What is Munin?

Munin is an online hash checker utility that retrieves valuable information from various online sources

The current version of Munin queries the following services:

Virustotal
Malshare
HybridAnalysis

Note: Munin is based on the script “VT-Checker”, which has been maintained in the LOKI repository

Features

Extracts hashes from any text file based on regular expressions
Retrieves valuable information from Virustotal via API (JSON response) and other information via permalink (HTML parsing)
Keeps a history (cache) to query the services only once for a hash that may appear multiple times in the text file
Creates CSV file with the findings for easy post-processing and reporting
Appends results to a previous CSV if available

Displays

Hash and comment (comment is the rest of the line of which the hash has been extracted)
AV vendor matches based on a user-defined list
Filenames used in the wild
Signer of a signed portable executable
Result based on Virustotal ratio
First and the last submission
Tags for certain indicators: Harmless, Signed, Expired, Revoked, MSSoftware

Extra Checks

Queries Malshare.com for sample uploads
Queries Hybrid-Analysis.com for the present analysis
Imphash duplicates in current batch > allows you to spot overlaps in import table hashes

Usage e.g.:

python munin.py -i my-api-keys.ini -f ~/Downloads/retrohunt_results.txt –retroverify -r 50 –nocache

Munin will then check only 50 lines with the same “comment”, which is the “signature name” in Virustotal Retrohunt results. It will generate a total result of the checked samples.