From f5e2f142f67a39952edfa60a08683f43dd98c85c Mon Sep 17 00:00:00 2001 From: Alexandre Borges Date: Thu, 29 Apr 2021 04:23:18 -0400 Subject: [PATCH] Malwoverview 4.3.5 --- README.md | 13 +++++++++-- malwoverview/malwoverview.py | 42 +++++++++++++++++++----------------- setup.py | 2 +- 3 files changed, 34 insertions(+), 23 deletions(-) diff --git a/README.md b/README.md index 8a2957a..4f33b78 100644 --- a/README.md +++ b/README.md @@ -1,6 +1,6 @@ # Malwoverview -[GitHub release (latest by date)](https://github.com/alexandreborges/malwoverview/releases/tag/4.3.4) [GitHub last commit](https://github.com/alexandreborges/malwoverview/releases) [GitHub Release Date](https://github.com/alexandreborges/malwoverview/releases) [GitHub](https://github.com/alexandreborges/malwoverview/blob/master/LICENSE) +[GitHub release (latest by date)](https://github.com/alexandreborges/malwoverview/releases/tag/4.3.5) [GitHub last commit](https://github.com/alexandreborges/malwoverview/releases) [GitHub Release Date](https://github.com/alexandreborges/malwoverview/releases) [GitHub](https://github.com/alexandreborges/malwoverview/blob/master/LICENSE) [GitHub stars](https://github.com/alexandreborges/malwoverview/stargazers) [Twitter Follow](https://twitter.com/ale_sp_brazil) [PayPal](https://www.paypal.com/cgi-bin/webscr?cmd=_s-xclick&hosted_button_id=M8F458EZH8UZE&source=url) @@ -113,7 +113,7 @@ See GNU Public License on . -# Current Version: 4.3.4 +# Current Version: 4.3.5 Important note: Malwoverview does NOT submit samples to Virus Total or Hybrid Analysis by default. It submits only hashes, so respecting Non-Disclosure @@ -740,6 +740,15 @@ optional arguments: # HISTORY +Version 4.3.5: + + This version: + + * Fixes formating issues related to option -M 6 from Malpedia. + * Fixes formating issues related to option -W from URLHaus. + * Fixes formating issues related to option -k from URLHaus. + * Fixes working issues related to option -L from Malshare. + * Corrects misspelled words. Version 4.3.4: diff --git a/malwoverview/malwoverview.py b/malwoverview/malwoverview.py index 3e9e472..58d500f 100755 --- a/malwoverview/malwoverview.py +++ b/malwoverview/malwoverview.py @@ -20,7 +20,7 @@ # Corey Forman (https://github.com/digitalsleuth) # Christian Clauss (https://github.com/cclauss) -# Malwoverview.py: version 4.3.4 +# Malwoverview.py: version 4.3.5 import os import sys @@ -60,7 +60,7 @@ __author__ = "Alexandre Borges" __copyright__ = "Copyright 2018-2021, Alexandre Borges" __license__ = "GNU General Public License v3.0" -__version__ = "4.3.4" +__version__ = "4.3.5" __email__ = "alexandreborges at blackstormsecurity.com" haurl = 'https://www.hybrid-analysis.com/api/v2' @@ -2579,12 +2579,14 @@ def malsharehashsearch(filehash): loc = '' if (bkg == 1): print((mycolors.reset + "sha256: " + mycolors.foreground.yellow + "%s\n" % (maltext2[0])['sha256'] + mycolors.reset + "sha1: " + mycolors.foreground.yellow + "%s\n" % (maltext2[0])['sha1'] + mycolors.reset + "md5: " + mycolors.foreground.yellow + "%s\n" % (maltext2[0])['md5'] + mycolors.reset + "type: " + mycolors.foreground.lightcyan + "%s\n" % (maltext2[0])['type'] + mycolors.reset + "source: " + mycolors.foreground.lightred + "%s\n" % (maltext2[0])['source'] + mycolors.reset + "city: " + mycolors.foreground.lightgreen + "%s" % loc)) - for k in (maltext2[0])['yarahits']['yara']: - print(mycolors.reset + "Yara Hits: " + mycolors.foreground.lightgreen + str(k)) + if (maltext2[0]['yarahits'] is not None): + for k in (maltext2[0])['yarahits']['yara']: + print(mycolors.reset + "Yara Hits: " + mycolors.foreground.lightgreen + str(k)) else: print((mycolors.reset + "sha256: " + mycolors.foreground.green + "%s\n" % (maltext2[0])['sha256'] + mycolors.reset + "sha1: " + mycolors.foreground.green + "%s\n" % (maltext2[0])['sha1'] + mycolors.reset + "md5: " + mycolors.foreground.green +"%s\n" % (maltext2[0])['md5'] + mycolors.reset + "type: " + mycolors.foreground.cyan + "%s\n" % (maltext2[0])['type'] + mycolors.reset + "source: " + mycolors.foreground.red + "%s\n" % (maltext2[0])['source'] + mycolors.reset + "city: " + mycolors.foreground.blue + "%s" % loc)) - for k in (maltext2[0])['yarahits']['yara']: - print(mycolors.reset + "Yara Hits: " + mycolors.foreground.purple + str(k)) + if (maltext2[0]['yarahits'] is not None): + for k in (maltext2[0])['yarahits']['yara']: + print(mycolors.reset + "Yara Hits: " + mycolors.foreground.purple + str(k)) if (maldownload == 1): malsharedown(filehash) @@ -4971,8 +4973,8 @@ def haussigsearchroutine(payloadtagx, haus): if 'urls' in haustext: if ('url_id' in haustext['urls']) is not None: - print(mycolors.reset + "\nStatus".center(9) + " " * 2 + "File Type".ljust(10) + " SHA256 Hash".center(64) + " " * 5 + "Virus Total".ljust(14) + ' ' * 2 + "URL to Payload".center(45)) - print("-" * 170 + "\n") + print(mycolors.reset + "\nStatus".center(9) + " " * 2 + "FType".ljust(7) + " SHA256 Hash".center(64) + " " * 5 + "Virus Total".ljust(14) + ' ' * 2 + "URL to Payload".center(45)) + print("-" * 150 + "\n") for w in haustext['urls']: if (bkg == 1): if(w['url_status'] == 'online'): @@ -4982,17 +4984,17 @@ def haussigsearchroutine(payloadtagx, haus): if(w['url_status'] == ''): print(mycolors.foreground.lightblue + mycolors.reverse + "unknown" + mycolors.reset, end=' ') if w['file_type']: - print(mycolors.foreground.lightcyan + ' ' * 2 + "%-10s" % w['file_type'] + mycolors.reset, end=' ') + print(mycolors.foreground.lightcyan + ' ' * 2 + "%-6s" % w['file_type'] + mycolors.reset, end=' ') else: - print(mycolors.foreground.lightcyan + ' ' * 2 + "%-10s" % "unknown" + mycolors.reset, end=' ') + print(mycolors.foreground.lightcyan + ' ' * 2 + "%-6s" % "data" + mycolors.reset, end=' ') if w['sha256_hash']: print(mycolors.foreground.yellow + w['sha256_hash'] + mycolors.reset, end= ' ') if w['virustotal']: - print(mycolors.foreground.lightgreen + ' ' * 2 + "%-9s" % w['virustotal'].get('result') + mycolors.reset, end= ' ') + print(mycolors.foreground.lightgreen + ' ' * 2 + "%-9s" % w['virustotal'].get('result') + mycolors.reset, end='\t ') else: - print(mycolors.foreground.lightgreen + ' ' * 2 + "%-9s" % "Not Found" + mycolors.reset, end= ' ') + print(mycolors.foreground.lightgreen + ' ' * 2 + "%-9s" % "Not Found" + mycolors.reset, end= '\t ') if (w['url']): - print(mycolors.foreground.pink + ' ' * 2 + w['url'] + mycolors.reset) + print(mycolors.foreground.red + (("\n" + " ".ljust(98)).join(textwrap.wrap(w['url'],width=40))), end="\n") else: print(mycolors.foreground.pink + ' ' * 2 + "URL not provided".center(20) + mycolors.reset) @@ -5004,9 +5006,9 @@ def haussigsearchroutine(payloadtagx, haus): if(w['url_status'] == ''): print(mycolors.foreground.blue + mycolors.reverse + "unknown" + mycolors.reset, end=' ') if w['file_type']: - print(mycolors.foreground.purple + ' ' * 2 + "%-10s" % w['file_type'] + mycolors.reset, end=' ') + print(mycolors.foreground.purple + ' ' * 2 + "%-6s" % w['file_type'] + mycolors.reset, end=' ') else: - print(mycolors.foreground.purple + ' ' * 2 + "%-10s" % "unknown" + mycolors.reset, end=' ') + print(mycolors.foreground.purple + ' ' * 2 + "%-6s" % "data" + mycolors.reset, end=' ') if w['sha256_hash']: print(mycolors.foreground.red + w['sha256_hash'] + mycolors.reset, end= ' ') if w['virustotal']: @@ -5014,7 +5016,7 @@ def haussigsearchroutine(payloadtagx, haus): else: print(mycolors.foreground.cyan + ' ' * 2 + "%-9s" % "Not Found" + mycolors.reset, end= ' ') if (w['url']): - print(mycolors.foreground.green + ' ' * 2 + w['url'] + mycolors.reset) + print(mycolors.foreground.green + (("\n" + " ".ljust(98)).join(textwrap.wrap(w['url'],width=40))), end="\n") else: print(mycolors.foreground.green + ' ' * 2 + "URL not provided".center(20) + mycolors.reset) @@ -5128,7 +5130,7 @@ def haustagsearchroutine(haustag, hausurltag): else: print(mycolors.foreground.pink + "not provided".center(22) + mycolors.reset, end=' ') if (w['url']): - print(mycolors.foreground.yellow + " " * 2 + (w['url']).ljust(80) + mycolors.reset) + print(mycolors.foreground.yellow + ("\n" + "".ljust(51)).join(textwrap.wrap(w['url'],width=80)).ljust(80), end="\n") else: print(mycolors.foreground.yellow + " " * 2 + "URL not provided".center(80) + mycolors.reset) @@ -5149,7 +5151,7 @@ def haustagsearchroutine(haustag, hausurltag): else: print(mycolors.foreground.blue + "not provided".center(22) + mycolors.reset, end=' ') if (w['url']): - print(mycolors.foreground.red + " " * 2 + (w['url']).ljust(80) + mycolors.reset) + print(mycolors.foreground.red + ("\n" + "".ljust(51)).join(textwrap.wrap(w['url'],width=80)).ljust(80), end="\n") else: print(mycolors.foreground.red + " " * 2 + "URL not provided".center(80) + mycolors.reset, end=' ') @@ -8000,7 +8002,7 @@ def dirchecking(repo2): bazaar = 0 bazaararg = '' - parser = argparse.ArgumentParser(prog=None, description="Malwoverview is a first response tool for threat hunting written by Alexandre Borges. This version is 4.3.4", usage= "python malwoverview.py -c -d -f -o <0|1> -v <0|1|2|3> -a <0|1|2|3|4|5> -x <0|1> -w <0|1> -u -H -V -D <0|1> -e <0|1|2|3|4> -A -g -r -t <0|1> -l <1-14> -L -U -S -z -K <0|1|2> -j -J -P -R -G <0|1|2|3|4> -y <0|1|2|3> -Y -Y -T -W -k -I -n <1|2|3|4|5> -N -M <1-8> -m -Q <1-5> -q -E <1|2|3|4|5> -C -b <'1|2|3|4|5|6|7|8|9|10> -B ") + parser = argparse.ArgumentParser(prog=None, description="Malwoverview is a first response tool for threat hunting written by Alexandre Borges. This version is 4.3.5", usage= "python malwoverview.py -c -d -f -o <0|1> -v <0|1|2|3> -a <0|1|2|3|4|5> -x <0|1> -w <0|1> -u -H -V -D <0|1> -e <0|1|2|3|4> -A -g -r -t <0|1> -l <1-14> -L -U -S -z -K <0|1|2> -j -J -P -R -G <0|1|2|3|4> -y <0|1|2|3> -Y -Y -T -W -k -I -n <1|2|3|4|5> -N -M <1-8> -m -Q <1-5> -q -E <1|2|3|4|5> -C -b <'1|2|3|4|5|6|7|8|9|10> -B ") parser.add_argument('-c', '--config', dest='config', type=str, metavar = "CONFIG FILE", default = (USER_HOME_DIR + '.malwapi.conf'), help='Use a custom config file to specify API\'s') parser.add_argument('-d', '--directory', dest='direct',type=str, metavar = "DIRECTORY", help='Specifies the directory containing malware samples.') parser.add_argument('-f', '--filename', dest='fpname',type=str, metavar = "FILENAME", default = '', help='Specifies a full path to a malware sample. It returns general information about the file (any filetype)') @@ -8037,7 +8039,7 @@ def dirchecking(repo2): parser.add_argument('-T', '--androidsendvt', dest='androidsendvt', type=str, metavar = "ANDROID_SEND_VT", help='Sends an third-party APK package from your USB-connected Android device to Virus Total. The Android device does not need be rooted and the system needis to have the adb tool in the PATH environment variable.') parser.add_argument('-n', '--alienvault', dest='alienvault', type=int, default = 0, metavar = "ALIENVAULT", help='Checks multiple information from AlienVault. The possible values are: 1: Get the subscribed pulses ; 2: Get information about an IP address; 3: Get information about a domain; 4: Get information about a hash; 5: Get information about a URL') parser.add_argument('-N', '--alienvaultargs', dest='alienvaultargs', type=str, metavar = "ALIENVAULT_ARGS", help='Provides argument to AlienVault -n option.') - parser.add_argument('-M', '--malpedia', dest='malpedia', type=int, default = 0, metavar = "MALPEDIA", help='This option is related to MALPEDIA and presents different meanings depending on the chosen value. Thus, 1: List meta information for all families ; 2: List all actors ID ; 3: List all available payloads organized by family from Malpedia; 4: Get meta information from an specific actor, so it is necessary to use the -m option. Additionally, try to confirm the correct actor ID by executing malwoverview with option -M 3; 5: List all families IDs; 6: Get meta information from an specific family, so it is neccesary to use the -m option. Additionally, try to confirm the correct family ID by executing malwoverview with option -M 5; 7: Get a malware sample from malpedia (zip format -- password: infected). It is necessary to specify the requested hash by using -m option; 8: Get a zip file containing Yara rules for a specific family (get the possible families using -M 5), which must be specified by using -m option.') + parser.add_argument('-M', '--malpedia', dest='malpedia', type=int, default = 0, metavar = "MALPEDIA", help='This option is related to MALPEDIA and presents different meanings depending on the chosen value. Thus, 1: List meta information for all families ; 2: List all actors ID ; 3: List all available payloads organized by family from Malpedia; 4: Get meta information from an specific actor, so it is necessary to use the -m option. Additionally, try to confirm the correct actor ID by executing malwoverview with option -M 3; 5: List all families IDs; 6: Get meta information from an specific family, so it is necessary to use the -m option. Additionally, try to confirm the correct family ID by executing malwoverview with option -M 5; 7: Get a malware sample from malpedia (zip format -- password: infected). It is necessary to specify the requested hash by using -m option; 8: Get a zip file containing Yara rules for a specific family (get the possible families using -M 5), which must be specified by using -m option.') parser.add_argument('-m', '--malpediarg', dest='malpediaarg', type=str, metavar = "MALPEDIAARG", help='This option provides an argument to the -M option, which is related to MALPEDIA.') parser.add_argument('-Q', '--threatcrowd', dest='threatcrowd', type=int, default = 0, metavar = "THREATCROWD", help='Checks multiple information from ThreatCrowd. The possible values are: 1: Get information about the provided e-mail ; 2: Get information about an IP address; 3: Get information about a domain; 4: Get information about a provided MD5 hash; 5: Get information about a specific malware family.') parser.add_argument('-q', '--threatcrowdarg', dest='threatcrowdarg', type=str, metavar = "THREATCROWDARG", help='This option provides an argument to the -Q option, which is related to THREATCROWD.') diff --git a/setup.py b/setup.py index 1d9ae85..fb03da2 100644 --- a/setup.py +++ b/setup.py @@ -11,7 +11,7 @@ setup( name="malwoverview", - version="4.3.4", + version="4.3.5", author="Alexandre Borges", author_email="alexandreborges@blackstormsecurity.com", license="GNU GPL v3.0",