malwoverview v5.4.2 releases: perform an initial and quick triage on a directory containing malware samples

Malwoverview is a first response tool to perform an initial and quick triage in a directory containing malware samples, specific malware samples, suspect URL, and domains. Additionally, it allows us to download and send samples to the main online sandboxes.

This tool aims to :

  1. Determine similar executable malware samples (PE/PE+) according to the import table (imphash) and group them by different colors (pay attention to the second column from output). Thus, colors matter!
  2. Show hash information on Virus Total, Hybrid Analysis, Malshare, Polyswarm and URLhaus engines.
  3. Determining whether the malware samples contain overlay and, if you want, extract it.
  4. Check suspect files on Virus Total, Hybrid Analysis and Polyswarm.
  5. Check URLs on Virus Total, Malshare, Polyswarm and URLhaus engines.
  6. Download malware samples from Hybrid Analysis, Malshare and HausURL engines.
  7. Submit malware samples to VirusTotal, Hybrid Analysis and Polyswarm.
  8. List last suspected URLs from Malshare and URLHaus.
  9. List last payloads from URLHaus. 10. Search for specific payloads on the Malshare.
  10. Search for similar payloads (PE32/PE32+) on Polyswarm engine.
  11. Classify all files in a directory searching information on Virus Total and Hybrid Analysis.
  12. Make reports about a suspect domain.

Changelog v5.4.2

  • Fixes two small issues.


$ pip3.7 install python-magic
$ git clone
$ cd malwoverview
$ pip3.7 install -r requirements.txt


$ python malwoverview -d <directory> -f <fullpath> -b <0|1> -v <0|1> -p <0|1> -s <0|1> -x <0|1>


<directory> -d is the folder containing malware samples.
<fullpath> -f specifies the full path to a file. Shows general information about the file (any filetype).
(optional) -b 1 forces light gray background (for black terminals). It does not work with -f option.
(optional) -x 1 extracts overlay (it is used with -f option).
(optional) -v 1 queries Virus Total database for positives and totals (any filetype).
(optional) -s 1 shows antivirus reports from the main players. This option is used with -f option (any filetype).
(optional) -p 1 use this option if you have a public Virus Total API. It forces a one minute wait every 4 malware
samples, but allows obtaining a complete evaluation of the malware repository..

If you use Virus Total option, so it is necessary to edit the and insert your VT API.

Remember that public VT API only allows 4 searches per second (as shown at the image above). Therefore, if you
are willing to wait some minutes, so you can use the -p option, which forces a one minute wait every 4 malware
samples, but allows obtaining a complete evaluation of the repository.

Copyright (C) 2018-2020 Alexandre Borges <ab at blackstormsecurity dot com>