Purpose: stop searching for sample hashes on 10 different sites. This is a simple Python3 Flask application running on port 5000 interacting with various platforms (TBC) and caching the results in a Redis database for faster responses.


Git clone the repository:

$ git clone https://github.com/PaulSec/metasearch-public.git
$ cd metasearch-public

Add your API tokens (and Redis parameters) for the specific plugins in the app/config-sample.json file:

    "hybrid_analysis": {
        "api": "XXXXXXXXXXXXXXXXXX",
        "secret": "XXXXXXXXXXXXXXXXXX"
    },
    "malshare": {
        ...
    },
    "redis_host": "redis",
    "redis_port": 6379

Finally, rename the file from config-sample.json to config.json.

Quickstart (with docker-compose)

Then, use docker-compose in the metasearch directory:

$ docker-compose up

The service is accessible on port 5000. You can check that the containers are up by typing:

$ docker ps -a
CONTAINER ID        IMAGE               COMMAND                  CREATED             STATUS                    PORTS                    NAMES
3ed6edac232d        metasearch_web      "python main.py"         About an hour ago   Up About an hour>5000/tcp   metasearch_web_1
6bddda639254        redis:alpine        "docker-entrypoint..."   2 hours ago         Up About an hour          6379/tcp                 metasearch_redis_1

Interacting with the API

These are the available API endpoints:

| HTTP Method | URI | Description |
|-------------|-----|-------------|
| GET | /plugins | Lists all the plugins loaded within the application |
| GET | /hybrid_analysis/hash | Will check the hash provided on Hybrid-analysis |
| GET | /virustotal/hash | Will check the hash provided on VirusTotal |
| GET | /malshare/hash | Will check the hash provided on MalShare |
| GET | /virusbay/hash | Will check the hash provided on VirusBay |
| GET | /search/hash | Will check on all the platforms listed above |


Retrieving all the plugins.

$ curl -s | jq .

Looking up d84769d63aa6b8718ab4bd86e27e26a4 on MalShare.

$ curl -s | jq .
  "found": true,
  "data": {
    "SHA1": "78cac2c75b0fe9e7d3819341a451dabcad4d7678",
    "MD5": "d84769d63aa6b8718ab4bd86e27e26a4",
    "F_TYPE": "PE32",
    "SHA256": "c2c855b71cc8b1c1c731f4cadab8a24db4cd8b66f8583cb9640c35d296baf6b0",
    "SOURCES": [
    "SSDEEP": "384:fKxvDuPNItH19GTXjdh8duujYcV6AUwJFZb:f44atV9AhsfYcV6Dw9b"
  "name": "malshare"

Looking up 2dd395cbd297e8b40a4b64b3bb21e655 on all the platforms.

$ curl -s | jq . | more
    "links": {
      "self": "https://www.virustotal.com/ui/search?query=2dd395cbd297e8b40a4b64b3bb21e655&relationships[url]=network_location%2Clast_serving_ip_address&relationships[comment]=author%2Citem"
    "data": [
        "attributes": {
          "names": [
          "elf_info": {
            "imports": [


        "type": "file"
    "found": true,
    "name": "virustotal"
    "found": false,
    "data": [],
    "name": "malshare"
    "search": [
        "tags": [
            "__v": 0,
            "isHash": false,
            "_id": "5a3b6199697fdd3b4ded78f6",
            "lowerCaseName": "elf",
            "name": "elf"
            "__v": 0,
            "isHash": false,
            "_id": "5a3b6199697fdd3b4ded78f7",
            "lowerCaseName": "linux",
            "name": "linux"
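
A small client for the per-plugin endpoints listed above, added here as an example and not part of the metasearch code base: it validates the digest before it reaches the URL path and checks that a plugin's answer matches the query. Assumptions: the instance is reachable at the `BASE_URL` shown, `hash` in the URI is the hex digest itself, and all function names are hypothetical.

```python
import json
import re
import urllib.request

BASE_URL = "http://127.0.0.1:5000"  # assumption: local instance on the Flask port
PLUGINS = ("hybrid_analysis", "virustotal", "malshare", "virusbay")  # from the endpoint table
HASH_LENGTHS = {32: "MD5", 40: "SHA1", 64: "SHA256"}
# Fields copied from the MalShare lookup shown above (remaining fields left out).
SAMPLE = {"found": True, "name": "malshare",
          "data": {"MD5": "d84769d63aa6b8718ab4bd86e27e26a4", "F_TYPE": "PE32"}}

def hash_kind(value):
    """Return 'MD5', 'SHA1' or 'SHA256' for a well-formed hex digest, else raise."""
    if not re.fullmatch(r"[0-9a-fA-F]+", value) or len(value) not in HASH_LENGTHS:
        raise ValueError(f"not an MD5/SHA1/SHA256 hex digest: {value!r}")
    return HASH_LENGTHS[len(value)]

def lookup_url(plugin, sample_hash, base_url=BASE_URL):
    """Build the lookup URL; only known plugins and validated digests reach the path."""
    if plugin not in PLUGINS:
        raise ValueError(f"unknown plugin: {plugin!r}")
    hash_kind(sample_hash)
    return f"{base_url.rstrip('/')}/{plugin}/{sample_hash.lower()}"

def check_result(plugin, sample_hash, result):
    """Return the 'found' flag, rejecting answers that do not match the query."""
    if result.get("name") != plugin:
        raise ValueError(f"expected a {plugin} result, got {result.get('name')!r}")
    if not result.get("found"):
        return False
    data = result.get("data")
    # MalShare-style data echoes the digests; a mismatch means a mixed-up or stale entry.
    echoed = data.get(hash_kind(sample_hash)) if isinstance(data, dict) else None
    if echoed is not None and echoed.lower() != sample_hash.lower():
        raise ValueError(f"{plugin} returned data for {echoed}, not {sample_hash}")
    return True

def lookup(plugin, sample_hash, timeout=15):
    """Query one plugin endpoint of a running instance and validate its answer."""
    with urllib.request.urlopen(lookup_url(plugin, sample_hash), timeout=timeout) as resp:
        return check_result(plugin, sample_hash, json.load(resp))

if __name__ == "__main__":
    md5 = "d84769d63aa6b8718ab4bd86e27e26a4"  # offline run against the sample response
    print(lookup_url("malshare", md5), check_result("malshare", md5, SAMPLE))
```

Call `lookup(plugin, digest)` against a running instance; the `__main__` block only exercises the validation on the embedded sample and needs no network.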


This project has been released under MIT License. Contributions are more than welcome. Ping me on Twitter @PaulWebSec if you want some help for that.