-
Notifications
You must be signed in to change notification settings - Fork 79
/
Copy pathmalsub.py
76 lines (57 loc) · 2.91 KB
/
malsub.py
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
#!/usr/bin/env python3
"""
Usage: malsub [-h] [-a <service>] [-H] [-p <num>] [-R] [-v ...]
[-d | -f | -q | -r | -s | -t]
[-i | -o | -l | -u]
[<input> ...]
Interact with online malware, URL and intelligence analysis services for malware
samples, domain names, IP addresses or URLs.
Options:
-h, --help show this help message and exit
-a, --analysis <service> character-separated list of services (class or short names) [default: all]
-H, --servhelp show help messages about selected services and exit
-p, --pause <num> wait an interval in seconds between service requests (rate limit) [default: 0]
-R, --recursive recurse on input paths
-v, --verbose display verbose and debug messages
API functions:
-d, --download download files or malware samples
-f, --find search for arbitrary terms (input format irrelevant)
-q, --quota retrieve API user quota
-r, --report retrieve submission reports for domains, files, hash values, IP addresses or URLs
-s, --submit submit malware samples or URLs for analysis
-t, --test test API calls by calling each service function as defined with some default values
Input formats (hash values or files are given as default depending on options):
-i, --ipaddr input are IPv4 addresses (applies to '-r' only)
-o, --domain input are domain names (applies to '-r' only)
-l, --appl input are hash values for application lookups (applies to '-r' only)
-u, --url input are URLs (applies to '-r' and '-s' only)
Supported hash values: MD5, SHA1, SHA-256 and SHA-512.
Examples:
- Retrieve user quota for Hybrid Analysis and be verbose:
$ python3 malsub.py -a ha -q -v
- Submit an URL for analysis to VirusTotal and output verbose and debug
messages:
$ python3 malsub.py -vva VirusTotal -su <url>
- Submit two files to maltracker and VirusTotal and pause 60
seconds between submissions:
$ python3 malsub.py -a mt,virustotal -p 60 -s <file1> <file2>
- Retrieve reports for a file, for files under a recursive path and for a hash
value:
$ python3 malsub.py -a VxStream,vt -rRv <file> <path> <hash>
- Retrieve analysis reports of a domain from all supporting services:
$ python3 malsub.py -or <domain>
- Retrieve analysis reports of a domain from all supporting services, but
exclude ThreatCrowd and maltracker:
$ python3 malsub.py -a all,-ThreatCrowd,-mt -or <domain>
- Retrieve an analysis report from PDF Examiner of a PDF file identified by
its hash value:
$ python3 malsub.py -a pe -r <hash>
- Download a malware sample from MalShare:
$ python3 malsub.py -a ms -d <hash>
Copyright (c) 2017 Diogo Fernandes
https://github.com/diogo-fern/malsub
"""
from docopt import docopt, printable_usage
from malsub.core import main
if __name__ == "__main__":
exit(main.run(docopt(__doc__), printable_usage(__doc__)))