malwarehouse

A warehouse for your malware


Malwarehouse is a warehouse for your malware: a command line utility for storing, tagging, and searching malware samples. It is intended to help analysts manage their workflow by performing basic triage on each sample and making it easy to look up past samples.

Requirements

  • Python3

Authors

License

See LICENSE for more information

Thanks

  • Jonathan Hencinski
  • Chris St.Myers

Xen0ph0n's Fork of Malwarehouse below this point: Let me know if stuff is broken: chris@xenosec.org

New Requirements (Each Optional and Can Be Disabled)

  • ssdeep / pydeep
  • exiftool / pyexiftool
  • yara / yara-python
  • VirusTotal API key (the free public API is fine)

New Features

  • Moved the directory settings, VT API key and YARA rule file path into malwarehouse.cfg
  • Added ssdeep fuzzy hashing
  • Added extraction of file metadata (via exiftool) and a search over it
  • Added full-file YARA scanning and a search over the matched rule names
  • Added a VirusTotal hit ratio / scan date lookup by hash (a paid API allows much more)
  • Widened the sample search to cover tags, source and name, with substring matching instead of an exact match
  • Various other changes to make the above work

Instructions for set up

Install the prerequisites, then edit the following settings in malwarehouse.cfg. The file holds your VirusTotal API key, so keep it readable only by you (chmod 600) and out of any repository you push. Also note that with vtcheck On, the hashes of your samples are looked up at VirusTotal, which tells a third party what you are analysing; leave it Off for sensitive cases.

#Config File for Malwarehouse
#Turn on or off options here
[options]
vtcheck: Off
metadata: On
yara: On
ssdeep: On

[settings]
#This is where you want the malware and DB to live
basedir: /Path/to/Malwarehouse/MWH/
#Full path to your yara rules file.
yararules: /Path/To/yararules/yararules.yar
#Your VirusTotal API key. The free public API allows 4 lookups per minute. Make a VT account, then open your profile (upper right corner) and copy the API key.
vtapikey: VTAPI KEY GOES HERE
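Loading and sanity-checking this configuration, as an added example that is not the project's own loader: it reads the file with configparser, turns the On/Off switches into booleans, and reports the settings that would break a run or silently disable a feature, such as yara On with a missing rules file, or vtcheck On with the placeholder key still in place. It also checks that the file is not readable by other users, since it holds the API key. The function names, SAMPLE_CFG and the exact set of checks are assumptions.

```python
"""Parse and sanity-check malwarehouse.cfg.

Added example for this README; not the project's own config loader. It assumes
the field names shown in the cfg above and relies on configparser reading
On/Off as booleans (it accepts on/off, yes/no, true/false, 1/0).
"""
import configparser
import os
import tempfile

# The cfg from the README, embedded here as a constructed sample.
SAMPLE_CFG = """\
#Config File for Malwarehouse
#Turn on or off options here
[options]
vtcheck: Off
metadata: On
yara: On
ssdeep: On

[settings]
#This is where you want the malware and DB to live
basedir: /Path/to/Malwarehouse/MWH/
#Full path to your yara rules file.
yararules: /Path/To/yararules/yararules.yar
#Your VirusTotal API key.
vtapikey: VTAPI KEY GOES HERE
"""

PLACEHOLDER_KEY = "VTAPI KEY GOES HERE"
OPTION_NAMES = ("vtcheck", "metadata", "yara", "ssdeep")


def load_config(text):
    """Return a flat dict: the four feature switches as bools, the settings as strings."""
    # interpolation=None: a '%' inside an API key must not be treated as a format directive
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    cfg = {name: cp["options"].getboolean(name, fallback=False) for name in OPTION_NAMES}
    for name in ("basedir", "yararules", "vtapikey"):
        cfg[name] = cp["settings"].get(name, fallback="").strip()
    return cfg


def validate_config(cfg):
    """List what would break, or silently disable a feature, if malwarehouse ran with this cfg."""
    problems = []
    if not os.path.isdir(cfg["basedir"]):
        problems.append("basedir does not exist: %r" % cfg["basedir"])
    if cfg["yara"] and not os.path.isfile(cfg["yararules"]):
        problems.append("yara is On but yararules is missing: %r" % cfg["yararules"])
    if cfg["vtcheck"] and cfg["vtapikey"] in ("", PLACEHOLDER_KEY):
        problems.append("vtcheck is On but vtapikey is empty or still the placeholder")
    return problems


def config_file_is_private(path):
    """True if only the owner can read the cfg (it holds the VT API key). POSIX modes only."""
    return (os.stat(path).st_mode & 0o077) == 0


def permission_demo():
    """Write the sample cfg to a temp file and run the check at mode 0600 and 0644.
    Returns (private_ok, world_readable_ok); None where chmod has no meaning (non-POSIX)."""
    if os.name != "posix":
        return None
    fd, path = tempfile.mkstemp(suffix=".cfg")
    with os.fdopen(fd, "w") as fh:
        fh.write(SAMPLE_CFG)
    try:
        os.chmod(path, 0o600)
        private = config_file_is_private(path)
        os.chmod(path, 0o644)
        shared = config_file_is_private(path)
    finally:
        os.remove(path)
    return private, shared


if __name__ == "__main__":
    for problem in validate_config(load_config(SAMPLE_CFG)) or ["config OK"]:
        print(problem)
    print("permission check at 0600 / 0644:", permission_demo())
```

With the sample config as written, validate_config() reports the missing basedir and yararules paths but says nothing about the placeholder key, because vtcheck is Off; flip it to On and the key check fires as well.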

m-jingu's Fork of Malwarehouse below this point:

New Features

  • Implemented the DELETE option.
  • Implemented the UPDATE option.
  • Added notes to the fields covered by search.
  • Added sha1 to the DB schema.
  • Loading a sample into the DB now copies it; the original file is no longer deleted.
  • Hash lookups are case-insensitive.
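The core of such a warehouse, as an added example that is not malwarehouse's own code: a content-addressed data/<sha256> directory plus a SQLite index, with the behaviour listed above and in the original description (copy rather than move, sha1 in the schema, case-insensitive hash lookup, substring search across name, tags, source and notes, and UPDATE/DELETE keyed by sha256). The schema, the Warehouse class, the demo() helper and the two constructed sample files are assumptions, not the project's actual layout.

```python
"""Content-addressed sample store with a SQLite index: an added example for this
README, not malwarehouse's own code. The schema, the Warehouse class and the
data/<sha256> layout are assumptions that mirror the behaviour described above."""
import hashlib
import os
import shutil
import sqlite3
import tempfile

# COLLATE NOCASE makes "WHERE md5 = ?" match regardless of the hex digits' case.
SCHEMA = """CREATE TABLE IF NOT EXISTS samples (
    sha256 TEXT PRIMARY KEY COLLATE NOCASE, md5 TEXT COLLATE NOCASE, sha1 TEXT COLLATE NOCASE,
    name TEXT, source TEXT, tags TEXT, notes TEXT, size INTEGER)"""


def hash_file(path):
    """Stream the file once through all three digests; samples can be large."""
    md5, sha1, sha256 = hashlib.md5(), hashlib.sha1(), hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            md5.update(chunk); sha1.update(chunk); sha256.update(chunk)
    return md5.hexdigest(), sha1.hexdigest(), sha256.hexdigest()


class Warehouse:
    def __init__(self, basedir):
        self.datadir = os.path.join(basedir, "data")
        os.makedirs(self.datadir, exist_ok=True)
        self.db = sqlite3.connect(os.path.join(basedir, "malwarehouse.db"))
        self.db.executescript(SCHEMA)

    def load(self, path, source="", tags="", notes=""):
        """Copy (never move) the file to data/<sha256> and index it; same content replaces the row."""
        md5, sha1, sha256 = hash_file(path)
        dest = os.path.join(self.datadir, sha256)
        if not os.path.exists(dest):
            shutil.copy2(path, dest)  # copy2 keeps the original's timestamps
            os.chmod(dest, 0o440)  # stored copy is read-only: never run, never edited in place
        self.db.execute("INSERT OR REPLACE INTO samples VALUES (?,?,?,?,?,?,?,?)",
                        (sha256, md5, sha1, os.path.basename(path), source, tags, notes,
                         os.path.getsize(path)))
        self.db.commit()
        return sha256

    def find(self, term):
        """Case-insensitive substring on name/tags/source/notes, or exact (any case) hash match."""
        like = "%" + term + "%"
        rows = self.db.execute(
            "SELECT sha256 FROM samples WHERE name LIKE ? OR tags LIKE ? OR source LIKE ?"
            " OR notes LIKE ? OR md5 = ? OR sha1 = ? OR sha256 = ? ORDER BY sha256",
            (like, like, like, like, term, term, term)).fetchall()
        return [r[0] for r in rows]

    def update(self, sha256, **fields):
        """Change source/tags/notes of one sample; returns the number of rows touched."""
        cols = [c for c in ("source", "tags", "notes") if c in fields]  # whitelist of column names
        sets = ", ".join(c + " = ?" for c in cols)  # names from the whitelist, every value is bound
        cur = self.db.execute("UPDATE samples SET " + sets + " WHERE sha256 = ?",
                              [fields[c] for c in cols] + [sha256])
        self.db.commit()
        return cur.rowcount

    def delete(self, sha256):
        """Drop the index row and the stored copy; the analyst's original file is untouched."""
        row = self.db.execute("SELECT sha256 FROM samples WHERE sha256 = ?", (sha256,)).fetchone()
        if row is None:
            return 0
        stored = os.path.join(self.datadir, row[0])  # row[0] is the canonical lowercase digest
        self.db.execute("DELETE FROM samples WHERE sha256 = ?", (row[0],))
        self.db.commit()
        if os.path.exists(stored):
            os.chmod(stored, 0o600)
            os.remove(stored)
        return 1


def demo():
    """Exercise the store on two constructed 'samples' in a throwaway directory."""
    work = tempfile.mkdtemp()
    inbox = os.path.join(work, "inbox")
    os.makedirs(inbox)
    a_path, b_path = os.path.join(inbox, "dropper.bin"), os.path.join(inbox, "payload.bin")
    for p, body in ((a_path, b"MZ constructed sample A"), (b_path, b"MZ constructed sample B")):
        with open(p, "wb") as fh:
            fh.write(body)
    wh = Warehouse(os.path.join(work, "MWH"))
    a = wh.load(a_path, source="vt", tags="RAT, PlugX", notes="dll")
    b = wh.load(b_path, source="honeypot", tags="Ransom")
    out = {
        "original_kept": os.path.exists(a_path),
        "stored": os.path.exists(os.path.join(wh.datadir, a)),
        "by_tag": wh.find("plugx"),  # substring, case-insensitive
        "by_upper_md5": wh.find(hashlib.md5(b"MZ constructed sample A").hexdigest().upper()),
        "updated": wh.update(a, notes="drop by: " + b),
        "by_note": wh.find(b[:16]),  # notes are part of the search
        "deleted": wh.delete(b.upper()),  # hash lookup ignores hex case
        "after_delete": wh.find("Ransom"),
    }
    wh.db.close()
    shutil.rmtree(work)
    return a, out
```

Calling demo() returns the first sample's sha256 and a dict of results: both originals stay in the inbox, "plugx", the upper-cased md5 and a fragment of the note all resolve to the same sample, and deleting by an upper-cased sha256 removes both the row and the stored copy. The column names in update() come from a fixed whitelist and every value is a bound parameter, so tags or notes copied from a sample's strings cannot turn into SQL.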

Usage

Usage: malwarehouse.py [options] filepath

Options:
  --version             show program's version number and exit
  -h, --help            show this help message and exit
  -s SOURCE, --source=SOURCE
                        Source of file
  -t TAGS, --tags=TAGS  Any characteristics of the malware
  -n NOTES, --notes=NOTES
                        Notes about file
  -f FIND, --find=FIND  Find a sample by name, tags, source, notes, md5, sha1,
                        or sha256
  -m MFIND, --metadata=MFIND
                        Find a sample by searching Extracted Metadata
  -y YFIND, --yara=YFIND
                        Find a sample by searching Yara Matches
  -r QUANTITY, --recent=QUANTITY
                        Find the most recent # samples
  -u HASH, --update=HASH
                        Update data of a sample (sha256)
  -d HASH, --delete=HASH
                        Delete data of a sample (sha256)

Example Query Result

Results for "vt":

-> a6b6c66735e5e26002202b9d263bf8c97e278f6969c141853857000c8d242d24 (5a78974df88ab6a67bb72a5c7a437fb2) Source: vt
   VirusTotal: 38/56 on 2017-01-06 08:57:00  Tags: RAT, PlugX, menuPass
   Notes: dll
   Yara: [anti_dbg, win_registry, contentis_base64, without_attachments, without_images, without_urls, IsPE32, IsDLL, IsConsole, IsPacked, HasRichSignature, Visual_Cpp_2005_DLL_Microsoft, Visual_Cpp_2003_DLL_Microsoft]
   -> Sample Location: /malwarehouse/data/a6b6c66735e5e26002202b9d263bf8c97e278f6969c141853857000c8d242d24

-> 2584e1521065e45ec3c17767c065429038fc6291c091097ea8b22c8a502c41dd (7f7ccaa16fb15eb1c7399d422f8363e8) Source: vt
   VirusTotal: 49/60 on 2017-05-15 04:19:14  Tags: WannaCryptor, Ransom
   Notes: drop by: f8812f1deb8001f3b7672b6fc85640ecb123bc2304b563728e6235ccbe782d85
   Yara: []
   -> Sample Location: /malwarehouse/data/2584e1521065e45ec3c17767c065429038fc6291c091097ea8b22c8a502c41dd

-> f8812f1deb8001f3b7672b6fc85640ecb123bc2304b563728e6235ccbe782d85 (f107a717f76f4f910ae9cb4dc5290594) Source: vt
   VirusTotal: 51/61 on 2017-05-15 04:26:55  Tags: WannaCryptor, Ransom
   Notes: c2: hxxp://www[.]iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com (KillSwitch)
   Yara: []
   -> Sample Location: /malwarehouse/data/f8812f1deb8001f3b7672b6fc85640ecb123bc2304b563728e6235ccbe782d85

Example Output Per File

The metadata block is what exiftool reads from the file's own version resource, so it is attacker-controlled: this sample is tagged PlugX yet claims CompanyName: Microsoft Corporation and a Windows 7 RTM file version. Use such fields as pivots (search them with -m), not as evidence of legitimacy.

datetime:      2017-04-07 15:21:59.210481
name:          a6b6c66735e5e26002202b9d263bf8c97e278f6969c141853857000c8d242d24
source:        vt
tags:          RAT, PlugX, menuPass
notes:         dll
mimetype:      application/x-dosexec
size:          165376
md5:           5a78974df88ab6a67bb72a5c7a437fb2
sha1:          68e3f80012a78518ddbde055b5e42dd4d82e58e5
sha256:        a6b6c66735e5e26002202b9d263bf8c97e278f6969c141853857000c8d242d24
ssdeep:        3072:fNPaNYarzoyHOj+qPPkD+KFVSXpKt3TPsRtCywElqG:Vydbw+4kDH8XpKd4DxwI
virustotal:    38/56 on 2017-01-06 08:57:00
yara:          [anti_dbg, win_registry, contentis_base64, without_attachments, without_images, without_urls, IsPE32, IsDLL, IsConsole, IsPacked, HasRichSignature, Visual_Cpp_2005_DLL_Microsoft, Visual_Cpp_2003_DLL_Microsoft]
metadata:
		FileSubtype: 0
		InternalName: APDS.DLL
		FileAccessDate: 2017:04:07 15:22:00+09:00
		InitializedDataSize: 145408
		FileModifyDate: 2017:04:07 12:56:23+09:00
		CompanyName: Microsoft Corporation
		FileVersionNumber: 6.1.7600.16385
		FileVersion: 6.1.7600.16385 (win7_rtm.090713-1255)
		FileSize: 165376
		CharacterSet: 04B0
		MachineType: 332
		FileOS: 262148
		ProductVersion: 6.1.7600.16385
		ObjectFileType: 2
		FileType: Win32 DLL
		UninitializedDataSize: 0
		FileName: a6b6c66735e5e26002202b9d263bf8c97e278f6969c141853857000c8d242d24
		ImageVersion: 0.0
		FileTypeExtension: DLL
		OSVersion: 5.1
		OriginalFileName: APDS.DLL
		PEType: 267
		TimeStamp: 2014:05:15 17:52:30+09:00
		FileFlagsMask: 63
		LinkerVersion: 10.0
		FileFlags: 0
		Subsystem: 3
		EntryPoint: 7595
		SubsystemVersion: 5.1
		CodeSize: 18944
		FileInodeChangeDate: 2017:04:07 12:56:26+09:00
		LanguageCode: 0409
		ProductVersionNumber: 6.1.7600.16385