
Malwoverview

Malwoverview is a rapid response tool used to gather intelligence information from VirusTotal, Hybrid Analysis, URLHaus, Polyswarm, Malshare, Alien Vault, Malpedia, Malware Bazaar, ThreatFox, Triage, and IPInfo, as well as to check for vulnerabilities in Android devices. Now, it also retrieves vulnerability records from NIST and VulnCheck.



  Copyright (C)  2018-2026 Alexandre Borges (https://exploitreversing.com) 

  This program is free software: you can redistribute it and/or modify
  it under the terms of the GNU General Public License as published by
  the Free Software Foundation, either version 3 of the License, or
  (at your option) any later version.

  This program is distributed in the hope that it will be useful,
  but WITHOUT ANY WARRANTY; without even the implied warranty of
  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  GNU General Public License for more details.

  See GNU Public License on <http://www.gnu.org/licenses/>.

Current Version: 7.1.2

 Important note:  Malwoverview does NOT submit samples to any endpoint by default, 
 so it respects possible Non-Disclosure Agreements (NDAs). There are specific options
 that explicitly submit samples, but these options are explained in the help.

ABOUT

Malwoverview.py is a first response tool for threat hunting, which performs an initial and quick triage of malware samples, URLs, IP addresses, domains, malware families, IOCs and hashes. Additionally, Malwoverview is able to get dynamic and static behavior reports, and to submit and download samples from several endpoints. In a few words, it works as a client to the main existing sandboxes.

This tool aims to:

  1. Determine similar executable malware samples (PE/PE+) according to the import table (imphash) and group them by different colors (pay attention to the second column from output). Thus, colors matter!
  2. Show hash information on Virus Total, Hybrid Analysis, Malshare, Polyswarm, URLhaus, Alien Vault, Malpedia and ThreatCrowd engines.
  3. Determine whether the malware samples contain an overlay and, if you want, extract it.
  4. Check suspect files on Virus Total, Hybrid Analysis and Polyswarm.
  5. Check URLs on Virus Total, Malshare, Polyswarm, URLhaus engines and Alien Vault.
  6. Download malware samples from Hybrid Analysis, Malshare, URLHaus, Polyswarm and Malpedia engines.
  7. Submit malware samples to VirusTotal, Hybrid Analysis and Polyswarm.
  8. List last suspected URLs from URLHaus.
  9. List last payloads from URLHaus.
  10. Search for specific payloads on the Malshare.
  11. Search for similar payloads (PE32/PE32+) on Polyswarm engine.
  12. Classify all files in a directory searching information on Virus Total and Hybrid Analysis.
  13. Make reports about a suspect domain using different engines such as VirusTotal, Malpedia and ThreatCrowd.
  14. Check APK packages directly from Android devices against Hybrid Analysis and Virus Total.
  15. Submit APK packages directly from Android devices to Hybrid Analysis and Virus Total.
  16. Show URLs related to a user-provided tag from URLHaus.
  17. Show payloads related to a tag (signature) from URLHaus.
  18. Show information about an IP address from Virus Total, Alien Vault, Malpedia and ThreatCrowd.
  19. Show IP address, domain and URL information from Polyswarm.
  20. Perform meta-search on Polyswarm Network using several criteria: imphash, IPv4, domain, URL and malware family.
  21. Gather threat hunting information from AlienVault using different criteria.
  22. Gather threat hunting information from Malpedia using different criteria.
  23. Gather threat hunting information from Malware Bazaar using different criteria.
  24. Gather IOC information from ThreatFox using different criteria.
  25. Gather threat hunting information from Triage using different criteria.
  26. Get evaluations for the hashes listed in a given file against Virus Total.
  27. Submit large files (>= 32 MB) to Virus Total.
  28. Malwoverview uses Virus Total API v.3, so there is no longer any option that uses v.2.
  29. Retrieve information about a given IP address from IPInfo service.
  30. Retrieve information about a given IP address from BGPView service.
  31. Retrieve combined information about a given IP address from multiple services.
  32. Offer extra option to save any downloaded file to a central location.
  33. List and search vulnerabilities from NIST using different criteria.
  34. Query VulnCheck database - Community/Free tier.
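Item 1 above groups samples by imphash. The following is an added illustration (not Malwoverview's own code) of how that grouping works: it builds the imphash string the way the Mandiant/pefile algorithm does (lowercased library name with .dll/.ocx/.sys stripped, lowercased function names, unresolved ordinals rendered as "ordN", comma-joined, MD5) over constructed import tables and assigns one colour slot per distinct hash. The import tables and file names are constructed; a real run would obtain them from a PE parser such as pefile, and pefile additionally resolves well-known ordinals (ws2_32, oleaut32) to names, which is omitted here.

```python
import hashlib
from collections import defaultdict

# Constructed import tables standing in for what a PE parser would extract:
# list of (dll name, [function names or integer ordinals]).
SAMPLES = {
    "loader_a.exe": [("KERNEL32.dll", ["CreateFileA", "WriteFile"]),
                     ("USER32.dll", ["MessageBoxA", 5])],
    # Same imports as loader_a, different casing: must hash identically.
    "loader_b.exe": [("kernel32.DLL", ["CreateFileA", "WriteFile"]),
                     ("user32.dll", ["MessageBoxA", 5])],
    # Same functions, different order: imphash is order-sensitive.
    "dropper_c.exe": [("KERNEL32.dll", ["WriteFile", "CreateFileA"]),
                      ("USER32.dll", ["MessageBoxA", 5])],
}

def imphash_string(imports):
    """Build the comma-joined 'lib.func' list that gets MD5-hashed."""
    parts = []
    for dll, funcs in imports:
        lib = dll.lower()
        base, dot, ext = lib.rpartition(".")
        if dot and ext in ("dll", "ocx", "sys"):
            lib = base  # strip the extension, as pefile does
        for f in funcs:
            # Unresolved ordinals become "ordN" (no ordinal table here)
            name = f"ord{f}" if isinstance(f, int) else f.lower()
            parts.append(f"{lib}.{name}")
    return ",".join(parts)

def imphash(imports):
    return hashlib.md5(imphash_string(imports).encode()).hexdigest()

def group_by_imphash(samples):
    """Return {imphash: [file names sharing that import table]}."""
    groups = defaultdict(list)
    for fname, imports in samples.items():
        groups[imphash(imports)].append(fname)
    return dict(groups)

def colour_index(samples):
    """Map each file to a colour slot; files sharing an imphash share a slot."""
    slots, out = {}, {}
    for fname, imports in samples.items():
        h = imphash(imports)
        slots.setdefault(h, len(slots))
        out[fname] = slots[h]
    return out

if __name__ == "__main__":
    for h, files in group_by_imphash(SAMPLES).items():
        print(h, files)
```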

CONTRIBUTORS

  Alexandre Borges (https://github.com/alexandreborges) | project owner and main developer
  Artur Marzano (https://github.com/Macmod) | co-main developer
  Corey Forman (https://github.com/digitalsleuth) | responsible for REMnux integration
  Christian Clauss (https://github.com/cclauss)

HOW TO CONTRIBUTE TO THIS PROJECT

Since version 6.0.0, there is a new branch named "dev". All contributions and proposals must be made against this "dev" branch.

Professionals who want to contribute must open an issue explaining the proposed improvement and how it would make the project better. Once it has been accepted, she/he is authorized to submit the PR, which will be tested.

Once all changes are tested, this new version of Malwoverview is replicated to the master branch and a new Python package is generated.

INSTALLATION

This tool has been tested on REMnux, Ubuntu, Kali Linux, macOS and Windows. Malwoverview can be installed by executing the following command:

  * pip3.11 install git+https://github.com/alexandreborges/malwoverview
  
  or...
  
  * python -m pip install -U malwoverview
  

If you want to install Malwoverview on macOS, you have to execute the following commands:

  * /bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"
  * brew install libmagic
  * pip3 install urllib3==1.26.6
  * pip3 install -U malwoverview
  * Add the Python binary directory to the PATH variable by editing the .bash_profile file in your home 
    directory. Example:

      export PATH=$PATH:/Users/alexandreborges/Library/Python/3.9/bin

  * Execute: . ./.bash_profile

If you are installing Malwoverview on Windows, make sure that the following conditions are true
AFTER having installed Malwoverview:

  * python-magic is NOT installed. (pip show python-magic)
  * python-magic-bin IS installed. (pip show python-magic-bin)

Note: It is recommended to save the .malwapi.conf before any update!

REQUIRED APIs

It is possible to start using Malwoverview without inserting all API keys. However, to use all options of Malwoverview, you must insert the respective API key of the following services: VirusTotal, Hybrid Analysis, URLHaus, Malshare, Polyswarm, Alien Vault, Malpedia, Triage, IPInfo, Malware Bazaar, ThreatFox and VulnCheck into the .malwapi.conf configuration file, which must be present (or created) in the home directory (/home/[username] or /root on Linux, and C:\Users\[username] on Windows). Alternatively, users can create a custom configuration file and indicate it by using the
