This is just a small collection of VirusTotal lookup scripts I've written to help automate a couple of things. My IR collection script collects Autoruns output, and I also run md5deep against a few areas often visited by malware (%appdata%, %temp%, system32, etc.). I always found myself right-clicking on hashes in Autoruns and looking them up on the internet. That's too time consuming, so I wanted some form of automation. Likewise with the md5deep output: it takes too long to review without some form of automation.
The code is pretty rough, but it seems to work on the output I have tested it against. Hit me up if you get any errors or if you have suggestions for making the scripts better or more efficient: patrick[dot]olsen@sysforensics[dot]org, or twitter [at]patrickrolsen.
This will take the text output from Microsoft's Autoruns tool, "parse it", then look the hashes up on VT.
autohash.py -h
usage: autohash.py [-h] [-f INFILE]
Take autoruns txt output and look the hashes up on VirusTotal.
optional arguments:
-h, --help show this help message and exit
-f INFILE, --infile INFILE
Path to autoruns text file.
You will need to run autorunsc.exe first and get some output.
autorunsc.exe -f /accepteula * >> Autostart_All.txt
autoruns_vtlookup.py -f Autostart_All.txt
c:\program files (x86)\dell\upsmanagementsoftware\upsms.exe
0a15e929756ab59eee6115996bf09313 1 / 53 McAfee: None https://www.virustotal.com/file/9214919c458dd9472276330f1669249ec53c594c3af735dbfd297c062ff6d85e/analysis/1401228199/
c:\program files (x86)\kaspersky lab\kaspersky small office security 3\avp.exe
cf75b4d3cdfb3f14b272ea6799a9f03b 0 / 52
c:\windows\system32\unregmp2.exe
51df02e674a47191aa58111cb157174d 0 / 52
If the positives are >= 1 it will print the McAfee malware label and also print a link to the VirusTotal report for the suspect file.
This "parses" the output from md5deep, bounces the hashes against a whitelist, and then queries VirusTotal for the remaining files that are not in the whitelist.
md5_vtlookup -h
usage: vt.py [-h] [-wl WHITELIST] [-bl BLACKLIST]
Look up hashes against a white list then look at VT.
optional arguments:
-h, --help show this help message and exit
-wl WHITELIST, --whitelist WHITELIST
Path to your whitelist.
-bl BLACKLIST, --blacklist BLACKLIST
Path to the dumped hashes.
First run md5deep and output it to a file.
md5deep.exe -r -l -s "" >> Hashes.txt
md5_vtlookup.py -wl whitelist.txt -bl Hashes.txt
2e83ec18c281102c5dbb423f6df57cf3 C:\Windows\bootstat.dat has not been scanned before.
b30afc59f449c93d7030cd85d28a8c45 C:\Windows\certenroll.log has not been scanned before.
bd3d4eabd379a59f336b099a48d382f0 C:\Windows\CertReq.log has not been scanned before.
1ccc16aa7c32c1395fa95311229fbd83 C:\Windows\certutil.log has not been scanned before.
313a22f8f16b6bc1cfe857737dfc2935 C:\Windows\aksdrvsetup.log has not been scanned before.
963f5385ff22824af6a9b1429555d4a2 C:\Windows\certocm.log has not been scanned before.
fbcbc70c8f2d4ce235f32151860ee79d C:\Windows\dchcfg32.exe 0 / 47
9966b5dfeb602224d1854da81e603cf7 C:\Windows\dcmdev64.exe 0 / 48
16c4d2e3935f1a0934d115959426268c C:\Windows\DELL_VERSION has not been scanned before.
682ae0ffa6a865a8d137c43139bb4bcd C:\Windows\diagerr.xml 0 / 47
49d9fb48f4c2078fa8e663d7c5758259 C:\Windows\DirectX.log has not been scanned before.
5bf963f4626737e5c342fb58827a6718 C:\Windows\DtcInstall.log has not been scanned before.
c696428435782e9c7646f590a360b85d C:\Windows\fmprog.ini has not been scanned before.
37261c0b333a74748022e98f42d57740 C:\Windows\malware_example.exe 30 / 52 McAfee: Artemis!37261C0B333A https://www.virustotal.com/file/0b2c2b1e0b4969f1b3129627ca1c3cb5d1ac8509eda7fccd39995dfa11a3f30f/analysis/1401458794/
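The following is an added example, not the scripts from this repository, that models the same md5deep -> whitelist -> VirusTotal flow described above (and an `extract_md5s` helper that pulls hashes out of free-form text such as the Autoruns dump, on the assumption that the MD5 appears as a 32-hex token on the line). The whitelist format (one MD5 per line, `#` comments), the sample hashes and the stubbed report dictionaries are constructed for illustration; the live `vt_report` function targets the VirusTotal v2 `file/report` endpoint and is only called when you pass it in as the `lookup`, so the example runs offline. Only the hash is ever sent to VT, never the file itself, and the public v2 quota of 4 requests per minute is why the live function sleeps between calls.

```python
import json
import re
import time
import urllib.parse
import urllib.request
from typing import Callable, Dict, Iterable, List, Set, Tuple

MD5_RE = re.compile(r"\b[0-9a-fA-F]{32}\b")


def parse_md5deep(lines: Iterable[str]) -> List[Tuple[str, str]]:
    """md5deep prints one '<md5>  <path>' per file; return (md5, path) pairs.
    Lines that do not start with a 32-hex token are skipped."""
    pairs = []
    for line in lines:
        parts = line.rstrip("\r\n").split(None, 1)
        if len(parts) == 2 and MD5_RE.fullmatch(parts[0]):
            pairs.append((parts[0].lower(), parts[1].strip()))
    return pairs


def extract_md5s(lines: Iterable[str]) -> List[str]:
    """Pull every MD5-looking token out of free-form text (e.g. the Autoruns
    text dump), de-duplicated in first-seen order. Assumed, not Autoruns-specific."""
    seen: List[str] = []
    for line in lines:
        for tok in MD5_RE.findall(line):
            tok = tok.lower()
            if tok not in seen:
                seen.append(tok)
    return seen


def load_whitelist(lines: Iterable[str]) -> Set[str]:
    """Assumed whitelist format: one MD5 per line, lines starting with '#' are comments."""
    wl: Set[str] = set()
    for line in lines:
        if line.lstrip().startswith("#"):
            continue
        m = MD5_RE.search(line)
        if m:
            wl.add(m.group(0).lower())
    return wl


def interpret_report(report: Dict, vendor: str = "McAfee") -> str:
    """Render a VirusTotal v2 file/report JSON object as the README-style verdict:
    'has not been scanned before.' or 'N / M', plus vendor label and link when N >= 1."""
    if report.get("response_code") != 1:
        return "has not been scanned before."
    positives, total = int(report["positives"]), int(report["total"])
    verdict = f"{positives} / {total}"
    if positives >= 1:
        label = report.get("scans", {}).get(vendor, {}).get("result")
        verdict += f" {vendor}: {label} {report.get('permalink', '')}"
    return verdict


def vt_report(md5: str, api_key: str,
              endpoint: str = "https://www.virustotal.com/vtapi/v2/file/report") -> Dict:
    """Live lookup (hash only). The public API answers rate-limited calls with an
    empty body, which must not be mistaken for 'never scanned'."""
    query = urllib.parse.urlencode({"apikey": api_key, "resource": md5})
    with urllib.request.urlopen(f"{endpoint}?{query}", timeout=30) as resp:
        body = resp.read().decode("utf-8")
    time.sleep(15)  # stay under 4 requests/minute on the public quota
    if not body.strip():
        raise RuntimeError(f"empty response for {md5}: quota exceeded?")
    return json.loads(body)


def triage(md5deep_lines: Iterable[str], whitelist_lines: Iterable[str],
           lookup: Callable[[str], Dict]) -> List[str]:
    """Drop whitelisted hashes, look up the rest, one output line per file."""
    wl = load_whitelist(whitelist_lines)
    out = []
    for md5, path in parse_md5deep(md5deep_lines):
        if md5 in wl:
            continue
        out.append(f"{md5} {path} {interpret_report(lookup(md5))}")
    return out


# Constructed sample data: the hashes and reports are made up, not real files.
SAMPLE_MD5DEEP = [
    "1" * 32 + "  C:\\Windows\\known_good.dll",
    "2" * 32 + "  C:\\Windows\\unseen.log",
    "3" * 32 + "  C:\\Windows\\clean_tool.exe",
    "4" * 32 + "  C:\\Users\\x\\AppData\\Roaming\\dropper.exe",
    "not a hash line",
]
SAMPLE_WHITELIST = ["# constructed whitelist", "1" * 32]
FAKE_REPORTS = {
    "3" * 32: {"response_code": 1, "positives": 0, "total": 50},
    "4" * 32: {"response_code": 1, "positives": 30, "total": 52,
               "scans": {"McAfee": {"detected": True, "result": "Artemis!EXAMPLE"}},
               "permalink": "https://example.invalid/vt/report"},
}


def stub_lookup(md5: str) -> Dict:
    """Stand-in for vt_report: unknown hashes get VT's 'not found' response_code 0."""
    return FAKE_REPORTS.get(md5, {"response_code": 0})


if __name__ == "__main__":
    for line in triage(SAMPLE_MD5DEEP, SAMPLE_WHITELIST, stub_lookup):
        print(line)
```

To run it for real, replace `stub_lookup` with `lambda h: vt_report(h, api_key)`; the whitelist step runs first, so only hashes you could not clear locally (e.g. against an NSRL-derived list) ever hit your API quota.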