-
Notifications
You must be signed in to change notification settings - Fork 0
Expand file tree
/
Copy pathmalwarebazaar.py
More file actions
101 lines (88 loc) · 4.21 KB
/
Copy pathmalwarebazaar.py
File metadata and controls
101 lines (88 loc) · 4.21 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
import json
from viper.common.abstracts import Module
from viper.core.session import __sessions__
from viper.core.config import Config
import requests
import hashlib
cfg = Config()
malware_bazaar_api_key = cfg.get("malwarebazaar").api_key
class MalwareBazaar(Module):
cmd = 'malwarebazaar'
#It recquires a Malware Bazaar API Key.
description = 'This module queries MalwareBazaar for finding potential matches of the file opened on a Viper session.'
authors = ['Alejandro Prada']
categories = ['OSINT', 'correlation', 'triage']
def md5_file(self, filename):
md5_hash = hashlib.md5()
with open(filename, "rb") as f:
# Read and update hash in chunks of 4K
for byte_block in iter(lambda: f.read(4096), b""):
md5_hash.update(byte_block)
return md5_hash.hexdigest()
def sha256_file(self, filename):
sha256_hash = hashlib.sha256()
with open(filename, "rb") as f:
# Read and update hash in chunks of 4K
for byte_block in iter(lambda: f.read(4096), b""):
sha256_hash.update(byte_block)
return sha256_hash.hexdigest()
def show_response(self, response):
response_json = response.json()["data"][0]
file_name = response_json.get("file_name")
self.log("info", "Filename: " + file_name)
file_type_mime = response_json.get("file_type_mime")
file_type = response_json.get("file_type")
self.log("info", "MIME File Type: " + file_type_mime)
self.log("info", "File Type: " + file_type)
first_seen = response_json.get("first_seen")
last_seen = response_json.get("last_seen")
self.log("info", "First Seen: " + str(first_seen))
self.log("info", " Last Seen: " + str(last_seen))
malwarebazaar_signature = response_json.get('signature')
self.log("info", 'Signature: ' + malwarebazaar_signature)
tags = response_json.get("tags")
self.log('info', "Tags:" + str(tags))
# yararules
yara_rules = response_json.get('yara_rules')
if yara_rules:
self.log("info", "YARA rules:")
for yar in range(0, len(yara_rules)):
self.log("YARA Rule name: " + str(yara_rules[yar]['rule_name']))
self.log("YARA Description: " + str(yara_rules[yar]['description']))
self.log('info', "Intelligence information")
delivery_method = response_json.get("delivery_method")
self.log('info', "Delivery method: " + str(delivery_method))
intelligence = response.json()["data"][0]["intelligence"]["clamav"]
self.log('info', 'Intelligence-ClamAV: ' + str(intelligence))
#Threat Intelligence providers
threat_intel_results = response_json.get('vendor_intel')
if threat_intel_results:
vendors = threat_intel_results.keys()
self.log("info", "Threat Intel provider results:")
for v in vendors:
self.log('info', '\t' + v)
if 'Spamhaus_HBL' in v:
for res in threat_intel_results[v]:
for r in res.keys():
self.log('info', '\t\t' + str(r) + ": " + str(res[r]))
else:
atts = list(threat_intel_results[v].keys())
for a in atts:
self.log('info', '\t\t' + str(a) + ": " + str(threat_intel_results[v][a]))
def run(self):
self.log('info', "Searching for md5 hash on MalwareBazaar...")
if not __sessions__.is_set():
# No open session.
return
file = __sessions__.current.file.path
md5_file = self.md5_file(file)
data = {'query': 'get_info', 'hash': md5_file}
url = "https://mb-api.abuse.ch/api/v1/"
response = requests.post(url, data=data)
if response.json()["query_status"] == 'hash_not_found':
self.log('info', "\t[!] he sample hash was not found on Malwarebazaar ")
else:
self.show_response(response)
self.log('info', 'AbuseCH Malware Bazaar page:')
self.log('info', '\t https://bazaar.abuse.ch/sample/' + self.sha256_file(file))
self.log('info', 'Completed analysis.')