Skip to content

Script to fetch data from virustotal and add it to a specific event as an object

License

Notifications You must be signed in to change notification settings

eCrimeLabs/vt2misp

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

25 Commits
 
 
 
 
 
 
 
 

Repository files navigation

vt2misp

Script to fetch data from virustotal and add two specific objects to an event.

  • File object
  • VirusTotal object

Afterwards it will create a Relation between those two (file -> analysed-with -> virustotal-report)

Small blog post on the tool https://www.ecrimelabs.com/blog/2018/7/21/tool-for-adding-hashes-with-virustotal-data-to-misp-event

The script makes use of the public VirusTotal API In order to use the API you must sign up to VirusTotal Community(https://www.virustotal.com/#/join-us). Once you have a valid VirusTotal Community account you will find your personal API key in your personal settings section. This key is all you need to use the VirusTotal API.

Remember to create the file "keys.py":

#!/usr/bin/env python3
# -*- coding: utf-8 -*-

misp_url = 'https://misp_instance/'
misp_key = '' # The MISP auth key can be found on the MISP web interface under the automation section
misp_verifycert = True

proxies = {
    "http" : '127.0.0.1:8090',
    "https": '127.0.0.1:8090'
}

vt_url = 'https://www.virustotal.com/vtapi/v2/file/report'
vt_key = 'API KEY'

Sample Usage:

~# python3 vt2misp.py -u 5b53275a-003c-4dcc-b4ce-710f9f590eb0 -a "USBGuard" --force -c 7657fcb7d772448a6d8504e4b20168b8
Virustotal to MISP
(c)2018 eCrimeLabs
https://www.ecrimelabs.com
----------------------------------------

- Checking if checksum is valid - true
- Checking if UUID format is valid - true
- UUID for MISP event detected
- Checksum 7657fcb7d772448a6d8504e4b20168b8 was not detected in the event
- The artefact was found on Virustotal
- Creating object(s)
	* Permalink: https://www.virustotal.com/file/54bc950d46a0d1aa72048a17c8275743209e6c17bdacfc4cb9601c9ce3ec9a71/analysis/1532138638/
	* Detection: 64/67
	* Last scan: 2018-07-21 02:03:58

	* MD5: 7657fcb7d772448a6d8504e4b20168b8
	* SHA1: 84c7201f7e59cb416280fd69a2e7f2e349ec8242
	* SHA256: 54bc950d46a0d1aa72048a17c8275743209e6c17bdacfc4cb9601c9ce3ec9a71
	------------
	* VirusTotal detections:
		Bkav (1.3.0.9466) Detection: W32.ZeustrackerZS.Trojan
		MicroWorld-eScan (14.0.297.0) Detection: Gen:Variant.Kazy.8782
		CMC (1.1.0.977) Detection: Trojan.Win32.Lebag!O
		CAT-QuickHeal (14.00) Detection: Trojan.Ramnit.A
		McAfee (6.0.6.653) Detection: PWS-Zbot.gen.cy
		Malwarebytes (2.1.1.1115) Detection: Trojan.Zbot
		Zillya (2.0.0.3599) Detection: Trojan.Zbot.Win32.81569
		SUPERAntiSpyware (5.6.0.1032) Detection: Trojan.Agent/Gen-FakeSecurity
		TheHacker (6.8.0.5.3418) Detection: Trojan/Lebag.agu
		K7GW (10.54.27826) Detection: Riskware ( 0015e4f11 )
		K7AntiVirus (10.54.27825) Detection: Riskware ( 0015e4f11 )
		Invincea (6.3.5.26121) Detection: heuristic
		Baidu (1.0.0.2) Detection: Win32.Worm.Autorun.f
		Babable (9107201) Detection: No detection
		F-Prot (4.7.1.166) Detection: W32/Ramnit.K.gen!Eldorado
		Symantec (1.6.0.0) Detection: W32.Ramnit
		TotalDefense (37.1.62.1) Detection: Win32/Ramnit.B!Dropper
		TrendMicro-HouseCall (9.950.0.1006) Detection: TSPY_ZBOT.SMHA
		Paloalto (1.0) Detection: generic.ml
		ClamAV (0.100.1.0) Detection: Win.Trojan.Ramnit-7847
		Kaspersky (15.0.1.13) Detection: Worm.Win32.Autorun.icp
		BitDefender (7.2) Detection: Gen:Variant.Kazy.8782
		NANO-Antivirus (1.0.116.23366) Detection: Trojan.Win32.DownLoad2.wtigj
		ViRobot (2014.3.20.0) Detection: Trojan.Win32.Agent.109056.CR
		Avast (18.4.3895.0) Detection: Win32:Kryptik-JOV [Trj]
		Tencent (1.0.0.1) Detection: Worm.Win32.AutoRun.aaa
		Ad-Aware (3.0.5.370) Detection: Gen:Variant.Kazy.8782
		Sophos (4.98.0) Detection: Troj/ZXC-G
		Comodo (29383) Detection: TrojWare.Win32.Kryptik.KLV
		F-Secure (11.0.19100.45) Detection: Gen:Variant.Kazy.8782
		DrWeb (7.0.33.6080) Detection: Win32.HLLW.Tazebama.235
		VIPRE (68268) Detection: Trojan.Win32.Generic!BT
		TrendMicro (10.0.0.1040) Detection: TSPY_ZBOT.SMHA
		McAfee-GW-Edition (v2017.3010) Detection: BehavesLike.Win32.ZBot.ch
		Emsisoft (2018.4.0.1029) Detection: Gen:Variant.Kazy.8782 (B)
		SentinelOne (1.0.17.227) Detection: static engine - malicious
		Cyren (6.0.0.4) Detection: W32/Ramnit.K.gen!Eldorado
		Jiangmin (16.0.100) Detection: Trojan/Generic.dkmt
		Webroot (1.0.0.403) Detection: Trojan:Win32/Eyestye.H
		Avira (8.3.3.6) Detection: TR/Drop.Liks.A
		Fortinet (5.4.247.0) Detection: W32/Kryptik.KLV!tr
		Antiy-AVL (3.0.0.1) Detection: Worm/Win32.Autorun.icp
		Kingsoft (2013.8.14.323) Detection: Win32.Troj.Undef.(kcloud)
		Endgame (3.0.0) Detection: malicious (high confidence)
		Arcabit (1.0.0.831) Detection: Trojan.Kazy.D224E
		AegisLab (4.2) Detection: Worm.Win32.Autorun.o!c
		ZoneAlarm (1.0) Detection: Worm.Win32.Autorun.icp
		Avast-Mobile (180720-04) Detection: No detection
		Microsoft (1.1.15100.1) Detection: Trojan:Win32/Ramnit
		AhnLab-V3 (3.13.1.21452) Detection: Trojan/Win32.Zbot.R19508
		ALYac (1.1.1.5) Detection: Gen:Variant.Kazy.8782
		AVware (1.6.0.52) Detection: Trojan.Win32.Generic!BT
		MAX (2017.11.15.1) Detection: malware (ai score=100)
		VBA32 (3.12.32.0) Detection: Worm.AutoRun
		Cylance (2.3.1.101) Detection: Unsafe
		Zoner (1.0) Detection: Win32.Ramnit.A
		ESET-NOD32 (17750) Detection: Win32/Ramnit.A
		Rising (25.0.0.24) Detection: Trojan.Win32.Generic.127B2A0E (C64:YzY0OklB66P4SAs3)
		Yandex (5.5.1.3) Detection: Trojan.Ramnit!cLbJ7UZPdfE
		Ikarus (0.1.5.2) Detection: Virus.Win32.Virtob
		eGambit (None) Detection: No detection
		GData (A:25.17830B:25.12774) Detection: Gen:Variant.Kazy.8782
		AVG (18.4.3895.0) Detection: Win32:Kryptik-JOV [Trj]
		Cybereason (1.2.27) Detection: malicious.7d7724
		Panda (4.6.4.2) Detection: Trj/Ramnit.F
		CrowdStrike (1.0) Detection: malicious_confidence_100% (W)
		Qihoo-360 (1.0.0.1120) Detection: Win32/Trojan.544

	------------
- The MISP objects seems to have been added correctly to the event....

The tool will exit without adding anything to MISP in case the checksum(MD5, SHA1, SHA256) was not found on VirusTotal. In some cases you might still want the value you have added to MISP then use the option -f or --force

This allows you to easilier add additional informaiton should you get it later and it will then allready be in object format.

About

Script to fetch data from virustotal and add it to a specific event as an object

Topics

Resources

License

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published

Languages