  • Stars: 809
  • Rank: 56,370 (Top 2 %)
  • Language: Python
  • License: Apache License 2.0
  • Created about 7 years ago
  • Updated 7 months ago

 _________   _    _   ______  _____  ______
| | | | | \ | |  | | | |  \ \  | |  | |  \ \     /.)
| | | | | | | |  | | | |  | |  | |  | |  | |    /)\|
|_| |_| |_| \_|__|_| |_|  |_| _|_|_ |_|  |_|   // /
                                              /'" "

Online Hash Checker for Virustotal and Other Services
Florian Roth

What is Munin?

Munin is an online hash checker utility that retrieves valuable information about file hashes from various online sources.

The current version of Munin queries the following services:

Screenshot

Default Mode - Read Hashes from File

Munin Screenshot

Usage

usage: munin.py [-h] [-f path] [--vh search-string]
                [--vhrule search-string] [-o output] [--vtwaitquota]
                [--vtminav min-matches] [--limit hash-limit]
                [--vhmaxage days] [-c cache-db] [-i ini-file]
                [-s sample-folder] [--comment] [-p vt-comment-prefix]
                [--download] [-d download_path] [--nocache] [--nocsv]
                [--verifycert] [--sort] [--web] [-w port] [--cli]
                [--rescan] [--debug]

Online Hash Checker

optional arguments:
  -h, --help            show this help message and exit
  -f path               File to process (hash line by line OR csv with hash
                        in each line - auto-detects position and comment)
  --vh search-string    Query Valhalla for hashes by keyword, tags, YARA
                        rule name, Mitre ATT&CK software (e.g. S0154),
                        technique (e.g. T1023) or threat group (e.g. G0049)
  --vhrule search-string
                        Query Valhalla for hashes via rules by keyword,
                        tags, YARA rule name, Mitre ATT&CK software (e.g.
                        S0154), technique (e.g. T1023) or threat group
                        (e.g. G0049)
  -o output             Output file for results (CSV)
  --vtwaitquota         Do not continue if VT quota is exceeded but wait
                        for the next day
  --vtminav min-matches
                        Minimum number of AV matches to query hash info
                        from VT
  --limit hash-limit    Exit after handling this much new hashes in batch
                        mode (cache ignored).
  --vhmaxage days       Maximum age of sample on Valhalla to process
  -c cache-db           Name of the cache database file (default: vt-hash-
                        db.json)
  -i ini-file           Name of the ini file that holds the API keys
  -s sample-folder      Folder with samples to process
  --comment             Posts a comment for the analysed hash which
                        contains the comment from the log line
  -p vt-comment-prefix  Virustotal comment prefix
  --download            Enables Sample Download from Hybrid Analysis.
                        SHA256 of sample needed.
  -d download_path      Output Path for Sample Download from Hybrid
                        Analysis. Folder must exist
  --nocache             Do not use cache database file
  --nocsv               Do not write a CSV with the results
  --verifycert          Verify SSL/TLS certificates
  --sort                Sort the input lines
  --web                 Run Munin as web service
  -w port               Web service port
  --cli                 Run Munin in command line interface mode
  --rescan              Trigger a rescan of each analyzed file
  --debug               Debug output

Features

  • Retrieves valuable information from Virustotal via API (JSON response) and other information via permalink (HTML parsing)
  • Retrieves extra information from a list of platforms
  • Keeps a history (cache) to query the services only once for a hash that may appear multiple times in the text file
  • Cached objects are stored in JSON
  • Creates CSV file with the findings for easy post-processing and reporting
  • Appends results to a previous CSV if available

Displays

  • Hash and comment (comment is the rest of the line of which the hash has been extracted)
  • AV vendor matches based on a user defined list
  • Filenames used in the wild
  • PE information like the description, the original file name and the copyright statement
  • Signer of a signed portable executable
  • Result based on Virustotal ratio
  • First and last submission
  • Tags for certain indicators: Harmless, Signed, Expired, Revoked, MSSoftware
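The -f option accepts plain hash lists as well as CSV exports and auto-detects the hash position, and the comment shown for each result is the rest of the line the hash was taken from. The following is an added example (not Munin's own parsing code) of how such a line can be handled: it recognises MD5, SHA1 and SHA256 values, normalises them to lowercase, turns the remainder of the line into the comment, drops repeated hashes so each is looked up only once, and can sort the raw input lines first as --sort does. The sample input and the separator set are constructed assumptions.

```python
import re
from typing import Iterable, List, NamedTuple, Optional

# Match a standalone run of 32, 40 or 64 hex characters (MD5, SHA1, SHA256).
# Longest alternative first, and the lookarounds reject hex runs that are part
# of a longer one, so a SHA256 never also yields a bogus MD5 from its prefix.
HASH_RE = re.compile(
    r"(?<![0-9a-fA-F])([0-9a-fA-F]{64}|[0-9a-fA-F]{40}|[0-9a-fA-F]{32})(?![0-9a-fA-F])"
)
HASH_TYPES = {32: "md5", 40: "sha1", 64: "sha256"}
# Field separators seen in plain lists and CSV exports (assumption for this example).
SEP_RE = re.compile(r"[;,|\t]")


class HashLine(NamedTuple):
    hash: str        # normalised to lowercase
    hash_type: str   # "md5", "sha1" or "sha256"
    comment: str     # rest of the line, or "-" if nothing is left


def _comment_from(remainder: str) -> str:
    """Turn the line minus its hash into a comment: split on separators,
    drop quotes and empty fields, join the rest with single spaces."""
    tokens = [t.strip(" \"':") for t in SEP_RE.split(remainder)]
    return " ".join(t for t in tokens if t) or "-"


def parse_line(line: str) -> Optional[HashLine]:
    """Extract the first hash from a line; None for blank, '#' or hash-less lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    m = HASH_RE.search(line)
    if m is None:
        return None
    value = m.group(1).lower()
    remainder = line[:m.start()] + line[m.end():]
    return HashLine(value, HASH_TYPES[len(value)], _comment_from(remainder))


def parse_lines(lines: Iterable[str], sort: bool = False) -> List[HashLine]:
    """Parse many lines, keeping only the first occurrence of each hash so a
    repeated hash is looked up once; sort=True sorts the raw lines first, as
    --sort does, so related entries are processed in blocks."""
    if sort:
        lines = sorted(lines)
    seen = set()
    result: List[HashLine] = []
    for raw in lines:
        parsed = parse_line(raw)
        if parsed is None or parsed.hash in seen:
            continue
        seen.add(parsed.hash)
        result.append(parsed)
    return result


# Constructed sample input mixing the formats the README mentions.
SAMPLE_INPUT = [
    "# constructed demo list",
    "Emotet:1585ad28f7d1e0ca696e6c6c2f1d008a",
    "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa;IOC1",
    '"2019-01-19","1585ad28f7d1e0ca696e6c6c2f1d008a","sourcedev.exe","Emotet campaign"',
    "4561D0AD575D5F02FB06E062A37DE15861C3BD89 second sample (constructed comment)",
    "deadbeef no hash on this line",
]

if __name__ == "__main__":
    for entry in parse_lines(SAMPLE_INPUT, sort=True):
        print(f"{entry.hash_type:6} {entry.hash}  {entry.comment}")
```

Run as a script it prints the three distinct hashes from the sample input; the duplicated MD5 appears once, with the comment of the line that was processed first.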

Extra Checks

  • Queries Malshare.com for sample uploads
  • Queries Hybrid-Analysis.com for reports
  • Queries multiple MISP instances for available events
  • Queries Any.run sandbox for reports
  • Queries CAPE sandbox for reports
  • Queries URLhaus for reports
  • Queries Malshare for available samples
  • Queries Valhalla for YARA rule matches
  • Imphash duplicates in the current batch - allows you to spot overlaps in import table hashes
  • PE signature duplicate checks
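The imphash and signer duplicate checks work over the whole batch rather than a single hash, and the AV vendor matches are filtered by a user-defined vendor list. The following is an added example (not Munin's own code) of that post-processing over a batch of result records shaped like the JSON Munin returns: it groups hashes by imphash and by signer while ignoring the "-" placeholder, and builds the "Vendor: verdict / ..." summary for a chosen vendor list. All hashes except the first one, and the signer name, are constructed placeholders.

```python
from collections import defaultdict
from typing import Any, Dict, List, Sequence

# Constructed batch shaped like Munin's per-hash JSON (only the fields used here).
# Hashes other than the first one are made-up placeholders.
SAMPLE_BATCH: List[Dict[str, Any]] = [
    {"hash": "1585ad28f7d1e0ca696e6c6c2f1d008a",
     "imphash": "2820d9bdc397f88a8a1e957e1a824482", "signer": "-",
     "vendor_results": {"Microsoft": "Trojan:Win32/Emotet.DN",
                        "Kaspersky": "HEUR:Trojan.Win32.Generic",
                        "TrendMicro": "-"}},
    {"hash": "00000000000000000000000000000002",
     "imphash": "2820D9BDC397F88A8A1E957E1A824482", "signer": "-",
     "vendor_results": {"Microsoft": "-", "Kaspersky": "-", "TrendMicro": "-"}},
    {"hash": "00000000000000000000000000000003",
     "imphash": "-", "signer": "Example Signer Ltd (constructed)",
     "vendor_results": {"Microsoft": "Trojan:Win32/Example.A", "Kaspersky": "-"}},
    {"hash": "00000000000000000000000000000004",
     "imphash": "-", "signer": "Example Signer Ltd (constructed)",
     "vendor_results": {}},
]

# Values Munin uses when a field is unknown; never treated as a real attribute.
PLACEHOLDERS = {"", "-", None}


def find_duplicates(batch: Sequence[Dict[str, Any]], field: str) -> Dict[str, List[str]]:
    """Group hashes by a PE attribute (imphash or signer) and return only the
    groups with more than one member. Placeholders are skipped so a batch of
    unsigned files is not reported as one giant 'duplicate' group."""
    groups: Dict[str, List[str]] = defaultdict(list)
    for entry in batch:
        value = entry.get(field)
        if value in PLACEHOLDERS:
            continue
        if field == "imphash":
            value = value.lower()   # imphashes are hex, compare case-insensitively
        groups[value].append(entry["hash"])
    return {k: v for k, v in groups.items() if len(v) > 1}


def vendor_summary(entry: Dict[str, Any], vendors: Sequence[str]) -> str:
    """Build a 'Vendor: verdict / ...' summary restricted to the user-defined
    vendor list, in the user's order, omitting vendors without a detection."""
    parts = []
    for vendor in vendors:
        verdict = entry.get("vendor_results", {}).get(vendor)
        if verdict in PLACEHOLDERS:
            continue
        parts.append(f"{vendor}: {verdict}")
    return " / ".join(parts) or "-"


def batch_report(batch: Sequence[Dict[str, Any]], vendors: Sequence[str]) -> List[Dict[str, Any]]:
    """One report row per hash: vendor summary plus the other hashes in the
    batch that share its imphash or its signer."""
    imphash_dups = find_duplicates(batch, "imphash")
    signer_dups = find_duplicates(batch, "signer")
    report = []
    for entry in batch:
        h = entry["hash"]
        imp = str(entry.get("imphash", "")).lower()
        report.append({
            "hash": h,
            "virus": vendor_summary(entry, vendors),
            "imphash_overlaps": [o for o in imphash_dups.get(imp, []) if o != h],
            "signer_overlaps": [o for o in signer_dups.get(entry.get("signer"), []) if o != h],
        })
    return report


if __name__ == "__main__":
    for row in batch_report(SAMPLE_BATCH, ["Microsoft", "Kaspersky", "TrendMicro"]):
        print(row)
```

Skipping the placeholder before grouping is the detail that matters in practice: without it every unsigned sample in a batch would "match" every other one on the signer check.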

Operation Modes

  1. Default - by providing an input file (-f) with hashes or sample directory (-s)
  2. Query - to search hashes from Valhalla by keyword, tags, ATT&CK technique (e.g. T1023), ATT&CK threat group (e.g. G0049) or rule name (-q)
  3. Command Line Interface - using the --cli parameter
  4. Web Service Mode - using the --web parameter

Getting started

  1. Download / clone the repo
  2. Install required packages: pip3 install -r requirements.txt (on macOS add --user)
  3. Set the API keys for the different services in your custom ini file: cp munin.ini my.ini, then edit my.ini (see section Get the API Keys for help)
  4. Use the demo file for a first run: python munin.py -i my.ini -f munin-demo.txt

Requirements

  • Python 3.7 and higher
  • Internet Connection (Proxy Support; SSL/TLS interception can be a problem)

Typical Command Lines

Process a Virustotal Retrohunt result and sort the lines before checking so that matched signatures are checked in blocks

python3 munin.py -i my.ini -f ~/Downloads/retro_hunt

Process a directory with samples and check their hashes online

python3 munin.py -i my.ini -s ~/malware/case34

Use the command line interface mode (new in v0.14)

python3 munin.py -i my.ini

Get the API Keys

Virustotal

  1. Create an account here https://www.virustotal.com/#/join-us
  2. Check Profile > My API key for your public API key

MalShare

Register here https://malshare.com/register.php

Malware Bazaar

Register here https://bazaar.abuse.ch/. You can then find your API key in your Account Overview.

Hybrid Analysis

  1. Create an account here https://www.hybrid-analysis.com/signup
  2. After login, check Profile > API key

MISP

  1. Log into your MISP
  2. Go to your profile "My Profile"
  3. The value of Authkey is used as API key
  4. Note that the .ini file uses both a list for the MISP instances and for the respective API keys

Valhalla

Currently for customers or invited researchers only
https://valhalla.nextron-systems.com/

Hashlookup

CIRCL's Hashlookup instance is provided free of charge on a best-effort basis.

Command Line Interface Mode

Start munin with --cli and follow the instructions.

E.g.

python3 munin.py -i my.ini --cli

Paste content with hash values in it and then press CTRL+D to finalize the input. The last line needs a line break at its end.

By default, it creates a CSV file with the current date in the file name.

Munin CLI

Web Service Mode

Start munin with --web and optionally select a port with -w port.

E.g.

python3 munin.py -i my.ini --web -w 8080

The web service waits for strings in the following URL scheme.

http://server:port/<string>

The string can be any string without line breaks, e.g.

Emotet:1585ad28f7d1e0ca696e6c6c2f1d008a
ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa;IOC1
dc9b5e8aa6ec86db8af0a7aa897ca61db3e5f3d2e0942e319074db1aaccfdc83

The result will look like this:

{
    "comment": "Emotet",
    "commenter": "-",
    "comments": "0",
    "copyright": "Copyright (C) America Online, Inc. 1999 - 2004",
    "description": "Utilities",
    "expired": false,
    "filenames": "sourcedev.exe, MISCUTIL, x8ykNnr_9WofXq7Nh_xuEzSPW.exe, jwuKBLWN681ztj6Zks.exe",
    "filetype": "Win32 EXE",
    "first_submitted": "2019-01-19 13:46:21 UTC ( 2 months, 2 weeks ago )",
    "firstsubmission": "2019-01-19 13:46:21 UTC ( 2 months, 2 weeks ago )",
    "harmless": false,
    "hash": "1585ad28f7d1e0ca696e6c6c2f1d008a",
    "hybrid_available": false,
    "hybrid_compromised": "-",
    "hybrid_date": "-",
    "hybrid_score": "-",
    "imphash": "2820d9bdc397f88a8a1e957e1a824482",
    "last_submitted": "2019-02-27 09:44:03",
    "malshare_available": false,
    "md5": "1585ad28f7d1e0ca696e6c6c2f1d008a",
    "misp_available": true,
    "misp_events": "",
    "misp_info": [],
    "mssoft": false,
    "origname": "-",
    "positives": 48,
    "rating": "malicious",
    "res_color": "\u001b[41m",
    "result": "48 / 64",
    "revoked": false,
    "sha1": "4561d0ad575d5f02fb06e062a37de15861c3bd89",
    "sha256": "35e304d10d53834e3e41035d12122773c9a4d183a24e03f980ad3e6b2ecde7fa",
    "signed": false,
    "signer": "-",
    "total": 64,
    "urlhaus_available": true,
    "vendor_results": {
        "CrowdStrike": "win/malicious_confidence_100% (W)",
        "ESET-NOD32": "a variant of Win32/Kryptik.GOUY",
        "F-Secure": "Trojan.TR/AD.Emotet.pdiuu",
        "GData": "Trojan.GenericKD.40960256",
        "Kaspersky": "HEUR:Trojan.Win32.Generic",
        "McAfee": "Emotet-FLL!1585AD28F7D1",
        "Microsoft": "Trojan:Win32/Emotet.DN",
        "Sophos": "Mal/Emotet-Q",
        "Symantec": "Trojan.Gen.2",
        "TrendMicro": "-"
    },
    "virus": "Microsoft: Trojan:Win32/Emotet.DN / Kaspersky: HEUR:Trojan.Win32.Generic / McAfee: Emotet-FLL!1585AD28F7D1 / CrowdStrike: win/malicious_confidence_100% (W) / ESET-NOD32: a variant of Win32/Kryptik.GOUY / Symantec: Trojan.Gen.2 / F-Secure: Trojan.TR/AD.Emotet.pdiuu / Sophos: Mal/Emotet-Q / GData: Trojan.GenericKD.40960256",
    "virusbay_available": false,
    "vt_positives": 48,
    "vt_queried": false,
    "vt_total": 64,
    "vt_verbose_msg": "Scan finished, information embedded"
}

Queries to Virustotal need to be throttled. The web service therefore applies a cool-down time after each Virustotal query; it is kept as short as possible by subtracting the time it took to process all other platforms from the wait time of 15 seconds:

cooldown_time = vt_wait_time - process_time

During the cooldown, requests will return this response:

{"status": "VT cooldown active"}

The cool down is not relevant when requesting hashes that are already in the lookup cache.
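The cool-down behaviour described above, as an added example that is not Munin's own web service code: a lookup service that answers cache hits immediately, returns {"status": "VT cooldown active"} while the cool-down runs, and otherwise queries the other platforms, subtracts the time they took from the 15 second wait, and queries Virustotal. The lookups and the clock are injected so the timing can be shown offline; the fake lookups, their 3 second delay and the returned fields are constructed, and the exact ordering of queries inside Munin is an assumption.

```python
import time
from typing import Any, Callable, Dict

VT_WAIT_TIME = 15.0  # seconds between Virustotal queries, as the README states

Lookup = Callable[[str], Dict[str, Any]]


def cooldown_seconds(vt_wait_time: float, process_time: float) -> float:
    """cooldown_time = vt_wait_time - process_time, floored at zero so a slow
    round of other-platform lookups never yields a negative wait."""
    return max(0.0, vt_wait_time - process_time)


class HashLookupService:
    """Serialises Virustotal queries behind a cool-down; cache hits bypass it.

    vt_lookup / other_lookups and the clock are injected so the logic runs
    offline (assumption: Munin's real implementation is structured differently)."""

    def __init__(self, vt_lookup: Lookup, other_lookups: Lookup,
                 vt_wait_time: float = VT_WAIT_TIME,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self._vt = vt_lookup
        self._others = other_lookups
        self._wait = vt_wait_time
        self._clock = clock
        self._cache: Dict[str, Dict[str, Any]] = {}
        self._cooldown_until = 0.0

    def seconds_until_ready(self) -> float:
        """Remaining cool-down; 0.0 when the next Virustotal query may run."""
        return max(0.0, self._cooldown_until - self._clock())

    def handle(self, requested: str) -> Dict[str, Any]:
        key = requested.strip().lower()
        if key in self._cache:
            return self._cache[key]                 # cached: cool-down irrelevant
        if self._clock() < self._cooldown_until:
            return {"status": "VT cooldown active"}
        started = self._clock()
        result = self._others(key)                  # all non-VT platforms
        process_time = self._clock() - started      # time subtracted from the wait
        result.update(self._vt(key))
        self._cooldown_until = self._clock() + cooldown_seconds(self._wait, process_time)
        self._cache[key] = result
        return result


class FakeClock:
    """Manually advanced clock so the timing can be demonstrated deterministically."""
    def __init__(self) -> None:
        self.now = 0.0

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


def demo_service(clock: FakeClock) -> HashLookupService:
    """Service wired to constructed lookups; the other platforms 'take' 3 seconds."""
    def fake_vt(h: str) -> Dict[str, Any]:
        return {"hash": h, "vt_positives": 48, "vt_total": 64}

    def fake_others(h: str) -> Dict[str, Any]:
        clock.advance(3.0)
        return {"misp_available": False, "urlhaus_available": False}

    return HashLookupService(fake_vt, fake_others, clock=clock)


if __name__ == "__main__":
    clock = FakeClock()
    svc = demo_service(clock)
    print(svc.handle("1585ad28f7d1e0ca696e6c6c2f1d008a"))   # full result, cool-down starts
    print(svc.handle("dc9b5e8aa6ec86db8af0a7aa897ca61db3e5f3d2e0942e319074db1aaccfdc83"))
    print(svc.seconds_until_ready())   # 12.0: 15 s minus the 3 s the other platforms took
```

A client that receives the cool-down response should wait and retry rather than hammer the endpoint; for a bulk job the cache is what makes a re-run cheap, since every hash already looked up is served without touching Virustotal at all.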

Munin Hosts

The Munin host and IP checker script (munin-host.py) retrieves more information on IP addresses and host/domain names in IOC lists.

Usage

usage: munin-host.py [-h] [-f path] [-o output] [-m max-items] [-c cache-db]
                     [-i ini-file] [--nocache] [--nocsv] [--recursive]
                     [--download] [-d download_path] [--dups] [--noresolve]
                     [--ping] [--debug]

Virustotal Online Checker (IP/Domain)

optional arguments:
  -h, --help        show this help message and exit
  -f path           File to process (hash line by line OR csv with hash in
                    each line - auto-detects position and comment)
  -o output         Output file for results (CSV)
  -m max-items      Maximum number of items (urls, hosts, samples) to show
  -c cache-db       Name of the cache database file (default: vt-hosts-
                    db.json)
  -i ini-file       Name of the ini file that holds the API keys
  --nocache         Do not load the cache db (vt-check-cache.pkl)
  --nocsv           Do not write a CSV with the results
  --recursive       Process the resolved IPs as well
  --download        Try to download the URLs (directories with host/ip names)
  -d download_path  Store the downloads to the given directory
  --dups            Do not skip duplicate hashes
  --noresolve       Do not perform DNS resolve test on found domain names
  --ping            Perform ping check on IPs (speeds up process if many
                    public but internally routed IPs appear in text file)
  --debug           Debug output

Screenshot

Munin Hosts_Screenshot

Examples

Parse the demo file, extract IPs and hosts, skip the DNS resolution check (so domains are processed whether or not they still resolve) and download samples directly from the remote systems.

python3 munin-host.py -i your-key.ini -f ./munin-hosts-demo.txt --noresolve --download

Warning

Using munin-host.py in an IDS monitored network will cause numerous alerts as munin-host.py performs DNS lookups for malicious domains and has the option to download malicious samples.

Issues

pycurl on macOS

The script munin-host.py requires the module pycurl. It is sometimes tricky to make it work on macOS because it requires OpenSSL to be installed, which is then used in the build process.

If errors occur, try the following (some environments will require pip3):

pip uninstall pycurl
brew update
brew reinstall openssl
export PKG_CONFIG_PATH="/usr/local/opt/openssl/lib/pkgconfig"
export LDFLAGS="-L/usr/local/opt/openssl/lib"
export CPPFLAGS="-I/usr/local/opt/openssl/include"
export PYCURL_SSL_LIBRARY=openssl
pip install pycurl --global-option="--with-openssl"

Hugin for Virustotal Retrohunts

The Hugin script (hugin.py) retrieves and displays information on all samples returned in a retrohunt. The big advantage is that you don't have to wait 15 seconds between each sample request but pull the full JSON result via v3 of the Virustotal API, so you get your results immediately. The disadvantage is that other services like Any.run, Hybrid-Analysis, MISP or Valhalla don't get queried with Hugin.

Usage

usage: hugin.py [-h] [-r retrohunt-name] [-i ini-file]
                [--csv-path CSV_PATH] [--debug] [--no-comments]

Retrohunt Checker

optional arguments:
  -h, --help           show this help message and exit
  -r retrohunt-name    Name for the queried retrohunt
  -i ini-file          Name of the ini file that holds the VT API key
  --csv-path CSV_PATH  Write a CSV with the results
  --debug              Debug output
  --no-comments        Skip VirusTotal comments

Examples

Parse a retrohunt and export a CSV file with the results.

python3 hugin.py -i config-with-your-key.ini -r retrohunt-123456789
