Skip to content

Commit 626470b

Browse files
Merge pull request #70 from alexandreborges/dev
Malwoverview 6.2 | merge from dev to master. Authorized by Alexandre Borges.
2 parents d5fc570 + d96d9ad commit 626470b

7 files changed

Lines changed: 94 additions & 28 deletions

File tree

.malwapi.conf

Lines changed: 7 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -29,4 +29,10 @@ INQUESTAPI =
2929
VXAPI =
3030

3131
[IPINFO]
32-
IPINFOAPI =
32+
IPINFOAPI =
33+
34+
[BAZAAR]
35+
BAZAARAPI =
36+
37+
[THREATFOX]
38+
THREATFOXAPI =

README.md

Lines changed: 35 additions & 17 deletions
Original file line numberDiff line numberDiff line change
@@ -1,6 +1,6 @@
11
# Malwoverview
22

3-
[<img alt="GitHub release (latest by date)" src="https://img.shields.io/github/v/release/alexandreborges/malwoverview?color=red&style=for-the-badge">](https://github.com/alexandreborges/malwoverview/releases/tag/v6.1.1) [<img alt="GitHub last commit" src="https://img.shields.io/github/last-commit/alexandreborges/malwoverview?color=Yellow&style=for-the-badge">](https://github.com/alexandreborges/malwoverview/releases) [<img alt="GitHub Release Date" src="https://img.shields.io/github/release-date/alexandreborges/malwoverview?label=Release%20Date&style=for-the-badge">](https://github.com/alexandreborges/malwoverview/releases) [<img alt="GitHub" src="https://img.shields.io/github/license/alexandreborges/malwoverview?style=for-the-badge">](https://github.com/alexandreborges/malwoverview/blob/master/LICENSE)
3+
[<img alt="GitHub release (latest by date)" src="https://img.shields.io/github/v/release/alexandreborges/malwoverview?color=red&style=for-the-badge">](https://github.com/alexandreborges/malwoverview/releases/tag/v6.2) [<img alt="GitHub last commit" src="https://img.shields.io/github/last-commit/alexandreborges/malwoverview?color=Yellow&style=for-the-badge">](https://github.com/alexandreborges/malwoverview/releases) [<img alt="GitHub Release Date" src="https://img.shields.io/github/release-date/alexandreborges/malwoverview?label=Release%20Date&style=for-the-badge">](https://github.com/alexandreborges/malwoverview/releases) [<img alt="GitHub" src="https://img.shields.io/github/license/alexandreborges/malwoverview?style=for-the-badge">](https://github.com/alexandreborges/malwoverview/blob/master/LICENSE)
44
[<img alt="GitHub stars" src="https://img.shields.io/github/stars/alexandreborges/malwoverview?logoColor=Red&style=for-the-badge">](https://github.com/alexandreborges/malwoverview/stargazers)
55
[<img alt="Twitter Follow" src="https://img.shields.io/twitter/follow/ale_sp_brazil?style=for-the-badge&logo=X&color=blueviolet">](https://twitter.com/ale_sp_brazil)
66
[<img alt="Downloads/Last Month" src="https://img.shields.io/pypi/dm/malwoverview?color=blue&style=for-the-badge&label=Last%20Month">](https://pypistats.org/packages/malwoverview)
@@ -73,7 +73,7 @@
7373
See GNU Public License on <http://www.gnu.org/licenses/>.
7474

7575

76-
## Current Version: 6.1.1
76+
## Current Version: 6.2
7777

7878
Important note: Malwoverview does NOT submit samples to any endpoint by default,
7979
so it respects possible Non-Disclosure Agreements (NDAs). There're specific options
@@ -152,7 +152,7 @@ branch and a new Python package is generated.
152152
This tool has been tested on REMnux, Ubuntu, Kali Linux, macOS and Windows. Malwoverview
153153
can be installed by executing the following command:
154154

155-
* pip3.11 install git+https://github.com/alexandreborges/malwoverview (preferred method)
155+
* pip3.11 install git+https://github.com/alexandreborges/malwoverview
156156
157157
or...
158158
@@ -182,16 +182,13 @@ AFTER having installed Malwoverview:
182182

183183
## REQUIRED APIs
184184

185-
Malwoverview does not require to insert all APIs anymore. Therefore, professionals can
186-
us it without having registered such APIs. Obviously, to use certain options is necessary to
187-
add respective API into .malwapi.conf file, whose format is shown below.
188-
189-
To use all options of Malwoverview you must insert respective API of the following services:
185+
It is possible to start using Malwoverview does without inserting all APIs. However,
186+
to use all options of Malwoverview, you must insert the respective API of the following services:
190187
VirusTotal, Hybrid Analysis, URLHaus, Malshare, Polyswarm, Alien Vault, Malpedia, Triage,
191-
InQuest, Virus Exchange and APInfo into the .malwapi.conf configuration file, which must be present
192-
(or created) in the home directory (/home/[username] or /root on Linux, and C:\Users\[username]
193-
on Windows. Alternatively, users could create a custom configuration file and indicate it by
194-
using the -c option.
188+
InQuest, Virus Exchange, APInfo, Malware Bazaar and ThreatFox into the .malwapi.conf
189+
configuration file, which must be present (or created) in the home directory (/home/[username]
190+
or /root on Linux, and C:\Users\[username] on Windows. Alternatively, users can create
191+
a custom configuration file and indicate it by using the -c option.
195192

196193
To highlight: if the .malwapi.conf file does not exist in your home directory, so you must
197194
create it!
@@ -233,6 +230,12 @@ The .malwapi.conf configuration file has the following format:
233230

234231
[IPINFO]
235232
IPINFOAPI =
233+
234+
[BAZAAR]
235+
BAZAARAPI =
236+
237+
[THREATFOX]
238+
THREATFOXAPI =
236239

237240
The APIs can be requested on the respective service websites:
238241

@@ -245,17 +248,17 @@ The APIs can be requested on the respective service websites:
245248
07. Malpedia: It doesn't offer open registration, but you can request an user account
246249
directly through Twitter (DM) or feedback e-email. The Malpedia Twitter
247250
handle is @malpedia.
248-
08. Malware Bazaar: It isn't necessary an API.
249-
09. ThreatFox: It isn't necessary an API.
251+
08. Malware Bazaar: https://bazaar.abuse.ch/api/#auth\_key
252+
09. ThreatFox: https://threatfox.abuse.ch/api/#auth\_key
250253
10. InQuest: https://labs.inquest.net/.
251254
11. Triage: https://tria.ge/signup.
252255
12. Virus Exchange: https://virus.exchange/
253256
13. IPInfo: https://ipinfo.io/
254-
14. BGPView: ihttps://bgpview.docs.apiary.io/
257+
14. BGPView: https://bgpview.docs.apiary.io/
255258

256259

257260
----------------------------------------------------
258-
A special note about API requests to the MALPEDIA:
261+
Note about API requests to the MALPEDIA:
259262
----------------------------------------------------
260263

261264
The service and acceptance is based on the community vetting. Thus, it's recommended
@@ -267,7 +270,7 @@ legitimacy, so making quicker the approval of your request.
267270

268271

269272
----------------------------------------------------
270-
Additional explanation about Triage:
273+
Note about Triage:
271274
----------------------------------------------------
272275

273276
Every Triage operation is based on the Triage ID of each artifact, so you need to
@@ -276,6 +279,14 @@ so use this ID information with the remaining Triage options (-x [2-7]) for gett
276279
further threat hunting information from Triage endpoint.
277280

278281

282+
----------------------------------------------------
283+
Note about Malware Bazaar and Threat Fox:
284+
----------------------------------------------------
285+
286+
Since second semester of 2025, it is required the Auth-Key (API) to use Malware
287+
Bazaar and Threat Fox services.
288+
289+
279290
----------------------------------------------------
280291
Note about background color of the terminal:
281292
----------------------------------------------------
@@ -787,6 +798,13 @@ Malwoverview is a first response tool for threat hunting written by Alexandre Bo
787798
## HISTORY
788799

789800

801+
Version 6.2:
802+
803+
This version:
804+
805+
* Modifies Malware Bazaar option to use Auth-Key.
806+
* Modifies Threat Fox option to use Auth-Key.
807+
790808
Version 6.1.1:
791809

792810
This version:

malwoverview/malwoverview.py

Lines changed: 6 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -21,7 +21,7 @@
2121
# Christian Clauss (https://github.com/cclauss)
2222
# Artur Marzano (https://github.com/Macmod)
2323

24-
# Malwoverview.py: version 6.1.1
24+
# Malwoverview.py: version 6.2
2525

2626
import os
2727
import argparse
@@ -56,7 +56,7 @@
5656
__author__ = "Alexandre Borges"
5757
__copyright__ = "Copyright 2018-2025, Alexandre Borges"
5858
__license__ = "GNU General Public License v3.0"
59-
__version__ = "6.1.1"
59+
__version__ = "6.2"
6060
__email__ = "reverseexploit at proton.me"
6161

6262
def finish_hook(signum, frame):
@@ -133,6 +133,8 @@ def getoption(section, name):
133133
INQUESTAPI = getoption('INQUEST', 'INQUESTAPI')
134134
VXAPI = getoption('VIRUSEXCHANGE', 'VXAPI')
135135
IPINFOAPI = getoption('IPINFO', 'IPINFOAPI')
136+
BAZAARAPI = getoption('BAZAAR', 'BAZAARAPI')
137+
THREATFOXAPI = getoption('THREATFOX', 'THREATFOXAPI')
136138

137139
optval = range(2)
138140
optval1 = range(3)
@@ -227,8 +229,8 @@ def getoption(section, name):
227229
# Module objects
228230
polyswarm = PolyswarmExtractor(POLYAPI)
229231
alien = AlienVaultExtractor(ALIENAPI)
230-
bazaar = BazaarExtractor()
231-
threatfox = ThreatFoxExtractor()
232+
bazaar = BazaarExtractor(BAZAARAPI)
233+
threatfox = ThreatFoxExtractor(THREATFOXAPI)
232234
triage = TriageExtractor(TRIAGEAPI)
233235
inquest = InQuestExtractor(INQUESTAPI)
234236
malpedia = MalpediaExtractor(MALPEDIAAPI)

malwoverview/modules/bazaar.py

Lines changed: 22 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -7,15 +7,22 @@
77
class BazaarExtractor():
88
urlbazaar = 'https://mb-api.abuse.ch/api/v1/'
99

10-
def __init__(self):
11-
pass
10+
def __init__(self, BAZAARAPI):
11+
self.BAZAARAPI = BAZAARAPI
12+
13+
def requestBAZAARAPI(self):
14+
if (self.BAZAARAPI == ''):
15+
print(mycolors.foreground.red + "\nTo be able to get/submit information from/to Malware Bazaar, you must create the .malwapi.conf file under your user home directory (on Linux is $HOME\\.malwapi.conf and on Windows is in C:\\Users\\[username]\\.malwapi.conf) and insert the Malware Bazaar API (Auth-Key) according to the format shown on the Github website." + mycolors.reset + "\n")
16+
exit(1)
1217

1318
def bazaar_tag(self, bazaarx):
1419
bazaar = BazaarExtractor.urlbazaar
1520
bazaartext = ''
1621
bazaarresponse = ''
1722
params = ''
1823

24+
self.requestBAZAARAPI()
25+
1926
try:
2027
print("\n")
2128
print((mycolors.reset + "MALWARE BAZAAR REPORT".center(100)), end='')
@@ -24,6 +31,7 @@ def bazaar_tag(self, bazaarx):
2431

2532
requestsession = requests.Session()
2633
requestsession.headers.update({'accept': 'application/json'})
34+
requestsession.headers.update({'Auth-Key': self.BAZAARAPI})
2735
params = {'query': 'get_taginfo', "tag": bazaarx, "limit": 50}
2836
bazaarresponse = requestsession.post(bazaar, data=params)
2937
bazaartext = json.loads(bazaarresponse.text)
@@ -201,6 +209,8 @@ def bazaar_imphash(self, bazaarx):
201209
bazaartext = ''
202210
params = ''
203211

212+
self.requestBAZAARAPI()
213+
204214
try:
205215

206216
print("\n")
@@ -210,6 +220,7 @@ def bazaar_imphash(self, bazaarx):
210220

211221
requestsession = requests.Session()
212222
requestsession.headers.update({'accept': 'application/json'})
223+
requestsession.headers.update({'Auth-Key': self.BAZAARAPI})
213224
params = {'query': 'get_imphash', "imphash": bazaarx, "limit": 50}
214225
bazaarresponse = requestsession.post(bazaar, data=params)
215226
bazaartext = json.loads(bazaarresponse.text)
@@ -389,6 +400,8 @@ def bazaar_lastsamples(self, bazaarx):
389400
bazaarresponse = ''
390401
params = ''
391402

403+
self.requestBAZAARAPI()
404+
392405
try:
393406
print("\n")
394407
print((mycolors.reset + "MALWARE BAZAAR REPORT".center(100)), end='')
@@ -397,6 +410,7 @@ def bazaar_lastsamples(self, bazaarx):
397410

398411
requestsession = requests.Session()
399412
requestsession.headers.update({'accept': 'application/json'})
413+
requestsession.headers.update({'Auth-Key': self.BAZAARAPI})
400414
params = {'query': 'get_recent', "selector": bazaarx}
401415
bazaarresponse = requestsession.post(bazaar, data=params)
402416
bazaartext = json.loads(bazaarresponse.text)
@@ -570,6 +584,8 @@ def bazaar_download(self, bazaarx):
570584
params = ''
571585
resource = bazaarx
572586

587+
self.requestBAZAARAPI()
588+
573589
try:
574590
print("\n")
575591
print((mycolors.reset + "MALWARE BAZAAR REPORT".center(100)), end='')
@@ -578,6 +594,7 @@ def bazaar_download(self, bazaarx):
578594

579595
requestsession = requests.Session()
580596
requestsession.headers.update({'accept': 'application/gzip'})
597+
requestsession.headers.update({'Auth-Key': self.BAZAARAPI})
581598
params = {'query': 'get_file', "sha256_hash": bazaarx}
582599
bazaarresponse = requestsession.post(bazaar, data=params, allow_redirects=True)
583600
bazaartext = bazaarresponse.text
@@ -623,6 +640,8 @@ def bazaar_hash(self, bazaarx):
623640
bazaarresponse = ''
624641
params = ''
625642

643+
self.requestBAZAARAPI()
644+
626645
try:
627646
print("\n")
628647
print((mycolors.reset + "MALWARE BAZAAR REPORT".center(100)), end='')
@@ -631,6 +650,7 @@ def bazaar_hash(self, bazaarx):
631650

632651
requestsession = requests.Session()
633652
requestsession.headers.update({'accept': 'application/json'})
653+
requestsession.headers.update({'Auth-Key': self.BAZAARAPI})
634654
params = {'query': 'get_info', "hash": bazaarx}
635655
bazaarresponse = requestsession.post(bazaar, data=params)
636656
bazaartext = json.loads(bazaarresponse.text)

malwoverview/modules/threatfox.py

Lines changed: 22 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -7,8 +7,13 @@
77
class ThreatFoxExtractor():
88
urlthreatfox = 'https://threatfox-api.abuse.ch/api/v1/'
99

10-
def __init__(self):
11-
pass
10+
def __init__(self,THREATFOXAPI):
11+
self.THREATFOXAPI = THREATFOXAPI
12+
13+
def requestTHREATFOXAPI(self):
14+
if (self.THREATFOXAPI == ''):
15+
print(mycolors.foreground.red + "\nTo be able to get/submit information from/to THREATFOX, you must create the .malwapi.conf file under your user home directory (on Linux is $HOME\\.malwapi.conf and on Windows is in C:\\Users\\[username]\\.malwapi.conf) and insert the THREATFOX API (Auth-Key) according to the format shown on the Github website." + mycolors.reset + "\n")
16+
exit(1)
1217

1318
def threatfox_listiocs(self, bazaarx):
1419
bazaar = ThreatFoxExtractor.urlthreatfox
@@ -17,6 +22,8 @@ def threatfox_listiocs(self, bazaarx):
1722
bazaarresponse = ''
1823
params = ''
1924

25+
self.requestTHREATFOXAPI()
26+
2027
try:
2128
print("\n")
2229
print((mycolors.reset + "THREATFOX REPORT".center(100)), end='')
@@ -25,6 +32,7 @@ def threatfox_listiocs(self, bazaarx):
2532

2633
requestsession = requests.Session()
2734
requestsession.headers.update({'accept': 'application/json'})
35+
requestsession.headers.update({'Auth-Key': self.THREATFOXAPI})
2836
params = {'query': "get_iocs", 'days': int(bazaarx)}
2937

3038
bazaarresponse = requestsession.post(
@@ -196,6 +204,8 @@ def threatfox_searchiocs(self, bazaarx):
196204
bazaarresponse = ''
197205
params = ''
198206

207+
self.requestTHREATFOXAPI()
208+
199209
try:
200210
print("\n")
201211
print((mycolors.reset + "THREATFOX REPORT".center(100)), end='')
@@ -204,6 +214,7 @@ def threatfox_searchiocs(self, bazaarx):
204214

205215
requestsession = requests.Session()
206216
requestsession.headers.update({'accept': 'application/json'})
217+
requestsession.headers.update({'Auth-Key': self.THREATFOXAPI})
207218
params = {'query': "search_ioc", 'search_term': bazaarx}
208219
bazaarresponse = requestsession.post(url=bazaar, data=json.dumps(params))
209220
bazaartext = json.loads(bazaarresponse.text)
@@ -386,6 +397,8 @@ def threatfox_searchtags(self, bazaarx):
386397
bazaarresponse = ''
387398
params = ''
388399

400+
self.requestTHREATFOXAPI()
401+
389402
try:
390403

391404
print("\n")
@@ -395,6 +408,7 @@ def threatfox_searchtags(self, bazaarx):
395408

396409
requestsession = requests.Session()
397410
requestsession.headers.update({'accept': 'application/json'})
411+
requestsession.headers.update({'Auth-Key': self.THREATFOXAPI})
398412
params = {'query': "taginfo", 'tag': bazaarx}
399413
bazaarresponse = requestsession.post(url=bazaar, data=json.dumps(params))
400414
bazaartext = json.loads(bazaarresponse.text)
@@ -584,6 +598,8 @@ def threatfox_searchmalware(self, bazaarx):
584598
bazaarresponse = ''
585599
params = ''
586600

601+
self.requestTHREATFOXAPI()
602+
587603
try:
588604

589605
print("\n")
@@ -593,6 +609,7 @@ def threatfox_searchmalware(self, bazaarx):
593609

594610
requestsession = requests.Session()
595611
requestsession.headers.update({'accept': 'application/json'})
612+
requestsession.headers.update({'Auth-Key': self.THREATFOXAPI})
596613
params = {'query': "malwareinfo", 'malware': bazaarx}
597614
bazaarresponse = requestsession.post(url=bazaar, data=json.dumps(params))
598615
bazaartext = json.loads(bazaarresponse.text)
@@ -775,6 +792,8 @@ def threatfox_listmalware(self):
775792
bazaarresponse = ''
776793
params = ''
777794

795+
self.requestTHREATFOXAPI()
796+
778797
try:
779798

780799
print("\n")
@@ -784,6 +803,7 @@ def threatfox_listmalware(self):
784803

785804
requestsession = requests.Session()
786805
requestsession.headers.update({'accept': 'application/json'})
806+
requestsession.headers.update({'Auth-Key': self.THREATFOXAPI})
787807
params = {'query': "malware_list"}
788808
bazaarresponse = requestsession.post(url=bazaar, data=json.dumps(params))
789809
bazaartext = json.loads(bazaarresponse.text)

malwoverview/modules/triage.py

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -746,7 +746,7 @@ def triage_download(self, triagex):
746746
print("\n" + mycolors.foreground.red + triagetext['message'] + mycolors.reset, end='\n\n')
747747
exit(1)
748748

749-
outputpath = os.path.join(cv.output_dir, )
749+
outputpath = os.path.join(cv.output_dir, triagex)
750750
open(outputpath, 'wb').write(triageresponse.content)
751751
if (cv.bkg == 1):
752752
print("\n" + mycolors.foreground.yellow + f"Sample downloaded to: {outputpath}" + mycolors.reset, end=' ')

setup.py

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -11,7 +11,7 @@
1111

1212
setup(
1313
name="malwoverview",
14-
version="6.1.1",
14+
version="6.2",
1515
author="Alexandre Borges",
1616
author_email="reverseexploit@proton.me",
1717
license="GNU GPL v3.0",

0 commit comments

Comments
 (0)