge\"\u003e](https://github.com/alexandreborges/malwoverview/stargazers)\n[\u003cimg alt=\"Twitter Follow\" src=\"https://img.shields.io/twitter/follow/ale_sp_brazil?style=for-the-badge\u0026logo=X\u0026color=blueviolet\"\u003e](https://twitter.com/ale_sp_brazil)\n[\u003cimg alt=\"Downloads/Last Month\" src=\"https://img.shields.io/pypi/dm/malwoverview?color=blue\u0026style=for-the-badge\u0026label=Last%20Month\"\u003e](https://pypistats.org/packages/malwoverview)\n[![Downloads](https://static.pepy.tech/personalized-badge/malwoverview?period=month\u0026units=international_system\u0026left_color=grey\u0026right_color=orange\u0026left_text=Last%2030%20days)](https://pepy.tech/project/malwoverview)\n[\u003cimg 
alt=\"Downloads/Total\" src=\"https://static.pepy.tech/personalized-badge/malwoverview?period=total\u0026units=international_system\u0026left_color=grey\u0026right_color=red\u0026left_text=Total%20Downloads\"\u003e](https://pepy.tech/project/malwoverview)\n\n![Alt text](pictures/picture_1.jpg?raw=true \"Title\")\n![Alt text](pictures/picture_2.jpg?raw=true \"Title\")\n![Alt text](pictures/picture_3.jpg?raw=true \"Title\")\n![Alt text](pictures/picture_4.jpg?raw=true \"Title\")\n![Alt text](pictures/picture_5.jpg?raw=true \"Title\")\n![Alt text](pictures/picture_6.jpg?raw=true \"Title\")\n![Alt text](pictures/picture_7.jpg?raw=true \"Title\")\n![Alt text](pictures/picture_8.jpg?raw=true \"Title\")\n![Alt text](pictures/picture_9.jpg?raw=true \"Title\")\n![Alt text](pictures/picture_10.jpg?raw=true \"Title\")\n![Alt text](pictures/picture_11.jpg?raw=true \"Title\")\n![Alt text](pictures/picture_12.jpg?raw=true \"Title\")\n![Alt text](pictures/picture_13.jpg?raw=true \"Title\")\n![Alt text](pictures/picture_14.jpg?raw=true \"Title\")\n![Alt text](pictures/picture_15.jpg?raw=true \"Title\")\n![Alt text](pictures/picture_16.jpg?raw=true \"Title\")\n![Alt text](pictures/picture_17.jpg?raw=true \"Title\")\n![Alt text](pictures/picture_18.jpg?raw=true \"Title\")\n![Alt text](pictures/picture_19.jpg?raw=true \"Title\")\n![Alt text](pictures/picture_20.jpg?raw=true \"Title\")\n![Alt text](pictures/picture_21.jpg?raw=true \"Title\")\n![Alt text](pictures/picture_22.jpg?raw=true \"Title\")\n![Alt text](pictures/picture_23.jpg?raw=true \"Title\")\n![Alt text](pictures/picture_24.jpg?raw=true \"Title\")\n![Alt text](pictures/picture_25.jpg?raw=true \"Title\")\n![Alt text](pictures/picture_26.jpg?raw=true \"Title\")\n![Alt text](pictures/picture_27.jpg?raw=true \"Title\")\n![Alt text](pictures/picture_28.jpg?raw=true \"Title\")\n![Alt text](pictures/picture_29.jpg?raw=true \"Title\")\n![Alt text](pictures/picture_30.jpg?raw=true \"Title\")\n![Alt 
text](pictures/picture_31.jpg?raw=true \"Title\")\n![Alt text](pictures/picture_32.jpg?raw=true \"Title\")\n![Alt text](pictures/picture_33.jpg?raw=true \"Title\")\n![Alt text](pictures/picture_34.jpg?raw=true \"Title\")\n![Alt text](pictures/picture_35.jpg?raw=true \"Title\")\n![Alt text](pictures/picture_36.jpg?raw=true \"Title\")\n![Alt text](pictures/picture_37.jpg?raw=true \"Title\")\n![Alt text](pictures/picture_38.jpg?raw=true \"Title\")\n![Alt text](pictures/picture_39.jpg?raw=true \"Title\")\n![Alt text](pictures/picture_40.jpg?raw=true \"Title\")\n![Alt text](pictures/picture_41.jpg?raw=true \"Title\")\n![Alt text](pictures/picture_42.jpg?raw=true \"Title\")\n![Alt text](pictures/picture_43.jpg?raw=true \"Title\")\n![Alt text](pictures/picture_44.jpg?raw=true \"Title\")\n![Alt text](pictures/picture_45.jpg?raw=true \"Title\")\n![Alt text](pictures/picture_46.jpg?raw=true \"Title\")\n![Alt text](pictures/picture_47.jpg?raw=true \"Title\")\n![Alt text](pictures/picture_48.jpg?raw=true \"Title\")\n![Alt text](pictures/picture_49.jpg?raw=true \"Title\")\n![Alt text](pictures/picture_50.jpg?raw=true \"Title\")\n\n      Copyright (C)  2018-2025 Alexandre Borges (https://exploitreversing.com) \n\n      This program is free software: you can redistribute it and/or modify\n      it under the terms of the GNU General Public License as published by\n      the Free Software Foundation, either version 3 of the License, or\n      (at your option) any later version.\n\n      This program is distributed in the hope that it will be useful,\n      but WITHOUT ANY WARRANTY; without even the implied warranty of\n      MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  
See the\n      GNU General Public License for more details.\n\n      See GNU Public License on \u003chttp://www.gnu.org/licenses/\u003e.\n\n\n## Current Version: 6.1.1\n\n     Important note:  Malwoverview does NOT submit samples to any endpoint by default, \n     so it respects possible Non-Disclosure Agreements (NDAs). There are specific options\n     that explicitly submit samples; these options are explained in the help.\n\n\n## ABOUT\n\nMalwoverview.py is a first response tool for threat hunting, which performs an initial and quick \ntriage of malware samples, URLs, IP addresses, domains, malware families, IOCs and hashes. Additionally,\nMalwoverview is able to get dynamic and static behavior reports, and to submit and download samples\nfrom several endpoints. In short, it works as a client to the main existing sandboxes. \n\nThis tool aims to: \n\n01. Determine similar executable malware samples (PE/PE+) according to the import table (imphash) and group \n    them by different colors (pay attention to the second column of the output). Thus, colors matter!\n02. Show hash information on Virus Total, Hybrid Analysis, Malshare, Polyswarm, URLhaus, Alien Vault, \n    Malpedia and ThreatCrowd engines. \n03. Determine whether the malware samples contain an overlay and, if you want, extract it. \n04. Check suspect files on Virus Total, Hybrid Analysis and Polyswarm.\n05. Check URLs on Virus Total, Malshare, Polyswarm, URLhaus engines and Alien Vault. \n06. Download malware samples from Hybrid Analysis, Malshare, URLHaus, Polyswarm and Malpedia engines.\n07. Submit malware samples to VirusTotal, Hybrid Analysis and Polyswarm.\n08. List the latest suspected URLs from URLHaus.\n09. List the latest payloads from URLHaus. \n10. Search for specific payloads on Malshare.\n11. Search for similar payloads (PE32/PE32+) on the Polyswarm engine.\n12. Classify all files in a directory searching information on Virus Total and Hybrid Analysis. \n13. 
Make reports about a suspect domain using different engines such as VirusTotal, Malpedia and \n    ThreatCrowd. \n14. Check APK packages directly from Android devices against Hybrid Analysis and Virus Total. \n15. Submit APK packages directly from Android devices to Hybrid Analysis and Virus Total. \n16. Show URLs related to a user-provided tag from URLHaus.\n17. Show payloads related to a tag (signature) from URLHaus.\n18. Show information about an IP address from Virus Total, Alien Vault, Malpedia and ThreatCrowd.\n19. Show IP address, domain and URL information from Polyswarm. \n20. Perform a meta-search on the Polyswarm Network using several criteria: imphash, IPv4, domain, URL and\n    malware family. \n21. Gather threat hunting information from AlienVault using different criteria. \n22. Gather threat hunting information from Malpedia using different criteria. \n23. Gather threat hunting information from Malware Bazaar using different criteria. \n24. Gather IOC information from ThreatFox using different criteria. \n25. Gather threat hunting information from Triage using different criteria. \n26. Check the hashes listed in a given file against Virus Total. \n27. Submit large files (\u003e= 32 MB) to Virus Total. \n28. Malwoverview uses Virus Total API v.3, so there is no longer any option using v.2.\n29. Retrieve different information from InQuest Labs and download samples from there. \n30. Retrieve information and download malware samples from Virus Exchange (vxunderground). \n31. Retrieve information about a given IP address from the IPInfo service.\n32. Retrieve information about a given IP address from the BGPView service.\n33. Retrieve combined information about a given IP address from multiple services.\n34. 
Offer an extra option to save any downloaded file to a central location.\n\n## CONTRIBUTORS\n\n      Alexandre Borges (https://github.com/alexandreborges) | project owner and main developer\n      Artur Marzano (https://github.com/Macmod) | co-main developer\n      Corey Forman (https://github.com/digitalsleuth) | responsible for REMnux integration\n      Christian Clauss (https://github.com/cclauss)\n\n## HOW TO CONTRIBUTE TO THIS PROJECT\n\nSince version 6.0.0, there is a new branch named \"dev\". All contributions and proposals \nmust be made against this \"dev\" branch.\n\nProfessionals who want to contribute must open an issue explaining the proposed improvement \nand how it would make the project better. Once it has been accepted, the contributor is \nauthorized to submit the PR, which will be tested. \n\nOnce all changes are tested, the new version of Malwoverview is replicated to the master \nbranch and a new Python package is generated.\n\n## INSTALLATION\n\nThis tool has been tested on REMnux, Ubuntu, Kali Linux, macOS and Windows. Malwoverview \ncan be installed by executing the following command:\n\n      * pip3.11 install git+https://github.com/alexandreborges/malwoverview (preferred method; append @v6.1.1 to the URL to pin the released version instead of the master branch) \n      \n      or...\n      \n      * python -m pip install -U malwoverview\n      \nIf you want to install Malwoverview on macOS, you have to execute the following commands:\n\n      * /bin/bash -c \"$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)\"\n      * brew install libmagic\n      * pip3 install urllib3==1.26.6\n      * pip3 install -U malwoverview\n      * Add the Python binary directory to the PATH variable by editing the .bash_profile file in your home \n        directory. Example:\n\n          export PATH=$PATH:/Users/alexandreborges/Library/Python/3.9/bin\n\n      * Execute: . 
./.bash_profile\n\nIf you are installing Malwoverview on Windows, make sure that the following conditions are true  \nAFTER having installed Malwoverview:\n\n      * python-magic is NOT installed. (pip show python-magic)\n      * python-magic-bin IS installed. (pip show python-magic-bin)\n\n#### Note: It is recommended to save the .malwapi.conf file before any update!\n\n\n## REQUIRED APIs\n\nMalwoverview no longer requires all API keys to be configured, so professionals can \nuse it without having registered for every service. Obviously, to use certain options it is necessary to \nadd the respective API key to the .malwapi.conf file, whose format is shown below. \n\nTo use all options of Malwoverview you must insert the respective API key of the following services:\nVirusTotal, Hybrid Analysis, URLHaus, Malshare, Polyswarm, Alien Vault, Malpedia, Triage, \nInQuest, Virus Exchange and IPInfo into the .malwapi.conf configuration file, which must be present \n(or created) in the home directory (/home/[username] or /root on Linux, and C:\\Users\\[username] \non Windows). Alternatively, users can create a custom configuration file and indicate it by \nusing the -c option.\n\nTo highlight: if the .malwapi.conf file does not exist in your home directory, you must \ncreate it! Because this file holds API keys, keep it readable only by your own user account \n(for example, mode 0600 on Linux and macOS) and never commit it to a repository.\n\n* A special note about Alien Vault: it is necessary to subscribe to pulses on the Alien Vault \nwebsite before using the -n 1 option.\n\nThe .malwapi.conf configuration file has the following format:\n\n      [VIRUSTOTAL]\n      VTAPI = \n\n      [HYBRID-ANALYSIS]\n      HAAPI = \n\n      [MALSHARE]\n      MALSHAREAPI = \n\n      [HAUSSUBMIT]\n      HAUSSUBMITAPI =\n\n      [POLYSWARM]\n      POLYAPI = \n\n      [ALIENVAULT]\n      ALIENAPI = \n\n      [MALPEDIA]\n      MALPEDIAAPI =\n\n      [TRIAGE]\n      TRIAGEAPI =\n\n      [INQUEST]\n      INQUESTAPI =\n\n      [VIRUSEXCHANGE]\n      VXAPI =  \n\n      [IPINFO]\n      IPINFOAPI =  \n\nThe API keys can be requested on the respective service websites:\n\n01. 
Virus Total (community and paid API): https://www.virustotal.com/gui/join-us\n02. Hybrid Analysis: https://www.hybrid-analysis.com/signup\n03. Malshare: https://malshare.com/doc.php\n04. URLHaus: https://urlhaus.abuse.ch/api/#account \n05. Polyswarm: https://docs.polyswarm.io/consumers\n06. Alien Vault: https://otx.alienvault.com/api\n07. Malpedia: It doesn't offer open registration, but you can request a user account \n    directly through Twitter (DM) or the feedback e-mail. The Malpedia Twitter \n    handle is @malpedia.\n08. Malware Bazaar: No API key is necessary.\n09. ThreatFox: No API key is necessary.\n10. InQuest: https://labs.inquest.net/.\n11. Triage: https://tria.ge/signup.\n12. Virus Exchange: https://virus.exchange/ \n13. IPInfo: https://ipinfo.io/ \n14. BGPView: https://bgpview.docs.apiary.io/\n\n\n----------------------------------------------------\nA special note about API requests to MALPEDIA:\n----------------------------------------------------\n\nAccess is granted through community vetting. It is therefore recommended that \nyou send the API request from your business e-mail address and NOT from a \npublic/free one (Gmail, Outlook and so on). Additionally, providing further \ninformation about yourself (LinkedIn account, Twitter and so on) makes it \nsimpler to verify your identity, professional profile and legitimacy, \nwhich speeds up the approval of your request.  
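The following loader for the .malwapi.conf format shown above is an added example written for this page; it is not part of Malwoverview. It parses the documented sections with the standard configparser module, reports which services have a key and which command-line option groups are therefore unavailable, never echoes more than the last four characters of a key, and flags a key file whose mode lets other local users read it. The mapping from service to option group is an assumption taken from the HELP section (some query-only sub-options may work without a key), the helper names were chosen for this example, and the sample configuration below is constructed with placeholder values.

```python
import configparser
import os
import stat

# Section and key names exactly as documented for .malwapi.conf, mapped to the
# command-line option groups that depend on them (mapping assumed from the HELP
# section; some query-only sub-options may work without a key).
SERVICES = {
    'VIRUSTOTAL':      ('VTAPI',         '-v/-V, -d'),
    'HYBRID-ANALYSIS': ('HAAPI',         '-a/-A'),
    'MALSHARE':        ('MALSHAREAPI',   '-l/-L'),
    'HAUSSUBMIT':      ('HAUSSUBMITAPI', '-j/-J'),
    'POLYSWARM':       ('POLYAPI',       '-p/-P'),
    'ALIENVAULT':      ('ALIENAPI',      '-n/-N'),
    'MALPEDIA':        ('MALPEDIAAPI',   '-m/-M'),
    'TRIAGE':          ('TRIAGEAPI',     '-x/-X'),
    'INQUEST':         ('INQUESTAPI',    '-i/-I'),
    'VIRUSEXCHANGE':   ('VXAPI',         '-vx/-VX'),
    'IPINFO':          ('IPINFOAPI',     '-ip/-IP'),
}

# Constructed sample configuration: only two services have a key and the
# values are placeholders, not real credentials.
SAMPLE_CONF = '''
[VIRUSTOTAL]
VTAPI = 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef

[HYBRID-ANALYSIS]
HAAPI =

[TRIAGE]
TRIAGEAPI = placeholder_triage_key_1234

[IPINFO]
IPINFOAPI =
'''


def parse_malwapi_conf(text):
    '''Return {section: key value} for every documented section; a missing
    section or an empty assignment maps to an empty string.'''
    # interpolation=None so a key containing a percent sign is not mangled
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(text)
    keys = {}
    for section, (option, _flags) in SERVICES.items():
        value = ''
        if parser.has_option(section, option):
            value = parser.get(section, option).strip()
        keys[section] = value
    return keys


def unavailable_options(keys):
    '''Option groups whose service has no key; the matching malwoverview
    options cannot work until the key is added.'''
    return sorted(flags for section, (_option, flags) in SERVICES.items()
                  if not keys.get(section))


def redact(secret):
    '''Keep only the last four characters when echoing a key to a terminal or log.'''
    if len(secret) <= 4:
        return '*' * len(secret)
    return '*' * (len(secret) - 4) + secret[-4:]


def mode_findings(mode):
    '''Findings for a key file mode: any group or world permission bit lets
    other local users read the API keys.'''
    findings = []
    if mode & stat.S_IRWXG:
        findings.append('group-accessible')
    if mode & stat.S_IRWXO:
        findings.append('world-accessible')
    return findings


def audit_file(path):
    '''Audit a real .malwapi.conf on disk (the -c argument or the home directory default).'''
    with open(path, encoding='utf-8') as handle:
        keys = parse_malwapi_conf(handle.read())
    return keys, unavailable_options(keys), mode_findings(os.stat(path).st_mode)


if __name__ == '__main__':
    keys = parse_malwapi_conf(SAMPLE_CONF)
    for section, value in keys.items():
        print(section, redact(value) if value else '(missing)')
    print('options without a key:', unavailable_options(keys))
    print('findings for mode 0644:', mode_findings(0o644))
```

Running audit_file on the real file before an update is the practical check: it tells you which option groups will fail for lack of a key and whether the file that holds your VirusTotal and sandbox credentials is readable by other accounts on the analysis box.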
\n\n\n----------------------------------------------------\nAdditional explanation about Triage:\n----------------------------------------------------\n\nEvery Triage operation is based on the Triage ID of each artifact, so you first need to\nrun \"-x 1 -X \\\u003cattribute\\\u003e:\\\u003cvalue\\\u003e\" to find the correct ID of the artifact, and then\nuse that ID with the remaining Triage options (-x [2-7]) to get \nfurther threat hunting information from the Triage endpoint.\n\n\n----------------------------------------------------\nNote about background color of the terminal:\n----------------------------------------------------\n\nMalwoverview has been written to produce output for a \ndark background terminal. However, there is the -o 0 \noption, which adapts the output colors to a \nlight background.\n\n-----------------------------------------------------\n\n\nTo check the installation, execute:\n\n       malwoverview --help\n       \nFurther information is available on: \n\n       (PYPI.org repository) https://pypi.org/project/malwoverview/\n       (Github) https://github.com/alexandreborges/malwoverview\n\nIf you want to perform the manual installation (it is not usually necessary), a few steps \nshould be executed, as shown in the next sub-section. \n\n\n## MANUAL INSTALLATION (REMnux and Ubuntu)\n\n1. Python version 3.11 or later (Only Python 3.x !!! It does NOT work using Python 2.7) \n\n       $ apt-get install python3.11  (for example)\n\n2. Python-magic.  
\n\n      To install the python-magic package you can execute the following command:\n\n       $ pip3.11 install python-magic\n\n      Or you can build it from the GitHub repository:\n\n       $ git clone https://github.com/ahupp/python-magic\n       $ cd python-magic/\n       $ python3.11 setup.py build\n       $ python3.11 setup.py install\n\n      As there are serious issues related to the existence of two versions of the python-magic package, the  \n      recommendation is to install it from GitHub (second procedure above) and copy the magic.py \n      file to the SAME directory as the malwoverview tool. \n      \n3. Install all needed Python packages: \n\n       $ pip3.11 install -r requirements.txt\n\n       OR\n\n       $ pip3.11 install -U pefile\n       $ pip3.11 install -U colorama\n       $ pip3.11 install -U simplejson\n       $ pip3.11 install -U python-magic\n       $ pip3.11 install -U requests\n       $ pip3.11 install -U validators\n       $ pip3.11 install -U geocoder\n       $ pip3.11 install -U polyswarm-api\n       $ pip3.11 install -U pathlib\n       $ pip3.11 install -U configparser\n\n4. 
To check an Android device you need to install the \"adb\" tool:\n\n       $ sudo apt-get install adb\n\n   PS: before trying the Android options, check:\n\n       * That the adb tool is listed in the PATH environment variable.\n       * That the system has authorized access to the device (verify with \"adb devices -l\").\n\n\n## HELP\n\nusage: python malwoverview.py -c \u003cAPI configuration file\u003e -d \u003cdirectory\u003e -o \u003c0|1\u003e -v \u003c1-13\u003e\n-V \u003cargument\u003e -a \u003c1-15\u003e -w \u003c0|1\u003e -A \u003cfilename\u003e -l \u003c1-7\u003e -L \u003chash\u003e -j \u003c1-7\u003e \n-J \u003cargument\u003e -p \u003c1-8\u003e -P \u003cargument\u003e -y \u003c1-5\u003e -Y \u003cfile name\u003e -n \u003c1-5\u003e \n-N \u003cargument\u003e -m \u003c1-8\u003e -M \u003cargument\u003e -b \u003c1-10\u003e -B \u003cargument\u003e -x \u003c1-7\u003e -X \u003cargument\u003e -i \u003c1-13\u003e \n-I \u003cargument\u003e -vx \u003c1-2\u003e -VX \u003cargument\u003e -ip \u003c1-3\u003e -IP \u003cargument\u003e -O \u003cdirectory\u003e \n\nMalwoverview is a first response tool for threat hunting written by Alexandre Borges. \n\n\u003e Options:\n\n\t-h, --help\n\t\n\t\t+ show this help message and exit\n\n\t-c CONFIG FILE, --config CONFIG FILE\n\t\n\t\t+ Use a custom config file to specify API keys.\n\n\t-d DIRECTORY, --directory DIRECTORY\n\t\n\t\t+ Specifies the directory containing malware samples to be checked against VIRUS TOTAL.\n\t\t+ Use the option -D to decide whether you are using a public VT API or a Premium \n\t\tVT API.\n\n\t-o BACKGROUND, --background BACKGROUND\n\t\n\t\t+ Adapts the output colors to a light background color terminal. 
\n\t\t+ The default is a dark background color terminal.\n\n\t-v VIRUSTOTAL, --virustotal_option VIRUSTOTAL\n\n\t\t+ -v 1: given a file using the -V option, it queries the VIRUS TOTAL database (API v.3)\n\t\t\t  to get the report for the given file.\n\t\t+ -v 2: shows an antivirus report for a given file using the -V option (API v.3);\n\t\t+ -v 3: equal to -v 2, but the binary's IAT and EAT are also shown (API v.3); \n\t\t+ -v 4: extracts the overlay; \n\t\t+ -v 5: submits a URL to VT for scanning; \n\t\t+ -v 6: submits an IP address to Virus Total; \n\t\t+ -v 7: gets a report on the provided domain from Virus Total; \n\t\t+ -v 8: verifies a given hash against Virus Total; \n\t\t+ -v 9: submits a sample to VT (up to 32 MB). Use forward slashes to specify the \n\t\t\t   target file on Windows systems. Requires passing the sample file with the -V option; \n\t\t+ -v 10: verifies hashes from a file provided through option -V. This option uses \n\t\t\t\tthe public VT API v.3;\n\t\t+ -v 11: verifies hashes from a file provided through option -V. This option uses \n\t\t\t\tthe Premium API v.3; \n\t\t+ -v 12: shows behaviour information of a sample given a hash through option -V. \n\t\t\t\tThis option uses VT API v.3; \n\t\t+ -v 13: submits LARGE files (above 32 MB)\n\t\t\t\tto VT using API v.3;\n\n\t-V VIRUSTOTAL_ARG, --virustotal_arg VIRUSTOTAL_ARG\n\t\n\t\t+ Provides arguments for the -v option.\n\n\t-a HYBRID_ANALYSIS, --hybrid_option HYBRID_ANALYSIS\n\t\n\t\t+ This parameter fetches reports from HYBRID ANALYSIS, downloads samples and submits\n\t\tsamples to be analyzed. 
\n\t\t+ The possible values are: \n\t\t\t+ 1: gets a report for a given hash or sample from a Windows 7 32-bit environment; \n\t\t\t+ 2: gets a report for a given hash or sample from a Windows 7 32-bit \n\t\t\tenvironment (HWP Support); \n\t\t\t+ 3: gets a report for a given hash or sample from a Windows 64-bit environment; \n\t\t\t+ 4: gets a report for a given hash or sample from an Android environment; \n\t\t\t+ 5: gets a report for a given hash or sample from a Linux 64-bit environment; \n\t\t\t+ 6: submits a sample to a Windows 7 32-bit environment; \n\t\t\t+ 7: submits a sample to a Windows 7 32-bit environment with HWP support; \n\t\t\t+ 8: submits a sample to a Windows 7 64-bit environment;\n\t\t\t+ 9: submits a sample to an Android environment; \n\t\t\t+ 10: submits a sample to a Linux 64-bit environment;\n\t\t\t+ 11: downloads a sample from a Windows 7 32-bit environment; \n\t\t\t+ 12: downloads a sample from a Windows 7 32-bit HWP environment; \n\t\t\t+ 13: downloads a sample from a Windows 7 64-bit environment; \n\t\t\t+ 14: downloads a sample from an Android environment; \n\t\t\t+ 15: downloads a sample from a Linux 64-bit environment.\n\t\t\t\n\t-A SUBMIT_HA, --ha_arg SUBMIT_HA\n\t\n\t\t+ Provides an argument for the -a option from HYBRID ANALYSIS.\n\n\t-D VT_PUBLIC_PREMIUM, --vtpubpremium VT_PUBLIC_PREMIUM\n\t\n\t\t+ This option must be used with the -d option. \n\t\t+ Possible values: \n\t\t\t+ \u003c0\u003e it uses the Premium VT API v3 (default); \n\t\t\t+ \u003c1\u003e it uses the Public VT API v3.\n\t\t\t\n\t-l MALSHARE_HASHES, --malsharelist MALSHARE_HASHES\n\t\n\t\t+ This option downloads a sample or lists hashes of a specific file type\n\t\tfrom the last 24 hours from the MALSHARE repository. 
\n\t\t+ Possible values are: \n\t\t\t+ 1: Download a sample; \n\t\t\t+ 2: PE32 (default); \n\t\t\t+ 3: ELF; \n\t\t\t+ 4: Java; \n\t\t\t+ 5: PDF; \n\t\t\t+ 6: Composite (OLE); \n\t\t\t+ 7: List of hashes from the past 24 hours.\n\n\t-L MALSHARE_HASH_SEARCH, --malshare_hash MALSHARE_HASH_SEARCH\n\t\n\t\t+ Provides a hash as argument for downloading a sample from the MALSHARE repository.\n\t\t\n\t-j HAUS_OPTION, --haus_option HAUS_OPTION\n\t\n\t\t+ This option fetches information from URLHaus depending on the value passed as argument: \n\t\t\t+ 1: downloads the given sample; \n\t\t\t+ 2: queries information about a \n\t\t\tprovided hash; \n\t\t\t+ 3: searches information about a given URL; \n\t\t\t+ 4: searches malicious URLs by a given tag (case sensitive); \n\t\t\t+ 5: searches for payloads given a tag; \n\t\t\t+ 6: retrieves a list of downloadable links to recent payloads; \n\t\t\t+ 7: retrieves a list of recent malicious URLs.\n\n\t-J HAUS_ARG, --haus_arg HAUS_ARG\n\t\n\t\t+ Provides the argument to the -j option from URLHaus.\n\n\t-p POLY_OPTION, --poly_option POLY_OPTION\n\t\n\t\t+ (Only for Linux) This option is related to POLYSWARM operations:\n\t\t\t+ 1: searches information related to a given hash provided using the -P option; \n\t\t\t+ 2: submits a sample provided by the -P option to be analyzed by the Polyswarm engine; \n\t\t\t+ 3: downloads a sample from Polyswarm by providing the hash through option -P.\n\t\t\tAttention: Polyswarm enforces a maximum of 20 samples per month; \n\t\t\t+ 4: searches for similar samples given a sample file through option -P;\n\t\t\t+ 5: searches for samples related to a provided IP address through option -P; \n\t\t\t+ 6: searches for samples related to a given domain provided by option -P; \n\t\t\t+ 7: searches for samples related to a provided URL through option -P; \n\t\t\t+ 8: 
searches for samples related to a provided malware family given by option -P.\n\n\t-P POLYSWARM_ARG, --poly_arg POLYSWARM_ARG\n\t\n\t\t+ (Only for Linux) Provides an argument for the -p option from POLYSWARM.\n\n\t-y ANDROID_OPTION, --android_option ANDROID_OPTION\n\t\n\t\t+ This ANDROID option has multiple possible values: \n\t\t\t+ \u003c1\u003e: Check all third-party APK packages from the USB-connected Android device \n\t\t\tagainst Hybrid Analysis using multiple threads. Notes: the Android device does not \n\t\t\tneed to be rooted, but the system does need to have the adb tool in the PATH \n\t\t\tenvironment variable; \n\t\t\t+ \u003c2\u003e: Check all third-party APK packages from the USB-connected Android device\n\t\t\tagainst VirusTotal using the Public API (slower because of a 60 second delay for each \n\t\t\t4 hashes). Notes: the Android device does not need to be rooted, but the system \n\t\t\tdoes need to have the adb tool in the PATH environment variable; \n\t\t\t+ \u003c3\u003e: Check all third-party APK packages from the USB-connected Android device \n\t\t\tagainst VirusTotal using multiple threads (only for the Premium VT API). Notes: the \n\t\t\tAndroid device does not need to be rooted, but the system needs to have the adb tool \n\t\t\tin the PATH environment variable; \n\t\t\t+ \u003c4\u003e: Sends a third-party APK from your USB-connected Android device to \n\t\t\tHybrid Analysis; \n\t\t\t+ \u003c5\u003e: Sends a third-party APK from your USB-connected Android device to Virus Total.\n\t\t\t\n\t-Y ANDROID_ARG, --android_arg ANDROID_ARG\n\t\n\t\t+ This option provides the argument for -y from ANDROID.\n\n\t-n ALIENVAULT, --alienvault ALIENVAULT\n\t\n\t\t+ Retrieves information from ALIENVAULT. 
The possible values are: \n\t\t\t+ 1: Get the subscribed pulses; \n\t\t\t+ 2: Get information about an IP address; \n\t\t\t+ 3: Get information about a domain; \n\t\t\t+ 4: Get information about a hash; \n\t\t\t+ 5: Get information about a URL.\n\n\t-N ALIENVAULT_ARGS, --alienvaultargs ALIENVAULT_ARGS\n\t\n\t\t+ Provides the argument to the ALIENVAULT -n option.\n\n\t-m MALPEDIA, --malpedia MALPEDIA\n\t\n\t\t+ This option is related to MALPEDIA and has different meanings depending on \n\t\tthe chosen value. Thus:\n\t\t\t+ 1: List meta information for all families; \n\t\t\t+ 2: List all actor IDs; \n\t\t\t+ 3: List all available payloads organized by family from Malpedia; \n\t\t\t+ 4: Get meta information for a specific actor, so it is necessary to use \n\t\t\tthe -M option. Additionally, confirm the correct actor ID by executing\n\t\t\tmalwoverview with option -m 2; \n\t\t\t+ 5: List all family IDs; \n\t\t\t+ 6: Get meta information for a specific family, so it is necessary to \n\t\t\tuse the -M option. Additionally, confirm the correct family ID by \n\t\t\texecuting malwoverview with option -m 5; \n\t\t\t+ 7: Get a malware sample from Malpedia (zip format -- password: infected). \n\t\t\tIt is necessary to specify the requested hash by using the -M option;\n\t\t\t+ 8: Get a zip file containing Yara rules for a specific family \n\t\t\t(get the possible families using -m 5), which must be specified by using the -M option.\n\n\t-M MALPEDIAARG, --malpediarg MALPEDIAARG\n\t\n\t\t+ This option provides an argument to the -m option, which is related to MALPEDIA.\n\n\t-b BAZAAR, --bazaar BAZAAR\n\t\n\t\t+ Retrieves information from MALWARE BAZAAR and THREATFOX. 
The possible \n\t\tvalues are: \n\t\t\t+ 1: (Bazaar) Query information about a malware sample hash; \n\t\t\t+ 2: (Bazaar) Get information and a list of malware samples associated \n\t\t\twith a specific tag; \n\t\t\t+ 3: (Bazaar) Get a list of malware samples according to a given imphash; \n\t\t\t+ 4: (Bazaar) Query the latest malware samples; \n\t\t\t+ 5: (Bazaar) Download a malware sample from Malware Bazaar by providing a \n\t\t\tSHA256 hash. The downloaded sample is zipped using the following \n\t\t\tpassword: infected; \n\t\t\t+ 6: (ThreatFox) Get the current IOC dataset from the last x days given by \n\t\t\toption -B (maximum of 7 days); \n\t\t\t+ 7: (ThreatFox) Search for the specified IOC on ThreatFox given by option -B; \n\t\t\t+ 8: (ThreatFox) Search IOCs according to the specified tag given by option -B; \n\t\t\t+ 9: (ThreatFox) Search IOCs according to the specified malware family provided by \n\t\t\toption -B; \n\t\t\t+ 10: (ThreatFox) List all available malware families.\n\n\t-B BAZAAR_ARG, --bazaararg BAZAAR_ARG\n\t\n\t\t+ Provides the argument to the -b MALWARE BAZAAR and THREAT FOX option:\n\t\t\t+ \"-b 1\" indicates that the -B argument must be a hash and a report about \n\t\t\tthe sample will be retrieved; \n\t\t\t+ \"-b 2\" indicates that the -B argument must be a malware tag and the last samples \n\t\t\tmatching this tag will be shown; \n\t\t\t+ \"-b 3\" means that the argument given by -B must be an imphash and the last samples \n\t\t\tmatching this imphash will be shown; \n\t\t\t+ \"-b 4\" means that the argument given by -B must be \"100\" or \"time\", where \"100\" \n\t\t\tlists the last 100 samples and \"time\" lists the samples added to Malware Bazaar \n\t\t\tin the last 60 minutes; \n\t\t\t+ \"-b 5\" means that the sample will be downloaded and the -B argument must be \n\t\t\tthe SHA256 hash of the sample that you want to download from Malware Bazaar; \n\t\t\t+ \"-b 6\" indicates that a list of IOCs will be retrieved and the -B value \n\t\t\tis the number of 
DAYS to filter such IOCs. The maximum time is 7 (days); \n\t\t\t+ \"-b 7\" indicates that the -B's argument is the IOC you want to search for; \n\t\t\t+ \"-b 8\" indicates that the -B's argument is the IOC's TAG that you want \n\t\t\tto search for; \n\t\t\t+ \"-b 9\" indicates that the -B argument is the malware family that you want \n\t\t\tto search for IOCs;\n\t\t\t\n\t-x TRIAGE, --triage TRIAGE\n\t\n\t\t+ Provides information from TRIAGE according to the specified value: \n\t\t\t+ 1: this option gets the sample's general information by providing an \n\t\t\targument with the -X option in the following possible formats: \n\t\t\t\t- sha256:\u003cvalue\u003e\n\t\t\t\t- sha1:\u003cvalue\u003e\n\t\t\t\t- md5:\u003cvalue\u003e\n\t\t\t\t- family:\u003cvalue\u003e\n\t\t\t\t- score:\u003cvalue\u003e\n\t\t\t\t- tag:\u003cvalue\u003e\n\t\t\t\t- url:\u003cvalue\u003e\n\t\t\t\t- wallet:\u003cvalue\u003e\n\t\t\t\t- ip:\u003cvalue\u003e; \n\t\t\t\t\n\t\t\t+ 2: Get a summary report for a given Triage ID (obtained from option -x 1); \n\t\t\t+ 3: Submit a sample for analysis; \n\t\t\t+ 4: Submit a sample through a URL for analysis; \n\t\t\t+ 5: Download the sample specified by the Triage ID; \n\t\t\t+ 6: Download the pcapng file from the sample associated with the given Triage ID; \n\t\t\t+ 7: Get a dynamic report for the given Triage ID (obtained from option -x 1);\n\n\t-X TRIAGE_ARG, --triagearg TRIAGE_ARG\n\t\n\t\t+ Provides the argument for options specified by the -x option. Pay attention: \n\t\tthe format of this argument depends on the provided -x value.\n\n\t-i INQUEST, --inquest INQUEST\n\t\n\t\t+ Retrieves multiple information from INQUEST. The possible values are: \n\t\t\t+ 1: Downloads a sample; \n\t\t\t+ 2: Retrieves information about a sample given a SHA256 hash; \n\t\t\t+ 3: Retrieves information about a sample given an MD5 hash; \n\t\t\t+ 4: Gets the most recent list of threats. 
For this option, the -I \n\t\t\targument must be \"list\" (lowercase and without double quotes); \n\t\t\t+ 5: Retrieves threats related to a provided domain; \n\t\t\t+ 6: Retrieves a list of samples related to the given IP address; \n\t\t\t+ 7: Retrieves a list of samples related to the given e-mail address; \n\t\t\t+ 8: Retrieves a list of samples related to the given filename; \n\t\t\t+ 9: Retrieves a list of samples related to a given URL; \n\t\t\t+ 10: Retrieves information about a specified IOC; \n\t\t\t+ 11: Lists IOCs. Note: you must pass \"list\" (without \n\t\t\tdouble quotes) as argument to -I;\n\t\t\t+ 12: Checks for a given keyword in the reputation database; \n\t\t\t+ 13: Lists artifacts in the reputation database. Note: you must \n\t\t\tpass \"list\" (without double quotes) as argument to -I.\n\n\t-I INQUEST_ARG, --inquestarg INQUEST_ARG\n\t\n\t\t  + Provides the argument to the INQUEST -i option.\n\n  -vx VXOPTION, --vx VXOPTION\n   \n      + 1: Gets basic metadata for a given SHA256 hash; \n      + 2: Downloads the sample given a SHA256 hash provided in the -VX argument.\n\n  -VX VXARG, --VX VXARG\n      \n      + Provides the argument to the -vx option from VirusExchange.\n\n  -O OUTPUTDIR, --output-dir OUTPUTDIR\n      \n      + Sets the output directory for all sample downloads.\n  \n  -ip IP, --ip IP\n\n    + Get IP information from various sources. 
The possible values are: \n      + 1: Get details for an IP address provided with -IP from IPInfo; \n      + 2: Get details for an IP address provided with -IP from BGPView; \n      + 3: Get details for an IP address provided with -IP from all \n           available intel services (VirusTotal/Alienvault).\n  \n  -IP IPARG, --iparg IPARG\n       \n      + Provides argument for IP lookup operations specified by the -ip option.\n\n\n## EXAMPLES\n\n    malwoverview -d /home/remnux/malware/windows_2/\n    malwoverview -v 1 -V 95a8370c36d81ea596d83892115ce6b90717396c8f657b17696c7eeb2dba1d2e.exe\n    malwoverview -v 2 -V 95a8370c36d81ea596d83892115ce6b90717396c8f657b17696c7eeb2dba1d2e.exe\n    malwoverview -v 3 -V 95a8370c36d81ea596d83892115ce6b90717396c8f657b17696c7eeb2dba1d2e.exe\n    malwoverview -v 4 -V 95a8370c36d81ea596d83892115ce6b90717396c8f657b17696c7eeb2dba1d2e.exe,\n    malwoverview -v 5 -V http://jamogames.com/templates/JLHk/\n    malwoverview -v 6 -V 185.220.100.243\n    malwoverview -v 7 -V xurl.es\n    malwoverview -v 8 -V ab4d6a82cafc92825a0b88183325855f0c44920da970b42c949d5d5ffdcc0585\n    malwoverview -v 9 -V cc2d791b16063a302e1ebd35c0e84e6cf6519e90bb710c958ac4e4ddceca68f7.exe\n    malwoverview -v 10 -V /home/remnux/malware/hash_list_3.txt\n    malwoverview -v 11 -V /home/remnux/malware/hash_list_3.txt\n    malwoverview -v 12 -V 9d26e19b8fc5819b634397d48183637bacc9e1c62d8b1856b8116141cb8b4000\n    malwoverview -v 13 -V /largefiles/4b3b46558cffe1c0b651f09c719af2779af3e4e0e43da060468467d8df445e93\n    malwoverview -a 1 -A 2e1fcadbac81296946930fe3ba580fd0b1aca11bc8ffd7cefa19dea131274ae8\n    malwoverview -a 1 -A 2e1fcadbac81296946930fe3ba580fd0b1aca11bc8ffd7cefa19dea131274ae8.exe\n    malwoverview -a 2 -A 2e1fcadbac81296946930fe3ba580fd0b1aca11bc8ffd7cefa19dea131274ae8\n    malwoverview -a 3 -A 2e1fcadbac81296946930fe3ba580fd0b1aca11bc8ffd7cefa19dea131274ae8\n    malwoverview -a 4 -A malware1.apk\n    malwoverview -a 4 -A 
82eb6039cdda6598dc23084768e18495d5ebf3bc3137990280bc0d9351a483eb\n    malwoverview -a 5 -A 2b03806939d1171f063ba8d14c3b10622edb5732e4f78dc4fe3eac98b56e5d46\n    malwoverview -a 5 -A 2b03806939d1171f063ba8d14c3b10622edb5732e4f78dc4fe3eac98b56e5d46.elf\n    malwoverview -a 6 -A 47eccaaa672667a9cea23e24fd702f7b3a45cbf8585403586be474585fd80243.exe\n    malwoverview -a 7 -A 47eccaaa672667a9cea23e24fd702f7b3a45cbf8585403586be474585fd80243.exe\n    malwoverview -a 8 -A 47eccaaa672667a9cea23e24fd702f7b3a45cbf8585403586be474585fd80243.exe\n    malwoverview -a 9 -A malware_7.apk\n    malwoverview -a 10 -A 925f649617743f0640bdfff4b6b664b9e12761b0e24bbb99ca72740545087ad2.elf\n    malwoverview -a 11 -A cd856b20a5e67a105b220be56c361b21aff65cac00ed666862b6f96dd190775e\n    malwoverview -a 12 -A cd856b20a5e67a105b220be56c361b21aff65cac00ed666862b6f96dd190775e\n    malwoverview -a 13 -A cd856b20a5e67a105b220be56c361b21aff65cac00ed666862b6f96dd190775e\n    malwoverview -a 14 -A d90a5552fd4ef88a8b621dd3642e3be8e52115a67e6b17b13bdff461d81cf5a8\n    malwoverview -a 15 -A 925f649617743f0640bdfff4b6b664b9e12761b0e24bbb99ca72740545087ad2\n    malwoverview -l 1 -L d3dcc08c9b955cd3f68c198e11d5788869d1b159dc8014d6eaa39e6c258123b0\n    malwoverview -l 2\n    malwoverview -l 3\n    malwoverview -l 4\n    malwoverview -l 5\n    malwoverview -l 6\n    malwoverview -j 1 -J 7c99d644cf39c14208df6d139313eaf95123d569a9206939df996cfded6924a6\n    malwoverview -j 2 -J 7c99d644cf39c14208df6d139313eaf95123d569a9206939df996cfded6924a6\n    malwoverview -j 3 -J https://unada.us/acme-challenge/3NXwcYNCa/\n    malwoverview -j 4 -J Qakbot\n    malwoverview -j 5 -J Emotet\n    malwoverview -j 5 -J Icedid\n    malwoverview -j 6\n    malwoverview -j 7\n    malwoverview -p 1 -P 1999ba265cd51c94e8ae3a6038b3775bf9a49d6fe57d75dbf1726921af8a7ab2\n    malwoverview -p 2 -P 301524c3f959d2d6db9dffdf267ab16a706d3286c0b912f7dda5eb42b6d89996.exe\n    malwoverview -p 3 -P 
68c11ef39769674123066bcd52e1d687502eb6c4c0788b4f682e8d31c15e5306\n    malwoverview -p 4 -P 68c11ef39769674123066bcd52e1d687502eb6c4c0788b4f682e8d31c15e5306.exe\n    malwoverview -p 5 -P 188.40.75.132\n    malwoverview -p 6 -P covid19tracer.ca\n    malwoverview -p 7 -P http://ksahosting.net/wp-includes/utf8.php\n    malwoverview -p 8 -P Qakbot\n    malwoverview -y 1\n    malwoverview -y 2\n    malwoverview -y 3\n    malwoverview -y 4 -Y com.spaceship.netprotect\n    malwoverview -y 5 -Y com.mwr.dz\n    malwoverview -v 1 -V 368afeda7af69f329e896dc86e9e4187a59d2007e0e4b47af30a1c117da0d792.apk\n    malwoverview -n 1 -N 10\n    malwoverview -n 2 -N 176.57.215.100\n    malwoverview -n 3 -N threesmallhills.com\n    malwoverview -n 4 -N 6d1756aa6b45244764409398305c460368d64ff9 -o 0\n    malwoverview -n 5 -N http://ksahosting.net/wp-includes/utf8.php\n    malwoverview -m 1 | more\n    malwoverview -m 2 | more\n    malwoverview -m 3 | more \n    malwoverview -m 4 -M apt41 | more\n    malwoverview -m 5 | more \n    malwoverview -m 6 -M win.qakbot\n    malwoverview -m 7 -M 3d375d0ead2b63168de86ca2649360d9dcff75b3e0ffa2cf1e50816ec92b3b7d \n    malwoverview -m 8 -M win.qakbot\n    malwoverview -b 1 -B c9d7b5d06cd8ab1a01bf0c5bf41ef2a388e41b4c66b1728494f86ed255a95d48\n    malwoverview -b 2 -B Revil | more\n    malwoverview -b 3 -B f34d5f2d4577ed6d9ceec516c1f5a744\n    malwoverview -b 4 -B 100 \n    malwoverview -b 4 -B time | more\n    malwoverview -b 5 -B bda50ff249b947617d9551c717e78131ed32bf77db9dc5b7591d3e1af6cb2f1a\n    malwoverview -b 6 -B 3 | more\n    malwoverview -b 7 -B 193.150.103.37:21330\n    malwoverview -b 8 -B Magecart | more\n    malwoverview -b 9 -B \"Cobalt Strike\"\n    malwoverview -b 10 | more\n    malwoverview -x 1 -X score:10 | more\n    malwoverview -x 1 -X 71382e72d8fb3728dc8941798ab1c180493fa978fd7eadc1ab6d21dae0d603e2\n    malwoverview -x 2 -X 220315-qxzrfsadfl\n    malwoverview -x 3 -X cd856b20a5e67a105b220be56c361b21aff65cac00ed666862b6f96dd190775e\n  
  malwoverview -x 4 -X http://ztechinternational.com/Img/XSD.exe\n    malwoverview -x 5 -X 220315-xmbp7sdbel\n    malwoverview -x 6 -X 220315-xmbp7sdbel\n    malwoverview -x 7 -X 220315-xmbp7sdbel\n    malwoverview -i 1 -I 5119c804448dd877e1a32d5157dc2e5ff9344cb55e053b20117c9b3b4c974389 \n    malwoverview -i 2 -I 5119c804448dd877e1a32d5157dc2e5ff9344cb55e053b20117c9b3b4c974389\n    malwoverview -i 3 -I 0a1b0c7a21c8929b7742db195338af5c\n    malwoverview -i 4 -I list\n    malwoverview -i 5 -I rebrand.ly | more\n    malwoverview -i 6 -I 10.247.111.124 \n    malwoverview -i 7 -I diseno@distracom.com \n    malwoverview -i 8 -I 20firmas-02.jpg\n    malwoverview -i 9 -I http://diagnostic.htb \n    malwoverview -i 10 -I http://jaao.net \n    malwoverview -i 11 -I list\n    malwoverview -i 12 -I rebrand.ly\n    malwoverview -i 13 -I list | more\n    malwoverview -vx 1 -VX c3247ada71931ee267e975cb04160dc8ac611f3b4409f41b595177e124be7c2e\n    malwoverview -vx 2 -VX c3247ada71931ee267e975cb04160dc8ac611f3b4409f41b595177e124be7c2e\n    malwoverview -ip 1 -IP 8.8.8.8\n    malwoverview -ip 2 -IP 8.8.8.8\n    malwoverview -ip 3 -IP 8.8.8.8\n    malwoverview -vx 2 -VX \u003chash\u003e -O \u003cdirectory\u003e\n    malwoverview -b 5 -B \u003chash\u003e -O \u003cdirectory\u003e \n\n\n## HISTORY\n\n\nVersion 6.1.1:\n\n      This version:\n\n            * Modifies the code to not require to registers all APIs at the first usage.\n            * Add a new section in the README (this file) about required APIs.\n\nVersion 6.1.0:\n\n      This version:\n\n            * Introduces -vx option for Virus Exchange.\n            * Introduces -ip option for IPInfo and BGPView.\n            * Introduces -O option to save samples in a central directory. 
\n            * Fixes multiple other issues.\n\nVersion 6.0.1:\n\n      This version:\n\n            * Issue in Malshare's download option has been fixed.\n\nVersion 6.0.0:\n\n      This version:\n\n            * It has been completely refactored.\n\t    * README.md has been also changed.\n            * Special thanks to Artur Marzano, who has contributed\n              and dedicated his time to conduct and write this new version.\n\nVersion 5.4.5:\n\n      This version:\n\n\t    * Includes a fix related to the installation path. \n\nVersion 5.4.4:\n\n      This version:\n\n\t    * Includes only small changes and updates in the README.md.\n\nVersion 5.4.3:\n\n      This version:\n\n\t    * Fixes a recent issue on -v 10 and 11 options (VT) due to \n\t      a change in one of the used libraries. \n\t    * Fixes other minor issues on several options.\n\nVersion 5.4.2:\n\n      This version:\n\n            * Fixes two small issues.\n\nVersion 5.4.1:\n\n      This version:\n\n            * Fixes issues related to URLHaus.\n            * Fixes issues related to Polyswarm.\n            * Fixes issues related to Malware Bazaar.\n            * Fixes issues related to InQuest.\n            * Introduces changes to the help description. \n            * Introduces changes to installation process. 
\n\nVersion 5.3:\n\n      This version:\n\n            * Fixes issues related to Malshare (-l and -L options).\n            * Adds a new Malshare option (-l 7) to list all samples \n              from the last 24 hours.\n\nVersion 5.2:\n\n      This version:\n\n            * Multiple issues related to Hybrid Analysis have been fixed.\n\nVersion 5.1.1:\n\n      This version:\n\n            * A formatting issue related to the -v 10 option has been fixed.\n\nVersion 5.1:\n\n      This version:\n\n            * Introduces thirteen options related to InQuest Labs.\n            * Fixes an issue related to the -b 6 option from ThreatFox.\n\nVersion 5.0.3:\n\n      This version:\n\n            * Includes the possibility of getting information from \n              Hybrid-Analysis using a SHA256 hash or the malware file.\n            * Removes all options related to ThreatCrowd.\n            * Fixes an issue related to downloading from Malshare.\n            * Includes macOS as a supported operating system for running Malwoverview.\n\nVersion 5.0.2:\n\n      This version:\n\n            * Includes a small fix for options -v 1 and -v 8. 
\n\nVersion 5.0.0:\n\n      This version:\n\n            * Includes upgrades of all Virus Total options from API v.2 \n              to API v.3.\n            * Introduces a new option to check hashes within a given\n              file using Virus Total.\n            * Introduces a new option to submit large files (\u003e= 32 MB) to\n              Virus Total.\n            * Changes all Virus Total options.\n            * Swaps the purposes of the Malpedia options (\"m\" and \"M\").\n            * Introduces a new purpose for the -D option.\n            * Removes the Malshare option to check a binary.\n            * Removes all Valhalla options completely.\n            * Changes all Malshare options.\n            * Removes the -g option.\n            * Changes all URLhaus options.\n            * Changes all Polyswarm options.\n            * Removes the -S and -z options.\n            * Upgrades, fixes and merges Android options.\n            * Updates Android options to Android 11.\n            * Removes the -t and -T options.\n            * Fixes and changes Hybrid Analysis options.\n            * Changes the -d option to Virus Total API v.3 with new content.\n            * Swaps options -q and -Q from Threatcrowd.\n            * Fixes the tag option from Triage.\n            * Fixes URL formatting issues from URLhaus.\n            * Removes several support functions.\n            * Fixes several color issues.\n            * Fixes descriptions.\n            * Changes configuration, setup and requirement files.\n            * Removes many option letters used in previous versions.\n\nVersion 4.4.2:\n\n      This version:\n\n            * It is NO longer necessary to insert all APIs into the .malwapi.conf file \n              before using Malwoverview. For example, if you have only Virus Total\n              and Hybrid Analysis APIs, you can use their respective options \n              without needing to insert the remaining ones. The same rule is valid \n              for any API and option. 
\n\n            * Small fixes have been made to the code and this README file. \n\nVersion 4.4.1:\n\n      This version:\n\n            * Improves and fixes a formatting issue with the cmd field \n              from option -x 2.\n\nVersion 4.4.0.2:\n\n      This version:\n\n            * Improves and fixes a formatting issue with the cmd field \n              from option -x 7.\n\nVersion 4.4:\n\n      This version:\n\n            * Introduces the Triage endpoint and seven associated options. \n            * Changes the overlay extraction option (previously -x) \n              to -v 4. \n\nVersion 4.3.5:\n\n      This version:\n\n            * Fixes formatting issues related to option -M 6 from Malpedia. \n            * Fixes formatting issues related to option -W from URLHaus. \n            * Fixes formatting issues related to option -k from URLHaus. \n            * Fixes functional issues related to option -L from Malshare. \n            * Corrects misspelled words.\n\nVersion 4.3.4:\n\n      This version:\n\n            * Removes two columns from option -y 1 (Android package checking on HA) \n              to offer better formatting. \n\nVersion 4.3.3:\n\n      This version:\n\n            * Fixes output formatting of option -y (Android package checking on VT and HA). \n            * Fixes an issue with option -y while using -o 0. \n\n\nVersion 4.3.2:\n\n      This version:\n\n            * Fixes output formatting of option -n 2 (Alien Vault).\n            * Fixes output formatting of long URLs when using option -I (Virus Total). \n            * Fixes option -f when using a binary without an IAT (Virus Total). \n            * Fixes option -B 10, which caused an endless loop (ThreatFox). \n            * Fixes a formatting issue related to -K 2 when fetched URLs were long\n              (URLHaus). \n            * Introduces the \"FireEye\" endpoint in the -v 2 output (VirusTotal). 
This\n              addition was suggested by @vxsh4d0w.\n\nVersion 4.3.1:\n\n      This version:\n\n            * Introduces a fix in the \"-b 8\" ThreatFox option.\n            * Corrects sentences in the help section.\n\nVersion 4.3:\n\n      This version:\n\n            * Introduces Malware Bazaar and ThreatFox endpoints, with 5 options for each one.\n            * Changes the background option from -b to -o.\n            * Fixes problems on Malpedia and URLHaus options.\n\nVersion 4.2:\n\n      This version:\n\n            * Fixes -L option from Malware.\n            * Introduces additional instructions in README.md (this file) to help professionals\n              get the APIs.\n\nVersion 4.1:\n\n      This version:\n\n            * Introduces the -E and -C options for the Valhalla service \n              (https://www.nextron-systems.com/valhalla/) \n            * Introduces a few changes in the setup.py file (contribution from Christian \n              Clauss). \n            * Introduces a new contributor: Christian Clauss (https://github.com/cclauss) \n\nVersion 4.0.3:\n\n      This version:\n\n            * Fixes the Virus Total evaluation not being shown when the user specified the \"-v 2\" and \n              \"-v 3\" options.\n            * The version of the Python request package is pinned to prevent issues with Polyswarm API 2.x.\n\nVersion 4.0.2:\n\n      This version:\n\n            * Two small bugs (typos) in the functions for Polyswarm downloading and Android package checking\n              have been fixed. \n            * Unnecessary dead code has been removed.\n            * Several typos in the README.md and in the help have been corrected. \n            * All fixes for this version were suggested by Christian Clauss (https://github.com/cclauss)\n\n\nVersion 4.0.1:\n\n      This version:\n\n            * Fixes small typos and the README. 
\n\n\nVersion 4.0.0:\n\n      This version:\n\n            * Introduces new engines such as Alien Vault, Malpedia and ThreatCrowd. \n            * The -s option has been removed. Use the -v 2 option for the antivirus report.\n            * The -n option is no longer associated with Malshare. Use the -l option with \n              values between 1 and 14.\n            * To specify the hash in Malshare, use the -L option instead of the -m option. \n            * The -i option has been removed. Use the -v 3 option for IAT/EAT. \n            * The -a option has been changed to include the system environments in Hybrid \n              Analysis. However, the -e option has been kept to be used with other options. \n            * The -M option is no longer responsible for downloading samples from Malshare. Use the\n              -D option for this task. \n            * The -B option for listing URLs from URLHaus has been replaced by the -K 2 option. \n            * The -Z and -X options (related to Android) have been replaced by -y 2 and -y 3, \n              respectively. \n            * The -D option (download a malware sample) has been extended to Polyswarm. \n            * The malware sample's DLL list has been introduced. \n            * The -R and -G options from Polyswarm have been completely fixed. Additionally, both\n              now include the polyscore in the output. \n            * The -N option is no longer associated with Polyswarm. \n            * The -G 4 option has been introduced and makes it possible to search samples by \n              families and types such as \"*Trickbot*\", \"*Ransomware\", \"*Trojan*\" and so on. \n            * Colors from the -I option have been fixed. \n            * The -w option has been removed. \n            * Several issues in the help have been fixed. \n\n\nVersion 3.1.2:\n\n      This version:\n\n            * Introduces the -c option that allows the user to specify a custom API configuration file. 
\n            * The API configuration file has been changed to the .malwapi.conf file.\n            * The project structure has been changed to make it easier to install in different operating \n              systems.\n            * Updates for this version are a contribution from Corey Forman (https://github.com/digitalsleuth).\n\nVersion 3.0.0:\n\n      This version:\n\n            * Includes fixes in the URL reporting (-u option) from Virus Total.  \n            * New players have been included in the URL reporting (-u option) from Virus Total.\n            * Fixes have been included in payload listing (-K option) from URLhaus.\n            * Yara information has been included in the hash report (-m option) from Malshare.\n            * Fixes have been included in the -l option. \n            * New file types have been included in the -n option: Java, Zip, data, RAR, PDF, Composite (OLE),\n              MS_DOS and UTF-8.\n            * New -W option, which is used to show URLs related to user-provided tags from URLHaus.\n            * New -k option, which is used to show payloads related to a tag from URLHaus.\n            * New -I option, which is used to show information related to an IP address from Virus Total.\n            * The -R option was refactored and now supports searching for a file, IPv4 address, domain or URL on \n              Polyswarm. \n\nVersion 2.5.0:\n\n      This version:\n\n            * Introduces the following options:\n                  * -y to check all third-party APKs from an Android device against \n                       Hybrid Analysis. \n                  * -Y to send a third-party APK from an Android device to Hybrid\n                       Analysis. \n                  * -Z to check all third-party APKs from an Android device against \n                       Virus Total. 
\n                  * -X to check all third-party APKs from an Android device against\n                       Virus Total (a private API key is required). \n                  * -T to send a third-party APK from an Android device to Virus Total. \n            * Fixes several issues related to color in command outputs.  \n            * Adds the filename identification in the report while sending a sample to Virus Total.\n\nVersion 2.1.9.1:\n\n      This version:\n\n            * Fixes several issues about colors in outputs. \n            * Removes the -L option from Malshare (unfortunately, Malshare doesn't provide a \n              URL list anymore). \n            * Removes the -c option.\n            * Introduces some verification lines in the URLHaus command. \n\nVersion 2.1:\n\n      This version:\n\n            * Fixes formatting issues related to Hybrid Analysis output (-Q 1 -a 1). \n            * Fixes color issues. \n            * Fixes small issues related to Polyswarm. \n\nVersion 2.0.8.1:\n\n      This version:\n\n            * Introduces installation using: pip3.8 install malwoverview (Linux) or \n              python -m pip install malwoverviewwin (Windows). \n            * Fixes small problems related to Polyswarm usage. \n            * Changes the help to verify whether the APIs were inserted into the configmalw.py file. \n\nVersion 2.0.1:\n\n      This version:\n\n            * Fixes a problem related to searching by hash on Malshare (-m option). \n            * Fixes a problem related to searching by hash on Polyswarm (-O option). \n\nVersion 2.0.0:\n\n      This version:\n\n            * Introduces a completely ported version of Malwoverview to Python 3.x (it does not work in \n              Python 2.7.x anymore!)\n            * Fixes several bugs related to IAT/EAT listing. \n            * Fixes several bugs related to colors. \n            * Introduces multi-threading to some options. \n            * Introduces several options related to Malshare. 
\n            * Introduces several options related to URLHaus.\n            * Introduces several options related to the Polyswarm engine. \n            * Changes the place of the API key configuration. Now you should edit the configmalw.py file. \n            * Changes the help libraries and functions, making Malwoverview's help more complete. \n            * Introduces a geolocation feature by using the package named Geocoder written by Dennis Carrierre.\n            * Fixes problems related to the Hybrid Analysis engine. \n            * Fixes several mistakes related to a mix of spaces and tabs.\n            * Extends the -d option to include Hybrid Analysis. \n            \nVersion 1.7.5:\n\n      This version: \n\n            * A problem related to sample submission to Hybrid Analysis on the Windows operating \n              system has been fixed. Additionally, file name handling has also been fixed. \n            \nVersion 1.7.3:\n\n      This version: \n\n            * Malwoverview has been adapted to API version 2.6.0 of Hybrid Analysis.\n            * The -A option has been fixed according to the new version (2.6.0) of Hybrid Analysis.\n            * The -a option has been modified to work together with the -e option.\n            * Help information has been modified. \n            \nVersion 1.7.2:\n\n      This version: \n\n            * A small fix related to the -g option has been included. 
\n            \nVersion 1.7.1:\n\n      This version: \n\n            * Relevant fix of a problem related to the -A and -H options.\n            * Includes a new Hybrid Analysis environment in the -e option (Windows 7 32-bits with HWP support).\n            * Updates Malwoverview to support Hybrid Analysis API version 2.5.0.\n\nVersion 1.7.0:\n\n      This version: \n\n            * Includes the -A option for submitting a sample to Hybrid Analysis.\n            * Includes the -g option for checking the status of a sample submission to Hybrid Analysis.\n            * Includes the -e option for specifying the testing environment on Hybrid Analysis.\n            * Includes the -r option for getting a complete domain report from Virus Total.\n            * Modifies the -H option to work together with the -e option.\n            * Modifies several functions of the tool to prepare it for version 1.8.0\n\nVersion 1.6.3:\n\n      This version: \n\n            * Includes creation of new functions aimed at version 1.7.0.\n            * Includes new exception handling blocks.\n\nVersion 1.6.2:\n\n      This version: \n\n            * Includes small fixes.\n            * For Hybrid Analysis API version 2.40 it is no longer necessary to include the API Secret.  \n\nVersion 1.6.1:\n\n      This version: \n\n            * Includes small format fixes.\n\nVersion 1.6.0:\n\n      This version: \n\n            * It is using the Hybrid Analysis API version 2.4.0.\n            * Includes certificate information in the Hybrid Analysis report. \n            * Includes MITRE information in the Hybrid Analysis report. \n            * Includes an option to download samples from Hybrid Analysis. \n\nVersion 1.5.1:\n\n      This version: \n\n            * Small change to fix a format issue in the -d option. \n\nVersion 1.5.0:\n\n      This version: \n\n            * Includes the -u option to check URLs against Virus Total and associated engines. 
\n            * Includes the -H option to find existing reports on Virus Total and Hybrid Analysis through the \n              hash.\n            * Includes the -V option to submit a file to Virus Total. Additionally, the report is shown after \n              a few minutes.\n            * Includes two small fixes. \n\nVersion 1.4.5.2:\n\n      This version:\n\n            * Includes two small fixes.\n\nVersion 1.4.5.1:\n\n      This version:\n\n            * Includes one small fix. \n\nVersion 1.4.5:\n\n      This version:\n\n            * Adds the -w option to use malwoverview on Windows systems.\n            * Improves and fixes colors when using the -b option with a black window.  \n\nVersion 1.4: \n\n      This version:\n\n            * Adds the -a option for getting the Hybrid Analysis summary report.\n            * Adds the -i option for listing imported and exported functions. Therefore, the imported/exported\n              function report was decoupled into a separate option.  \n\nVersion 1.3: \n\n      This version:\n\n            * Adds the -p option for the public Virus Total API.\n\nVersion 1.2: \n\n      This version:\n\n            * Evaluates a single file (any filetype).\n            * Shows PE sections.\n            * Shows imported functions.\n            * Shows exported functions.\n            * Extracts the overlay.\n            * Shows the AV report from the main players (any filetype).\n\nVersion 1.1: \n\n      This version:\n\n            * Adds the VT checking feature.\n\n\nVersion 1.0:\n\n      Malwoverview is a tool to perform a first triage of malware samples in a directory and group them \n      according to their import functions (imphash) using colors. This version:\n\n            * Shows the imphash information classified by color. \n            * Checks whether malware samples are packed.  \n            * Checks whether malware samples have an overlay. \n            * Shows the entropy of the malware samples. 
\n\n\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Falexandreborges%2Fmalwoverview","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Falexandreborges%2Fmalwoverview","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Falexandreborges%2Fmalwoverview/lists"}