PasteHunter v1.4.2 releases: Scanning pastebin with yara rules

PasteHunter

PasteHunter is a python3 application that is designed to query a collection of sites that host publicly posted data. For every paste it finds, it scans the raw contents against a series of yara rules, looking for information that can be used by an organisation or a researcher.


Supported Inputs

Pastehunter currently has support for the following sites:

  • pastebin.com
  • gist.github.com
  • slexy.org
  • StackExchange (there are about 176 StackExchange sites!)

Supported Outputs

Pastehunter supports several output modules:

  • dump to ElasticSearch DB (default).
  • Email alerts (SMTP).
  • Slack Channel notifications.
  • Dump to JSON file.
  • Dump to CSV file.

PostProcess

There are a handful of post-process modules that can run additional checks on the raw paste data.

Each postprocess module shares a few generic options:

  • enabled: This turns the module on and off.
  • module: This is used internally by pastehunter.

Email

This postprocess module extracts additional information from data that includes email addresses. It will extract counts for:

  • Total Emails
  • Unique Email addresses
  • Unique Email domains

These 3 values are then added to the metadata for storage.

  • rule_list: List of rules that will trigger the postprocess module.

Base64

This postprocess attempts to decode base64 data and then applies further processing to the decoded data. At the moment this module only operates when the full paste is a base64 blob, i.e. it will not extract base64 content that is embedded in other data.

  • rule_list: List of rules that will trigger the postprocess module.

Cuckoo

If the samples match a binary file format you can optionally send the file for analysis by a Cuckoo Sandbox.

  • api_host: IP or hostname for a Cuckoo API endpoint.
  • api_port: Port number for a Cuckoo API endpoint.

Viper

If the samples match a binary file format you can optionally send the file to a Viper instance for further analysis.

  • api_host: IP or hostname for a Viper API endpoint.
  • api_port: Port number for a Viper API endpoint.

Entropy

This postprocess module calculates Shannon entropy on the raw paste data. This can be used to help identify binary and encoded or encrypted data.

  • rule_list: List of rules that will trigger the postprocess module.
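As an added example (not PasteHunter's own code), here is a Python sketch of how the Base64 and Entropy postprocess steps described above could chain: the base64 step only fires when the whole paste is one blob, and Shannon entropy is then computed both on the raw paste and on whatever that step decoded. The `postprocess` function, its output field names, `MIN_BLOB_LEN`, the 7.0 threshold and the two sample pastes are all assumptions made for this illustration.

```python
import base64
import binascii
import math
import re
from collections import Counter

MIN_BLOB_LEN = 16  # constructed cut-off: shorter "blobs" are too often ordinary words


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for empty or single-symbol data, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def decode_full_base64(raw: bytes):
    """Decode only when the entire paste (ignoring whitespace) is one base64 blob; else None.
    Base64 embedded in other text is deliberately not extracted, matching the page's caveat."""
    compact = b"".join(raw.split())
    if len(compact) < MIN_BLOB_LEN or len(compact) % 4:
        return None
    if not re.fullmatch(rb"[A-Za-z0-9+/]+={0,2}", compact):
        return None
    try:
        return base64.b64decode(compact, validate=True)
    except binascii.Error:
        return None


def postprocess(paste: dict, raw: bytes, high_threshold: float = 7.0) -> dict:
    """Hypothetical postprocess chain (not PasteHunter's code): base64 step first,
    then entropy on both the raw paste and whatever the base64 step produced."""
    record = dict(paste)
    record["entropy"] = round(shannon_entropy(raw), 3)
    decoded = decode_full_base64(raw)
    if decoded is not None:
        record["base64_decoded"] = True
        record["decoded_size"] = len(decoded)
        record["decoded_entropy"] = round(shannon_entropy(decoded), 3)
    # Packed, compressed or encrypted payloads sit near 8 bits/byte; prose sits near 4-5.
    record["high_entropy"] = max(record["entropy"], record.get("decoded_entropy", 0.0)) >= high_threshold
    return record


# Constructed sample pastes (not real pastebin content).
PLAIN_PASTE = b"Meeting notes: rotate the API keys before Friday and notify the on-call team.\n"
BLOB_PASTE = base64.b64encode(bytes(range(256)) * 4) + b"\n"  # whole paste is one encoded blob

if __name__ == "__main__":
    for name, raw in (("plain", PLAIN_PASTE), ("blob", BLOB_PASTE)):
        print(name, postprocess({"pasteid": name}, raw))
```

Raw base64 text tops out near 6 bits/byte (64 symbols), so the entropy check is most useful after the decode step, which is why the chain runs it on both.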

Changelog v1.4.2

Changed

  • Fixed ix.io import
  • Made slexy’s timeout configurable (#121)

Install

For examples of data discovered using pastehunter, check out the author's tutorials here and here.

Copyright (C) 2017 kevthehermit 

Source: https://github.com/kevthehermit/