malwoverview: perform an initial and quick triage on a directory containing malware samples
Important aspect: Malwoverview does NOT submit samples to VT. It submits only hashes, thus respecting Non-Disclosure Agreements (NDAs).
Malwoverview.py is a simple tool to perform an initial and quick triage on a directory containing malware samples (not zipped).
This tool aims to:
- Determining similar executable malware samples (PE/PE+) according to the import table (imphash) and grouping them by different colors (pay attention to the second column of the output). Thus, colors matter!
- Determining whether executable malware samples are packed or not packed according to the following rules:
2a. Two or more sections with Entropy > 7.0 or < 1.0 ==> Packed.
2b. Only one section with Entropy > 7.0 or two sections with SizeOfRawData ==> Likely packed.
2c. No section with Entropy > 7.0 or SizeOfRawData ==> Not packed.
- Determining whether the malware samples contain overlay.
- Determining the .text section entropy.
Malwoverview.py only examines PE/PE+ files, skipping everything else.
- Checking each malware sample against Virus Total.
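As an added example (not the tool's own code), the triage heuristics above implemented over constructed section data: Shannon entropy per section, packing rules 2a-2c, the .text entropy and overlay detection. The names Section, packing_verdict, overlay_size and triage are chosen here; reading the SizeOfRawData condition as SizeOfRawData == 0 is an assumption, and the section contents are constructed, not taken from real samples.

```python
import math
from collections import Counter
from typing import List, NamedTuple

class Section(NamedTuple):
    name: str
    data: bytes                # raw section bytes as stored in the file
    pointer_to_raw_data: int   # PointerToRawData from the section header
    size_of_raw_data: int      # SizeOfRawData from the section header

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string, in bits per byte (0.0 to 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def packing_verdict(sections: List[Section]) -> str:
    """Rules 2a-2c from the README. Assumption (not stated on the page): the
    SizeOfRawData condition in 2b/2c is read as SizeOfRawData == 0."""
    ents = [shannon_entropy(s.data) for s in sections]
    extreme = sum(1 for e in ents if e > 7.0 or e < 1.0)
    high = sum(1 for e in ents if e > 7.0)
    no_raw = sum(1 for s in sections if s.size_of_raw_data == 0)
    if extreme >= 2:
        return "packed"          # rule 2a
    if high == 1 or no_raw >= 2:
        return "likely packed"   # rule 2b
    return "not packed"          # rule 2c

def overlay_size(file_size: int, sections: List[Section]) -> int:
    """Bytes appended after the end of the last section's raw data."""
    end = max((s.pointer_to_raw_data + s.size_of_raw_data for s in sections), default=0)
    return max(0, file_size - end)

def triage(file_size: int, sections: List[Section]) -> dict:
    """One row of the kind of output the README describes: verdict, .text entropy, overlay."""
    text = next((s for s in sections if s.name == ".text"), None)
    return {"verdict": packing_verdict(sections),
            "text_entropy": round(shannon_entropy(text.data), 2) if text else None,
            "overlay": overlay_size(file_size, sections)}

# Constructed sample section contents; no real malware is involved.
UNIFORM = bytes(range(256)) * 4           # every byte value equally likely: entropy 8.0
ZEROS = b"\x00" * 1024                    # a single byte value: entropy 0.0
PLAIN = b"mov eax, ebx; push ebp; " * 40  # code-like text: mid-range entropy (~3.6)
PACKED = [Section(".text", b"", 0, 0), Section(".data", UNIFORM, 0x400, len(UNIFORM)),
          Section(".rsrc", ZEROS, 0x800, len(ZEROS))]
LIKELY = [Section(".text", PLAIN, 0x400, len(PLAIN)), Section(".data", UNIFORM, 0x800, len(UNIFORM))]
CLEAN = [Section(".text", PLAIN, 0x400, len(PLAIN)), Section(".data", PLAIN, 0x800, len(PLAIN))]
```

Feeding the section table of a real PE (for instance as parsed by the pefile library) into triage() gives the same three columns the tool prints per sample.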
$ git clone https://github.com/ahupp/python-magic
$ cd python-magic/
$ python setup.py build
$ python setup.py install
$ git clone https://github.com/alexandreborges/malwoverview.git
$ cd malwoverview
$ pip install -r requirements.txt
$ python malwoverview.py -d <directory> -f <fullpath> -b <0|1> -v <0|1> -p <0|1> -s <0|1> -x <0|1>
<directory> -d is the folder containing the malware samples.
<fullpath> -f specifies the full path to a file. Shows general information about the file (any filetype).
(optional) -b 1 forces a light gray background (for black terminals). It does not work with the -f option.
(optional) -x 1 extracts the overlay (used with the -f option).
(optional) -v 1 queries the Virus Total database for positives and totals (any filetype).
(optional) -s 1 shows antivirus reports from the main players. This option is used with the -f option (any filetype).
(optional) -p 1 use this option if you have a public Virus Total API key. It forces a one minute wait every 4 malware samples, but allows obtaining a complete evaluation of the malware repository.
If you use the Virus Total option, you need to edit malwoverview.py and insert your VT API key.
Remember that the public VT API only allows 4 searches per minute (as shown in the image above). Therefore, if you are willing to wait some minutes, you can use the -p option, which forces a one minute wait every 4 malware samples, but allows obtaining a complete evaluation of the repository.
ATTENTION: if the directory contains many malware samples, malwoverview.py may take some time. 🙂
(Gaps in the VT output in the image above are due to the public VT API key, which allows only 4 searches per minute.)
Copyright (C) 2018 Alexandre Borges <ab at blackstormsecurity dot com>