Sunday, November 10, 2013

[Script] VirusTotal public and private API v2 with all features


A few days ago I finished improving the previous script and added private API support, so a very big thank you to the VirusTotal team for this :)

I will show a few options with examples; for all options see the usage.

Important! Some functions, such as behaviour, have many options; if you want to activate all of them, just use -v/--verbose. Use verbose mode to get more details from a report.

You can use the --dump option to dump the JSON to a file and analyse it later. You can combine both: view a report and dump it to a file, and afterwards pass that file as the parameter instead of the hash/scan-id/url/etc.

File scan:
Important: if the file has been scanned before, you will get the existing report and the file will not be uploaded.
Files bigger than 32 MB will be ignored and you will see a warning with the file name.

You can use name/path wildcards such as: /home/user/malware*/*Zeus*

vt.py -f path_to_file


vt.py -f path_to_file -v #in verbose mode you will see the same report plus the detections by each AV



Url scan and report:

It depends on your API: with the public API you can scan up to 4 URLs per request, with the private API up to 25 URLs.
Example for scanning 2 URLs/domains:

python vt.py -ur google.com virustotal.com



When you try to get a report and the URL/domain has not been scanned before, you can submit it for scanning in the same run with this option:

python vt.py -ur -u google.com virustotal.com

If you want to add it directly to scan/rescan, just execute:

python vt.py -u google.com virustotal.com

Report search

Here you can use an md5/sha1/sha256 hash or a scan-id


python vt.py -s 99017f6eebbac24f351415dd410d522d

MD5    : 99017f6eebbac24f351415dd410d522d
SHA1   : 4d1740485713a2ab3a4f5822a01f645fe8387f92
SHA256 : 52d3df0ed60c46f336c131bf2ca454f73bafdc4b04dfa2aea80746f5ba9e6d1c

Scan  Date     : 2013-11-02 05:21:11

Detections:
      39/46 Positives/Total


(the output is very long, so this is just a part of it)

Permanent link : https://www.virustotal.com/file/52d3df0ed60c46f336c131bf2ca454f73bafdc4b04dfa2aea80746f5ba9e6d1c/analysis/1383369671/
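As an added example (not the vt.py script itself), the following Python shows what a v2 file/report response like the one above is reduced to when printed, how verbose mode lists the engines that detected the file, and how a --dump JSON file can be re-read in place of the hash. The field names are those of the v2 file/report response; SAMPLE_REPORT is constructed from the values above and truncated to three made-up engines.

```python
import json
import os
# Constructed sample modelled on a v2 file/report response, truncated to three
# made-up engines; positives/total are the response's own counters.
SAMPLE_REPORT = {
    "response_code": 1,
    "md5": "99017f6eebbac24f351415dd410d522d",
    "sha1": "4d1740485713a2ab3a4f5822a01f645fe8387f92",
    "sha256": "52d3df0ed60c46f336c131bf2ca454f73bafdc4b04dfa2aea80746f5ba9e6d1c",
    "scan_date": "2013-11-02 05:21:11",
    "positives": 39,
    "total": 46,
    "permalink": "https://www.virustotal.com/file/52d3df0ed60c46f336c131bf2ca454f73bafdc4b04dfa2aea80746f5ba9e6d1c/analysis/1383369671/",
    "scans": {
        "EngineA": {"detected": True, "result": "Trojan.Generic", "update": "20131102"},
        "EngineB": {"detected": False, "result": None, "update": "20131102"},
        "EngineC": {"detected": True, "result": "Win32.Agent", "update": "20131101"},
    },
}

def summarize(report, verbose=False):
    """Reduce a file/report response to the fields printed above (response_code
    1 = known resource, 0 = never seen by VT, -2 = still queued)."""
    if report.get("response_code") != 1:
        return {"known": False, "message": report.get("verbose_msg", "no report")}
    summary = {
        "known": True,
        "md5": report["md5"], "sha1": report["sha1"], "sha256": report["sha256"],
        "scan_date": report["scan_date"],
        "detections": "%d/%d Positives/Total" % (report["positives"], report["total"]),
        "permalink": report["permalink"],
    }
    if verbose:  # -v: also list each engine that flagged the file, with its label
        summary["engines"] = sorted((name, scan["result"]) for name, scan
                                    in report["scans"].items() if scan.get("detected"))
    return summary

def dump_report(report, path):
    """What --dump does: keep the raw JSON so it can be analysed again offline."""
    with open(path, "w") as fh:
        json.dump(report, fh, indent=2)

def load_resource(resource):
    """Accept a dumped JSON file in place of a hash/scan-id; otherwise pass the
    string through for the caller to send to file/report."""
    if os.path.isfile(resource):
        with open(resource) as fh:
            return json.load(fh)
    return resource
```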


Domain search:
Get the resolved IPs and resolution dates of the domain

python vt.py -d http://027.ru --dump -v #public api



Get the domain info with all details: # the same command, but with the private API

You can get all the info with verbose mode, or just activate the options for what you want to see; see the usage.



Get IP info:

python vt.py -i ip/json_dump #public api


Search report
python vt.py -s 99017f6eebbac24f351415dd410d522d #private api example


ExifTool file metadata:


(output cut)



Cluster info:

python vt.py --cluster 2013-10-01



Distribution:

python vt.py --distribution-files --report --limit 1



python vt.py --distribution-urls



Permanent link : https://www.virustotal.com/url/6df0f88d03421a4c202bb6151d4b16666be0d8fac3780d387a5b818ca824d6b7/analysis/1383121114/


Get comments:



Behaviour:

This is a heavily cut output of the behaviour report, because it is very, very long.






And much more!

Process Tree

pid:484
name:82a4d0467f93e3ddec3b51a66dbd55cfce3f6c5725d2759850fb4b3b37c28304
children:[]


See the usage for all options:

python vt.py -h

Enjoy it!

6 comments:

  1. Hi. Extremely useful. Thanks a lot. I'm also looking to retrieve the first submission date as well. Are you planning to include it too?

    1. Thank you Alvaro, a great upgrade with a lot of features is coming soon.
      You can get the first submission with the private API only, using --report-all-info
      For example:
      vt -s --report-all-info 9fc5f95fb1e7fd4cc45fd6c04264abff

      Scan Date : 2014-10-05 18:44:31
      First Submission : 2014-09-24 04:01:53
      Last Submission : 2014-09-24 04:01:53

      Cheers

      PS If you have any suggestions or anything you find useful, you can tell me here or open a request on github

  2. Ok cool. I've tried but I don't see this info. Probably my API key is a public one instead of a private/purchased one, right? I mean, is the script able to use private API features without any modification?

    Thanks

    1. By default all keys are public; if you want a private one, get in touch with VT for prices.
      Yes, without any modification :)

      In the new version, the private API has a little improvement, but I will explain it when I make it public :)
      Best regards

  3. Hi, thanks for such a great tool. I need to download reports (in JSON or CSV format) for static and behavioural analysis of Android applications from VT using your tool. Can you please give me an example command with which I can perform that task? I would be thankful to you.

  4. Hello @Ahmed, thanks for using it. If you have a private API key you can do it this way:
    1) vt -rai android_app_hash --dump <- for static
    2) vt -behaviour android_app_hash --dump <- for dynamic

    If you only have a public key, then you can only get basic static information:
    vt -fs --dump

    --dump will save the data returned from VT to a JSON file
