ph0neutria v1.0.1 releases: malware crawler

ph0neutria is a malware zoo builder that sources samples straight from the wild. Everything is stored in Viper for ease of access and manageability.

This project was inspired by Ragpicker (formerly known as “Malware Crawler”). However, ph0neutria aims to:

  • Limit the scope of crawling to only frequently updated and reliable sources.
  • Maximise the effectiveness of individual indicators.
  • Offer a single, reliable and well-organized storage mechanism.
  • Not do work that can instead be done by Viper.


As of version 1.0.0 all sources are created as ‘plugins’, found in the plugin sub-directory of the core scripts folder. Default sources are:

  • 0xffff0800’s Malware Library (credit:
  • CleanMX (requires approved user-agent).
  • Cymon, which includes: trackers, Bambenek C2 feed, Cyber Crime Tracker, Malc0de, URLVir and VX Vault.
  • Hybrid Analysis (requires vetted API key).
  • OTX.
  • Shodan, using the Malware Hunter search facility.
  • URLhaus.

Each plugin has parameters that must be completed prior to operation. You’ll find these at the top of each plugin file.

VirusTotal is a core component of ph0neutria and cannot be disabled. IP lists are fed into it to discover the URLs known to be associated with those IPs. If you have a standard 5 requests/minute API key, I’d encourage being conservative with what you feed it. You can do this by:

  • Reducing the number of Cymon feeds.
  • Reducing your OTX subscription count.
  • Setting the Hybrid Analysis SCORE_MIN parameter to 100.

Changelog v1.0.1

  • Source update (added 0xffff0800’s library). Samples can now be tagged with VirusTotal sourced classification.


The following script will install ph0neutria along with Viper and Tor:

chmod +x
sudo ./

Simple as that!


Configure additional ClamAV signatures:

cd /tmp
git clone
cd clamav-unofficial-sigs
cp /usr/local/bin
chmod 755 /usr/local/bin/
mkdir /etc/clamav-unofficial-sigs
cp config/ /etc/clamav-unofficial-sigs
cd /etc/clamav-unofficial-sigs*

Rename os.<yourdistro>.conf to os.conf, for example:

mv os.ubuntu.conf os.conf

Modify configuration files:

  • master.conf: search for “Enabled Databases” and enable/disable desired sources.
  • user.conf: uncomment the required lines for the sources you have enabled and complete them. user.conf overrides master.conf. Once setup is complete you must also uncomment user_configuration_complete="yes", otherwise the following commands will not succeed.

For more configuration info see:

mkdir /var/log/clamav-unofficial-sigs
--install-cron --install-logrotate --install-man
cd /tmp/clamav-unofficial-sigs
cp systemd/* /etc/systemd
cd ..
rm -rf clamav-unofficial-sigs

Pulling down the new signatures takes a while, and ClamAV may be unavailable in the meantime.
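The user.conf step above is the one that is easiest to get wrong when rebuilding a zoo host: lines have to be uncommented and completed, and a forgotten user_configuration_complete="yes" makes the install commands fail. The helper below is an added example (not code from clamav-unofficial-sigs or ph0neutria) that uncomments and sets such lines idempotently, so the edit can be scripted and re-run. It assumes settings are shell-style lines of the form #key="value" (disabled) or key="value" (enabled), which matches the user_configuration_complete line quoted above; the key example_source_enabled in the demo is a constructed placeholder, not a real configuration key.

```shell
#!/bin/sh
# Added example, not part of clamav-unofficial-sigs or ph0neutria.
# Assumption: user.conf settings are lines of the form
#   #key="value"   (disabled)   or   key="value"   (enabled)
set -u

# set_conf_value FILE KEY VALUE
# Rewrites an existing (possibly commented-out) KEY line in place and appends
# the line if KEY is absent. Running it twice leaves the file unchanged, so it
# is safe to call from a provisioning script on every run.
set_conf_value() {
  file=$1
  key=$2
  value=$3
  tmp="$file.tmp.$$"
  if grep -q "^#\{0,1\}${key}=" "$file"; then
    # Basic regex: optional leading '#', then the key and the rest of the line.
    sed "s|^#\{0,1\}${key}=.*|${key}=\"${value}\"|" "$file" > "$tmp"
  else
    cat "$file" > "$tmp"
    printf '%s="%s"\n' "$key" "$value" >> "$tmp"
  fi
  mv "$tmp" "$file"
}

# get_conf_value FILE KEY
# Prints the active (uncommented) value of KEY, or nothing if it is not set.
get_conf_value() {
  sed -n "s|^${2}=\"\{0,1\}\([^\"]*\)\"\{0,1\}$|\1|p" "$1" | tail -n 1
}

# Demonstration on a constructed user.conf fragment (not the real file).
# Prints the value of user_configuration_complete after the edits: yes
demo() {
  f=$(mktemp)
  cat > "$f" <<'EOF'
# constructed sample that mimics the layout of user.conf
#user_configuration_complete="yes"
#example_source_enabled="yes"
EOF
  set_conf_value "$f" example_source_enabled yes
  set_conf_value "$f" user_configuration_complete yes
  set_conf_value "$f" user_configuration_complete yes   # second run is a no-op
  get_conf_value "$f" user_configuration_complete
  rm -f "$f"
}
```

Because the edit is idempotent, the same script can enable the chosen sources and flip user_configuration_complete on every rebuild of the host without leaving duplicate or half-commented lines behind.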


Take precautions when piecing together your malware zoo:

  • Do not disable Tor unless replacing with an anonymous VPN.
  • Operate on an isolated network and on dedicated hardware.
  • Only execute samples in a suitable Sandbox (refer:
  • Monitor for abuse of your API keys.

Ensure Tor is started:

service tor restart

Start the Viper API:

cd /opt/viper
sudo -H -u spider python viper-api

Start the Viper web interface:

cd /opt/viper
sudo -H -u spider python viper-web

  • Complete the config file at: /opt/ph0neutria/config/settings.conf
  • Complete the config file at: /home/spider/.viper/viper.conf

Start ph0neutria:

cd /opt/ph0neutria
sudo -H -u spider python

You can press Ctrl+C at any time to kill the run. You are free to run it again whenever you like: a repeated run will not create duplicate entries in the database.

To run this daily, create a script in /etc/cron.daily with the following:

cd /opt/ph0neutria && sudo -H -u spider python
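A bare one-liner in /etc/cron.daily works, but a daily crawl of live malware sources deserves two guards the page's precautions imply: never start a second run while the previous one is still going, and never crawl when Tor is down. The wrapper below is an added example (not part of the ph0neutria project) that adds those guards around the exact command shown above. It assumes Tor's SOCKS listener is on port 9050 and checks it with ss(8) from iproute2; the lock directory and log file paths are this example's own choices; and the crawler entry point is a placeholder (CRAWLER_SCRIPT) because this page does not name the script it invokes with "sudo -H -u spider python".

```shell
#!/bin/sh
# Added example: a defensive /etc/cron.daily wrapper for ph0neutria.
# Not part of the ph0neutria project. Assumptions (not stated on the page):
#  - Tor's SOCKS listener is on TOR_PORT (9050), checked with ss(8)
#  - CRAWLER_SCRIPT is a placeholder for the entry point the page invokes
#  - LOCK_DIR and LOG_FILE are this example's own paths
set -u

PH0_DIR="${PH0_DIR:-/opt/ph0neutria}"
PH0_USER="${PH0_USER:-spider}"
CRAWLER_SCRIPT="${CRAWLER_SCRIPT:-CRAWLER_SCRIPT_PLACEHOLDER.py}"
LOCK_DIR="${LOCK_DIR:-/var/lock/ph0neutria}"
LOG_FILE="${LOG_FILE:-/var/log/ph0neutria-daily.log}"
TOR_PORT="${TOR_PORT:-9050}"

log() {
  printf '%s %s\n' "$(date '+%Y-%m-%dT%H:%M:%S')" "$*" >> "$LOG_FILE"
}

# mkdir(2) is atomic, so a directory works as a lock on any POSIX system
# without flock(1). Succeeds only if no other run currently holds the lock.
acquire_lock() {
  mkdir "$1" 2>/dev/null
}

release_lock() {
  rmdir "$1" 2>/dev/null
}

# True when something is listening on TCP port $1 (Tor's SOCKS port here).
# If ss(8) is missing the check fails closed, i.e. the crawl does not start.
tor_listening() {
  ss -ltn 2>/dev/null | grep -q ":$1 "
}

# The invocation the page documents, built from the configured values.
build_command() {
  printf 'cd %s && sudo -H -u %s python %s\n' "$1" "$2" "$3"
}

main() {
  if ! acquire_lock "$LOCK_DIR"; then
    log "previous run still holds $LOCK_DIR, skipping"
    return 1
  fi
  trap 'release_lock "$LOCK_DIR"' EXIT INT TERM

  # The page says never to crawl without Tor (or an anonymous VPN), so refuse
  # to start when the SOCKS port is down instead of crawling from the host's
  # own address.
  if ! tor_listening "$TOR_PORT"; then
    log "nothing listening on Tor port $TOR_PORT, refusing to crawl"
    return 1
  fi

  log "starting crawl as $PH0_USER"
  sh -c "$(build_command "$PH0_DIR" "$PH0_USER" "$CRAWLER_SCRIPT")" >> "$LOG_FILE" 2>&1
  status=$?
  log "crawl finished with exit status $status"
  return "$status"
}

# Only start a crawl when cron runs this file from /etc/cron.daily; executing
# or sourcing it from anywhere else just defines the functions above.
case "$0" in
  */cron.daily/*) main ;;
esac
```

Install it as /etc/cron.daily/ph0neutria (mode 755, owned by root) and substitute the real entry point for the placeholder. The log file gives you a per-day record of whether the crawl ran, was skipped because a previous run overran, or refused to start because Tor was down; the last case is the one worth alerting on, since a crawler that silently falls back to direct connections is exactly what the Tor precaution above is meant to prevent.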

Copyright 2018 Chris Campbell (phage-nz)