Malwoverview.py is a simple tool to perform an initial and quick triage on a directory containing malware samples (not zipped).
This tool aims to:
- Determine similar executable malware samples (PE/PE+) according to the import table (imphash) and group them by different colors (pay attention to the second column of the output). Thus, colors matter!
- Determine whether executable malware samples are packed or not packed according to the following rules:
  2a. Two or more sections with Entropy > 7.0 or < 1.0 ==> Packed.
  2b. Only one section with Entropy > 7.0 or two sections with SizeOfRawData ==> Likely packed.
  2c. No section with Entropy > 7.0 or SizeOfRawData ==> not packed.
- Determine whether the malware samples contain an overlay.
- Determine the .text section entropy.
Malwoverview.py only examines PE/PE+ files, skipping everything else.
- Check each malware sample against Virus Total.
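As an added example (not the project's own code), the three packing rules above applied to per-section entropy, with a pefile loader for real files; the comparison for SizeOfRawData is assumed to be == 0 since the rule does not spell it out, and the section bytes are constructed, not taken from any sample. It runs under Python 2.7 or 3.

```python
import math
from collections import Counter

# Constructed section contents (not real malware): 8.0 bits, roughly 4 bits, and exactly 2.0 bits.
UNIFORM = bytes(bytearray(range(256))) * 16                     # every byte value equally often
CODE_LIKE = b"mov eax, [ebp+8]; push ebx; call foo\n" * 100     # text-like, mid-range entropy
LOW = b"\x00\x01\x02\x03" * 1024                                # four symbols, uniform

# Each sample: list of (section name, raw bytes, SizeOfRawData), the shape sections_from_pe() yields.
SAMPLES = {
    "packed.exe": [(".text", UNIFORM, len(UNIFORM)), (".rsrc", UNIFORM, len(UNIFORM))],
    "likely.exe": [(".text", CODE_LIKE, len(CODE_LIKE)), (".data", UNIFORM, len(UNIFORM))],
    "plain.exe":  [(".text", CODE_LIKE, len(CODE_LIKE)), (".data", LOW, len(LOW))],
}

def shannon_entropy(data):
    """Shannon entropy in bits per byte: 0.0 for empty or constant data, 8.0 at most."""
    if not data:
        return 0.0
    n = float(len(data))
    return -sum((c / n) * math.log(c / n, 2) for c in Counter(data).values())

def classify_packing(sections):
    """Apply rules 2a-2c to (name, raw_bytes, SizeOfRawData) tuples, in the order the README lists them.
    Returns (verdict, [(name, entropy, SizeOfRawData), ...]) so the .text entropy can be read off too."""
    rows = [(name, shannon_entropy(raw), size) for name, raw, size in sections]
    extreme = sum(1 for _, e, _ in rows if e > 7.0 or e < 1.0)  # 2a counts both ends of the scale
    high = sum(1 for _, e, _ in rows if e > 7.0)
    zero_raw = sum(1 for _, _, s in rows if s == 0)              # assumption: the 2b/2c test is SizeOfRawData == 0
    if extreme >= 2:
        return "packed", rows            # 2a
    if high == 1 or zero_raw >= 2:
        return "likely packed", rows     # 2b
    return "not packed", rows            # 2c

def sections_from_pe(path):
    """Build the same tuples from a real PE/PE+ file with pefile (imported lazily so the
    constructed samples above run without it)."""
    import pefile
    pe = pefile.PE(path)
    return [(s.Name.rstrip(b"\x00").decode("ascii", "replace"), s.get_data(), s.SizeOfRawData)
            for s in pe.sections]

if __name__ == "__main__":
    for name, secs in sorted(SAMPLES.items()):
        verdict, rows = classify_packing(secs)
        text_entropy = [e for n, e, _ in rows if n == ".text"][0]
        print("%-12s %-14s .text entropy = %.2f" % (name, verdict, text_entropy))
```

Note that an empty section has entropy 0.0 and therefore also counts toward rule 2a, so two empty sections are reported as packed before rule 2b is ever reached.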
This tool was tested on a Kali Linux 2018 system. Therefore, it will be necessary to install:
- Python version 2.7.x.
$ apt-get install python
To install the python-magic package you can execute the following command:
$ pip install python-magic
Or compile it from the github repository:
$ git clone https://github.com/ahupp/python-magic
$ cd python-magic/
$ python setup.py build
$ python setup.py install
As there are serious concerns about the existence of two versions of the python-magic package, my recommendation is to install it from github (second procedure above) and copy the magic.py file to the SAME directory as the malwoverview tool.
- Pefile and colorama packages:
$ pip install pefile
$ pip install colorama
$ pip install simple-json
$ pip install requests
To use malwoverview, execute the command as shown below:
$ python malwoverview -d <directory> -f <fullpath> -i <0|1> -b <0|1> -v <0|1> -a <0|1> -p <0|1> -s <0|1> -x <0|1>
-d <directory> is the folder containing malware samples.
-f <fullpath> specifies the full path to a file. Shows general information about the file (any filetype).
-b 1 (optional) forces a light gray background (for black terminals). It does not work with the -f option.
-i 1 (optional) shows imports and exports (it is used with the -f option).
-x 1 (optional) extracts the overlay (it is used with the -f option).
-v 1 (optional) queries the Virus Total database for positives and totals (any filetype).
-a 1 (optional) queries the Hybrid Analysis database for the general report. Thus, you must edit malwoverview.py and insert your HA API key and respective secret.
-s 1 (optional) shows antivirus reports from the main players. This option is used with the -f option (any filetype).
-p 1 (optional) use this option if you have a public Virus Total API key. It forces a one minute wait every 4 malware samples, but allows obtaining a complete analysis of the malware repository.

If you use the Virus Total option, you must edit malwoverview.py and insert your VT API key. Remember that the public VT API only allows 4 searches per second (as shown in the picture above). Therefore, if you are willing to wait some minutes, you can use the -p option, which forces a one minute wait every 4 malware samples, but allows obtaining a complete analysis of the repository.

*ATTENTION: if the directory contains many malware samples, malwoverview.py may take a while. :)
This version:
* Adds the -a option for getting the Hybrid Analysis summary report.
* Adds the -i option for listing imported and exported functions. Therefore, the imported/exported function report was decoupled into a separate option.

This version:
* Adds the -p option for the public Virus Total API.
This version includes:
* evaluates a single file (any filetype)
* shows PE classes.
* shows imported functions.
* shows exported functions.
* extracts overlay.
* shows AV report from the main players (any filetype).

This version:
* Adds the VT checking feature.
Malwoverview is a tool to perform a basic triage of malware samples in a directory and group them according to their import functions (imphash) using colors.

This version:
* Shows the imphash information classified by color.
* Checks whether malware samples are packed.
* Checks whether malware samples have overlay.
* Shows the entropy of the malware samples.

Important aspect: Malwoverview does NOT submit samples to VT. It submits only hashes, thus respecting Non-Disclosure Agreements (NDAs).