https://github.com/fr0gger/vthunting
Vthunting is a tiny script used to generate report about Virus Total hunting and send it by email, slack or telegram.
- Host: GitHub
- URL: https://github.com/fr0gger/vthunting
- Owner: fr0gger
- License: mit
- Created: 2018-11-30T14:47:13.000Z (over 6 years ago)
- Default Branch: master
- Last Pushed: 2023-02-08T07:07:15.000Z (over 2 years ago)
- Last Synced: 2025-04-03T01:41:27.596Z (about 2 months ago)
- Language: Python
- Size: 40 KB
- Stars: 159
- Watchers: 5
- Forks: 43
- Open Issues: 4
Metadata Files:
- Readme: README.md
- License: LICENSE.md
README
# VT Hunting
VThunting is now featured on [VirusTotal](https://support.virustotal.com/hc/en-us/articles/360006819798-API-Scripts-and-client-libraries).

Virus Total Hunting is a tiny tool based on the VT API version 3 that produces daily, weekly or monthly reports about malware hunting.
The report can be sent via email, a Slack channel or Telegram. The tool can also be used from the command line to get a report at any time.
The default number of results is 10, but it can be increased or decreased in the config part.
This tool only works with a Virus Total Intelligence API key.

#### Report Example
The extract below is an example of a generated report.
```
__     _______   _   _             _   _
\ \   / /_   _| | | | |_   _ _ __ | |_(_)_ __   __ _
 \ \ / /  | |   | |_| | | | | '_ \| __| | '_ \ / _` |
  \ V /   | |   |  _  | |_| | | | | |_| | | | | (_| |
   \_/    |_|   |_| |_|\__,_|_| |_|\__|_|_| |_|\__, |
                                               |___/
McAfee ATR | Thomas Roccia | @fr0gger_
Get latest hunting notification from VirusTotal
Latest report from 2018-12-24 10:20:30.158831
-------------------------------------------------------------------------------------
Rule name: FancyBear_ComputraceAgent
Match date: 2018-12-24 17:38:17
SHA256: f5157e5b8afe1f79f29c947449477d13ede3d7341699256e62966474a7ee1eb5
Tags: [apt28, fancybear_computraceagent]
-------------------------------------------------------------------------------------
Rule name: Winexe_RemoteExecution
Match date: 2018-12-24 15:01:15
SHA256: 1e194647c05b0068c31cd443b5bcacc2dd41799e5d21a40e0c58adbad01c28c6
Tags: [winexe_remoteexecution, apt28]
-------------------------------------------------------------------------------------
Rule name: hatman_compiled_python: hatman
Match date: 2018-12-24 00:28:21
SHA256: 14c64fc93ae68f01989db992bf8ee47ffd33edf66223b84f3fae52f9a843a03f
Tags: [triton, hatman, hatman_compiled_python]
-------------------------------------------------------------------------------------
Rule name: Stuxnet_unpacked
Match date: 2018-12-24 15:00:00
SHA256: 86b05279bf4930ffc0c00e4fd22c8ab9e964e8d45d39bfca42e129b95dc33481
Tags: [stuxnet, stuxnet_unpacked]
-------------------------------------------------------------------------------------
Rule name: Stuxnet
Match date: 2018-12-24 14:59:59
SHA256: 86b05279bf4930ffc0c00e4fd22c8ab9e964e8d45d39bfca42e129b95dc33481
Tags: [stuxnet]
-------------------------------------------------------------------------------------
[truncated]
```

## Getting Started
Just download the script:
```
git clone https://github.com/fr0gger/vthunting
```

Then configure the config part with your API keys and info:
```
# Virus Total API
VTAPI = ""
number_of_result = ""  # 10 by default

# Email configuration
smtp_serv = ""
smtp_port = ""
gmail_login = ""
gmail_pass = ""  # Gmail app password, not your account password
gmail_dest = ""

# Slack Bot config
SLACK_BOT_TOKEN = ""
SLACK_CHANNEL = ""

# Telegram Bot config
TOKEN = ""
chat_id = ""

# Microsoft Teams Bot config
TEAMS_CHANNEL_WEBHOOK = ""
```

Once the config is ready you can run the file with:
```
python vthunting.py --help
```
```
usage: vthunting.py [OPTION]
-h, --help Print this help
-r, --report Print the VT hunting report
-s, --slack_report Send the report to a Slack channel
-e, --email_report Send the report by email
-t, --telegram_report Send the report to Telegram
-m, --teams_report Send the report to Microsoft Teams
-j, --json Get full JSON report
```

### Prerequisites
#### Requirements
You first need to install the requirements:
* requests
* slackclient
* pymsteams

```
pip install -r requirements.txt
```
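As an added example (not the vthunting project's own code), the following Python shows the two things the sections above describe: reading the values from the config block out of environment variables instead of editing the script (the variable names, `load_settings` and the other helpers are this example's assumptions), and rendering matches in the layout of the report example while honouring `number_of_result` and skipping malformed records rather than aborting the run. The sample records are constructed; their first and third hashes are copied from the report example.

```python
import os
import re

SHA256_RE = re.compile(r"^[0-9a-f]{64}$")
SEPARATOR = "-" * 85

# Constructed sample records with the fields the README's report shows; the
# second record is deliberately malformed to exercise the validation below.
SAMPLE_NOTIFICATIONS = [
    {"rule_name": "FancyBear_ComputraceAgent", "date": "2018-12-24 17:38:17",
     "sha256": "f5157e5b8afe1f79f29c947449477d13ede3d7341699256e62966474a7ee1eb5",
     "tags": ["apt28", "fancybear_computraceagent"]},
    {"rule_name": "Broken_Record", "date": "2018-12-24 16:00:00",
     "sha256": "not-a-hash", "tags": []},
    {"rule_name": "Winexe_RemoteExecution", "date": "2018-12-24 15:01:15",
     "sha256": "1E194647C05B0068C31CD443B5BCACC2DD41799E5D21A40E0C58ADBAD01C28C6",
     "tags": ["winexe_remoteexecution", "apt28"]},
]

def load_settings(env=None):
    """Read the README's config values from the environment (variable names are
    this example's assumption). VTAPI is mandatory; result count defaults to 10."""
    env = os.environ if env is None else env
    api_key = env.get("VTAPI", "").strip()
    if not api_key:
        raise ValueError("VTAPI is not set; refusing to run without an API key")
    raw = env.get("NUMBER_OF_RESULT", "").strip()
    limit = int(raw) if raw.isdigit() and int(raw) > 0 else 10
    return {"VTAPI": api_key, "number_of_result": limit}

def format_notification(n):
    """Render one match in the README's report layout; reject bad hashes."""
    sha = n["sha256"].strip().lower()
    if not SHA256_RE.match(sha):
        raise ValueError(f"invalid sha256 for rule {n['rule_name']!r}")
    return (f"Rule name: {n['rule_name']}\nMatch date: {n['date']}\n"
            f"SHA256: {sha}\nTags: [{', '.join(n['tags'])}]")

def build_report(notifications, limit, generated_at):
    """Return (report_text, skipped): at most `limit` valid matches, bad ones counted."""
    lines, shown, skipped = [f"Latest report from {generated_at}", SEPARATOR], 0, 0
    for n in notifications:
        if shown >= limit:
            break
        try:
            lines += [format_notification(n), SEPARATOR]
            shown += 1
        except (KeyError, ValueError):
            skipped += 1
    return "\n".join(lines), skipped
```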
#### VT API
Get your API key from Virus Total: https://developers.virustotal.com/v3.0/reference

#### Email Configuration (gmail)
To create an app password, see the documentation here: https://support.google.com/accounts/answer/185833

#### Slack Bot Configuration
To generate a token you need to go here and follow the steps: https://api.slack.com/custom-integrations/legacy-tokens

#### Telegram Bot Configuration
To get a token you need to create a Telegram bot by talking to @BotFather, which will help you configure your bot and
get your token.
Once you have your token, visit https://api.telegram.org/bot<token>/getUpdates (with your bot token in place of `<token>`) to get the chat id used for `chat_id`.

#### Microsoft Teams Bot Configuration
Add a webhook connector to the Microsoft Teams channel in which you'd like to receive the reports:
https://docs.microsoft.com/en-us/microsoftteams/platform/webhooks-and-connectors/how-to/connectors-using#setting-up-a-custom-incoming-webhook

### Install in your system
If you want to run this script from anywhere, copy it without the extension into:
```
cp vthunting.py /usr/local/bin/vthunting
```

### Configure the task scheduler with crontab
You can use crontab to run the script and receive the report periodically.
```
crontab -e
```
Below is an example to receive the report every day at 10:15am.
```
# Example of job definition:
# .---------------- minute (0 - 59)
# | .------------- hour (0 - 23)
# | | .---------- day of month (1 - 31)
# | | | .------- month (1 - 12) OR jan,feb,mar,apr ...
# | | | | .---- day of week (0 - 6) (Sunday=0 or 7) OR sun,mon,tue,wed,thu,fri,sat
# | | | | |
# * * * * * command to be executed (a user crontab has no user field)
15 10 * * * /usr/local/bin/vthunting -r -t -e -s >> vthunt.log
```

## Using Docker
Git clone the repo and configure your API keys for the reporting in the script.
Add your VirusTotal API key in the Dockerfile. Then run the following commands:
```
# Build the container
docker build -t vthunting:latest .

# Run the script
docker run -t vthunting -r
```

## License
This project is licensed under the MIT License - see the [LICENSE.md](LICENSE.md) file for details.