Virus Total API Python Script
Scripts! Ok, now that we have your attention. Quite a few months ago we worked on building a Foremost script where you could carve all the files out of memory and then query Virus Total for each hash. We wanted to pull the Virus Total subset out of that script and expand on it a bit. Nanospl0it and I finally found some time to work on this, and below is what we've got so far.
What the script does:
- Choose between a single hash or a file with multiple hashes.
- Do you have an unlimited license? Remove the pesky 26-second timer so you can query a hash every second.
- Dumps information out to a text file and provides the count of detections.
Requirements:
- Python 2.7
- Python lib "Requests"
- Virus Total API Key
In order to access your Virus Total API key, all you need to do is log in to Virus Total from their website and click on your profile. There will be a "My API Key" option in the menu that appears. For more instructions, check out https://malwerewolf.com/2014/09/foremost-automator/.
Now that we have all our requirements out of the way, let’s check out the help menu.
A few of the options above are required to properly run the script. Below is the breakdown of the options.
- -i : Used for your input file if you have multiple hashes. Please make sure that the hashes are listed one per line.
- -o : Required : The file you would like to dump the output into.
- -H : For a single hash, you can use this flag instead of pointing to an input file.
- -k : Required : This will be the Virus Total API key that you acquired above.
- -u : Fortunate enough to have an unlimited/large license? Use -u to remove the delay between queries.
Although neither is required, you will want to use either -i or -H. Without one of these options there is nothing to query VT with.
So let’s run a query!
Keep in mind that I have removed my API key after -k. Please make sure you have yours in place. The results print to the console, and a summary is also written to the output file specified.
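To make the flow above concrete, here is an added example of the same kind of tool, written for this page rather than taken from the MalWerewolf script: it parses a hash list, queries the VirusTotal v2 file/report endpoint (the documented `apikey` and `resource` parameters), honours the 26-second pause between queries unless -u is given, and writes a one-line summary with the detection count per hash. It uses the standard library instead of the Requests package, and the `SAMPLE_REPORTS` dictionary is constructed data in the v2 response shape so the lookup loop can be exercised offline through `demo()`; nothing in it is a real verdict.

```python
"""Hash lookups against the VirusTotal v2 file/report endpoint.
Added example, not the MalWerewolf script; stdlib only, v2 wire format."""
import argparse
import json
import re
import time
import urllib.parse
import urllib.request

VT_REPORT_URL = "https://www.virustotal.com/vtapi/v2/file/report"
PUBLIC_API_DELAY = 26  # seconds between queries on a public key (the post's timer)
HASH_RE = re.compile(r"^(?:[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64})$")  # MD5 / SHA-1 / SHA-256

def parse_hash_list(text):
    """Return the valid hashes in text (one per line), lowercased; blanks and junk are skipped."""
    hashes = []
    for line in text.splitlines():
        candidate = line.strip().lower()
        if candidate and HASH_RE.match(candidate):
            hashes.append(candidate)
    return hashes

def fetch_report(api_key, resource):
    """POST one hash to file/report and return the decoded JSON body (needs network access)."""
    body = urllib.parse.urlencode({"apikey": api_key, "resource": resource}).encode()
    with urllib.request.urlopen(VT_REPORT_URL, body, timeout=30) as resp:
        return json.loads(resp.read().decode("utf-8"))

def summarize(report):
    """Reduce a v2 report to what gets printed: known or not, positives/total, detecting engines."""
    summary = {"resource": report.get("resource"), "known": False,
               "positives": 0, "total": 0, "engines": []}
    if report.get("response_code") == 1:  # 1 = report exists; 0 = hash unknown to VT
        scans = report.get("scans", {})
        summary.update(known=True,
                       positives=report.get("positives", 0),
                       total=report.get("total", 0),
                       engines=sorted(n for n, r in scans.items() if r.get("detected")))
    return summary

def format_summary(s):
    if not s["known"]:
        return "%s: not present in VirusTotal" % s["resource"]
    return "%s: %d/%d detections (%s)" % (s["resource"], s["positives"], s["total"],
                                           ", ".join(s["engines"]) or "none")

def lookup_all(hashes, api_key, unlimited=False, fetch=fetch_report, sleep=time.sleep):
    """Look up each hash; pause PUBLIC_API_DELAY between queries unless the key is unlimited (-u)."""
    results = []
    for i, h in enumerate(hashes):
        if i and not unlimited:
            sleep(PUBLIC_API_DELAY)
        results.append(summarize(fetch(api_key, h)))
    return results

# Constructed sample reports in v2 shape so the loop can be exercised offline (not real verdicts).
SAMPLE_REPORTS = {
    "0123456789abcdef0123456789abcdef": {
        "response_code": 1, "resource": "0123456789abcdef0123456789abcdef",
        "positives": 2, "total": 3,
        "scans": {"EngineA": {"detected": True}, "EngineB": {"detected": False},
                  "EngineC": {"detected": True}}},
    "da39a3ee5e6b4b0d3255bfef95601890afd80709": {
        "response_code": 0, "resource": "da39a3ee5e6b4b0d3255bfef95601890afd80709"},
}

def demo(unlimited=False):
    """Run the lookup loop against SAMPLE_REPORTS; returns (summaries, total seconds slept)."""
    slept = []
    hashes = parse_hash_list("\n".join(SAMPLE_REPORTS) + "\n\nnot-a-hash\n")
    out = lookup_all(hashes, "FAKE-KEY", unlimited,
                     fetch=lambda _key, h: SAMPLE_REPORTS[h], sleep=slept.append)
    return out, sum(slept)

def main(argv=None):
    p = argparse.ArgumentParser(description="Query VirusTotal for one hash or a file of hashes")
    p.add_argument("-i", dest="infile", help="file with one hash per line")
    p.add_argument("-H", dest="single", help="a single hash")
    p.add_argument("-o", dest="outfile", required=True, help="summary output file")
    p.add_argument("-k", dest="apikey", required=True, help="VirusTotal API key")
    p.add_argument("-u", dest="unlimited", action="store_true", help="no delay between queries")
    args = p.parse_args(argv)
    if args.infile:
        with open(args.infile) as f:
            hashes = parse_hash_list(f.read())
    elif args.single:
        hashes = parse_hash_list(args.single)
    else:
        p.error("nothing to query: give -i or -H")
    with open(args.outfile, "w") as out:
        for s in lookup_all(hashes, args.apikey, args.unlimited):
            line = format_summary(s)
            print(line)
            out.write(line + "\n")

if __name__ == "__main__":
    main()
```

Run it the same way as the post's script (`-i hashes.txt -o out.txt -k <your key>`); `-u` skips the pause. Passing `fetch` and `sleep` into `lookup_all` is what lets the rate-limit and summary logic be tested without an API key or network, which is worth doing before pointing a tool like this at a public key with a real quota.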
What’s a malicious output look like!?
In this instance, we stored the hash in a text file and performed the lookup.
Above we have used an MD5 as well as a SHA1 for our queries. The following hashes are searchable in Virus Total.
That's all folks! If you have any questions or feature requests, please let me know at firstname.lastname@example.org or leave a comment. We do have a few ideas of what we would like to add, such as being able to write and store your API key in a file so you don't have to keep it on hand for each query.