2015/06/29

Virus Total API Python Script

by Destruct_Icon
Categories: Coding, Python
Tags: No Tags
Comments: 10 Comments


Scripts! Ok, now that we have your attention. Quite a few months ago we worked on building a foremost script where you could carve all the files out of memory and then query Virus Total for each hash. We wanted to pull the Virus Total subset out of the script and expand on it a bit. Nanospl0it and I finally found some time to work on this and below is what we’ve got so far.

Script Location

Features

  • Choose between a single hash or a file with multiple hashes.
  • Do you have an unlimited license? Remove the 26-second timer between queries so you can query one hash per second.
  • Dumps information out to a text file and provides the count of detections.

Requirements

Video Tutorial

To access your Virus Total API key, log in to Virus Total on their website and click on your profile. There will be a "My API Key" option in the menu that appears. For more instructions, check out https://malwerewolf.com/2014/09/foremost-automator/.

Now that we have all our requirements out of the way, let’s check out the help menu.

[Screenshot vtcheckdi1: the script's help menu]

A few of the options above are required to properly run the script. Below is the breakdown of the options.

  • -i : Your input file if you have multiple hashes. Make sure the hashes are listed one per line.
  • -o : Required : The file you would like to dump the output into.
  • -H : For a single hash, you can use this flag instead of pointing to an input file.
  • -k : Required : The Virus Total API key that you acquired above.
  • -u : Fortunate enough to have an unlimited/large license? Use -u to remove the delay between queries.

Although neither is enforced as required, you will want either -i or -H. Without one of these options the script has nothing to query VT with.

So let’s run a query!

[Screenshot vtcheckdi2: example query command line]

Keep in mind that I have removed my API key after -k. Please make sure you have yours in place. The output will print to both the console as well as dump a summary to the output file specified.

Console

[Screenshots vtcheckdi3, vtcheckdi4: console output of the query]

Output

[Screenshots vtcheckdi5, vtcheckdi6: summary written to the output file]

What does a malicious result look like?

[Screenshot vtcheckdi7: output for a detected sample]

In this instance, we stored the hash in a text file and performed the lookup.

[Screenshot vtcheckdi8: lookup driven from a hash file]

Above we have used an MD5 as well as a SHA1 for our queries. The following hashes are searchable in Virus Total.

  • MD5
  • SHA1
  • SHA256

That's all folks! If you have any questions or feature requests, please let me know at destruct_icon@malwerewolf.com or leave a comment. We do have a few ideas of what we would like to add, such as being able to write and store your API key in a file so you don't have to keep it on hand for each query.
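As an added example (this is not vtcheck.py or any code from the post's authors), the following Python 3 client reproduces the behaviour described above: a single hash or a hash-per-line file, a delay between queries for public keys, and a per-hash summary printed to the console and written to the output file. It uses only the standard library; the endpoint and response fields (response_code, positives, total, permalink) are those of the VirusTotal v2 file/report API, while SAMPLE_MD5, SAMPLE_SHA1, SAMPLE_SHA256, the JSON bodies in SAMPLE_RESPONSES and API_KEY_PLACEHOLDER are all constructed for the offline demo. One thing it adds over a bare .json() call: the public API answers an over-quota request with HTTP 204 and an empty body, and decoding that is exactly what the "Expecting value: line 1 column 1 (char 0)" traceback in the comments looks like, so parse_report() checks the status code before parsing.

```python
"""Added example: a small VirusTotal v2 file/report client in the spirit of
vtcheck.py (this is not the post's script).  Standard library only; the
network call is isolated in vt_lookup() so everything else runs offline."""
import json
import re
import time
import urllib.error
import urllib.parse
import urllib.request

VT_REPORT_URL = "https://www.virustotal.com/vtapi/v2/file/report"
PUBLIC_DELAY_SECONDS = 26  # the post's delay for public keys; unlimited=True drops it

# VirusTotal accepts MD5, SHA1 and SHA256 resources; anything else is rejected up front.
_HASH_RE = {
    "md5": re.compile(r"^[0-9a-fA-F]{32}$"),
    "sha1": re.compile(r"^[0-9a-fA-F]{40}$"),
    "sha256": re.compile(r"^[0-9a-fA-F]{64}$"),
}


def hash_type(value):
    """Return 'md5', 'sha1' or 'sha256', or None if the string is not a hash."""
    for name, pattern in _HASH_RE.items():
        if pattern.match(value):
            return name
    return None


def parse_report(status_code, body):
    """Summarise one v2 file/report response.  The public API answers with an
    empty 204 body when the rate limit is exceeded and 403 for a bad key; calling
    .json() on either raises JSONDecodeError, so the status is checked first."""
    empty = {"positives": None, "total": None, "permalink": None}
    if status_code == 204:
        return dict(empty, status="rate_limited")
    if status_code == 403:
        return dict(empty, status="forbidden")
    if status_code != 200 or not body.strip():
        return dict(empty, status="http_%d" % status_code)
    data = json.loads(body)
    if data.get("response_code") != 1:  # 0 = never seen by VT, -2 = still queued
        return dict(empty, status="not_found")
    return {"status": "found", "positives": data.get("positives", 0),
            "total": data.get("total", 0), "permalink": data.get("permalink")}


def vt_lookup(api_key, resource, timeout=30):
    """The real request; not exercised by the offline demo."""
    query = urllib.parse.urlencode({"apikey": api_key, "resource": resource})
    try:
        with urllib.request.urlopen(VT_REPORT_URL + "?" + query, timeout=timeout) as resp:
            return parse_report(resp.getcode(), resp.read().decode("utf-8"))
    except urllib.error.HTTPError as err:  # urlopen raises on 4xx/5xx
        return parse_report(err.code, err.read().decode("utf-8", "replace"))


def format_summary(resource, report):
    """One output line per hash: the detection count, or why there is none."""
    if report["status"] == "found":
        return "%s : %s/%s detections : %s" % (
            resource, report["positives"], report["total"], report["permalink"])
    return "%s : %s" % (resource, report["status"])


def run(hashes, api_key, output_path, lookup=vt_lookup, unlimited=False, sleep=time.sleep):
    """Query each hash, print the summary, write it to output_path; returns the lines."""
    lines, queries = [], 0
    for raw in hashes:
        h = raw.strip()
        if not h:
            continue
        if hash_type(h) is None:
            lines.append("%s : skipped (not an MD5/SHA1/SHA256)" % h)
            continue
        if queries and not unlimited:
            sleep(PUBLIC_DELAY_SECONDS)  # stay under the public-API rate limit
        queries += 1
        line = format_summary(h, lookup(api_key, h))
        print(line)
        lines.append(line)
    with open(output_path, "w") as fh:
        fh.write("\n".join(lines) + "\n")
    return lines


# Constructed sample hashes and response bodies (not real VT data) for the offline demo.
SAMPLE_MD5 = "0123456789abcdef" * 2
SAMPLE_SHA1 = "0123456789abcdef" * 2 + "01234567"
SAMPLE_SHA256 = "0123456789abcdef" * 4
SAMPLE_RESPONSES = {
    SAMPLE_MD5: (200, json.dumps({"response_code": 1, "positives": 12, "total": 57,
                                  "permalink": "https://www.virustotal.com/file/EXAMPLE/analysis/"})),
    SAMPLE_SHA1: (200, json.dumps({"response_code": 0, "verbose_msg": "not present"})),
    SAMPLE_SHA256: (204, ""),  # rate limited: empty body, no JSON to decode
}


def demo():
    """Run the pipeline against the constructed responses without touching the network."""
    import tempfile

    def fake_lookup(api_key, resource):
        return parse_report(*SAMPLE_RESPONSES[resource])

    with tempfile.NamedTemporaryFile("w", suffix=".txt", delete=False) as tmp:
        out_path = tmp.name
    return run(list(SAMPLE_RESPONSES) + ["notahash"], "API_KEY_PLACEHOLDER",
               out_path, lookup=fake_lookup, sleep=lambda seconds: None)


if __name__ == "__main__":
    demo()
```

Running the file calls demo(), which feeds three constructed hashes plus one junk line through run() with a fake lookup, so the four summary lines (found, not found, rate limited, skipped) print without a key or network access; swap in vt_lookup and a real key for live queries.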


10 Comments »

  1. freddie says:

    Is there a way to make the options a permanent value? I want to automate the script as much as possible, basically I want to add the hashes into a permanent input.txt file, double click the script and get the output on a permanent output.txt file. Also can this script be configured to query urls?

  2. jojo says:

    I get the following error. Any ideas?
    Traceback (most recent call last):
    File "vtcheck.py", line 116, in
    main()
    File "vtcheck.py", line 80, in main
    VT_Request(args.key, line.rstrip(), args.output)
    File "vtcheck.py", line 89, in VT_Request
    json_response = url.json()
    File "/Library/Python/2.7/site-packages/requests-2.10.0-py2.7.egg/requests/models.py", line 812, in json
    return complexjson.loads(self.text, **kwargs)
    File "/Library/Python/2.7/site-packages/simplejson/__init__.py", line 516, in loads
    return _default_decoder.decode(s)
    File "/Library/Python/2.7/site-packages/simplejson/decoder.py", line 370, in decode
    obj, end = self.raw_decode(s)
    File "/Library/Python/2.7/site-packages/simplejson/decoder.py", line 400, in raw_decode
    return self.scan_once(s, idx=_w(s, idx).end())
    simplejson.scanner.JSONDecodeError: Expecting value: line 1 column 1 (char 0)

    • We were running into a similar bug a few weeks ago but it seems to have cleared up without any modification to the script. Spent some time today throwing the same hash sets at the script and it’s no longer having issues with the json output. We will keep an eye on this. Thanks for chatting with us via e-mail.

  3. wmac says:

    Hey guys, great work on putting this together; I’ve yet to find a script that does this specific function.

    I am running into a bit of an issue myself, and I believe it’s because I’m a total python noob. Would you be able to offer any advice on the below?

    Traceback (most recent call last):
    File "vtcheck.py", line 116, in
    main()
    File "vtcheck.py", line 80, in main
    VT_Request(args.key, line.rstrip(), args.output)
    File "vtcheck.py", line 88, in VT_Request
    url = requests.get('https://www.virustotal.com/vtapi/v2/file/report', params=params)
    File "C:\Python27\lib\site-packages\requests-2.11.0-py2.7.egg\requests\api.py", line 70, in get
    return request('get', url, params=params, **kwargs)
    File "C:\Python27\lib\site-packages\requests-2.11.0-py2.7.egg\requests\api.py", line 56, in request
    return session.request(method=method, url=url, **kwargs)
    File "C:\Python27\lib\site-packages\requests-2.11.0-py2.7.egg\requests\sessions.py", line 471, in request
    resp = self.send(prep, **send_kwargs)
    File "C:\Python27\lib\site-packages\requests-2.11.0-py2.7.egg\requests\sessions.py", line 581, in send
    r = adapter.send(request, **kwargs)
    File "C:\Python27\lib\site-packages\requests-2.11.0-py2.7.egg\requests\adapters.py", line 491, in send
    raise SSLError(e, request=request)
    requests.exceptions.SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:590)

  4. WMAC says:

    Hey Destruct_Icon,

    Sorry for the delay in replying back. I was able to get it running just fine – the proxy was the problem, thanks for checking back (and double thanks for putting this handy script together)!
