Introduction
In this post, I share a Python script that checks a list of file hashes for known-malicious samples. Each hash is looked up on VirusTotal through the VirusTotal API v3, and the script pulls the number of antivirus engines that reported the file as malicious. An example of such a count can be seen below in figure 1, where 58 engines have flagged the hash in the example as malicious.
This script can be particularly useful to blue team members, incident response handlers, and cybersecurity enthusiasts who wish to automate the process of vetting a long list of hashes.
Simple Configuration
Before using the script, you must set the API_KEY variable near the top of the source code. This is where you put your API key, which you can get for free by registering on the VirusTotal website. Treat the key as a secret: it identifies your account and its request quota, so do not commit the configured script to a public repository or paste it into a shared location.
Copy the script code from here:
#! /usr/bin/python3
import requests
import sys

API_KEY = ""  # <--- Put your API key here


class VirusTotal:
    def __init__(self):
        # API v3 authenticates every request with the x-apikey header
        self.headers = {"accept": "application/json", "x-apikey": API_KEY}
        self.url = "https://www.virustotal.com/api/v3/"

    def upload_hash(self, file_hash):
        # Look the hash up and return the number of engines that flagged it
        # malicious; 0 if VirusTotal has no record of it or the lookup failed
        url = self.url + "search?query=" + file_hash
        response = requests.get(url, headers=self.headers)
        if response.status_code != 200:
            # e.g. 401 for a bad key, 429 when the API rate limit is exceeded
            print("lookup failed for " + file_hash + ": HTTP " + str(response.status_code), file=sys.stderr)
            return 0
        result = response.json()
        try:
            return result["data"][0]["attributes"]["last_analysis_stats"]["malicious"]
        except (KeyError, IndexError, TypeError):
            return 0


if __name__ == "__main__":
    if len(sys.argv) < 2:
        print("usage: " + sys.argv[0] + " <file with one hash per line> [threshold]")
        sys.exit(1)
    # Only hashes with MORE than this many malicious detections are printed
    threshold = int(sys.argv[2]) if len(sys.argv) > 2 else 1
    virustotal = VirusTotal()
    with open(sys.argv[1], "r") as file:
        for line in file:
            file_hash = line.strip()  # also handles a last line with no newline
            if not file_hash:
                continue
            malicious = virustotal.upload_hash(file_hash)
            if malicious > threshold:
                print(file_hash + " " + str(malicious))
Usage
Now that the script is configured, let us look at how to run it. The script takes at least one argument: the name of a file containing one hash per line. In the following examples, I have named the script hashcheck.py.
The following command checks the hashes in file.txt. If VirusTotal reports a hash as malicious more than once (the default threshold is 1), the hash is printed along with the number of malicious detections.
┌──(N3NU㉿kali)-[~/code]
└─$ ./hashcheck.py file.txt
d1f7832035c3e8a73cc78afd28cfd7f4cece6d20 58
As we can see, the script found a hash with 58 malicious detections on VirusTotal.
If we want to raise the detection threshold, we add the threshold number after the file argument. The following example raises the default threshold (1) to 5, so only hashes with more than five malicious detections are printed.
┌──(N3NU㉿kali)-[~/code]
└─$ ./hashcheck.py file.txt 5
d1f7832035c3e8a73cc78afd28cfd7f4cece6d20 58
As the output shows, raising the threshold to 5 changes nothing here, because the reported count of 58 is greater than 5.
If we raise the threshold to 60, we should see no output.
┌──(N3NU㉿kali)-[~/code]
└─$ ./hashcheck.py file.txt 60
As expected, there is no output because no hash in file.txt has a malicious detection count greater than 60. Keep in mind that a hash VirusTotal has never seen also produces no output: the script treats "unknown" the same as "clean", so a hash missing from the output is not proof that the file is safe.
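To show the threshold rule and the response parsing without spending API quota, here is an added example that is not part of the original script: the same data[0].attributes.last_analysis_stats.malicious extraction, run against constructed JSON bodies shaped like a VirusTotal v3 search result. Everything in it (the hash values, the fake_lookup stand-in for the HTTP request, the SAMPLE_FILE lines) is made up for the demonstration. It also does three things the script above does not: it rejects input lines that are not MD5, SHA-1 or SHA-256 hex digests, it looks each hash up only once, and it keeps "unknown to VirusTotal" separate from "zero detections".

```python
import json
import re

# Accept MD5 (32), SHA-1 (40) or SHA-256 (64) hex digests only, so stray text
# in the input file is never sent to the API as a free-form search query.
HASH_RE = re.compile(r"^(?:[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64})$")


def normalise_hash(line):
    """Return the lowercase digest on this line, or None if it is not a hash."""
    candidate = line.strip().lower()
    return candidate if HASH_RE.match(candidate) else None


def malicious_count(body):
    """Extract data[0].attributes.last_analysis_stats.malicious from a v3
    search response body. Returns None when VirusTotal has no record of the
    object or the body is malformed, so "unknown" is not confused with 0."""
    try:
        data = json.loads(body)["data"]
        if not data:
            return None
        return int(data[0]["attributes"]["last_analysis_stats"]["malicious"])
    except (ValueError, KeyError, IndexError, TypeError):
        return None


def triage(lines, lookup, threshold=1):
    """Apply the post's rule: report a hash when its malicious count is
    strictly greater than threshold. lookup(digest) returns a response body."""
    flagged, unknown, skipped, seen = [], [], [], set()
    for line in lines:
        if not line.strip():
            continue                      # blank line
        digest = normalise_hash(line)
        if digest is None:
            skipped.append(line.strip())  # not a hash, never sent to the API
            continue
        if digest in seen:
            continue                      # one lookup per distinct hash
        seen.add(digest)
        count = malicious_count(lookup(digest))
        if count is None:
            unknown.append(digest)
        elif count > threshold:
            flagged.append((digest, count))
    return flagged, unknown, skipped


# --- constructed sample data, not real VirusTotal output --------------------
def _stats(malicious):
    return {"harmless": 0, "malicious": malicious, "suspicious": 0,
            "undetected": 70 - malicious, "timeout": 0}


def _result(digest, malicious):
    return json.dumps({"data": [{"type": "file", "id": digest[0] * 64,
                                 "attributes": {"last_analysis_stats": _stats(malicious)}}]})


SAMPLE_RESPONSES = {
    "a" * 40: _result("a" * 40, 58),         # widely detected
    "b" * 40: _result("b" * 40, 1),          # a single detection
    "c" * 32: _result("c" * 32, 0),          # known to VirusTotal, clean
    "d" * 64: json.dumps({"data": []}),      # never seen by VirusTotal
}


def fake_lookup(digest):
    """Stand-in for the HTTP GET; an unknown hash yields an empty result set."""
    return SAMPLE_RESPONSES.get(digest, json.dumps({"data": []}))


SAMPLE_FILE = [
    "A" * 40 + "\n",   # uppercase is normalised
    "b" * 40 + "\n",
    "c" * 32 + "\n",
    "d" * 64 + "\n",
    "not a hash\n",
    "\n",
    "a" * 40,          # duplicate, and no trailing newline on the last line
]

if __name__ == "__main__":
    for thr in (1, 5, 60):
        flagged, unknown, skipped = triage(SAMPLE_FILE, fake_lookup, thr)
        print("threshold", thr, "flagged", flagged, "unknown", unknown, "skipped", skipped)
```

With threshold 1 the run reports only the 58-detection hash (the single-detection hash is not greater than 1), lists the never-seen hash separately as unknown, and never sends "not a hash" to the lookup. Wiring this into the real script would mean replacing fake_lookup with the requests.get call and raising on a non-200 status.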
I hope you have enjoyed learning about vetting hashes against VirusTotal via an API. Subscribe for more tools, tips, and tricks to add to your arsenal.
Until next time…
— N3NU
Disclaimer: My content is for informational and educational purposes only. You may try out these hacks on your own computer at your own risk.